Route 53 — Managed DNS
DNS, which resolves domain names to IPs, is one of the oldest pieces of internet infrastructure. AWS's managed DNS service is Route 53 — named after the standard DNS port (53).
1. About Route 53
| When | Event |
|---|---|
| 2010-12 | Route 53 GA. |
| 2011 | Latency-based · Geo routing. |
| 2014 | Domain registration · Traffic Flow. |
| 2020 | DNSSEC for Route 53. |
| 2021 | Application Recovery Controller. |
Base DNS standards are RFC 1034 · 1035 (1987). DNSSEC is RFC 4033 ~ 4035 (2005).
Core objects:
- Hosted Zone — A domain's set of records. Public and private (VPC) variants.
- Record Set — A bundle of records for a name + type.
- Name Server — Each Hosted Zone gets 4 NS records (ns-xxx.awsdns-yy.org).
2. Record types
| Type | Meaning |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| CNAME | Alias to another name (not allowed at zone apex) |
| MX | Mail server |
| TXT | Free text (SPF · DKIM · domain verification) |
| NS | Name server delegation |
| SRV | Service location |
| CAA | CAs allowed to issue certificates |
| Alias (Route 53 extension) | Alias to AWS resources, allowed at zone apex |
A standard CNAME cannot be placed at the zone apex (e.g., example.com itself). Route 53's Alias is an extension that lets that location point to AWS resources like ALB · CloudFront · S3 static hosting · API Gateway. It works at no extra cost and tracks IP changes of the underlying resource automatically.
3. Routing policies
| Policy | Meaning |
|---|---|
| Simple | Returns a single record. |
| Weighted | Weighted distribution. A/B · canary deploys. |
| Latency | Region with the lowest latency to the user. |
| Geolocation | Based on user location (country/continent). |
| Geoproximity | Distance from a lat/long with a bias. |
| Failover | Switch to secondary on primary failure. Combine with health checks. |
| Multi-Value Answer | Round-robin multiple IPs. |
Complex flows are composed in Traffic Flow's visual editor (e.g., Geo → Latency → Failover stacking).
4. Health Checks
Periodic HTTP/HTTPS · TCP reachability checks against an endpoint. Pairs with CloudWatch alarms.
Health Check → excluded from Route 53 responses (on failure)
             → input to Failover / Multi-Value Answer records
             → input to CloudWatch alarms
Multiple regional checker nodes probe the endpoint at the same time; the endpoint counts as healthy when the share of checkers reporting success meets the threshold.
5. Domain registration · Private Zone
Route 53 also offers domain registration and renewal (since 2014). TLD pricing varies a lot.
Domains bought at other registrars (GoDaddy · Namecheap · Gandi) only need their NS records swapped to the Route 53 NS set.
Private Hosted Zone — A zone visible only inside a VPC. The same name can answer differently than the public zone (split-horizon DNS):
www.example.com (Public) → 1.2.3.4 (CloudFront)
www.example.com (Private VPC) → 10.0.0.5 (internal ALB)
6. DNSSEC
A standard that signs DNS responses to prevent tampering. Enable DNSSEC signing per Route 53 Hosted Zone, then register a DS record at the parent (TLD) zone to build the chain of trust.
DNSSEC is reported to be more difficult to operate (key rotation, validation) than to introduce. Adopt gradually unless required.
7. Other managed DNS
| Service | Notes |
|---|---|
| Cloudflare DNS (2017+) | Very fast. Free tier. WAF · DDoS · CDN integration. |
| Google Cloud DNS | GCP integration. Anycast. |
| Azure DNS | Azure integration. |
| NS1 | Enterprise routing (Filter Chain). Fine-grained control. |
| DigitalOcean DNS | Free. Simple. |
Decision factors:
- Integration with AWS resources — Route 53.
- DDoS · WAF · CDN bundle — Cloudflare.
- Fine routing logic — NS1.
- Simple free hosting — Cloudflare · DigitalOcean.
8. Domain + ALB connection flow
- Create the Route 53 Hosted Zone.
- Register the 4 NS records at the registrar.
- Issue a certificate via ACM.
- ALB → attach certificate → HTTPS listener.
- Route 53 Alias A record (apex example.com → ALB).
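The last step of this flow, as an added example (not AWS or Route 53 code): build the ChangeBatch document that `aws route53 change-resource-record-sets --change-batch file://batch.json` accepts, and refuse the apex mistakes the text warns about before anything is submitted. The ALB DNS name and its hosted-zone id are constructed placeholders; for a real ALB the zone id is the regional ELB zone id AWS publishes, not your own hosted zone's.

```python
# Added example, not from Route 53 or AWS: build and sanity-check a Route 53 change batch.
# Assumptions: record names are compared after normalisation to a trailing dot, and the
# ALB zone id passed in is the regional ELB zone id (here a labelled placeholder).

def fqdn(name: str) -> str:
    """Route 53 stores names with a trailing dot; normalise so apex comparisons work."""
    return name.rstrip(".").lower() + "."

def alias_a_record(name: str, target_dns: str, target_zone_id: str) -> dict:
    """Alias A record: an AliasTarget only, with no TTL and no ResourceRecords."""
    return {
        "Name": fqdn(name),
        "Type": "A",
        "AliasTarget": {
            "HostedZoneId": target_zone_id,   # the target's zone id (ELB regional id for an ALB)
            "DNSName": fqdn(target_dns),
            "EvaluateTargetHealth": True,     # an unhealthy ALB drops out of failover answers
        },
    }

def plain_record(name: str, rtype: str, values: list, ttl: int) -> dict:
    """Standard record (A, CNAME, TXT, ...) with an explicit TTL."""
    return {"Name": fqdn(name), "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}

def validation_errors(zone_name: str, rrset: dict) -> list:
    """Rules Route 53 enforces on a record set, returned as readable messages (empty = ok)."""
    errors = []
    at_apex = rrset["Name"] == fqdn(zone_name)
    if rrset["Type"] == "CNAME" and at_apex:
        errors.append("CNAME is not allowed at the zone apex; use an Alias record")
    if "AliasTarget" in rrset and ("TTL" in rrset or "ResourceRecords" in rrset):
        errors.append("Alias records carry no TTL or ResourceRecords")
    if "AliasTarget" not in rrset and "TTL" not in rrset:
        errors.append("non-alias records need a TTL")
    return errors

def change_batch(zone_name: str, rrsets: list, comment: str = "") -> dict:
    """UPSERT change batch; refuses to build if any record set is invalid."""
    problems = [e for r in rrsets for e in validation_errors(zone_name, r)]
    if problems:
        raise ValueError("; ".join(problems))
    return {"Comment": comment,
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": r} for r in rrsets]}
```

Write the returned dict out with `json.dumps` and pass it to the CLI; UPSERT creates the record or replaces it in place.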
9. TTL · cost
Record changes are immediate at the Route 53 authoritative servers, but the time to reach users depends on TTL. Short TTLs reflect changes faster but increase DNS query cost. As a general rule, keep stable resources long (1 hour ~ 1 day) and frequently changing ones short (60 seconds).
Cost:
- Hosted Zone — $0.50 / month.
- DNS query count — Per million, varies by policy.
- Health Check — Per check.
- Domain registration — Per TLD per year.
A light site costs $1 ~ 3 per month.
10. Common pitfalls
Missing NS update — Hosted Zone does not function until the registrar's 4 NS records are switched to Route 53's.
CNAME zone-apex limit — Cannot place a CNAME at the apex (example.com). Use Alias for AWS resources.
Long TTL slowing down incident response — Reduce TTL ahead of changes.
False negatives in Health Checks — Origin security groups (SGs) must allow the Route 53 health-checker IP ranges. Otherwise the endpoint always looks unhealthy even when it is up.
Geolocation blind spots — Without a default record, unmapped locations may receive no answer. Always set a default.
DNSSEC key rotation — Failing to refresh DS records during KSK rotation makes the entire zone fail validation.
Private Hosted Zone not associated with VPC — Forgetting the VPC association is a common incident.
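The DS record of section 6 and the KSK-rotation pitfall above, as an added example (not Route 53 or AWS code): derive the DS record a parent zone must publish for a KSK, and check a DS currently published at the parent against the key the zone now signs with, so a stale DS after rotation is caught before validation breaks. Wire formats follow RFC 4034; the DNSKEY public-key bytes are constructed test values, not real keys.

```python
import hashlib
import struct

# Added example, not Route 53 code: DS derivation and a stale-DS check per RFC 4034
# (DNSKEY RDATA in section 2.1, key tag in Appendix B, DS digest in section 5.1.4).
# Route 53 signs with ECDSAP256SHA256 (algorithm 13); the key bytes here are constructed.

def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed lowercase labels, root label = 0x00."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over RDATA with carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes) -> tuple:
    """(key_tag, algorithm, digest_type, digest_hex) for a SHA-256 (digest type 2) DS."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def parent_ds_is_current(published_ds: tuple, owner: str, flags: int,
                         algorithm: int, public_key: bytes) -> bool:
    """True only if the DS the parent publishes matches the KSK the zone signs with now."""
    return tuple(published_ds) == ds_record(owner, flags, algorithm, public_key)
```

Run the check after every KSK rotation: fetch the DS from the parent (for example with `dig DS example.com`) and the current KSK from your zone, and treat a False as the outage-in-waiting described above.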
Closing thoughts
Route 53's appeal lies in Alias integration with AWS resources and refined routing policies (Failover · Latency · Geo). Cloudflare DNS's free tier + DDoS protection is enough for small operations; Route 53 fits where you are deep in AWS.
Next
- load-balancers
- ecs-fargate
References: Route 53 developer guide · Traffic Flow · DNSSEC guide · Cloudflare DNS · Google Cloud DNS · RFC 1035 (DNS) · RFC 4033 (DNSSEC).