Amazon Route 53
Service 25

Networking, DNS, Edge

Route 53 is AWS's managed DNS service — and also a domain registrar and a traffic-routing layer. It answers DNS queries with a historically 100% availability SLA, registers and renews domains, and runs health checks that drive failover automatically. The name is a joke: DNS runs on port 53.

It covers the three DNS jobs most teams need: registrar (buy and renew names), authoritative server (publish records), and traffic router (express rules like "send European users to the European Region"). The 100% SLA applies to answering queries, not to your records being correct — delete a record by accident and that is on you.

Hosted Zones and Records

A hosted zone holds the records for one domain. Public zones answer the internet (you set the four NS records at your registrar); private zones answer only from associated VPCs, for internal names like db.internal. Running both for the same name is split-horizon DNS.

Beyond standard record types, the AWS-specific alias record works at the zone apex (where CNAMEs are forbidden), is free to query, and resolves directly to AWS resources like ALBs, CloudFront, and API Gateway. Use short TTLs (30–60s) for records that may fail over and long TTLs for stable NS and MX records.

Routing Policies

When multiple records share a name and type, the routing policy picks the answer. Simple returns one answer; weighted splits by relative weight for canary and A/B; latency-based sends each user to the lowest-latency Region; failover swaps to a secondary when the primary's health check fails.

Geolocation routes by the user's country or continent for compliance and localization; geoproximity routes by distance with a bias knob (needs Traffic Flow); multi-value answer returns up to 8 healthy IPs for cheap health-checked round-robin. The common multi-Region stack is latency-based routing with health checks.

Health Checks

A health check periodically probes an endpoint (HTTP, HTTPS, or TCP) and, paired with failover or multi-value routing, removes failing targets from DNS answers automatically. Three shapes exist: endpoint checks, CloudWatch-alarm checks, and calculated checks combining others with AND/OR logic.

Checks run from many Regions in parallel and only count as failed when a configurable threshold of regions agree, guarding against false positives from one bad vantage point.
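To see how the routing policies above and the regional health-check quorum interact, here is an added Python model, not code from this page or from AWS: a tiny resolver that applies the simple, weighted, failover and multi-value policies to a record set and drops records whose health check has failed. The one-vote-per-region quorum rule, the record shapes, the health-check ids and the addresses are constructed assumptions, not Route 53 internals.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    name: str
    value: str                          # IP address or target name
    policy: str                         # "simple", "weighted", "failover" or "multivalue"
    weight: int = 0                     # weighted policy only
    failover: Optional[str] = None      # "PRIMARY" or "SECONDARY" (failover policy only)
    health_check: Optional[str] = None  # health-check id; None means never health checked


def aggregate_health(observations: Dict[str, Dict[str, bool]],
                     healthy_fraction: float = 0.18) -> Dict[str, bool]:
    """Turn per-region checker results into one verdict per health check.

    A check counts as healthy when at least `healthy_fraction` of the checker
    regions report it healthy, so one bad vantage point cannot fail it alone.
    The 0.18 default follows the figure in the AWS documentation; the
    one-vote-per-region model is a simplification (assumption).
    """
    verdicts: Dict[str, bool] = {}
    for check_id, by_region in observations.items():
        healthy_votes = sum(1 for ok in by_region.values() if ok)
        verdicts[check_id] = healthy_votes / len(by_region) >= healthy_fraction
    return verdicts


def resolve(records: List[Record], name: str, health: Dict[str, bool],
            rng: Optional[random.Random] = None, multivalue_max: int = 8) -> List[str]:
    """Return the values a resolver would be handed for `name`."""
    rng = rng or random.Random()
    rrset = [r for r in records if r.name == name]
    if not rrset:
        return []

    def healthy(r: Record) -> bool:
        # A record with no health check is always treated as healthy.
        return r.health_check is None or health.get(r.health_check, False)

    policy = rrset[0].policy
    if policy == "simple":
        # Simple routing ignores health checks: every value is returned as-is.
        return [r.value for r in rrset]

    if policy == "weighted":
        # Unhealthy records drop out; the rest are chosen by relative weight.
        live = [r for r in rrset if healthy(r) and r.weight > 0]
        total = sum(r.weight for r in live)
        if total == 0:
            return []
        point = rng.uniform(0, total)
        for r in live:
            point -= r.weight
            if point <= 0:
                return [r.value]
        return [live[-1].value]

    if policy == "failover":
        primary = next((r for r in rrset if r.failover == "PRIMARY"), None)
        secondary = next((r for r in rrset if r.failover == "SECONDARY"), None)
        if primary and healthy(primary):
            return [primary.value]
        if secondary and healthy(secondary):
            return [secondary.value]
        # Both unhealthy (or no secondary): the primary is served anyway.
        return [primary.value] if primary else []

    if policy == "multivalue":
        # Up to eight healthy values, picked at random for cheap round-robin.
        live = [r.value for r in rrset if healthy(r)]
        rng.shuffle(live)
        return sorted(live[:multivalue_max])

    raise ValueError(f"unknown routing policy {policy!r}")


# Constructed sample data (not real checker output or real records).
OBSERVATIONS = {
    "hc-web-primary": {f"region-{i}": i != 3 for i in range(8)},   # one region disagrees
    "hc-web-secondary": {f"region-{i}": True for i in range(8)},
    "hc-api-canary": {f"region-{i}": False for i in range(8)},     # dead everywhere
    "hc-pool-9": {f"region-{i}": False for i in range(8)},
}

RECORDS = [
    Record("www.example.com", "198.51.100.10", "failover", failover="PRIMARY", health_check="hc-web-primary"),
    Record("www.example.com", "198.51.100.20", "failover", failover="SECONDARY", health_check="hc-web-secondary"),
    Record("api.example.com", "198.51.100.30", "weighted", weight=90),
    Record("api.example.com", "198.51.100.40", "weighted", weight=10, health_check="hc-api-canary"),
] + [Record("pool.example.com", f"203.0.113.{i}", "multivalue") for i in range(9)] + [
    Record("pool.example.com", "203.0.113.99", "multivalue", health_check="hc-pool-9"),
]


if __name__ == "__main__":
    health = aggregate_health(OBSERVATIONS)
    for name in ("www.example.com", "api.example.com", "pool.example.com"):
        print(name, "->", resolve(RECORDS, name, health, random.Random(1)))
```

With the sample data, www.example.com still answers with the primary even though one checker region reports it down, api.example.com never returns the canary whose check has failed, and pool.example.com returns eight of the nine healthy pool members. Flipping the primary's verdict to unhealthy is all it takes to make the failover pair answer with the secondary.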

Route 53 vs Elastic Load Balancing

Route 53 — DNS-level traffic steering across Regions or endpoints — latency, geo, weighted, failover. Changes propagate over seconds to hours due to DNS caching.

Elastic Load Balancing — request-level distribution across targets within a Region, in real time with health checks. Not a cross-Region tool on its own.

Common Mistakes
  • Trying to use Route 53 routing policies as real-time load balancing — DNS caching means changes take seconds to hours; use ELB for request-level distribution.
  • Pointing an apex domain with a CNAME (forbidden at the apex) instead of an alias record.
  • Setting long TTLs on failover records, so clients keep hitting a dead endpoint long after the health check fails.
  • Putting internal service names in a public hosted zone instead of a private zone, leaking topology.
  • Forgetting to enable domain auto-renew — a lapsed registration is a multi-day outage.
  • Enabling DNSSEC without a key-rollover plan — a misconfigured rollover can take the domain offline for days.

Best Practices
  • Use alias records to point apex domains at AWS resources — they are free and CNAME-at-apex is impossible.
  • Pair failover or multi-value routing with health checks for hands-off resilience.
  • Set TTLs intentionally: short for changeable records, long for stable ones.
  • Use private hosted zones for internal names instead of public DNS.
  • Enable domain auto-renew and monitor query volume for DDoS or runaway-retry spikes.
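As an added example, not from this page or from AWS, the following Python builds the ChangeBatch structure that the Route 53 change_resource_record_sets API accepts for an apex failover pair on alias records, and refuses any batch that falls into the mistakes listed above: a CNAME at the apex, a long TTL on a record that may fail over, a primary with no health signal. The zone ids, DNS names and health-check id are constructed placeholders; the 60-second TTL ceiling is an assumption taken from the 30–60 s guidance given earlier.

```python
from typing import Any, Dict, List, Optional

MAX_FAILOVER_TTL = 60  # seconds; assumption matching the 30-60 s guidance above


def problem(rrset: Dict[str, Any], apex: str) -> Optional[str]:
    """Return a description of the first pitfall found in `rrset`, or None.

    The checks mirror the lists above: no CNAME at the apex, no TTL on alias
    records, a short TTL and a health signal on failover records.
    """
    name = rrset["Name"].rstrip(".")
    is_alias = "AliasTarget" in rrset
    if rrset["Type"] == "CNAME" and name == apex.rstrip("."):
        return f"{name}: CNAME is forbidden at the zone apex; use an alias record"
    if is_alias and "TTL" in rrset:
        return f"{name}: alias records take the target's TTL and carry none of their own"
    if not is_alias and "TTL" not in rrset:
        return f"{name}: non-alias records need a TTL"
    if "Failover" in rrset:
        if "SetIdentifier" not in rrset:
            return f"{name}: failover records need a SetIdentifier"
        if rrset.get("TTL", 0) > MAX_FAILOVER_TTL:
            return f"{name}: TTL {rrset['TTL']}s is too long for a record that may fail over"
        has_check = "HealthCheckId" in rrset or \
            bool(rrset.get("AliasTarget", {}).get("EvaluateTargetHealth"))
        if rrset["Failover"] == "PRIMARY" and not has_check:
            return f"{name}: a primary failover record needs a health check"
    return None


def alias_record(name: str, failover: str, target_dns: str, target_zone_id: str,
                 health_check_id: Optional[str] = None) -> Dict[str, Any]:
    """An A-type alias record set for one side of a failover pair."""
    rrset: Dict[str, Any] = {
        "Name": name,
        "Type": "A",
        "SetIdentifier": f"{name.rstrip('.')}-{failover.lower()}",
        "Failover": failover,                     # "PRIMARY" or "SECONDARY"
        "AliasTarget": {
            "HostedZoneId": target_zone_id,       # the ALB's zone id, not your own zone
            "DNSName": target_dns,
            "EvaluateTargetHealth": True,         # let the ALB's health feed failover
        },
    }
    if health_check_id:
        rrset["HealthCheckId"] = health_check_id
    return rrset


def change_batch(rrsets: List[Dict[str, Any]], apex: str,
                 action: str = "UPSERT", comment: str = "") -> Dict[str, Any]:
    """Assemble the ChangeBatch argument of change_resource_record_sets,
    refusing the whole batch if any record set trips a check."""
    for rrset in rrsets:
        issue = problem(rrset, apex)
        if issue:
            raise ValueError(issue)
    return {
        "Comment": comment,
        "Changes": [{"Action": action, "ResourceRecordSet": r} for r in rrsets],
    }


# Constructed placeholders: the zone ids, DNS names and check id are not real.
APEX_PAIR = [
    alias_record("example.com.", "PRIMARY", "alb-eu-1.example.invalid.", "ZPLACEHOLDER1",
                 "hc-placeholder-primary"),
    alias_record("example.com.", "SECONDARY", "alb-eu-2.example.invalid.", "ZPLACEHOLDER2"),
]


if __name__ == "__main__":
    import json
    print(json.dumps(change_batch(APEX_PAIR, "example.com", comment="apex failover"), indent=2))
```

The returned dictionary is what you would pass as `ChangeBatch=` to boto3's `change_resource_record_sets`, alongside your own `HostedZoneId`; the validation runs before anything reaches the API, so a CNAME at the apex or a 3600-second failover TTL is caught in code review rather than after an outage.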

Comparable services
  • GCP: Cloud DNS
  • Azure: Azure DNS, Traffic Manager

Knowledge Check

Why use an alias record instead of a CNAME for an apex domain pointing at an ALB?

  • CNAMEs are not allowed at the zone apex; alias records work there and are free to query
  • Alias records resolve much faster because they skip the DNS layer entirely
  • CNAMEs cannot point at any AWS-managed resource at all
  • Alias records encrypt the DNS response sent to the client

Which routing policy fits a multi-Region active-active web app that should send each user to the nearest Region?

  • Latency-based routing, paired with health checks
  • Simple routing with a fixed answer per name
  • Weighted routing at a flat 50/50 split
  • Geolocation routing keyed by the continent boundary

Why is Route 53 a poor substitute for a load balancer?

  • It works at the DNS layer, where resolver caching delays changes by seconds to hours
  • It cannot perform any health checks on its endpoints
  • It only supports a single record per registered domain, with no room for routing policies
  • It charges per balanced request exactly like a load balancer does, making it costly at scale

What does a Route 53 health check do when paired with failover routing?

  • Automatically removes the failing endpoint from answers so traffic shifts over
  • Restarts the failing EC2 instance behind the record
  • Sends an alert email to the account owner but changes none of the served records
  • Increases the record's TTL automatically to ride out the brief endpoint failure