Key concepts and components for Route 53 Global Resolver

The main service instance that provides DNS resolution and filtering for your organization across multiple AWS Regions. Your global resolver uses anycast technology to automatically route DNS queries to the nearest available Region, ensuring fast response times for all clients regardless of their location.

Two unique IPv4 or IPv6 addresses assigned to your global resolver that you configure on client devices and network equipment. These anycast IP addresses are the same globally, which simplifies DNS configuration across all your locations. Anycast IP addressing enables automatic routing of DNS requests to the nearest global resolver, optimizing response times and improving service reliability.

Configuration templates that let you apply different DNS policies to different groups of clients in your network. Use DNS views to implement split-horizon DNS—for example, apply strict filtering and token authentication for remote locations, while using IP-based access and different security policies for branch offices.

Secure DNS connections using encrypted tokens for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). You can generate unique access tokens for individual clients or device groups, set expiration periods, and revoke tokens as needed.

Control access using IP address and CIDR range allowlists. You can configure your branch office public IP addresses or network ranges, then specify which DNS protocols (DNS-over-port-53, DoT, or DoH) each location can use based on your security requirements.

Choose the appropriate DNS protocol based on your security and compatibility needs:

Hybrid DNS resolution allows Route 53 Global Resolver to simultaneously resolve queries from on-premises users and applications to private applications on AWS.

Global private zone access extends the reach of Amazon Route 53 private hosted zones beyond VPC boundaries. Authorized clients anywhere on the internet can resolve private domain names, enabling distributed teams to access internal resources without traditional network connectivity requirements.

Seamless failover ensures continuous access to both private and public resources even when individual AWS Regions become unavailable. The anycast architecture automatically routes queries to healthy regions while maintaining consistent resolution behavior.

Multi-region deployment distributes Route 53 Global Resolver instances across at least 2 AWS Regions to ensure high availability and allow failover during service outages. You can select specific Regions based on your geographic requirements and compliance needs.

Automatic geographic optimization routes DNS queries to the nearest available AWS Region based on network topology and latency. This reduces response times and improves user experience for globally distributed organizations.

Built-in redundancy ensures service continuity through automatic failover to alternate regions when primary regions become unavailable. Clients continue to use the same anycast IP addresses while traffic is transparently rerouted.

Private hosted zone resolution enables Route 53 Global Resolver to resolve DNS queries for Route 53 private hosted zones across AWS Regions. This allows authorized clients to resolve domains for applications and resources hosted by Route 53 from anywhere on the internet.

Split-horizon DNS provides different DNS responses based on the client making the query. Route 53 Global Resolver can resolve public domains on the internet while simultaneously resolving private domains, providing seamless access to both public and private resources.

DNSSEC validation verifies the authenticity and integrity of DNS responses from public nameservers for DNSSEC-signed domains. This validation ensures DNS responses haven't been tampered with during transmission, providing protection against DNS spoofing and cache poisoning attacks.

EDNS Client Subnet is an optional feature that forwards client subnet information in DNS queries to authoritative nameservers. This enables more accurate geographic-based DNS responses, potentially reducing latency by directing clients to nearer content delivery networks or servers. For DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) connections, you can use EDNS0 to pass the client IP address information. When ECS is enabled on Global Resolver, the service automatically injects the client IP if not provided in the query.

DNS filtering rules define how Route 53 Global Resolver handles DNS queries based on domain matching criteria. Rules are evaluated in priority order and can specify actions (ALLOW, BLOCK, or ALERT) for queries to specific domains or domain categories.

Domain lists are collections of domains used in filtering rules. They can be:

DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.

Domain Generation Algorithms (DGAs) are used by attackers to create large numbers of domain names for its command-and-control servers.

Each detection algorithm outputs a confidence score that determines rule triggering. Higher confidence thresholds reduce false positives but may miss sophisticated attacks. Lower thresholds increase detection sensitivity but require additional alert analysis to filter false positives.

Advanced threat protection rules support only ALERT and BLOCK actions. The ALLOW action is not supported because algorithmic detection cannot definitively classify benign traffic, only identify potentially malicious patterns.

Query logs provide detailed information about DNS queries processed by Route 53 Global Resolver, including source IP, queried domain, response code, policy actions taken, and timestamps. Logs can be delivered to Amazon CloudWatch, Amazon Data Firehose, or Amazon Simple Storage Service for analysis and compliance reporting.

Open Cybersecurity Schema Framework (OCSF) format is a standardized logging format used by Route 53 Global Resolver for DNS query logs. This format provides consistent, structured data that integrates easily with security information and event management (SIEM) systems and other security tools.

Log destinations determine where DNS query logs are delivered, each with different characteristics:

The Observability Region determines where DNS query logs are delivered.