AWS Networking & Content Delivery

Split-view DNS using Amazon Route 53

Updated June 23, 2025

Guide: Implementing Split-View DNS with Amazon Route 53

This guide summarizes the process for setting up a Split-View DNS (also known as split-horizon DNS) architecture using Amazon Route 53, as detailed in the Tutorials Dojo article.

What is Split-View DNS?

Split-View DNS is a configuration where a DNS server provides different answers to the same DNS query depending on the source of the query.

For example, when a client on the public internet queries app.your-domain.com, it gets a public IP address. When a client inside your Amazon VPC queries the exact same name, it gets a private IP address. The private address never appears in public DNS, so internal traffic can be routed directly without advertising the internal topology. Hiding a name from public DNS is not access control, though: the private endpoint still needs security groups and network ACLs that restrict who can reach it.

Common Use Cases

  • Optimal Routing: Direct internal users to internal-facing servers (via private IPs) for lower latency and no data transfer costs, while directing external users to public-facing load balancers.

  • Controlled Deployments: Test a new version of an application internally by pointing the private DNS record to the new environment before changing the public record.

  • Private-Only Records: Create DNS records for internal tools (e.g., testing.your-domain.com) that exist only in the private zone. They resolve only from the associated VPCs (and from anything you forward into them, such as on-premises resolvers using a Route 53 Resolver inbound endpoint) and are never served to the public internet.

The Core Concept: Parallel Hosted Zones

The implementation in Amazon Route 53 is straightforward: you create two hosted zones with exactly the same domain name:

  1. A Public Hosted Zone: This zone is accessible to the entire internet and holds the public DNS records for your domain.

  2. A Private Hosted Zone: This zone is associated with one or more of your VPCs. It holds the internal DNS records for the same domain.

When a DNS query originates from within a VPC that you have associated with the private hosted zone, the Route 53 Resolver answers from the private hosted zone. Queries that arrive over the public internet are answered from the public hosted zone only; private hosted zones are never visible to them. One caveat matters in practice: once a private zone covers the domain, it is authoritative for queries from its VPCs. If a name exists only in the public zone (say, www.your-domain.com), clients in the VPC get NXDOMAIN rather than a fallback to the public answer, so every public record that internal clients need must be mirrored into the private zone.

Step-by-Step Implementation

Prerequisites

  • You have a registered domain name in Route 53 (or elsewhere, with NS records pointing to Route 53).

  • You have a VPC where your internal applications reside.

  • In your VPC settings, ensure that both DNS resolution (enableDnsSupport) and DNS hostnames (enableDnsHostnames) are enabled; private hosted zones do not resolve without both. The console enables both for a new VPC, but VPCs created through the CLI or API start with DNS hostnames disabled, so check before associating the zone.

Step 1: Create the Public Hosted Zone and Public Records

  1. In the Route 53 console, create a Public Hosted Zone for your domain (e.g., your-domain.com).

  2. Inside this public zone, create the DNS records that you want the public to see. For example, you might create an A record for app.your-domain.com that is an alias to a public Application Load Balancer.

    • Record Name: app.your-domain.com

    • Record Type: A

    • Value/Route traffic to: Alias to Application Load Balancer public-facing-alb.us-east-1.elb.amazonaws.com

Step 2: Create the Private Hosted Zone and Private Records

  1. In the Route 53 console, click "Create hosted zone" again.

  2. Enter the exact same domain name as your public zone (e.g., your-domain.com).

  3. For Type, select Private hosted zone.

  4. In the VPCs to associate section, select the region and the VPC(s) from which you want to resolve private records.

  5. Create the hosted zone.

  6. Inside this new private zone, create the DNS records that you want your internal applications to see. For example, you might create an A record for app.your-domain.com that points directly to the private IP of an EC2 instance.

    • Record Name: app.your-domain.com

    • Record Type: A

    • Value/Route traffic to: 10.0.1.55 (the private IP of your application server)

How It Works: The Resolution Path

With this setup complete, Route 53 handles the routing logic automatically:

  • A query from the Internet:

    1. A user's browser queries app.your-domain.com.

    2. The user's recursive resolver follows the delegation from your registrar's NS records to the Route 53 name servers of the public hosted zone.

    3. Route 53 answers from the public hosted zone only; the private hosted zone is never visible to queries arriving over the internet.

    4. The resolver returns the public IP addresses of the Application Load Balancer (Route 53 expands the alias record to the ALB's current addresses).

  • A query from within the VPC:

    1. An EC2 instance in your associated VPC queries for app.your-domain.com.

    2. The query goes to the VPC's Route 53 Resolver (the .2 address of your VPC CIDR, also reachable at 169.254.169.253), not to any public resolver.

    3. Because the query originated from an associated VPC, Route 53 consults the private hosted zone.

    4. It returns the private IP address, 10.0.1.55. Traffic stays entirely within the private network.
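The following is an added example, not from the page or the Tutorials Dojo article: a small model of the decision the Route 53 Resolver makes for each query, loaded with the guide's zone contents so that both resolution paths above, and the NXDOMAIN case for a name that exists only in the public zone, can be exercised side by side. The VPC id, the ALB's public address (203.0.113.10, a TEST-NET address), the public-only www record and testing.your-domain.com -> 10.0.2.10 are constructed placeholders.

```python
# Added example: model of Route 53 Resolver zone selection for split-view DNS.
# Zone contents and ids are constructed placeholders; see the lead-in.

NXDOMAIN = "NXDOMAIN"
VPC_ID = "vpc-0123456789abcdef0"

ZONES = [
    {"name": "your-domain.com.", "private": False, "vpcs": set(),
     "records": {"app.your-domain.com.": "203.0.113.10",       # what the ALB alias expands to
                 "www.your-domain.com.": "203.0.113.10"}},      # public-only record (constructed)
    {"name": "your-domain.com.", "private": True, "vpcs": {VPC_ID},
     "records": {"app.your-domain.com.": "10.0.1.55",
                 "testing.your-domain.com.": "10.0.2.10"}},    # private-only record
]


def fqdn(name):
    """Canonical form used for comparisons: lower-case with a trailing dot."""
    return name.rstrip(".").lower() + "."


def covers(zone, name):
    """True when `name` is the zone apex or lies inside the zone's namespace."""
    zname = fqdn(zone["name"])
    return name == zname or name.endswith("." + zname)


def most_specific(zones, name):
    """Longest-suffix match: the closest enclosing hosted zone wins."""
    matches = [z for z in zones if covers(z, name)]
    return max(matches, key=lambda z: len(fqdn(z["name"])), default=None)


def resolve(name, from_vpc, zones=ZONES):
    """from_vpc is the querying VPC's id, or None for a client on the internet.

    Private zones are candidates only for queries from a VPC they are associated
    with.  When a private zone covers the name it is authoritative for that query:
    a missing record yields NXDOMAIN instead of an answer from the public zone.
    Names outside every listed zone are reported as NXDOMAIN here; a real
    resolver would recurse to the public DNS for them."""
    name = fqdn(name)
    visible_private = [z for z in zones if z["private"] and from_vpc in z["vpcs"]]
    public = [z for z in zones if not z["private"]]
    zone = most_specific(visible_private, name) or most_specific(public, name)
    if zone is None:
        return NXDOMAIN
    return zone["records"].get(name, NXDOMAIN)


def mirror_gaps(zones, vpc_id):
    """Names in a public zone that clients in vpc_id can no longer resolve because
    the overlapping private zone lacks them: the records to copy across."""
    gaps = []
    for pub in (z for z in zones if not z["private"]):
        for name in pub["records"]:
            if resolve(name, vpc_id, zones) == NXDOMAIN:
                gaps.append(name)
    return sorted(gaps)


if __name__ == "__main__":
    for who, src in (("internet", None), ("VPC", VPC_ID), ("other VPC", "vpc-other")):
        for q in ("app.your-domain.com", "www.your-domain.com", "testing.your-domain.com"):
            print(f"{who:9} {q:26} -> {resolve(q, src)}")
    print("records to mirror into the private zone:", mirror_gaps(ZONES, VPC_ID))
```

Running it shows the two paths from the list above (203.0.113.10 from the internet, 10.0.1.55 from the associated VPC) and two behaviours the list does not: testing.your-domain.com is NXDOMAIN from the internet and from a VPC that is not associated, and www.your-domain.com is NXDOMAIN from the associated VPC because the private zone shadows the public one without falling through. `mirror_gaps` is the check to run after every public-zone change so that shadowing never silently breaks internal clients.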