Guide: Understanding and Using Amazon Route 53 Resolver
This guide provides a comprehensive overview of the Amazon Route 53 Resolver service, explaining its default functionality and its advanced capabilities for hybrid cloud DNS, based on the detailed Tutorials Dojo article.
What is the Route 53 Resolver?
The Amazon Route 53 Resolver is the default DNS server that is automatically available in every Amazon VPC. When you launch a resource such as an EC2 instance, it is pre-configured to use the Route 53 Resolver for all of its DNS queries. The resolver is always located at the .2 address of your VPC's primary CIDR block (e.g., `10.0.0.2` for a `10.0.0.0/16` VPC).
Default Capabilities
Out of the box, the Route 53 Resolver can answer DNS queries for:
- Public Domain Names: It recursively looks up public records on the internet (e.g., `www.amazon.com`).
- EC2 Instance Private DNS: It can resolve the private DNS hostnames of EC2 instances within the same VPC (e.g., `ec2-172-16-2-44.compute-1.amazonaws.com`).
- Private Hosted Zones: It can resolve records you've defined in any Route 53 Private Hosted Zone that is associated with the VPC (e.g., `database.mycorp.internal`).
While this is sufficient for cloud-only workloads, the Resolver's true power is unlocked when you extend it to a hybrid environment using Endpoints.
Extending the Resolver for Hybrid Cloud
For environments that span an on-premises data center and an AWS VPC, you need a way to bridge the two DNS systems. Route 53 Resolver Endpoints provide this bridge.
Key Prerequisite: You must have a private network connection between your on-premises network and your VPC, using either AWS Site-to-Site VPN or AWS Direct Connect.
Part 1: The Inbound Flow (On-Premises to AWS)
This flow allows your on-premises servers to resolve domain names that are managed within AWS, such as records in a Private Hosted Zone.
How It Works: The Query Path
1. A client in the on-premises network queries its local DNS server to resolve an AWS-hosted domain (e.g., `private.tutorialsdojo.com`).
2. The on-premises DNS server has a conditional forwarding rule. This rule tells it to forward any queries for that specific domain over the VPN/Direct Connect connection to the IP addresses of the Route 53 Inbound Endpoint.
3. The Inbound Endpoint (a set of network interfaces inside your VPC) receives the query.
4. The endpoint passes the query to the main Route 53 Resolver.
5. The Route 53 Resolver finds the correct IP from its Private Hosted Zone and sends the answer back along the same path.
How to Create an Inbound Endpoint
1. In the Route 53 console, navigate to Resolver > Inbound endpoints.
2. Click Create inbound endpoint.
3. Provide a name, select the VPC, and choose a Security Group that allows inbound DNS traffic (port 53) from your on-premises DNS server IPs.
4. Under IP addresses, specify private IP addresses from your subnets, preferably in at least two different Availability Zones for high availability. These IPs will be the targets for your on-premises DNS forwarder.
5. Click Create.
Part 2: The Outbound Flow (AWS to On-Premises)
This flow allows your EC2 instances inside the VPC to resolve domain names that are managed by your on-premises DNS servers (e.g., `server.onprem.corp`).
How It Works: The Query Path & Resolver Rules
1. An EC2 instance inside the VPC sends a query to resolve an on-premises domain (e.g., `internal.tutorialsdojo.com`).
2. The query automatically goes to the VPC's Route 53 Resolver.
3. The Resolver checks its Resolver Rules and finds a forwarding rule that matches the domain (`internal.tutorialsdojo.com`).
4. This rule instructs the Resolver to forward the query to the Outbound Endpoint.
5. The Outbound Endpoint sends the query over the VPN/Direct Connect connection to the on-premises DNS resolver specified in the rule.
6. The on-premises DNS server resolves the name and returns the answer along the same path.
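As an added example (not code from the Tutorials Dojo article), the following Python models the decision the VPC Resolver makes in the query path above and in Part 1: it derives the .2 resolver address from a VPC CIDR and, for a query name, picks the most specific matching forwarding rule first, then an associated Private Hosted Zone, then public recursion. It goes slightly beyond the text by handling label boundaries, case and trailing dots; the rule domains, private zone names and on-premises target IPs are constructed sample values, and `resolve_path` is an assumed helper, not a Route 53 API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ForwardRule:
    domain: str    # domain name the Resolver rule matches
    targets: list  # on-premises DNS server IPs reached via the Outbound Endpoint

def resolver_address(vpc_cidr: str) -> str:
    """The VPC Resolver listens at the .2 address of the VPC's primary CIDR block."""
    return str(ipaddress.ip_network(vpc_cidr, strict=True).network_address + 2)

def _in_domain(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it (case-insensitive, trailing dot ignored)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def most_specific(qname: str, domains):
    """Of the domains covering qname, return the one with the most labels (None if no match)."""
    hits = [d for d in domains if _in_domain(qname, d)]
    return max(hits, key=lambda d: d.count("."), default=None)

def resolve_path(qname: str, rules, private_zones):
    """Decide how the VPC Resolver handles qname, in the order the guide describes:
    ("forward", targets) if a Resolver rule matches (most specific rule domain wins, query
    leaves via the Outbound Endpoint); ("private-hosted-zone", zone) if an associated
    Private Hosted Zone covers it; otherwise ("public", None) for recursive internet lookup."""
    by_domain = {r.domain: r for r in rules}
    rule_domain = most_specific(qname, by_domain)
    if rule_domain is not None:
        return ("forward", by_domain[rule_domain].targets)
    zone = most_specific(qname, private_zones)
    if zone is not None:
        return ("private-hosted-zone", zone)
    return ("public", None)

# Constructed sample configuration; the target IPs and zone names are illustrative.
SAMPLE_RULES = [
    ForwardRule("internal.tutorialsdojo.com", ["192.168.10.53", "192.168.11.53"]),
    ForwardRule("hr.internal.tutorialsdojo.com", ["192.168.20.53"]),  # narrower rule wins for hr.*
]
SAMPLE_PRIVATE_ZONES = ["private.tutorialsdojo.com", "mycorp.internal"]

if __name__ == "__main__":
    print("Resolver address for 10.0.0.0/16:", resolver_address("10.0.0.0/16"))
    for name in ("payroll.hr.internal.tutorialsdojo.com", "database.mycorp.internal", "www.amazon.com"):
        print(name, "->", resolve_path(name, SAMPLE_RULES, SAMPLE_PRIVATE_ZONES))
```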
How to Create an Outbound Endpoint and Rule
1. Create the Endpoint:
   - In the Route 53 console, navigate to Resolver > Outbound endpoints.
   - Click Create outbound endpoint.
   - Provide a name, select the VPC, and choose a Security Group that allows outbound DNS traffic to your on-premises DNS server IPs.
   - Select subnets in at least two Availability Zones. Route 53 places network interfaces in these subnets and sends the forwarded queries from them.
2. Create the Rule:
   - Navigate to Resolver > Rules.
   - Click Create rule.
   - Provide a name and choose Forward as the rule type.
   - For Domain name, enter the domain you want to forward (e.g., `internal.tutorialsdojo.com`).
   - Associate the rule with the VPC that will be using it.
   - Select the Outbound endpoint you just created.
   - Under Target IP addresses, enter the IP addresses of your on-premises DNS servers.
   - Click Submit.