AWS Route53 sandbox

DNS works on port 53, hence the name Route 53.

In a VPC, AWS reserves the network range +2 address (e.g. 10.0.0.2 in 10.0.0.0/16) for the Amazon-provided DNS server (Route 53 Resolver); it also answers at 169.254.169.253. This address is only reachable from inside that VPC, which is why endpoints exist for hybrid setups.

What are R53 resolvers?

Inbound endpoint
ENIs with private IPs inside a VPC. On-prem resolvers forward queries for AWS-hosted names (private hosted zones) to these IPs; the endpoint hands them to that VPC's Amazon DNS server, so the VPC CIDR +2 resolver effectively becomes reachable from outside the VPC.

Outbound endpoint
ENIs through which Resolver forwards queries from AWS workloads to on-prem DNS servers (or any other resolver reachable from the VPC).

Forwarding rules (domain name -> target IP:port) are attached to an outbound endpoint and associated with the VPCs whose queries they should apply to. The inbound endpoint has no rules; it only passes queries to the VPC's Amazon DNS.

Limit - each endpoint IP address (ENI) handles up to 10,000 queries per second; add IP addresses to the endpoint, spread across AZs, to scale. Beyond that, run your own DNS on EC2 and forward to it. EC2-based DNS needs network reachability from the other VPCs, e.g. VPC peering.

(diagram: centralized-dns-in-hybrid-environment)

  1. DNS-VPC: the hub VPC whose Amazon DNS server (IP - VPC CIDR +2) answers for all private hosted zones.
  2. Resolver Endpoints (EP) in DNS-VPC - one Inbound, one Outbound.
  3. R53 Resolver rules, attached to the Outbound EP:
    1. awscloud.private - forwards queries for this domain to the Inbound EP IPs of DNS-VPC; the Inbound EP passes them to DNS-VPC's Amazon DNS server, which answers from the private hosted zones associated with DNS-VPC.
    2. onprem.private - forwards queries for this domain to the on-prem DNS servers.
  4. R53 Resolver > Rules are shared with all Org accounts using [[AWS Resource Access Manager]]; each account associates the shared rules with its own VPCs.
  5. Each account owns a private hosted zone for its own sub-domain of awscloud.private and associates that zone with DNS-VPC (cross-account association, CLI only - see below).
  6. On-prem DNS server with conditional forwarders that send awscloud.private queries to the Inbound EP IPs of DNS-VPC.

No VPC peering is necessary in this setup!

WARNING If using PrivateLink interface endpoints (private DNS enabled) or EFS, the service's private hosted zone is associated with the local VPC only. A forwarding rule that covers the same names (e.g. a broad rule for amazonaws.com) would send those queries to the central DNS server, where the zone is not associated, and resolution fails. Resolver applies the most specific matching rule, so add a SYSTEM rule for the endpoint's domain in the affected VPCs to keep it resolving locally via the VPC's Amazon DNS. #todo expand on this with example
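The steps above (endpoints, forwarding rules, RAM share, rule association) plus the SYSTEM-rule override from the WARNING, as an added AWS CLI example. This is not code from AWS or from the original notes; every region, subnet, security group, IP, rule/endpoint ID and org ARN is a placeholder, and the functions are meant to be run with credentials for the DNS-VPC (hub) account, except associate_rule which each spoke account runs for its own VPCs.

```shell
#!/bin/sh
# Added example: central hybrid DNS with Route 53 Resolver via the AWS CLI.
# Every ID, IP, subnet/SG, account and org value here is a placeholder.
set -eu
REGION=${REGION:-us-east-1}

# Step 2: one endpoint per direction in DNS-VPC, two subnets in different AZs.
# Each ENI handles up to 10k QPS; add subnets/IPs to scale. Prints the endpoint ID.
create_resolver_endpoint() { # DIRECTION(INBOUND|OUTBOUND) SG_ID SUBNET_A SUBNET_B
  aws route53resolver create-resolver-endpoint --region "$REGION" \
    --creator-request-id "dns-vpc-$1-$(date +%s)" \
    --name "dns-vpc-$1" --direction "$1" \
    --security-group-ids "$2" \
    --ip-addresses SubnetId="$3" SubnetId="$4" \
    --query ResolverEndpoint.Id --output text
}

# Step 3: FORWARD rules attach to the outbound endpoint; remaining args are target IPs.
# For awscloud.private the targets are the inbound endpoint IPs of DNS-VPC;
# for onprem.private they are the on-prem DNS servers. Prints the rule ID.
create_forward_rule() { # DOMAIN OUTBOUND_EP_ID TARGET_IP...
  domain=$1; ep_id=$2; shift 2
  targets=""
  for ip in "$@"; do targets="$targets Ip=$ip,Port=53"; done
  # shellcheck disable=SC2086  # word splitting of $targets is intended
  aws route53resolver create-resolver-rule --region "$REGION" \
    --creator-request-id "fwd-$domain-$(date +%s)" \
    --name "fwd-$domain" --rule-type FORWARD --domain-name "$domain" \
    --target-ips $targets --resolver-endpoint-id "$ep_id" \
    --query ResolverRule.Id --output text
}

# WARNING fix: a SYSTEM rule makes Resolver answer DOMAIN from the VPC's own
# Amazon DNS (local private hosted zones), beating any broader FORWARD rule
# because the most specific domain wins. No endpoint or targets are needed.
create_system_rule() { # DOMAIN
  aws route53resolver create-resolver-rule --region "$REGION" \
    --creator-request-id "sys-$1-$(date +%s)" \
    --name "local-$1" --rule-type SYSTEM --domain-name "$1" \
    --query ResolverRule.Id --output text
}

# Step 4: share the rules org-wide with RAM (sharing with AWS Organizations
# must be enabled in RAM first). Rule ARN form:
# arn:aws:route53resolver:REGION:ACCOUNT:resolver-rule/rslvr-rr-...
share_rules_with_org() { # ORG_ARN RULE_ARN...
  org_arn=$1; shift
  aws ram create-resource-share --region "$REGION" --name central-dns-rules \
    --principals "$org_arn" --resource-arns "$@"
}

# Each account associates the shared (or its own SYSTEM) rules with its VPCs.
associate_rule() { # RULE_ID VPC_ID
  aws route53resolver associate-resolver-rule --region "$REGION" \
    --resolver-rule-id "$1" --vpc-id "$2" --name "$1-$2"
}

# Example wiring in the DNS-VPC account (placeholders throughout):
#   OUT_EP=$(create_resolver_endpoint OUTBOUND sg-0123 subnet-aaa subnet-bbb)
#   IN_EP=$(create_resolver_endpoint INBOUND  sg-0123 subnet-aaa subnet-bbb)
#   aws route53resolver list-resolver-endpoint-ip-addresses --resolver-endpoint-id "$IN_EP"
#   create_forward_rule awscloud.private "$OUT_EP" 10.0.1.10 10.0.2.10    # inbound EP IPs
#   create_forward_rule onprem.private   "$OUT_EP" 10.10.0.53 10.10.1.53  # on-prem DNS
#   create_system_rule efs.us-east-1.amazonaws.com                         # keep EFS local
```

The inbound endpoint IPs are only known after creation, which is why the awscloud.private rule is created last and fed the listed IPs; the security group on both endpoints must allow UDP/TCP 53 from the on-prem resolvers (inbound) and to the targets (outbound).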

(diagram: centralized-dns-in-hybrid-environment-2)

To associate a VPC with a private hosted zone created in a different account, use the AWS CLI (or API/SDK); it is not possible via the console. The zone owner must first authorise the specific VPC, then the VPC owner performs the association.
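The cross-account association as an added AWS CLI example (not the original notes' or AWS's code). It assumes two named CLI profiles, one with credentials in the zone-owning account and one in the VPC-owning account; the zone ID, region and VPC ID are placeholders passed as arguments. In the hub design above the zone owner is a spoke account and the VPC is DNS-VPC, but the function is direction-agnostic.

```shell
#!/bin/sh
# Added example: associate a VPC owned by one account with a private hosted zone
# owned by another. The console cannot do this; this three-step CLI flow can.
# Profiles, zone ID, region and VPC ID are placeholders passed as arguments.
set -eu

associate_cross_account_zone() { # ZONE_PROFILE VPC_PROFILE HOSTED_ZONE_ID REGION VPC_ID
  zone_profile=$1; vpc_profile=$2; zone_id=$3; vpc_spec="VPCRegion=$4,VPCId=$5"

  # 1. Zone owner authorises exactly this VPC (authorisations are per VPC).
  aws --profile "$zone_profile" route53 create-vpc-association-authorization \
    --hosted-zone-id "$zone_id" --vpc "$vpc_spec"

  # 2. VPC owner performs the association. Its principal needs
  #    route53:AssociateVPCWithHostedZone and ec2:DescribeVpcs.
  aws --profile "$vpc_profile" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$zone_id" --vpc "$vpc_spec" \
    --comment "cross-account association"

  # 3. Zone owner deletes the standing authorisation so it cannot be reused;
  #    the association itself is unaffected.
  aws --profile "$zone_profile" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$zone_id" --vpc "$vpc_spec"

  # Verify: the VPC now appears in the zone's association list.
  aws --profile "$zone_profile" route53 get-hosted-zone \
    --hosted-zone-id "$zone_id" --query VPCs --output table
}

# Usage (placeholders):
#   associate_cross_account_zone spoke-acct dns-acct Z0123456789ABC us-east-1 vpc-0abc123
```

Step 3 is the part people skip: an open authorisation lets the other account re-associate the VPC at any time, so revoke it once the association exists.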

Delegating responsibility for a subdomain
You cannot create NS records in a private hosted zone to delegate responsibility for a subdomain. #question

Routing Policies

Simple - one record set, no health checks; all values are returned.
Failover - for active-passive setups; fails over to the healthy (secondary) resource.
Geolocation - based on the location the user's query comes from.
Geoproximity - based on the location of the resources, with a bias to grow or shrink each resource's area.
Latency - routes to the region with the lowest measured latency for the user.
IP-based - based on the client's IP address (CIDR blocks you define).
Multivalue answer - returns up to 8 healthy records, chosen at random.
Weighted - splits traffic by weight (0-255) across records that share a name. A similar effect is possible with weighted target groups on an ALB listener rule, one target group per weight. The ALB approach is preferred when session stickiness is also needed.
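Weighted routing as an added AWS CLI example (not from the original notes): a blue/green pair of A records with the same name, distinguished by SetIdentifier and Weight, applied with change-resource-record-sets and waited on until INSYNC. Zone ID, record name and IPs are placeholders.

```shell
#!/bin/sh
# Added example: weighted routing with change-resource-record-sets.
# Zone ID, name and IPs are placeholders. Weighted records share Name/Type and
# differ by SetIdentifier; each gets Weight/sum(Weights) of the traffic, and
# Weight 0 drains a record unless every record is 0 (then they are equal).
set -eu

weighted_change_batch() { # NAME TTL BLUE_IP BLUE_WEIGHT GREEN_IP GREEN_WEIGHT
  cat <<EOF
{
  "Comment": "weighted blue/green for $1",
  "Changes": [
    { "Action": "UPSERT", "ResourceRecordSet": {
        "Name": "$1", "Type": "A", "TTL": $2,
        "SetIdentifier": "blue", "Weight": $4,
        "ResourceRecords": [ { "Value": "$3" } ] } },
    { "Action": "UPSERT", "ResourceRecordSet": {
        "Name": "$1", "Type": "A", "TTL": $2,
        "SetIdentifier": "green", "Weight": $6,
        "ResourceRecords": [ { "Value": "$5" } ] } }
  ]
}
EOF
}

# Apply the batch and block until the change is INSYNC on all name servers.
set_weights() { # HOSTED_ZONE_ID NAME TTL BLUE_IP BLUE_WEIGHT GREEN_IP GREEN_WEIGHT
  zone_id=$1; shift
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(weighted_change_batch "$@")" \
    --query ChangeInfo.Id --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id"
}

# Canary then cut over (placeholders): a low TTL keeps the shift quick.
#   set_weights Z0123456789ABC app.awscloud.private 60 10.0.1.10 90 10.0.2.10 10
#   set_weights Z0123456789ABC app.awscloud.private 60 10.0.1.10 0  10.0.2.10 100
```

Adding HealthCheckId to each record set makes Route 53 skip unhealthy weights, but for private IPs in a private hosted zone the public health checkers cannot reach the target; use a CloudWatch-alarm-based health check there.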

Records

An alias record can target another record only within the same hosted zone; it cannot point to a record in a different hosted zone. Aliases to AWS resources (ELB, CloudFront, S3 website endpoints, etc.) are a separate case and are not restricted this way.

DNS failover, active-active: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-types.html#dns-failover-types-active-active

References