AWS DNS and Domain Management

Complete Certification Guide

1. DNS Protocol Fundamentals

DNS Architecture Overview

graph TD
    A[Client/Browser] -->|1. DNS Query| B[Local DNS Resolver]
    B -->|2. Recursive Query| C[Root DNS Server]
    C -->|3. Referral to TLD| D[TLD DNS Server .com]
    D -->|4. Referral to Authoritative| E[Authoritative DNS Server]
    E -->|5. DNS Response| D
    D -->|6. DNS Response| C
    C -->|7. DNS Response| B
    B -->|8. DNS Response + Cache| A
    F[DNS Cache] -.->|TTL Expiry| B
    G[DNSSEC Validation] -.->|Security| E
    style A fill:#3498db,stroke:#2980b9,color:#fff
    style E fill:#e74c3c,stroke:#c0392b,color:#fff
    style F fill:#f39c12,stroke:#e67e22,color:#fff
    style G fill:#27ae60,stroke:#229954,color:#fff

DNS Resolution Flow Explanation:

Step 1-2: Client initiates DNS query to local resolver (typically ISP or configured DNS server like 8.8.8.8)

Step 3-4: Resolver performs recursive lookup starting with root servers, then TLD servers

Step 5-8: Authoritative server responds with actual IP address, response travels back through the chain

Caching: Each level caches responses based on TTL to reduce future query time

DNSSEC: Provides cryptographic validation to prevent DNS spoofing attacks

DNS Record Types

graph LR
    A[DNS Zone: example.com] --> B[A Record<br/>example.com → 192.168.1.1]
    A --> C[AAAA Record<br/>example.com → 2001:db8::1]
    A --> D[CNAME Record<br/>www.example.com → example.com]
    A --> E[MX Record<br/>Priority: 10<br/>mail.example.com]
    A --> F[TXT Record<br/>SPF, DKIM, Verification]
    A --> G[NS Record<br/>ns1.example.com<br/>ns2.example.com]
    A --> H[PTR Record<br/>Reverse DNS Lookup]
    A --> I[SRV Record<br/>_service._protocol.domain]
    style A fill:#2c3e50,stroke:#34495e,color:#fff
    style B fill:#3498db,stroke:#2980b9,color:#fff
    style C fill:#9b59b6,stroke:#8e44ad,color:#fff
    style D fill:#e74c3c,stroke:#c0392b,color:#fff
    style E fill:#f39c12,stroke:#e67e22,color:#fff

DNS Record Types Explained:

A Record: Maps domain name to IPv4 address (most common)

AAAA Record: Maps domain name to IPv6 address

CNAME Record: Creates alias pointing to another domain name

MX Record: Specifies mail servers with priority values

TXT Record: Stores text data for verification, SPF, DKIM policies

NS Record: Delegates subdomain to other name servers

PTR Record: Reverse DNS lookup (IP to domain name)

SRV Record: Specifies service location with port and priority

2. Route 53 Core Features

Route 53 Service Architecture

graph TB
    A[Route 53 Console/API] --> B[Hosted Zones]
    B --> C[Public Hosted Zone]
    B --> D[Private Hosted Zone]
    C --> E[DNS Records]
    D --> F[VPC Association]
    A --> G[Health Checks]
    G --> H[HTTP/HTTPS Endpoints]
    G --> I[TCP Connections]
    G --> J[Calculated Health Checks]
    A --> K[Traffic Policies]
    K --> L[Geolocation Routing]
    K --> M[Latency-based Routing]
    K --> N[Weighted Routing]
    K --> O[Failover Routing]
    A --> P[Resolver]
    P --> Q[Inbound Endpoints]
    P --> R[Outbound Endpoints]
    P --> S[Rules & Forwarding]
    style A fill:#ff6b6b,stroke:#ee5a52,color:#fff
    style C fill:#4ecdc4,stroke:#45b7aa,color:#fff
    style D fill:#45b7d1,stroke:#3a9bc1,color:#fff
    style G fill:#96ceb4,stroke:#85c1a3,color:#fff
    style K fill:#ffeaa7,stroke:#fdcb6e,color:#000
    style P fill:#dda0dd,stroke:#d8bfd8,color:#000

Route 53 Architecture Components:

Hosted Zones: Container for DNS records for a domain

Public Hosted Zone: Responds to DNS queries from the internet

Private Hosted Zone: Responds to DNS queries from within associated VPCs

Health Checks: Monitor endpoint health for routing decisions

Traffic Policies: Complex routing configurations with visual editor

Resolver: Hybrid DNS solution connecting on-premises and AWS

Route 53 Routing Policies

graph TD
    A[DNS Query: api.example.com] --> B{Routing Policy}
    B -->|Simple| C[Single IP Address<br/>192.168.1.100]
    B -->|Weighted| D[Weight-based Distribution]
    D --> D1[Server A: 70%<br/>192.168.1.100]
    D --> D2[Server B: 30%<br/>192.168.1.101]
    B -->|Latency-based| E[Lowest Latency Target]
    E --> E1[US-East-1<br/>192.168.1.100]
    E --> E2[EU-West-1<br/>192.168.2.100]
    B -->|Failover| F[Primary/Secondary]
    F --> F1[Primary: Healthy<br/>192.168.1.100]
    F --> F2[Secondary: Standby<br/>192.168.1.101]
    B -->|Geolocation| G[Geographic Routing]
    G --> G1[North America<br/>192.168.1.100]
    G --> G2[Europe<br/>192.168.2.100]
    G --> G3[Default<br/>192.168.3.100]
    B -->|Multivalue| H[Multiple IPs with Health Checks]
    H --> H1[192.168.1.100 ✓]
    H --> H2[192.168.1.101 ✓]
    H --> H3[192.168.1.102 ✗]
    style A fill:#3498db,stroke:#2980b9,color:#fff
    style B fill:#e74c3c,stroke:#c0392b,color:#fff
    style F1 fill:#27ae60,stroke:#229954,color:#fff
    style F2 fill:#f39c12,stroke:#e67e22,color:#000
    style H3 fill:#95a5a6,stroke:#7f8c8d,color:#fff

Route 53 Routing Policies Explained:

Simple: Single resource record with one or more IP addresses

Weighted: Distribute traffic based on assigned weights (A/B testing, gradual deployments)

Latency-based: Route to resource with lowest latency from user's location

Failover: Active-passive failover with health check monitoring

Geolocation: Route based on user's geographic location

Multivalue: Return multiple IP addresses with health checks (simple load balancing)

3. AWS CLI Commands and Configuration

Command Execution Flow

graph TD
    A[1. Create Hosted Zone] --> B[2. Create Health Checks]
    B --> C[3. Create DNS Records]
    C --> D[4. Associate with VPC<br/>Private Zone Only]
    D --> E[5. Configure Resolver<br/>Hybrid DNS]
    E --> F[6. Set up Traffic Policies]
    F --> G[7. Monitor and Log]
    H[Domain Registration] -.->|Optional| A
    I[Certificate Manager] -.->|SSL/TLS| C
    J[CloudWatch] -.->|Monitoring| G
    style A fill:#e74c3c,stroke:#c0392b,color:#fff
    style B fill:#f39c12,stroke:#e67e22,color:#fff
    style C fill:#f1c40f,stroke:#f39c12,color:#000
    style D fill:#2ecc71,stroke:#27ae60,color:#fff
    style E fill:#3498db,stroke:#2980b9,color:#fff
    style F fill:#9b59b6,stroke:#8e44ad,color:#fff
    style G fill:#1abc9c,stroke:#16a085,color:#fff

AWS CLI Command Execution Order:

Step 1: Create hosted zone first - this is the foundation

Step 2: Set up health checks before creating records that depend on them

Step 3: Create DNS records with appropriate routing policies

Step 4: For private zones, associate with VPCs

Step 5: Configure Route 53 Resolver for hybrid scenarios

Step 6: Implement complex traffic policies if needed

Step 7: Enable logging and monitoring

1. Creating a Public Hosted Zone

aws route53 create-hosted-zone \
    --name "example.com" \
    --caller-reference "$(date +%s)" \
    --hosted-zone-config Comment="Public hosted zone for example.com",PrivateZone=false

Parameters Explained:

--name: The domain name for the hosted zone (must be a valid DNS name)

--caller-reference: Unique string to prevent duplicate requests (using timestamp)

--hosted-zone-config: Additional configuration options

Comment: Description for the hosted zone (optional but recommended)

PrivateZone: Set to false for public zones, true for private zones

What this creates: A public hosted zone that can respond to DNS queries from anywhere on the internet. AWS automatically creates NS and SOA records. You'll receive 4 name servers that you need to configure with your domain registrar.

2. Creating a Private Hosted Zone

aws route53 create-hosted-zone \
    --name "internal.company.com" \
    --caller-reference "private-$(date +%s)" \
    --vpc VPCRegion=us-east-1,VPCId=vpc-12345678 \
    --hosted-zone-config Comment="Private hosted zone for internal services",PrivateZone=true

Private Zone Specific Parameters:

--vpc: Specifies the VPC to associate with this private hosted zone

VPCRegion: AWS region where the VPC is located

VPCId: The ID of the VPC to associate

PrivateZone=true: Makes this zone only accessible from associated VPCs

What this creates: A private hosted zone that only responds to DNS queries from within the specified VPC. Perfect for internal service discovery and private domain names that shouldn't be accessible from the internet.

3. Creating Health Checks

aws route53 create-health-check \
    --caller-reference "health-check-$(date +%s)" \
    --health-check-config Type=HTTP,ResourcePath="/health",FullyQualifiedDomainName="api.example.com",Port=80,RequestInterval=30,FailureThreshold=3

Health Check Parameters:

Type: HTTP, HTTPS, HTTP_STR_MATCH, HTTPS_STR_MATCH, TCP, CALCULATED, CLOUDWATCH_METRIC

ResourcePath: Path to check on the target server

FullyQualifiedDomainName: Domain name or IP address to check

Port: Port number to connect to (80 for HTTP, 443 for HTTPS)

RequestInterval: 10 or 30 seconds between checks

FailureThreshold: Number of consecutive failures before marking unhealthy (1-10)

What this creates: A health check that monitors your endpoint every 30 seconds. If 3 consecutive checks fail, the endpoint is marked unhealthy and DNS will route traffic away from it.

4. Creating DNS Records with Different Routing Policies

A. Simple Routing Record

aws route53 change-resource-record-sets \
    --hosted-zone-id Z123456789 \
    --change-batch '{
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "www.example.com",
                "Type": "A",
                "TTL": 300,
                "ResourceRecords": [{"Value": "192.168.1.100"}]
            }
        }]
    }'

Simple Record Parameters:

Action: CREATE, UPSERT, or DELETE

Name: The DNS name for this record

Type: A, AAAA, CNAME, MX, TXT, NS, PTR, SRV

TTL: Time to live in seconds (how long to cache)

ResourceRecords: Array of values for this record

B. Weighted Routing Record

aws route53 change-resource-record-sets \
    --hosted-zone-id Z123456789 \
    --change-batch '{
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "api.example.com",
                "Type": "A",
                "SetIdentifier": "server-a-70-percent",
                "Weight": 70,
                "TTL": 60,
                "ResourceRecords": [{"Value": "192.168.1.100"}],
                "HealthCheckId": "abc123def456"
            }
        }]
    }'

Weighted Routing Parameters:

SetIdentifier: Unique identifier for this record set

Weight: Relative weight (0-255), higher weight = more traffic

HealthCheckId: Optional health check to associate with this record

Lower TTL: Recommended for weighted routing to enable faster traffic shifts

C. Latency-based Routing Record

aws route53 change-resource-record-sets \
    --hosted-zone-id Z123456789 \
    --change-batch '{
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "api.example.com",
                "Type": "A",
                "SetIdentifier": "us-east-1-server",
                "Region": "us-east-1",
                "TTL": 60,
                "ResourceRecords": [{"Value": "192.168.1.100"}],
                "HealthCheckId": "abc123def456"
            }
        }]
    }'

Latency-based Routing Parameters:

Region: AWS region where this resource is located

SetIdentifier: Unique identifier for this record in the latency set

Latency measurement: Route 53 measures latency between users and AWS regions and routes to the region with the lowest latency

D. Failover Routing Record (Primary)

aws route53 change-resource-record-sets \
    --hosted-zone-id Z123456789 \
    --change-batch '{
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "api.example.com",
                "Type": "A",
                "SetIdentifier": "primary-server",
                "Failover": "PRIMARY",
                "TTL": 60,
                "ResourceRecords": [{"Value": "192.168.1.100"}],
                "HealthCheckId": "primary-health-check"
            }
        }]
    }'

Failover Routing Parameters:

Failover: PRIMARY or SECONDARY

Primary must have health check: Required to determine when to fail over

Secondary health check is optional: The secondary can also have a health check for better reliability

Active-Passive setup: Traffic goes to primary unless unhealthy
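
An added example, not part of the original guide or of AWS tooling: a pre-flight check in Python that applies the parameter rules listed above for weighted, latency-based and failover records to a change batch before it is passed to change-resource-record-sets. The names lint_change_batch and _record, and the sample batch, are assumptions constructed for illustration.

```python
ROUTING_KEYS = ("Weight", "Region", "Failover")  # a record carries at most one of these


def lint_change_batch(batch):
    """Return findings for a change batch dict before it is sent to Route 53."""
    findings, seen = [], set()
    for i, change in enumerate(batch.get("Changes", [])):
        rrset = change.get("ResourceRecordSet", {})
        name, rtype = rrset.get("Name", "?"), rrset.get("Type", "?")
        where = f"change {i} ({name} {rtype})"
        policies = [k for k in ROUTING_KEYS if k in rrset]
        set_id = rrset.get("SetIdentifier")

        if len(policies) > 1:
            findings.append(f"{where}: mixes routing policies {policies}")
        if policies and not set_id:
            findings.append(f"{where}: {policies[0]} record has no SetIdentifier")
        if set_id:
            # SetIdentifier must be unique among records sharing a name and type.
            key = (name.rstrip(".").lower(), rtype, set_id)
            if key in seen:
                findings.append(f"{where}: duplicate SetIdentifier {set_id!r}")
            seen.add(key)

        weight = rrset.get("Weight")
        if "Weight" in rrset and not (type(weight) is int and 0 <= weight <= 255):
            findings.append(f"{where}: Weight {weight!r} outside 0-255")

        role = rrset.get("Failover")
        if "Failover" in rrset and role not in ("PRIMARY", "SECONDARY"):
            findings.append(f"{where}: Failover must be PRIMARY or SECONDARY")
        # Assumption: alias records are not checked; the guide's records are plain A records.
        if role == "PRIMARY" and "AliasTarget" not in rrset and not rrset.get("HealthCheckId"):
            findings.append(f"{where}: PRIMARY record has no HealthCheckId")
    return findings


def _record(name, **extra):
    """Build one CREATE change for a plain A record (helper for the sample only)."""
    rrset = {"Name": name, "Type": "A", "TTL": 60,
             "ResourceRecords": [{"Value": "192.168.1.100"}]}
    rrset.update(extra)
    return {"Action": "CREATE", "ResourceRecordSet": rrset}


# Constructed sample: the first change mirrors the weighted record above,
# the other three each break one of the listed rules.
SAMPLE_BATCH = {"Changes": [
    _record("api.example.com", SetIdentifier="server-a-70-percent",
            Weight=70, HealthCheckId="abc123def456"),
    _record("api.example.com", SetIdentifier="server-a-70-percent", Weight=300),
    _record("app.example.com", SetIdentifier="primary-server", Failover="PRIMARY"),
    _record("geo.example.com", Region="us-east-1"),
]}

if __name__ == "__main__":
    for finding in lint_change_batch(SAMPLE_BATCH):
        print(finding)
```

Running the check in CI against the JSON file passed to --change-batch catches a failover primary without a health check before the record goes live.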

5. VPC Association for Private Zones

aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id Z123456789 \
    --vpc VPCRegion=us-west-2,VPCId=vpc-87654321 \
    --comment "Adding additional VPC to private hosted zone"

VPC Association Parameters:

--hosted-zone-id: ID of the private hosted zone

VPCRegion: Region of the VPC to associate

VPCId: ID of the VPC to associate

--comment: Optional description of this association

What this does: Associates an additional VPC with an existing private hosted zone. Resources in this VPC can now resolve DNS names in the private zone. You can associate up to 100 VPCs with a single private hosted zone.

6. Route 53 Resolver Configuration

A. Create Inbound Resolver Endpoint

aws route53resolver create-resolver-endpoint \
    --creator-request-id "inbound-$(date +%s)" \
    --security-group-ids sg-12345678 \
    --direction INBOUND \
    --ip-addresses SubnetId=subnet-12345678,Ip=10.0.1.100 SubnetId=subnet-87654321,Ip=10.0.2.100 \
    --name "Corporate-Inbound-Endpoint" \
    --tags Key=Environment,Value=Production Key=Purpose,Value=HybridDNS

Inbound Endpoint Parameters:

--direction INBOUND: Allows on-premises to query AWS DNS

--security-group-ids: Security groups allowing DNS traffic (port 53)

--ip-addresses: Minimum 2 IPs in different AZs for high availability

SubnetId: Subnet where the resolver endpoint IP will be placed

Ip: Optional specific IP address (must be in subnet range)

B. Create Outbound Resolver Endpoint

aws route53resolver create-resolver-endpoint \
    --creator-request-id "outbound-$(date +%s)" \
    --security-group-ids sg-12345678 \
    --direction OUTBOUND \
    --ip-addresses SubnetId=subnet-12345678 SubnetId=subnet-87654321 \
    --name "Corporate-Outbound-Endpoint"

Outbound Endpoint Parameters:

--direction OUTBOUND: Allows AWS resources to query on-premises DNS

Security groups: Must allow outbound DNS traffic to on-premises servers

High availability: Multiple AZs ensure continued operation during AZ failure

C. Create Resolver Rule

aws route53resolver create-resolver-rule \
    --creator-request-id "rule-$(date +%s)" \
    --rule-type FORWARD \
    --domain-name "corp.company.com" \
    --resolver-endpoint-id rslvr-out-abc123def456 \
    --target-ips Ip=192.168.100.10,Port=53 Ip=192.168.100.11,Port=53 \
    --name "Corporate-Domain-Forwarding"

Resolver Rule Parameters:

--rule-type: FORWARD (to on-premises) or SYSTEM (use Route 53)

--domain-name: Domain to forward (can use wildcards like *.corp.company.com)

--resolver-endpoint-id: Outbound endpoint to use for forwarding

--target-ips: On-premises DNS servers (minimum 1, maximum 6)

Port: Usually 53, but can specify different ports if needed

D. Associate Resolver Rule with VPC

aws route53resolver associate-resolver-rule \
    --resolver-rule-id rslvr-rr-abc123def456 \
    --vpc-id vpc-12345678 \
    --name "Corp-Domain-Rule-Association"

Rule Association Parameters:

--resolver-rule-id: ID of the rule to associate

--vpc-id: VPC where this rule should apply

Propagation: Rules can be shared across accounts and regions

4. Hybrid DNS Architecture

graph TB
    subgraph "On-Premises Network"
        A[On-Premises DNS Server<br/>192.168.100.10]
        B[Corporate Applications<br/>app.corp.company.com]
        C[On-Premises Clients]
    end
    subgraph "AWS VPC"
        D[Route 53 Resolver<br/>Inbound Endpoint<br/>10.0.1.100]
        E[Route 53 Resolver<br/>Outbound Endpoint<br/>10.0.2.100]
        F[EC2 Instances]
        G[Private Hosted Zone<br/>aws.company.com]
    end
    subgraph "Route 53 Public"
        H[Public Hosted Zone<br/>company.com]
        I[Internet DNS Queries]
    end
    C -->|Query: service.aws.company.com| A
    A -->|Forward to AWS| D
    D -->|Resolve via| G
    F -->|Query: app.corp.company.com| E
    E -->|Forward to On-Premises| A
    A -->|Resolve locally| B
    I -->|Query: www.company.com| H
    J[VPN/Direct Connect] -.->|Secure Connection| D
    J -.->|Secure Connection| E
    style A fill:#ff6b6b,stroke:#ee5a52,color:#fff
    style D fill:#4ecdc4,stroke:#45b7aa,color:#fff
    style E fill:#45b7d1,stroke:#3a9bc1,color:#fff
    style G fill:#96ceb4,stroke:#85c1a3,color:#fff
    style H fill:#ffeaa7,stroke:#fdcb6e,color:#000

Hybrid DNS Architecture Explained:

Inbound Resolution: On-premises clients can resolve AWS private DNS names

Outbound Resolution: AWS resources can resolve on-premises DNS names

Conditional Forwarding: Each environment forwards specific domains to the other

Security: DNS traffic flows over VPN or Direct Connect

High Availability: Multiple resolver endpoints across AZs

5. DNS Security and Monitoring

DNSSEC Configuration

aws route53 enable-hosted-zone-dnssec \
    --hosted-zone-id Z123456789

DNSSEC Parameters:

Cryptographic signing: Route 53 automatically manages key generation and rotation

Chain of trust: Must configure DS records with parent zone

Validation: Clients can verify DNS responses haven't been tampered with

DNS Query Logging

aws route53 create-query-logging-config \
    --hosted-zone-id Z123456789 \
    --cloud-watch-logs-log-group-arn "arn:aws:logs:us-east-1:123456789012:log-group:route53-queries"

Query Logging Parameters:

CloudWatch integration: All DNS queries logged to CloudWatch Logs

Log format: Includes timestamp, query name, type, response code, edge location

Analysis: Can analyze patterns, detect anomalies, troubleshoot issues
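
One way to act on the anomaly-detection point above, as an added example that is not from the original guide: a Python pass over query log lines that flags resolvers whose queries mostly end in NXDOMAIN, a pattern worth alerting on because it matches subdomain enumeration and random-subdomain floods. It assumes the space-separated public hosted zone log layout (version, timestamp, zone ID, query name, type, response code, protocol, edge location, resolver IP, EDNS client subnet); the thresholds, function names and sample lines are constructed.

```python
from collections import defaultdict

# Assumed field order of one public hosted zone query log line.
FIELDS = ("version", "timestamp", "zone_id", "qname", "qtype",
          "rcode", "protocol", "edge", "resolver_ip", "client_subnet")


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def nxdomain_suspects(lines, min_queries=5, min_ratio=0.8):
    """Return (suspects, skipped): resolvers with a high NXDOMAIN share.

    min_queries and min_ratio are illustrative thresholds, tune them per zone.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep count so truncated logs are visible
            continue
        entry = stats[rec["resolver_ip"]]
        entry["total"] += 1
        entry["names"].add(rec["qname"].lower())
        if rec["rcode"] == "NXDOMAIN":
            entry["nx"] += 1

    suspects = []
    for ip, entry in sorted(stats.items()):
        ratio = entry["nx"] / entry["total"]
        if entry["total"] >= min_queries and ratio >= min_ratio:
            suspects.append({
                "resolver_ip": ip,
                "queries": entry["total"],
                "nxdomain_ratio": round(ratio, 2),
                "distinct_names": len(entry["names"]),
            })
    return suspects, skipped


# Constructed sample log lines (documentation IP ranges, made-up labels).
SAMPLE_LOG = [
    "1.0 2024-05-01T10:00:00Z Z123456789 www.example.com A NOERROR UDP FRA6 192.0.2.10 -",
    "1.0 2024-05-01T10:00:01Z Z123456789 api.example.com A NOERROR UDP FRA6 192.0.2.10 -",
    "1.0 2024-05-01T10:00:02Z Z123456789 www.example.com AAAA NOERROR TCP FRA6 192.0.2.10 -",
    "1.0 2024-05-01T10:00:09Z Z123456789 www.example.com A NOERROR UDP IAD12 198.51.100.7 -",
    "truncated line",
] + [
    f"1.0 2024-05-01T10:00:1{i}Z Z123456789 {label}.example.com A NXDOMAIN UDP IAD12 198.51.100.7 -"
    for i, label in enumerate(("k3x9q", "zz81a", "p0m2c", "q7w1e", "r5t6y"))
]

if __name__ == "__main__":
    found, bad = nxdomain_suspects(SAMPLE_LOG)
    print(found, "malformed lines:", bad)
```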

6. Domain Registration and Management

Register Domain

aws route53domains register-domain \
    --domain-name "newcompany.com" \
    --duration-in-years 2 \
    --auto-renew \
    --admin-contact '{
        "FirstName": "John",
        "LastName": "Smith", 
        "ContactType": "PERSON",
        "AddressLine1": "123 Main St",
        "City": "Seattle",
        "State": "WA",
        "CountryCode": "US",
        "ZipCode": "98101",
        "PhoneNumber": "+1.2065551234",
        "Email": "admin@newcompany.com"
    }' \
    --registrant-contact '{
        "FirstName": "John",
        "LastName": "Smith",
        "ContactType": "PERSON",
        "AddressLine1": "123 Main St", 
        "City": "Seattle",
        "State": "WA",
        "CountryCode": "US",
        "ZipCode": "98101",
        "PhoneNumber": "+1.2065551234",
        "Email": "registrant@newcompany.com"
    }' \
    --tech-contact '{
        "FirstName": "Jane",
        "LastName": "Doe",
        "ContactType": "PERSON", 
        "AddressLine1": "123 Main St",
        "City": "Seattle",
        "State": "WA", 
        "CountryCode": "US",
        "ZipCode": "98101",
        "PhoneNumber": "+1.2065551235",
        "Email": "tech@newcompany.com"
    }' \
    --privacy-protect-admin-contact \
    --privacy-protect-registrant-contact \
    --privacy-protect-tech-contact

Domain Registration Parameters:

--duration-in-years: Registration period (1-10 years depending on TLD)

--auto-renew: Automatically renew before expiration

Contact types: PERSON, COMPANY, ASSOCIATION, PUBLIC_BODY, RESELLER

Privacy protection: Hides contact info from WHOIS lookups

Three contacts: Admin, Registrant, and Technical contacts (can be same person)

Important: Domain registration is not immediate and can take up to 24 hours. You'll receive email confirmations that must be verified within 15 days or the domain will be suspended.

7. Advanced Traffic Management

Traffic Policy Creation

graph TD
    A[Traffic Policy] --> B[Geolocation Branch]
    A --> C[Latency Branch]
    A --> D[Health Check Branch]
    B --> E[North America<br/>Weighted Distribution]
    B --> F[Europe<br/>Failover]
    B --> G[Asia<br/>Latency-based]
    E --> H[US-East: 70%]
    E --> I[US-West: 30%]
    F --> J[Primary: Ireland]
    F --> K[Secondary: Frankfurt]
    G --> L[Tokyo]
    G --> M[Singapore]
    G --> N[Mumbai]
    style A fill:#e74c3c,stroke:#c0392b,color:#fff
    style B fill:#3498db,stroke:#2980b9,color:#fff
    style C fill:#f39c12,stroke:#e67e22,color:#fff
    style D fill:#27ae60,stroke:#229954,color:#fff

Complex Traffic Policy Structure:

Multi-level routing: Combine different routing policies in a hierarchy

Geographic first: Route based on user location, then apply sub-policies

Weighted distribution: A/B testing or gradual rollouts within regions

Failover redundancy: Automatic failover when primary endpoints fail

Latency optimization: Route to closest available endpoint

Create Traffic Policy

aws route53 create-traffic-policy \
    --name "Global-API-Distribution" \
    --document '{
        "AWSPolicyFormatVersion": "2015-10-01",
        "RecordType": "A",
        "StartRule": "geolocation_rule",
        "Rules": {
            "geolocation_rule": {
                "RuleType": "geolocation",
                "Locations": [
                    {
                        "CountryCode": "US",
                        "Rule": "us_weighted_rule"
                    },
                    {
                        "CountryCode": "GB", 
                        "Rule": "eu_failover_rule"
                    },
                    {
                        "IsDefault": true,
                        "Rule": "default_latency_rule"
                    }
                ]
            },
            "us_weighted_rule": {
                "RuleType": "weighted",
                "Items": [
                    {
                        "Weight": 70,
                        "EndPoint": {
                            "Type": "value",
                            "Value": "192.168.1.100"
                        }
                    },
                    {
                        "Weight": 30, 
                        "EndPoint": {
                            "Type": "value",
                            "Value": "192.168.1.101"
                        }
                    }
                ]
            }
        }
    }' \
    --comment "Complex multi-region traffic distribution policy"

Traffic Policy Document Structure:

AWSPolicyFormatVersion: Policy format version (currently 2015-10-01)

StartRule: Entry point rule for traffic policy evaluation

Rules object: Contains all routing rules referenced in the policy

Nested policies: Rules can reference other rules for complex routing

EndPoint types: "value" (IP/domain), "rule" (reference to another rule)

8. Troubleshooting and Best Practices

Common DNS Issues and Solutions

| Issue | Cause | Solution | AWS CLI Command |
|---|---|---|---|
| DNS not resolving | Name servers not configured | Update domain registrar NS records | aws route53 get-hosted-zone --id Z123456789 |
| High DNS query latency | TTL too low | Increase TTL for stable records | aws route53 change-resource-record-sets |
| Failover not working | Health check misconfigured | Verify health check settings | aws route53 get-health-check --health-check-id abc123 |
| Private zone not resolving | VPC not associated | Associate VPC with hosted zone | aws route53 associate-vpc-with-hosted-zone |

DNS Testing Commands

# Test DNS resolution
dig @8.8.8.8 example.com A
nslookup example.com 8.8.8.8

# Test specific Route 53 name servers
dig @ns-123.awsdns-12.com example.com A

# Test health check endpoint
curl -I http://api.example.com/health

# Trace DNS resolution path
dig +trace example.com A

Monitoring and Alerts

aws cloudwatch put-metric-alarm \
    --alarm-name "Route53-Health-Check-Failed" \
    --alarm-description "Alert when health check fails" \
    --metric-name "HealthCheckStatus" \
    --namespace "AWS/Route53" \
    --statistic "Minimum" \
    --period 60 \
    --threshold 1 \
    --comparison-operator "LessThanThreshold" \
    --dimensions Name=HealthCheckId,Value=abc123def456 \
    --evaluation-periods 2 \
    --alarm-actions "arn:aws:sns:us-east-1:123456789012:dns-alerts"

CloudWatch Alarm Parameters:

HealthCheckStatus metric: 1 = healthy, 0 = unhealthy

LessThanThreshold 1: Triggers when health check fails

evaluation-periods 2: Must fail for 2 consecutive periods

alarm-actions: SNS topic to notify when alarm triggers

9. Cost Optimization

Route 53 Pricing Considerations:

Cost Optimization Strategies

# List disabled health checks (candidates for deletion)
aws route53 list-health-checks --query 'HealthChecks[?Config.Disabled==`true`].Id' --output text

# Optimize TTL values to reduce query volume
aws route53 change-resource-record-sets \
    --hosted-zone-id Z123456789 \
    --change-batch '{
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "static.example.com",
                "Type": "A", 
                "TTL": 86400,
                "ResourceRecords": [{"Value": "192.168.1.100"}]
            }
        }]
    }'

Remember: Always test DNS changes in a staging environment first. DNS propagation can take up to 48 hours globally, and mistakes can cause service outages.

10. Summary and Exam Tips

Key Points for AWS Certification Exams: