AWS Route 53 Resolver

Comprehensive Guide with Mermaid Diagrams and CLI Examples

Route 53 Resolver Overview

AWS Route 53 Resolver provides DNS resolution services for your VPCs, allowing you to resolve DNS queries between your VPC and on-premises networks, or between VPCs in different AWS accounts.

graph TB
    A[Client] --> B[VPC]
    B --> C[Route 53 Resolver]
    C --> D{Query Type}
    D -->|Local VPC| E[VPC DNS]
    D -->|External| F[Public DNS]
    D -->|On-premises| G[Outbound Resolver]
    D -->|Cross-VPC| H[Inbound Resolver]
    G --> I[On-premises DNS]
    H --> J[Target VPC]
    style A fill:#3498db,stroke:#2980b9,color:#fff
    style C fill:#e74c3c,stroke:#c0392b,color:#fff
    style G fill:#f39c12,stroke:#e67e22,color:#fff
    style H fill:#27ae60,stroke:#229954,color:#fff

Diagram Explanation: Route 53 Resolver Flow

This diagram shows how DNS queries flow through Route 53 Resolver:

  • Client: Any resource making DNS queries (EC2, Lambda, etc.)
  • VPC: The Virtual Private Cloud where resources reside
  • Route 53 Resolver: Central DNS resolution service
  • Query Types: Different paths based on the DNS query destination
  • Outbound Resolver: Forwards queries to on-premises DNS servers
  • Inbound Resolver: Receives queries from external networks

Architecture Diagrams

Hybrid DNS Architecture

graph LR
    subgraph "AWS Cloud"
        subgraph "VPC"
            A[EC2 Instances]
            B[Route 53 Resolver]
            C[Outbound Endpoint]
            D[Inbound Endpoint]
        end
        E[Route 53 Private Hosted Zone]
    end
    subgraph "On-Premises"
        F[Corporate DNS]
        G[Internal Servers]
    end
    subgraph "Internet"
        H[Public DNS]
    end
    A --> B
    B --> C
    C -->|Encrypted Tunnel| F
    F --> G
    D <-->|VPN/Direct Connect| F
    B --> E
    B --> H
    style B fill:#e74c3c,stroke:#c0392b,color:#fff
    style C fill:#f39c12,stroke:#e67e22,color:#fff
    style D fill:#27ae60,stroke:#229954,color:#fff
    style E fill:#9b59b6,stroke:#8e44ad,color:#fff

Diagram Explanation: Hybrid DNS Architecture

This architecture demonstrates how Route 53 Resolver integrates with on-premises DNS infrastructure:

  • Outbound Endpoint: Forwards AWS VPC DNS queries to on-premises DNS servers
  • Inbound Endpoint: Receives DNS queries from on-premises networks
  • Private Hosted Zone: Manages internal AWS DNS records
  • Encrypted Tunnel: Secure communication via VPN or Direct Connect

Multi-VPC DNS Resolution

graph TB
    subgraph "Account A"
        subgraph "VPC-A"
            A1[Applications]
            A2[Inbound Endpoint]
        end
    end
    subgraph "Account B"
        subgraph "VPC-B"
            B1[Services]
            B2[Outbound Endpoint]
            B3[Resolver Rules]
        end
    end
    subgraph "Shared Services Account"
        subgraph "Shared VPC"
            C1[Central DNS]
            C2[Resolver Endpoints]
        end
    end
    B1 --> B2
    B2 --> B3
    B3 -->|Forward Query| A2
    A2 --> A1
    B2 <-->|Resource Sharing| C2
    C2 --> C1
    style A2 fill:#27ae60,stroke:#229954,color:#fff
    style B2 fill:#f39c12,stroke:#e67e22,color:#fff
    style B3 fill:#3498db,stroke:#2980b9,color:#fff
    style C1 fill:#9b59b6,stroke:#8e44ad,color:#fff

Diagram Explanation: Multi-VPC DNS Resolution

This diagram shows DNS resolution across multiple AWS accounts and VPCs:

  • Cross-Account Resolution: VPC-B queries resolve resources in VPC-A
  • Resolver Rules: Define which domains are forwarded to specific endpoints
  • Resource Sharing: AWS RAM enables sharing resolver rules across accounts
  • Central DNS: Shared services account provides centralized DNS management

Core Components

graph TD
    A[Route 53 Resolver] --> B[Resolver Endpoints]
    A --> C[Resolver Rules]
    A --> D[Query Logging]
    B --> E[Inbound Endpoints]
    B --> F[Outbound Endpoints]
    C --> G[Forwarding Rules]
    C --> H[System Rules]
    E --> I[ENI in Subnets]
    F --> J[ENI in Subnets]
    G --> K[Target IP Addresses]
    H --> L[Built-in Rules]
    D --> M[CloudWatch Logs]
    D --> N[S3 Bucket]
    style A fill:#e74c3c,stroke:#c0392b,color:#fff
    style B fill:#3498db,stroke:#2980b9,color:#fff
    style C fill:#f39c12,stroke:#e67e22,color:#fff
    style D fill:#27ae60,stroke:#229954,color:#fff

Diagram Explanation: Route 53 Resolver Components

This diagram breaks down the key components of Route 53 Resolver:

  • Resolver Endpoints: Network interfaces that handle DNS traffic
  • Resolver Rules: Define how DNS queries are processed and forwarded
  • Query Logging: Captures DNS query information for monitoring and troubleshooting
  • ENI (Elastic Network Interface): Physical network interfaces in your subnets
  • Target IP Addresses: Destination DNS servers for forwarded queries

Setup Workflow

graph TD
    A[Start] --> B[Create VPC & Subnets]
    B --> C[Create Security Groups]
    C --> D[Create Resolver Endpoints]
    D --> E[Create Resolver Rules]
    E --> F[Associate Rules with VPC]
    F --> G[Configure Query Logging]
    G --> H[Test DNS Resolution]
    H --> I[Monitor & Troubleshoot]
    I --> J[End]
    D --> D1[Inbound Endpoint]
    D --> D2[Outbound Endpoint]
    E --> E1[Forwarding Rules]
    E --> E2[System Rules]
    style A fill:#27ae60,stroke:#229954,color:#fff
    style J fill:#e74c3c,stroke:#c0392b,color:#fff
    style D fill:#3498db,stroke:#2980b9,color:#fff
    style E fill:#f39c12,stroke:#e67e22,color:#fff

Diagram Explanation: Setup Workflow

This flowchart shows the step-by-step process for setting up Route 53 Resolver:

  1. VPC & Subnets: Foundational network infrastructure
  2. Security Groups: Control traffic to/from resolver endpoints
  3. Resolver Endpoints: Create inbound and/or outbound endpoints as needed
  4. Resolver Rules: Define DNS forwarding logic
  5. Association: Link rules to VPCs
  6. Query Logging: Enable monitoring and troubleshooting
  7. Testing: Verify DNS resolution works as expected

AWS CLI Commands

Step 1: Create Security Group for Resolver Endpoints

aws ec2 create-security-group \
    --group-name route53-resolver-sg \
    --description "Security group for Route 53 Resolver endpoints" \
    --vpc-id vpc-0123456789abcdef0
Expected Output:
{
    "GroupId": "sg-0a1b2c3d4e5f6g7h8"
}
aws ec2 authorize-security-group-ingress \
    --group-id sg-0a1b2c3d4e5f6g7h8 \
    --protocol tcp \
    --port 53 \
    --source-group sg-0a1b2c3d4e5f6g7h8

aws ec2 authorize-security-group-ingress \
    --group-id sg-0a1b2c3d4e5f6g7h8 \
    --protocol udp \
    --port 53 \
    --source-group sg-0a1b2c3d4e5f6g7h8
Security Group Parameters:
  • --group-name: Descriptive name for the security group
  • --description: Human-readable description
  • --vpc-id: VPC where the security group will be created
  • --protocol: TCP and UDP for DNS traffic
  • --port 53: Standard DNS port
  • --source-group: Allow traffic from resources that carry the same security group

Note: The self-referencing rule only admits queries from resources in this security group. An inbound endpoint that must answer on-premises resolvers also needs TCP and UDP port 53 allowed from the on-premises CIDR ranges that will send queries; keep those ranges as narrow as possible.

Step 2: Create Outbound Resolver Endpoint

aws route53resolver create-resolver-endpoint \
    --creator-request-id 2023070212345678 \
    --name "outbound-resolver-endpoint" \
    --direction OUTBOUND \
    --security-group-ids sg-0a1b2c3d4e5f6g7h8 \
    --ip-addresses SubnetId=subnet-0123456789abcdef0,Ip=10.0.1.100 \
                   SubnetId=subnet-0987654321fedcba0,Ip=10.0.2.100 \
    --tags Key=Name,Value=OutboundResolver Key=Environment,Value=Production
Expected Output:
{
    "ResolverEndpoint": {
        "Id": "rslvr-out-0123456789abcdef0",
        "CreatorRequestId": "2023070212345678",
        "Arn": "arn:aws:route53resolver:us-east-1:123456789012:resolver-endpoint/rslvr-out-0123456789abcdef0",
        "Name": "outbound-resolver-endpoint",
        "SecurityGroupIds": ["sg-0a1b2c3d4e5f6g7h8"],
        "Direction": "OUTBOUND",
        "IpAddressCount": 2,
        "HostVPCId": "vpc-0123456789abcdef0",
        "Status": "CREATING",
        "StatusMessage": "Creating Resolver Endpoint",
        "CreationTime": "2025-07-02T10:30:00.000000+00:00",
        "ModificationTime": "2025-07-02T10:30:00.000000+00:00"
    }
}
Outbound Endpoint Parameters:
  • --creator-request-id: Unique string that makes the request idempotent; the CLI requires it for create-resolver-endpoint and echoes it as CreatorRequestId
  • --name: Friendly name for the resolver endpoint
  • --direction OUTBOUND: Specifies this endpoint forwards queries out of the VPC
  • --security-group-ids: Security groups controlling access
  • --ip-addresses: Subnet and IP assignments (minimum 2 for HA)
  • SubnetId: Must be in different AZs for high availability
  • Ip: Optional static IP assignment within the subnet CIDR

Note: Outbound endpoints are used to forward DNS queries from your VPC to external DNS servers (like on-premises). You need at least 2 IP addresses in different Availability Zones.

Step 3: Create Inbound Resolver Endpoint

aws route53resolver create-resolver-endpoint \
    --creator-request-id 2023070212345679 \
    --name "inbound-resolver-endpoint" \
    --direction INBOUND \
    --security-group-ids sg-0a1b2c3d4e5f6g7h8 \
    --ip-addresses SubnetId=subnet-0123456789abcdef0,Ip=10.0.1.200 \
                   SubnetId=subnet-0987654321fedcba0,Ip=10.0.2.200 \
    --tags Key=Name,Value=InboundResolver Key=Environment,Value=Production
Expected Output:
{
    "ResolverEndpoint": {
        "Id": "rslvr-in-0123456789abcdef0",
        "CreatorRequestId": "2023070212345679",
        "Arn": "arn:aws:route53resolver:us-east-1:123456789012:resolver-endpoint/rslvr-in-0123456789abcdef0",
        "Name": "inbound-resolver-endpoint",
        "SecurityGroupIds": ["sg-0a1b2c3d4e5f6g7h8"],
        "Direction": "INBOUND",
        "IpAddressCount": 2,
        "HostVPCId": "vpc-0123456789abcdef0",
        "Status": "CREATING",
        "StatusMessage": "Creating Resolver Endpoint",
        "CreationTime": "2025-07-02T10:35:00.000000+00:00",
        "ModificationTime": "2025-07-02T10:35:00.000000+00:00"
    }
}
Inbound Endpoint Parameters:
  • --direction INBOUND: Specifies this endpoint receives queries from external networks
  • Same IP address structure as outbound, but serves opposite purpose
  • External networks (on-premises) will point to these IP addresses for DNS resolution

Note: Inbound endpoints receive DNS queries from external networks (like on-premises) and resolve them using VPC DNS or Route 53 private hosted zones.

Step 4: Create Resolver Rule

aws route53resolver create-resolver-rule \
    --creator-request-id 2023070212345680 \
    --name "forward-to-onpremises" \
    --rule-type FORWARD \
    --domain-name "corp.internal" \
    --resolver-endpoint-id rslvr-out-0123456789abcdef0 \
    --target-ips Ip=192.168.1.10,Port=53 Ip=192.168.1.11,Port=53 \
    --tags Key=Name,Value=OnPremisesForwardRule Key=Environment,Value=Production
Expected Output:
{
    "ResolverRule": {
        "Id": "rslvr-rr-0123456789abcdef0",
        "CreatorRequestId": "2023070212345680",
        "Arn": "arn:aws:route53resolver:us-east-1:123456789012:resolver-rule/rslvr-rr-0123456789abcdef0",
        "DomainName": "corp.internal",
        "Status": "COMPLETE",
        "StatusMessage": "Rule created successfully",
        "RuleType": "FORWARD",
        "Name": "forward-to-onpremises",
        "TargetIps": [
            {
                "Ip": "192.168.1.10",
                "Port": 53
            },
            {
                "Ip": "192.168.1.11",
                "Port": 53
            }
        ],
        "ResolverEndpointId": "rslvr-out-0123456789abcdef0",
        "OwnerId": "123456789012",
        "ShareStatus": "NOT_SHARED",
        "CreationTime": "2025-07-02T10:40:00.000000+00:00",
        "ModificationTime": "2025-07-02T10:40:00.000000+00:00"
    }
}
Resolver Rule Parameters:
  • --creator-request-id: Unique string that makes the request idempotent; required by the CLI for create-resolver-rule
  • --name: Descriptive name for the rule
  • --rule-type FORWARD: Forward queries to the specified target IPs
  • --domain-name: Domain pattern to match (supports wildcards like *.corp.internal)
  • --resolver-endpoint-id: Must reference an OUTBOUND endpoint
  • --target-ips: DNS servers to forward queries to (on-premises DNS)
  • Port=53: Standard DNS port (can be customized if needed)

Rule Types Available:

  • FORWARD: Forward queries to target IPs
  • SYSTEM: Use AWS default DNS resolution
  • RECURSIVE: Use Route 53 Resolver recursive resolution

Step 5: Associate Resolver Rule with VPC

aws route53resolver associate-resolver-rule \
    --resolver-rule-id rslvr-rr-0123456789abcdef0 \
    --vpc-id vpc-0123456789abcdef0 \
    --name "production-vpc-association"
Expected Output:
{
    "ResolverRuleAssociation": {
        "Id": "rslvr-rrassoc-0123456789abcdef0",
        "ResolverRuleId": "rslvr-rr-0123456789abcdef0",
        "Name": "production-vpc-association",
        "VPCId": "vpc-0123456789abcdef0",
        "Status": "CREATING",
        "StatusMessage": "Creating Resolver Rule Association"
    }
}
Rule Association Parameters:
  • --resolver-rule-id: The rule to associate
  • --vpc-id: VPC where the rule should apply
  • --name: Optional name for the association

Important: A resolver rule must be associated with a VPC to take effect. Rules can be associated with multiple VPCs, and a VPC can have multiple rule associations.

Step 6: Enable Query Logging

aws route53resolver create-resolver-query-log-config \
    --name "production-dns-query-logs" \
    --destination-arn "arn:aws:logs:us-east-1:123456789012:log-group:route53-resolver-queries" \
    --tags Key=Name,Value=DNSQueryLogs Key=Environment,Value=Production
Expected Output:
{
    "ResolverQueryLogConfig": {
        "Id": "rqlc-0123456789abcdef0",
        "Name": "production-dns-query-logs",
        "Arn": "arn:aws:route53resolver:us-east-1:123456789012:resolver-query-log-config/rqlc-0123456789abcdef0",
        "Status": "CREATING",
        "DestinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:route53-resolver-queries",
        "CreatorRequestId": "2023070212345681",
        "CreationTime": "2025-07-02T10:45:00.000000+00:00",
        "AssociationCount": 0
    }
}
aws route53resolver associate-resolver-query-log-config \
    --resolver-query-log-config-id rqlc-0123456789abcdef0 \
    --resource-id vpc-0123456789abcdef0
Expected Output:
{
    "ResolverQueryLogConfigAssociation": {
        "Id": "rqlca-0123456789abcdef0",
        "ResolverQueryLogConfigId": "rqlc-0123456789abcdef0",
        "ResourceId": "vpc-0123456789abcdef0",
        "Status": "CREATING",
        "CreationTime": "2025-07-02T10:50:00.000000+00:00"
    }
}
Query Logging Parameters:
  • --name: Name for the query log configuration
  • --destination-arn: CloudWatch Logs group or S3 bucket ARN
  • --resource-id: VPC to associate with query logging

Supported Destinations:

  • CloudWatch Logs: arn:aws:logs:region:account:log-group:name
  • S3 Bucket: arn:aws:s3:::bucket-name
  • Kinesis Data Firehose: arn:aws:firehose:region:account:deliverystream/name

Step 7: Verify Configuration

aws route53resolver list-resolver-endpoints
Expected Output:
{
    "ResolverEndpoints": [
        {
            "Id": "rslvr-out-0123456789abcdef0",
            "Name": "outbound-resolver-endpoint",
            "Direction": "OUTBOUND",
            "Status": "OPERATIONAL",
            "IpAddressCount": 2,
            "HostVPCId": "vpc-0123456789abcdef0"
        },
        {
            "Id": "rslvr-in-0123456789abcdef0",
            "Name": "inbound-resolver-endpoint",
            "Direction": "INBOUND",
            "Status": "OPERATIONAL",
            "IpAddressCount": 2,
            "HostVPCId": "vpc-0123456789abcdef0"
        }
    ]
}
aws route53resolver list-resolver-rules
Expected Output:
{
    "ResolverRules": [
        {
            "Id": "rslvr-rr-0123456789abcdef0",
            "Name": "forward-to-onpremises",
            "DomainName": "corp.internal",
            "Status": "COMPLETE",
            "RuleType": "FORWARD",
            "ResolverEndpointId": "rslvr-out-0123456789abcdef0",
            "TargetIps": [
                {
                    "Ip": "192.168.1.10",
                    "Port": 53
                },
                {
                    "Ip": "192.168.1.11",
                    "Port": 53
                }
            ]
        }
    ]
}

Configuration Examples

Complex Resolver Rule Configuration

# Create a wildcard forwarding rule for all subdomains
# (--creator-request-id is required by the CLI; any unique string works)
aws route53resolver create-resolver-rule \
    --creator-request-id "$(date +%Y%m%d%H%M%S)" \
    --name "wildcard-corp-forward" \
    --rule-type FORWARD \
    --domain-name "*.corp.internal" \
    --resolver-endpoint-id rslvr-out-0123456789abcdef0 \
    --target-ips Ip=192.168.1.10,Port=53 \
                 Ip=192.168.1.11,Port=53 \
                 Ip=192.168.2.10,Port=53
Wildcard Rule Configuration:
  • *.corp.internal: Matches all subdomains under corp.internal
  • Multiple target IPs provide redundancy and load distribution
  • Can specify different ports if on-premises DNS runs on non-standard ports

This configuration forwards all queries for any subdomain of corp.internal to the specified on-premises DNS servers. For example: app1.corp.internal, db.corp.internal, etc.

System Rule for Recursive Resolution

# Create a system rule to use AWS recursive resolution
# (--creator-request-id is required by the CLI; any unique string works)
aws route53resolver create-resolver-rule \
    --creator-request-id "$(date +%Y%m%d%H%M%S)" \
    --name "aws-recursive-resolution" \
    --rule-type SYSTEM \
    --domain-name "amazonaws.com" \
    --tags Key=Name,Value=AWSSystemRule
System Rule Configuration:
  • SYSTEM rule type uses AWS default DNS resolution
  • No resolver endpoint or target IPs needed
  • Useful for ensuring AWS service domains resolve properly
  • Higher priority than FORWARD rules

System rules ensure that specific domains use AWS's built-in DNS resolution instead of being forwarded to on-premises DNS servers.
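The "most specific domain wins" behaviour behind the rule types listed in Step 4 and the system-rule precedence described above can be checked offline with a small model. The following Python is an added example, not code from this guide or from AWS. It assumes the selection rule that a matching rule with more labels beats one with fewer (so a SYSTEM rule for a subzone beats a FORWARD rule for its parent), models the autodefined default rule as a RECURSIVE rule for ".", and uses a constructed rule table in which aws.corp.internal is an assumed subzone hosted in AWS.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ResolverRule:
    name: str
    rule_type: str                 # FORWARD, SYSTEM or RECURSIVE
    domain_name: str               # "." models the autodefined default (Internet Resolver) rule
    target_ips: List[str] = field(default_factory=list)


def normalize(domain: str) -> str:
    """Lower-case, strip the trailing dot and a leading '*.'; a rule covers subdomains anyway."""
    d = domain.lower().rstrip(".")
    return d[2:] if d.startswith("*.") else d


def label_count(domain: str) -> int:
    """Number of DNS labels; the root ('.') has none."""
    d = normalize(domain)
    return 0 if d == "" else d.count(".") + 1


def rule_matches(rule: ResolverRule, query_name: str) -> bool:
    """A rule matches its own domain and every name below it, never a look-alike suffix."""
    rd, qn = normalize(rule.domain_name), normalize(query_name)
    return rd == "" or qn == rd or qn.endswith("." + rd)


def select_rule(rules: List[ResolverRule], query_name: str) -> Optional[ResolverRule]:
    """Most specific match wins: the matching rule with the most labels (assumed model)."""
    candidates = [r for r in rules if rule_matches(r, query_name)]
    return max(candidates, key=lambda r: label_count(r.domain_name)) if candidates else None


def resolve_action(rules: List[ResolverRule], query_name: str):
    """Return (rule name, rule type, target IPs) for a query, or ('none', 'none', []) if nothing matches."""
    rule = select_rule(rules, query_name)
    if rule is None:
        return ("none", "none", [])
    return (rule.name, rule.rule_type, list(rule.target_ips))


# Constructed rule table. The FORWARD rule and the amazonaws.com SYSTEM rule mirror
# this guide's examples; aws.corp.internal is an assumed subzone hosted in AWS.
RULES = [
    ResolverRule("internet-resolver", "RECURSIVE", "."),
    ResolverRule("forward-to-onpremises", "FORWARD", "corp.internal", ["192.168.1.10", "192.168.1.11"]),
    ResolverRule("aws-hosted-subzone", "SYSTEM", "aws.corp.internal"),
    ResolverRule("aws-recursive-resolution", "SYSTEM", "amazonaws.com"),
]

if __name__ == "__main__":
    for q in ["app1.corp.internal", "db.aws.corp.internal", "ec2.amazonaws.com",
              "example.com", "notcorp.internal"]:
        print(q, "->", resolve_action(RULES, q))
```

Note that notcorp.internal is not forwarded: the suffix check requires a label boundary, which is also the check to keep in mind when reviewing a rule table for domains that overlap by accident.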

Cross-Account Rule Sharing

# Share resolver rule with other AWS accounts using AWS RAM
# (principals are passed space-separated; RAM tag keys are lowercase key/value)
aws ram create-resource-share \
    --name "dns-resolver-rules-share" \
    --resource-arns "arn:aws:route53resolver:us-east-1:123456789012:resolver-rule/rslvr-rr-0123456789abcdef0" \
    --principals 123456789013 123456789014 \
    --tags key=Name,value=DNSRuleShare
Resource Sharing Configuration:
  • --resource-arns: ARN of the resolver rule to share
  • --principals: AWS account IDs to share with
  • Shared rules can be associated with VPCs in target accounts
  • Enables centralized DNS rule management

Resource sharing allows you to create resolver rules in one account and use them across multiple accounts, enabling centralized DNS policy management.

CloudWatch Log Group Configuration

# Create CloudWatch log group for DNS query logs
aws logs create-log-group \
    --log-group-name "route53-resolver-queries" \
    --tags "Environment=Production,Service=Route53Resolver"

# Retention is set with a separate call (create-log-group has no --retention-in-days option)
aws logs put-retention-policy \
    --log-group-name "route53-resolver-queries" \
    --retention-in-days 30

# Set log group policy to allow Route 53 Resolver to write logs
aws logs put-resource-policy \
    --policy-name "Route53ResolverLogPolicy" \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "Service": "route53resolver.amazonaws.com" },
                "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:route53-resolver-queries:*"
            }
        ]
    }'
CloudWatch Logs Configuration:
  • put-retention-policy --retention-in-days: How long to keep log data
  • put-resource-policy: Grants Route 53 Resolver permission to write logs
  • Policy allows only the CreateLogStream and PutLogEvents actions
  • Resource: Scoped to the streams of this one log group, not to every log group in the account
  • Service principal: route53resolver.amazonaws.com

This configuration sets up CloudWatch Logs to receive DNS query logs from Route 53 Resolver, with appropriate retention and permissions.

Troubleshooting

graph TD
    A[DNS Resolution Issue] --> B{Check Resolver Endpoint Status}
    B -->|OPERATIONAL| C{Check Resolver Rule}
    B -->|CREATING/UPDATING| D[Wait for Completion]
    B -->|FAILED| E[Check Security Groups & Subnets]
    C -->|Rule Active| F{Check VPC Association}
    C -->|Rule Missing| G[Create/Associate Rule]
    F -->|Associated| H{Check Target IPs}
    F -->|Not Associated| I[Associate Rule with VPC]
    H -->|Reachable| J[Check Query Logs]
    H -->|Unreachable| K[Fix Network Connectivity]
    J --> L[Analyze Query Patterns]
    style A fill:#e74c3c,stroke:#c0392b,color:#fff
    style L fill:#27ae60,stroke:#229954,color:#fff
    style E fill:#f39c12,stroke:#e67e22,color:#fff
    style K fill:#f39c12,stroke:#e67e22,color:#fff

Diagram Explanation: Troubleshooting Flowchart

This troubleshooting flowchart helps diagnose common Route 53 Resolver issues:

  • Endpoint Status: First check if resolver endpoints are operational
  • Rule Configuration: Verify resolver rules are correctly configured
  • VPC Association: Ensure rules are associated with the correct VPCs
  • Network Connectivity: Verify target DNS servers are reachable
  • Query Analysis: Use logs to understand DNS query patterns

Common Troubleshooting Commands

# Check resolver endpoint details and IP addresses
aws route53resolver get-resolver-endpoint \
    --resolver-endpoint-id rslvr-out-0123456789abcdef0

# List all resolver rule associations for a VPC
aws route53resolver list-resolver-rule-associations \
    --filters Name=VPCId,Values=vpc-0123456789abcdef0

# Check query log configuration status
aws route53resolver get-resolver-query-log-config \
    --resolver-query-log-config-id rqlc-0123456789abcdef0

# Test DNS resolution from an EC2 instance.
# With no server given, dig uses the VPC resolver, which applies the forwarding rules.
dig app1.corp.internal
# The inbound endpoint IPs (10.0.1.200 here) also answer queries; outbound endpoint
# IPs (10.0.1.100) only send queries and will not respond to dig.
dig @10.0.1.200 app1.corp.internal
nslookup app1.corp.internal 10.0.1.200
Troubleshooting Tools:
  • get-resolver-endpoint: Shows detailed endpoint configuration and status
  • list-resolver-rule-associations: Verifies rule-to-VPC associations
  • dig/nslookup: Test DNS resolution from instances
  • CloudWatch Logs: Analyze query patterns and failures

Always verify security groups allow DNS traffic (TCP/UDP 53) and that target DNS servers are accessible from the resolver endpoint subnets.
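The "Check Query Logs" step of the flowchart is easier to act on with a small triage script. The following Python is an added example, not code from this guide or from AWS: it parses constructed records written in the Resolver query-log JSON format (query_name, rcode, srcaddr, srcids.instance, transport and so on) and separates SERVFAIL on a forwarded domain, which points at the outbound targets not answering, from NXDOMAIN, which points at a name that does not exist. The forwarded-domain list, instance IDs and addresses are assumptions; the VPC and account IDs are the guide's own sample values.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the Route 53 Resolver query log format (one JSON
# object per line, as delivered to CloudWatch Logs or S3). Instance IDs, source
# addresses and answers are made up; the VPC and account IDs are this guide's examples.
SAMPLE_LOG = """\
{"version":"1.100000","account_id":"123456789012","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2025-07-02T11:00:01Z","query_name":"app1.corp.internal.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"192.168.5.20","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcport":"41234","transport":"UDP","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
{"version":"1.100000","account_id":"123456789012","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2025-07-02T11:00:02Z","query_name":"db.corp.internal.","query_type":"A","query_class":"IN","rcode":"SERVFAIL","answers":[],"srcaddr":"10.0.1.25","srcport":"41235","transport":"UDP","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
{"version":"1.100000","account_id":"123456789012","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2025-07-02T11:00:03Z","query_name":"db.corp.internal.","query_type":"A","query_class":"IN","rcode":"SERVFAIL","answers":[],"srcaddr":"10.0.2.40","srcport":"50211","transport":"UDP","srcids":{"instance":"i-0bbbbbbbbbbbbbbbb"}}
{"version":"1.100000","account_id":"123456789012","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2025-07-02T11:00:04Z","query_name":"example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.9","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.40","srcport":"50212","transport":"UDP","srcids":{"instance":"i-0bbbbbbbbbbbbbbbb"}}
{"version":"1.100000","account_id":"123456789012","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2025-07-02T11:00:05Z","query_name":"typo.corp.internal.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.25","srcport":"41236","transport":"UDP","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
{"version":"1.100000","account_id":"123456789012","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2025-07-02T11:00:06Z","query_name":"s3.amazonaws.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.0.1.200","srcport":"39001","transport":"TCP","srcids":{}}
not json - a truncated line that must be skipped
"""

# Domains covered by FORWARD rules (assumed: the guide's corp.internal rule)
FORWARDED_DOMAINS = ["corp.internal"]


def parse_query_log(text):
    """Parse JSON-lines query log text; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_forwarded(query_name, forwarded_domains):
    """True when the name is a forwarded domain or sits below one (label boundary respected)."""
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in forwarded_domains)


def summarize(records, forwarded_domains):
    """Group failures the way the troubleshooting flow asks about them."""
    by_rcode = Counter()
    failed_by_instance = defaultdict(int)
    forwarded_servfail = []       # (name, source) pairs: forward targets did not answer
    nxdomain_names = Counter()    # names that do not exist: typos or missing records
    for rec in records:
        rcode = rec.get("rcode", "UNKNOWN")
        name = rec.get("query_name", "").rstrip(".")
        by_rcode[rcode] += 1
        if rcode != "NOERROR":
            # Queries arriving through an inbound endpoint carry no srcids.instance
            instance = (rec.get("srcids") or {}).get("instance", "unknown")
            failed_by_instance[instance] += 1
        if rcode == "SERVFAIL" and is_forwarded(name, forwarded_domains):
            forwarded_servfail.append((name, rec.get("srcaddr", "?")))
        if rcode == "NXDOMAIN":
            nxdomain_names[name] += 1
    return {
        "by_rcode": by_rcode,
        "failed_by_instance": dict(failed_by_instance),
        "forwarded_servfail": forwarded_servfail,
        "nxdomain_names": nxdomain_names,
    }


def triage(text=SAMPLE_LOG, forwarded_domains=FORWARDED_DOMAINS):
    return summarize(parse_query_log(text), forwarded_domains)


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Repeated SERVFAIL for names under a forwarded domain, from more than one source, is the log-side signature of the "Unreachable" branch in the flowchart: the rule and association are fine, but the target IPs are not answering the outbound endpoint.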