Route 53 Resolver Private DNS Patterns
Understand Route 53 private hosted zones, VPC Resolver, inbound and outbound Resolver endpoints, forwarding rules, split-horizon DNS, hybrid DNS, and SAA-C03 traps.
After this, you will understand
Private DNS questions become tractable once learners separate private hosted records from resolver forwarding paths.
Private hosted zones answer private names for associated VPCs; Resolver endpoints and rules move DNS queries between AWS VPCs and other networks.
A common mistake is to create a private hosted zone for on-premises names that should instead be forwarded, or to create outbound Resolver rules when on-premises clients need to query AWS private names; that second case is an inbound endpoint pattern.
Decide who owns the DNS name, where the query starts, and where the authoritative answer lives.
Think before reading: What is the difference between a private hosted zone and a Resolver forwarding rule?
Concepts Covered
- Route 53 VPC Resolver
- Private hosted zones
- VPC associations
- Inbound Resolver endpoints
- Outbound Resolver endpoints
- Resolver forwarding rules
- Hybrid DNS
- Split-horizon DNS
- PrivateLink private DNS
- DNS troubleshooting traps
1. Plain-English Mental Model
Route 53 private DNS has two separate jobs.
The first job is answering private names inside AWS:
private hosted zone -> records for associated VPCs
The second job is moving DNS questions between AWS and other networks:
Resolver endpoint + forwarding rule -> send this DNS question to that resolver
The short model is:
private hosted zone = private DNS records
Resolver endpoints and rules = hybrid DNS query paths
When DNS questions become confusing, ask three things:
- Where does the query start?
- Which DNS zone owns the name?
- Where should the query be answered?
2. Why This Service Exists
AWS workloads need names that are not public internet names.
An application may need db.internal.example.com to resolve only inside selected VPCs. A shared services account may host private names for many workload VPCs. An on-premises client may need to resolve AWS private records. An EC2 instance may need to resolve on-premises names across Direct Connect or VPN.
Private hosted zones exist to store private DNS records for one or more associated VPCs.
Route 53 VPC Resolver exists as the default recursive resolver in VPCs. Resolver endpoints and rules extend that resolver path to hybrid networks.
For SAA-C03, private DNS appears in hybrid connectivity, VPC endpoints, private hosted zones, split-horizon naming, and "on-premises must resolve AWS private names" scenarios.
3. The Naive Approach And Where It Breaks
The naive approach is to put every internal name into a private hosted zone.
That breaks when the authoritative DNS system lives somewhere else. If corp.example.com is owned by on-premises DNS, AWS should often forward matching queries to on-premises resolvers through an outbound Resolver endpoint and forwarding rule.
Another naive approach is to point on-premises DNS servers at the VPC's VPC+2 resolver address. AWS warns against forwarding private DNS queries directly to VPC CIDR plus 2 from on-premises or other VPC DNS servers. Use inbound Resolver endpoints instead.
Another mistake is creating a private hosted zone but not associating it with the VPC that needs to resolve it.
DNS is not just records. It is records plus query path plus network reachability.
4. Core Primitives
Route 53 VPC Resolver is available by default in VPCs and answers recursive DNS queries for public records, VPC-specific DNS names, and private hosted zones associated with the VPC.
A private hosted zone is a container for DNS records that Route 53 answers only for associated VPCs or supported hybrid paths through inbound endpoints.
A VPC association connects a private hosted zone to a VPC. Without association, that VPC does not receive private hosted zone answers.
An inbound Resolver endpoint lets DNS resolvers on another network send queries into AWS VPC Resolver. This is how on-premises clients can resolve AWS private hosted zone records.
An outbound Resolver endpoint lets VPC Resolver forward selected queries from AWS to resolvers on another network.
A Resolver rule matches a domain and tells VPC Resolver where to forward the query. Rules can be associated with VPCs and shared across accounts.
5. Architecture Use Cases
Use a private hosted zone for AWS-owned internal names:
app.internal.example.com -> private ALB
db.internal.example.com -> private database endpoint or record
Associate the private hosted zone with every VPC that should resolve those names.
Use an outbound Resolver endpoint and forwarding rule when EC2 instances in AWS must resolve names hosted by on-premises DNS:
EC2 query for corp.example.com
-> VPC Resolver
-> outbound Resolver endpoint
-> on-premises DNS resolver
Use an inbound Resolver endpoint when on-premises clients must resolve AWS private names:
on-premises DNS
-> inbound Resolver endpoint
-> VPC Resolver
-> private hosted zone answer
Use split-horizon DNS when the same domain name has public answers for internet users and private answers for VPC clients.
Use PrivateLink private DNS when service consumers should use a familiar service hostname that resolves to interface endpoint private IP addresses inside the VPC.
7. Security Model
Private hosted zones are not public DNS zones. They answer inside associated VPCs and supported hybrid paths.
Control who can create records, associate VPCs, create Resolver endpoints, create forwarding rules, and share rules across accounts.
Inbound Resolver endpoints expose a DNS query path into AWS private DNS. Their IP addresses are private and require network connectivity such as Direct Connect or VPN from the querying network.
Outbound Resolver endpoints send DNS queries from AWS toward target resolvers. Ensure the network path and security controls allow only intended DNS traffic.
DNS answers can reveal internal service names and topology. Protect query logs and DNS administration permissions.
DNS Firewall is a separate control that filters DNS queries through Route 53 Resolver. It is not the same as a private hosted zone or forwarding rule.
8. Reliability And Resilience
DNS reliability depends on records, resolver paths, endpoint placement, network connectivity, and authoritative server health.
Resolver endpoints use elastic network interfaces in your VPC. Place endpoint IPs across multiple Availability Zones when reliability matters.
For outbound forwarding, target multiple reachable on-premises resolver IP addresses. If target resolvers are unreachable, queries can become slow or fail.
For inbound forwarding, on-premises DNS servers should forward relevant domains to inbound endpoint IPs over reliable VPN or Direct Connect paths.
Private hosted zone mistakes can create broad application outages. Test record changes, TTLs, VPC associations, and split-horizon behavior before production rollout.
9. Performance And Scaling
DNS usually feels invisible until it is slow.
Forwarding rules add dependency on endpoint ENIs, network paths, and target resolvers. If the on-premises resolver is slow, AWS workloads waiting on that name are slow too.
When overlapping domains exist, the most specific matching Resolver rule wins. For example, a rule for app.corp.example.com beats a broader rule for corp.example.com when both match a query.
Keep DNS ownership clear. A private hosted zone should not casually duplicate names owned by another DNS system unless split-horizon behavior is intentional.
At organization scale, share Resolver rules and hosted zone associations deliberately so teams do not invent conflicting DNS paths.
10. Cost Model
Private hosted zones have hosted zone and query-related pricing according to current Route 53 pricing.
Resolver endpoints and query forwarding can add hourly and query-related costs depending on configuration.
DNS query logging creates storage and analysis costs.
The larger cost is often operational. Bad private DNS can break every dependency that relies on a name, and those failures can look like application, network, or IAM issues.
Use clear naming conventions, ownership records, and staged changes for important zones.
12. SAA-C03 Exam Signals
"Private DNS records for resources inside one or more VPCs" points to private hosted zones.
"On-premises clients need to resolve AWS private hosted zone records" points to inbound Resolver endpoint.
"AWS resources need to resolve on-premises DNS names" points to outbound Resolver endpoint plus forwarding rule.
"Forward queries for a specific domain to on-premises DNS" points to Resolver rules.
"Same name resolves differently inside VPC and on the public internet" points to split-horizon DNS.
"Block DNS queries to malicious domains" points to Route 53 Resolver DNS Firewall, not a private hosted zone.
"Private DNS for interface endpoint service names" points to interface endpoint private DNS behavior.
13. Common Exam Traps
Do not use a private hosted zone when the authoritative records live on-premises and AWS should forward queries there.
Do not use an outbound endpoint when on-premises clients need to query AWS private names. That is an inbound endpoint pattern.
Do not forward from on-premises DNS directly to the VPC CIDR plus 2 resolver address. Use inbound Resolver endpoints.
Do not forget VPC association for private hosted zones and Resolver rules.
Do not confuse DNS Firewall with private DNS hosting.
Do not assume a DNS answer means the application is reachable. Routes, security groups, NACLs, and listeners still matter.
Do not ignore overlapping private hosted zones and forwarding rules. The most specific matching behavior can decide where queries go.
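To make the decision rules in sections 5 and 13 concrete, here is an added Python model (not AWS code and not part of the original page) of how VPC Resolver chooses between an associated private hosted zone, a forwarding rule, and public resolution, plus a check for the VPC CIDR plus 2 forwarding trap. The zone names, VPC ids, and resolver addresses are constructed, and tie-breaking between a zone and a rule with the identical domain is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivateHostedZone:
    name: str                  # zone apex, e.g. "internal.example.com"
    vpcs: frozenset            # VPC ids associated with the zone

@dataclass(frozen=True)
class ForwardRule:
    domain: str                # domain the rule matches, subdomains included
    targets: tuple             # on-premises resolver IPs reached via the outbound endpoint
    vpcs: frozenset            # VPC ids the rule is associated with

# Constructed sample configuration: hypothetical ids and addresses.
ZONES = [PrivateHostedZone("internal.example.com", frozenset({"vpc-a"}))]
RULES = [
    ForwardRule("corp.example.com", ("10.1.0.53",), frozenset({"vpc-a"})),
    ForwardRule("app.corp.example.com", ("10.2.0.53",), frozenset({"vpc-a"})),
]

def _matches(domain, qname):
    """True when qname is the domain itself or a name under it."""
    return qname == domain or qname.endswith("." + domain)

def resolve_path(qname, vpc_id, zones=ZONES, rules=RULES):
    """Where VPC Resolver sends a query that starts inside vpc_id.
    Only zones and rules associated with that VPC count, and the most
    specific (longest) matching domain wins. Assumption: a zone and a
    rule with the identical domain are not modelled."""
    candidates = []
    for z in zones:
        if vpc_id in z.vpcs and _matches(z.name, qname):
            candidates.append((len(z.name), f"private hosted zone {z.name}"))
    for r in rules:
        if vpc_id in r.vpcs and _matches(r.domain, qname):
            candidates.append((len(r.domain), "outbound endpoint -> " + ",".join(r.targets)))
    if not candidates:
        return "public recursive resolution"   # no private answer for this VPC
    return max(candidates)[1]

def on_prem_forward_target_ok(vpc_cidr, inbound_endpoint_ips, target_ip):
    """Check an on-premises forwarder target: inbound endpoint IPs are the
    supported entry point; the VPC CIDR plus 2 resolver address is not."""
    plus_two = str(ipaddress.ip_network(vpc_cidr)[2])
    if target_ip == plus_two:
        return False                           # the VPC+2 trap from the text
    return target_ip in inbound_endpoint_ips
```

Querying from a VPC that is not associated with the zone falls through to public resolution, which is the association trap from section 13 showing up as an NXDOMAIN-style failure rather than an error.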
15. Related Topics
Review Amazon Route 53, Route 53 Resolver DNS Firewall, VPC Endpoints And PrivateLink, and Hybrid Network Connectivity To AWS.