Every device on the internet has an IP address (like 192.0.2.44 or 2001:db8::1). Humans can't remember these numbers, so we use domain names (like example.com). DNS (Domain Name System) is the system that translates names into addresses — just like a phone book translates "John Smith" into a phone number.

When you type www.example.com in your browser, before anything else happens, your computer asks DNS: "What's the IP address for this name?" Only after getting the answer can your browser connect to the server.

Amazon Route 53 is AWS's managed authoritative DNS service. It serves as the final source of truth for your domain names — when someone asks "what's the IP for myapp.example.com?", Route 53 answers authoritatively.

But Route 53 does more than just DNS. It provides three core functions:

Property	Value	Why It Matters
Availability SLA	100%	Only AWS service with 100% SLA. DNS failure = entire app unreachable.
Scope	Global (not regional)	Like IAM, CloudFront — one configuration applies worldwide.
Name Origin	Port 53 (DNS port)	Route (traffic routing) + 53 (DNS standard port).
Supported Protocols	DNS over UDP/TCP (port 53)	Standard DNS — works with all clients worldwide.
Pricing	$0.50/hosted zone + $0.40/M queries	Cheap for most apps. First 25 hosted zones included. Alias queries to AWS resources: free.
DNSSEC	Supported (signing)	Cryptographic proof that DNS responses aren't tampered with.
IPv6	Full support (AAAA records)	Route both IPv4 and IPv6 traffic.

Feature	Traditional DNS (GoDaddy, Namecheap)	Route 53
Basic DNS	✅ A, CNAME, MX, TXT records	✅ All standard records + Alias
Alias Records	❌ Not supported	✅ Free, instant resolution to AWS resources
Health Checks	❌ Separate service needed	✅ Built-in, triggers failover
Routing Policies	❌ Only simple (round-robin at best)	✅ 7 policies (latency, geo, weighted, etc.)
AWS Integration	❌ Manual IP/CNAME only	✅ Native (ALB, CloudFront, S3, API Gateway)
Availability	99.9% typical	100% SLA (globally distributed)
DDoS Protection	Basic	AWS Shield integrated
Pricing	Often "free" with domain	$0.50/zone/month + per-query

The Alias record is Route 53's most important feature for the exam. It's a Route 53-specific extension to DNS that resolves directly to AWS resources:

Alias Target	Example	Use Case
ELB (ALB/NLB/CLB)	example.com → my-alb-123.elb.amazonaws.com	Web apps behind load balancer
CloudFront Distribution	example.com → d111.cloudfront.net	CDN-fronted apps/static sites
S3 Website Endpoint	example.com → s3-website.us-east-1.amazonaws.com	Static website hosting
API Gateway	api.example.com → xyz.execute-api.us-east-1.amazonaws.com	Serverless APIs
Another Route 53 Record	example.com → (another record in same hosted zone)	Chaining routing policies
Global Accelerator	example.com → abc.awsglobalaccelerator.com	Global TCP/UDP acceleration
Elastic Beanstalk	example.com → my-env.region.elasticbeanstalk.com	Beanstalk environments
VPC Interface Endpoint	api.example.com → vpce-xyz.execute-api.us-east-1.vpce.amazonaws.com	Private API access

Feature	CNAME	Alias
Works at zone apex (example.com)	❌ No	✅ Yes
Free queries	❌ Charged normally	✅ Free (to AWS resources)
Auto-tracks resource IP changes	❌ No (static target)	✅ Yes (follows ALB/CF IPs)
Targets	Any hostname (AWS or non-AWS)	Only supported AWS services
Standard DNS	✅ Works everywhere	❌ Route 53 only
Health check support	❌ Not directly	✅ Yes (inherits target health)

A Hosted Zone is a container for DNS records for a specific domain. It's like a drawer in a filing cabinet — everything about example.com lives in one hosted zone. When you create a hosted zone, Route 53 assigns 4 nameservers to it.

Each hosted zone contains records — individual entries that tell Route 53 how to respond to queries. Know these for the exam:

Record Type	Maps To	Example	Use Case
A	IPv4 address	example.com → 192.0.2.44	Point domain to a server's IPv4 address
AAAA	IPv6 address	example.com → 2001:db8::1	Point domain to a server's IPv6 address
CNAME	Another domain name	www.example.com → example.com	Redirect one name to another (NOT at zone apex)
Alias	AWS resource (Route 53 extension)	example.com → my-alb.elb.amazonaws.com	Point to ALB, CloudFront, S3, etc. (works at apex)
MX	Mail server(s)	example.com → 10 mail.example.com	Route email to mail servers (lower priority number = higher preference)
TXT	Arbitrary text	example.com → "v=spf1 include:..."	Domain verification, SPF, DKIM, DMARC
NS	Nameservers for zone	example.com → ns-123.awsdns-45.com	Delegation — tells the internet which DNS servers are authoritative
SOA	Zone metadata	Serial, refresh, retry, expire, TTL	Administrative info about the zone (auto-created)
SRV	Service location	_sip._tcp.example.com → server:5060	Service discovery (port + priority + weight)
CAA	Certificate authorities	example.com → 0 issue "letsencrypt.org"	Control which CAs can issue SSL certs for your domain

TTL tells DNS resolvers how long to cache a response before asking again. It's the most misunderstood DNS concept — and a common exam topic:

Every DNS record in Route 53 has these components:

Component	Example	Purpose
Name	www.example.com	The domain name being queried
Type	A / AAAA / CNAME / Alias / MX / TXT	What kind of answer to give
Value	192.0.2.44 / d111.cloudfront.net	The actual answer (IP or hostname)
TTL	300 (seconds)	How long resolvers cache this answer
Routing Policy	Simple / Weighted / Latency / etc.	How to choose between multiple values
Health Check	Associated health check ID (optional)	Remove this record from answers if unhealthy

Every hosted zone is auto-created with two mandatory records:

Route 53 Resolver enables DNS resolution between your VPC and on-premises networks (or other VPCs). Essential for hybrid cloud architectures where EC2 instances need to resolve on-prem hostnames, and on-prem servers need to resolve VPC private DNS names.

DNS Firewall filters outbound DNS queries from your VPCs. It blocks queries to known-malicious domains (malware C2 servers, phishing) and can enforce allowlists for compliance.

Routing policies determine how Route 53 responds when a record has multiple possible answers. This is the most exam-tested topic in Route 53. Know all 7:

Policy	How It Works	Use Case	Health Check?
Simple	Returns one value (or random from multiple)	Single resource, no special routing needed	No
Weighted	Distribute traffic by percentage (weights)	A/B testing, gradual deployments (90%/10%)	Yes
Latency-based	Route to region with lowest latency for user	Global apps — send users to closest region	Yes
Failover	Primary + secondary. Switch on health check failure	Active-passive DR (primary fails → backup)	Yes (required)
Geolocation	Route based on user's geographic location	Content localization, legal restrictions by country	Yes
Geoproximity	Route based on geographic distance + bias	Shift traffic between regions with bias control	Yes
Multivalue Answer	Return up to 8 healthy IPs (client picks one)	Simple load balancing + health checking	Yes

The default. One record, one (or multiple) values. If multiple values exist, Route 53 returns all of them and the client picks randomly. No health checks — even if an IP is dead, it's still returned.

Assign numeric weights to multiple records. Route 53 returns answers proportional to their weight. Total doesn't need to be 100 — it's relative.

Use cases: A/B testing (send 10% to new version), blue-green deployments (gradually shift from 100/0 to 0/100), load distribution across regions.

Route 53 measures latency between the user's DNS resolver and each AWS region, then returns the record with the lowest latency. This is NOT geographic distance — it's actual network latency.

Active-passive failover. You define a Primary and a Secondary record. Route 53 returns Primary unless its health check fails — then it automatically returns Secondary. Health check is mandatory on the primary.

Routes based on the physical location of the user (continent, country, or US state). Unlike latency-based, this is about where you are, not what's fastest.

Like geolocation but with a bias dial. You can shift traffic toward or away from regions by adjusting the bias value (-99 to +99). Requires Route 53 Traffic Flow (visual policy editor).

Traffic Flow is a visual policy editor for building complex routing trees — combining multiple policies (geoproximity + weighted + failover) into a single reusable policy.

Feature	Detail
What it does	Visual drag-and-drop editor for complex routing policies
Cost	$50/month per traffic policy record (on top of standard Route 53 pricing)
Required for	Geoproximity routing (bias). Complex multi-level routing trees.
NOT required for	Simple, Weighted, Latency, Failover, Geolocation, Multivalue
Versioning	Policies are versioned — roll back to previous versions
Reusable	One policy can be applied to multiple DNS names

Returns up to 8 healthy records to the client. The client picks one randomly. It's like a simple round-robin but with health checks — unhealthy IPs are excluded from answers.

If the Exam Says…	Use	Why
"Route to closest/fastest region"	Latency-based	Picks lowest network latency, not geo distance
"Active-passive DR failover"	Failover	Primary + secondary with health check
"A/B testing, canary deployment"	Weighted	Control % of traffic to each version
"EU users must use EU servers (compliance)"	Geolocation	Routes by physical location, not performance
"Shift traffic between regions with bias"	Geoproximity	Distance + adjustable bias (Traffic Flow required)
"Client-side load distribution with health"	Multivalue Answer	Returns up to 8 healthy IPs
"One domain, one server, nothing fancy"	Simple	Default. No health check. Just one answer.

Route 53 health checks monitor the health of your endpoints and automatically remove unhealthy records from DNS responses. They're the mechanism that powers failover, weighted, latency, and multivalue routing.

Setting	Options	Default	Notes
Protocol	HTTP, HTTPS, TCP	HTTP	HTTPS validates SSL cert. TCP = port open check only.
Port	Any (1–65535)	80	Must match your application port
Path	Any URL path (HTTP/HTTPS)	/	Use /health or /status endpoint
Interval	30s (standard) or 10s (fast)	30s	Fast = 3× cost but detects failures faster
Failure Threshold	1–10 consecutive failures	3	Unhealthy after N consecutive failures
String Matching	Search response body (first 5120 bytes)	Disabled	Body must contain specified string to be healthy
Regions	Choose which regions check from	All recommended	Minimum 3 regions required

Route 53 health checkers live on the public internet — they cannot reach private IP addresses in your VPC. For private resources, use this pattern:

Health Check Type	Cost	Notes
Endpoint (AWS)	$0.50/month	Endpoints within AWS regions
Endpoint (non-AWS)	$0.75/month	On-premise or other cloud endpoints
Fast interval (10s)	Additional $1.00/month	vs standard 30s interval
String matching	Additional $1.00/month	Check body content for specific string
HTTPS	Additional $1.00/month	TLS connection required
Calculated	$1.00/month	Combines child health checks

Route 53 is also a domain registrar — you can buy domain names directly (example.com, myapp.io, etc.). When you register through Route 53, it automatically creates a hosted zone and assigns nameservers.

Step	Action	Notes
1	Unlock domain at current registrar	Remove transfer lock/hold
2	Get authorization code (EPP code)	Current registrar provides this
3	Initiate transfer in Route 53 console	Enter domain + auth code
4	Confirm email (ICANN requirement)	Sent to registrant email on record
5	Wait (up to 7 days)	Current registrar can approve or let it auto-approve
6	Route 53 creates hosted zone automatically	NS records set up. Done!

Route 53 integrates natively with nearly every AWS service that exposes an endpoint. The Alias record is what makes this seamless — it resolves to AWS resources without extra DNS hops, free of charge.

Scenario	Route 53 Record	Target	Notes
Web app behind load balancer	Alias (A)	ALB DNS name	Auto-tracks ALB IP changes
Static site with custom domain + HTTPS	Alias (A)	CloudFront distribution	ACM cert in us-east-1 required
Static site (HTTP only, simple)	Alias (A)	S3 website endpoint	Bucket name = domain name
REST API with custom domain	Alias (A)	API Gateway custom domain	Edge or Regional API
Email routing	MX	Mail server DNS names	Priority + hostname
Domain verification (SSL/SES)	CNAME or TXT	Verification token	ACM auto-creates if using Route 53
Internal service discovery	A (Private HZ)	Private IP / ENI	Private hosted zone associated with VPC

Primary region runs full application. If health check fails → Route 53 failover routes traffic to a static S3 "sorry" page or a warm standby in another region.

Use weighted routing to gradually shift traffic from the old version to the new version:

Phase	Blue (v1) Weight	Green (v2) Weight	Traffic Split
Start	100	0	100% → v1
Canary	90	10	90% v1, 10% v2 (test)
Expand	50	50	50/50 split
Complete	0	100	100% → v2
Rollback?	100	0	Instant rollback → back to v1

Scenario	Solution	Routing Policy
"Global app — users in US should have low latency, EU users too"	Deploy in us-east-1 + eu-west-1. Route 53 latency routing with health checks.	Latency
"DR — if primary region fails, serve maintenance page"	Failover: Primary = ALB. Secondary = S3 static site.	Failover
"Static website with custom domain + HTTPS"	Route 53 Alias → CloudFront → S3. ACM cert in us-east-1.	Simple (Alias)
"Gradually roll out new version to 10% of users"	Weighted routing: old=90, new=10. Health checks on both.	Weighted
"Legal: EU users MUST hit EU servers"	Geolocation routing: EU → eu-west-1 ALB. Default → us-east-1.	Geolocation
"Internal microservices communicate by name"	Private Hosted Zone associated with VPC. A records for each service.	Simple (Private)