Amazon Route 53 Global Resolver (Preview)
Secure anycast DNS resolution of private and public domains
What is Amazon Route 53 Global Resolver?
Amazon Route 53 Global Resolver (preview) is a managed anycast DNS resolver service that simplifies how you route and secure DNS traffic from on-premises data centers, branch offices, and remote clients. Route 53 Global Resolver offers network and security administrators a highly available unified solution to resolve queries for both public internet domains and private domains hosted on Amazon Route 53.
Route 53 Global Resolver includes built-in security controls to help prevent DNS exfiltration and unauthorized access to domains on the internet. This service offers DNS traffic filtering, support for encrypted queries, and centralized logging to detect and block malicious or unsanctioned activity. Route 53 Global Resolver delivers reliable and secure DNS resolution for your distributed infrastructure, helping you reduce operational overhead and meet compliance objectives.
Benefits
- Simplify public and private domain resolution with a DNS resolver accessible from anywhere via the internet
- Secure DNS query traffic with DNS filtering controls, in-transit encryption, and centralized logging
- Easy failover between Regions for improved availability
Use cases
- Simplify split DNS configurations for resolving queries to public and private domains
- Improve security posture by blocking queries to malicious domains on the internet and logging all query activity
- Multi-Region availability
Route 53 offers two resolver services with distinct purposes. Global Resolver is an anycast DNS resolver that is globally reachable over the internet from anywhere, supports encrypted DNS queries (via DoH or DoT), and is designed for on-premises clients and multi-Region deployments that need secure resolution of both private and public domains. In contrast, VPC Resolver (formerly Route 53 Resolver) is the default recursive resolver for your Amazon VPCs in every Region; it is accessible to VPC-hosted clients, or through private connections such as VPN or Direct Connect via Resolver endpoints, and DNS encryption is available only for hybrid queries over those endpoints.
Route 53 Global Resolver is a DNS resolver that is globally reachable from anywhere over the internet, enabling you to resolve and forward traffic for both public and private domains while helping to ensure the security and authenticity of queries sent over the internet. Global Resolver helps enterprises simplify resolution of queries made from on-premises data centers, branch offices, and remote clients to public domains and to private domains associated with Route 53 private hosted zones on AWS, by offering a unified solution reachable over global anycast IPs. Global Resolver also helps secure DNS queries for clients by offering encrypted DNS connectivity (DNS-over-HTTPS or DNS-over-TLS) and capabilities to govern and block queries to potentially malicious and low-reputation domains.
Global Resolver should be used by network administrators who are responsible for managing DNS resolution and connectivity for clients and for enforcing DNS filtering policies that comply with organizational security mandates. Global Resolver also helps network administrators reduce the cost of operating custom DNS forwarders used to forward and split DNS traffic directed to public and private domains.
Global Resolver provides customers three key benefits:
- Simplify DNS resolution – Global Resolver helps customers simplify DNS resolution and forwarding of queries made by clients to public domains on the internet and to private domains associated with Route 53 private hosted zones hosted by the customer, by minimizing the management, cost, and complexity required to configure and maintain customer forwarding solutions.
- Improved security posture – Global Resolver enables administrators to improve their organization’s overall security posture by enforcing policies consistently for clients on-premises, in branch offices, or working remotely, to govern and filter DNS queries to potentially malicious or low-reputation domains. Customers also get continuous access to user query logs, allowing them to generate detailed reports that help audit query activity and compliance with security and business mandates. Global Resolver simplifies security operations for networking and security teams by providing a single place to configure, audit, and enforce policies for all clients.
- Global availability – Customers can configure Global Resolver to be in multiple AWS Regions, to help respond to customer queries from anywhere, while optimizing for the closest geographic location and latency.
Customers can get started with Global Resolver in five easy steps:
- Select the AWS Region(s) where Global Resolver will be instantiated.
- Select the authentication mechanism – access source (IP ACLs) and/or access token – to identify and authenticate clients. For both authentication options, customers must also select the protocol (Do53, DoH, or DoT). Customers may select one or more protocols for different sets of IP ranges.
- Configure DNS filtering rules by specifying the domain list and any advanced DNS protections to apply, along with the action (allow, block, alert) and the rule priority.
- Identify the Route 53 private hosted zones to forward traffic to.
- (Optional) Configure logging by specifying the logging destination (Amazon S3, Amazon Data Firehose, or Amazon CloudWatch) and the AWS Region where the logs will be stored.
Yes. Global Resolver can be used by customers that are on VPN and corporate networks.
Yes. Customers can instantiate the service across two or more AWS Regions, or across all available Regions. Of the Regions instantiated by the customer, the service will resolve the query from the geographically closest one. Authenticated customer devices can reach Global Resolver over DNS-over-UDP, DNS-over-HTTPS, or DNS-over-TLS connections to a pair of customer-specific, publicly routable IPv4 global anycast IP addresses.
Global Resolver will support two authentication mechanisms:
- Token-based authentication for DoH and DoT.
- ACL-based IP and CIDR allowlisting for Do53, DoT, or DoH.
Administrators can establish a Global Resolver instance and generate unique access tokens for various clients in their organization. These tokens offer flexible management options, including customizable expiration periods and the choice between shared or individual tokens. Administrators can easily create new tokens, or revoke specific tokens as needed. Global Resolver employs a robust authentication process, validating each token claim before processing DNS queries.
Requests accompanied by valid tokens are permitted, while those with invalid claims are promptly rejected, helping to ensure secure and controlled access to DNS resolution services.
ACL-based allowlisting lets administrators control access to Global Resolver by defining which source IP addresses or CIDR ranges can use the service. For each allowlisted entry, administrators can specify which DNS protocols (Do53, DoT, or DoH) are permitted. When network access requirements change, administrators can easily update or remove IP addresses and CIDR ranges from the allowlist to maintain security.
Global Resolver's DNS filtering capability leverages the same proven functionality as Route 53 Resolver DNS Firewall. Administrators create an ordered list of DNS filtering rules, each specifying an action (ALLOW, BLOCK, or ALERT) and matching criteria for the domain(s). When a DNS query arrives, Global Resolver evaluates it against the rules, in priority order, until a match is found. Each rule can reference Route 53 Managed Domain Lists for known threats, custom domain lists created by administrators, or advanced threat protection. For Managed Domain Lists, administrators can filter based on domain lists classified by web content (e.g., gaming, social media) and by DNS threats such as malware, spam, or phishing. For BLOCK actions, administrators can configure custom responses, returning NXDOMAIN, NODATA, or a specific DNS response. ALERT actions let the query through while logging it for security review.
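The two mechanisms described above, client authentication (allowlisted source IP/CIDR with per-entry protocols, or a token that can expire or be revoked) followed by priority-ordered rule evaluation with ALLOW, BLOCK and ALERT actions and custom block responses, are modelled together in this added Python example. It is not AWS code: the allowlist, token store, rule set, domain-list matching semantics (a plain entry matches exactly, a `*.` entry matches any subdomain) and the `REFUSED`/`RESOLVE`/`OVERRIDE` result labels are all constructed for illustration.

```python
"""Toy model of authenticate-then-filter DNS handling. Added example, not AWS
code; every data shape and sample value below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: each entry permits a set of protocols for one CIDR.
ACL = [
    (ipaddress.ip_network("203.0.113.0/24"), {"Do53", "DoT", "DoH"}),
    (ipaddress.ip_network("198.51.100.0/24"), {"DoT", "DoH"}),  # encrypted only
]

# Constructed token store: token -> (expiry as epoch seconds, revoked flag).
TOKENS = {
    "tok-branch-office": (1_700_003_600, False),
    "tok-old-laptop": (1_700_003_600, True),   # revoked by an administrator
    "tok-expired": (1_699_999_999, False),
}


def acl_permits(source_ip: str, protocol: str) -> bool:
    """True if some allowlist entry contains source_ip and permits protocol."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net and protocol in protos for net, protos in ACL)


def token_valid(token, protocol: str, now: int) -> bool:
    """Token authentication applies to DoH/DoT only; unknown, revoked and
    expired tokens are all rejected."""
    if protocol not in ("DoH", "DoT") or token not in TOKENS:
        return False
    expires, revoked = TOKENS[token]
    return not revoked and now < expires


@dataclass
class Rule:
    priority: int            # lower number is evaluated first (assumed ordering)
    action: str              # "ALLOW", "BLOCK" or "ALERT"
    domains: set             # domain list entries, e.g. {"*.example.com"}
    block_response: str = "NXDOMAIN"   # for BLOCK: NXDOMAIN, NODATA or OVERRIDE
    override_target: str = ""          # used when block_response == "OVERRIDE"


def domain_matches(qname: str, domains: set) -> bool:
    """Assumed list semantics: 'x.y' matches exactly, '*.x.y' matches subdomains."""
    name = qname.rstrip(".").lower()
    for entry in domains:
        entry = entry.rstrip(".").lower()
        if entry.startswith("*."):
            if name.endswith(entry[1:]):      # ".x.y" suffix => any subdomain
                return True
        elif name == entry:
            return True
    return False


def evaluate(qname: str, rules, log: list):
    """Walk rules in priority order; the first matching rule decides.
    Returns (disposition, override_target)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not domain_matches(qname, rule.domains):
            continue
        log.append({"qname": qname, "action": rule.action, "priority": rule.priority})
        if rule.action in ("ALLOW", "ALERT"):   # ALERT passes the query, only logged
            return "RESOLVE", None
        return rule.block_response, (rule.override_target or None)
    log.append({"qname": qname, "action": "NO_MATCH"})
    return "RESOLVE", None


# Constructed rule set: priority 10 allows one name that priority 20 would block.
RULES = [
    Rule(20, "BLOCK", {"*.example.com"}, "NXDOMAIN"),
    Rule(10, "ALLOW", {"intranet.example.com"}),
    Rule(30, "ALERT", {"*.social.example"}),
    Rule(40, "BLOCK", {"tracker.example", "*.tracker.example"}, "OVERRIDE", "sinkhole.example.net"),
]


def handle_query(source_ip, protocol, qname, token=None, now=1_700_000_000, rules=RULES, log=None):
    """Authenticate the client (ACL or token), then filter the query."""
    if log is None:
        log = []
    if not (acl_permits(source_ip, protocol) or token_valid(token, protocol, now)):
        log.append({"qname": qname, "action": "REFUSED", "source": source_ip})
        return "REFUSED", None
    return evaluate(qname, rules, log)


if __name__ == "__main__":
    audit = []
    for args in [("203.0.113.10", "Do53", "www.example.com"),
                 ("203.0.113.10", "Do53", "intranet.example.com"),
                 ("198.51.100.5", "Do53", "intranet.example.com"),
                 ("192.0.2.9", "DoH", "app.social.example", "tok-branch-office"),
                 ("192.0.2.9", "DoH", "app.social.example", "tok-old-laptop"),
                 ("203.0.113.10", "DoT", "cdn.tracker.example")]:
        print(args, "->", handle_query(*args, log=audit))
    for entry in audit:
        print(entry)
```

Two points the run makes visible: a client on 198.51.100.0/24 is refused over plain Do53 because that entry only permits encrypted protocols, and the ALLOW rule at priority 10 lets `intranet.example.com` through even though the broader BLOCK at priority 20 would otherwise catch it, which is why rule ordering deserves the same review as the domain lists themselves.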
Managed Domain Lists contain domain names that are associated with malicious activity or are otherwise not safe for work. AWS maintains these lists so that Route 53 Global Resolver customers can ensure outbound DNS queries avoid these threats. Managed Domain Lists are classified by web content (e.g., social media, gaming, adult sites, gambling) and by DNS threats (e.g., malware, phishing, spam, botnets).
Yes. Global Resolver offers advanced protection against sophisticated DNS-based threats. Specific security features include:
- Domain Generation Algorithm (DGA) detection: Global Resolver can identify and block queries to domains likely created by DGAs, which are commonly used by malware to evade detection and maintain communication with command-and-control servers.
- DNS tunneling detection: the service can detect and block attempts to use DNS as a covert channel for data exfiltration or command-and-control communication.
These advanced protection features are available as an opt-in option when configuring DNS Firewall rules. By enabling these protections, organizations can significantly enhance their defense against evolving and complex DNS-based threats, complementing traditional domain blocklists and content filtering.
Yes. Customers authenticating with Global Resolver are able to resolve private hosted zones (PHZs) across AWS Regions.
Yes, Global Resolver supports DNSSEC (Domain Name System Security Extensions) validation. When enabled, it verifies the authenticity and integrity of DNS responses from public nameservers for DNSSEC-signed domains. This validation ensures that DNS responses have not been tampered with in transit, providing an additional layer of protection against DNS spoofing and cache poisoning attacks. Administrators can enable or disable DNSSEC validation on a per-DNS-view basis, allowing for flexible security configurations.
Global Resolver is available in 11 commercial regions during preview. Customers have the option to have Global Resolver available in all these regions or pick specific regions.
Yes. Global Resolver will support EDNS Client Subnet (ECS) as an opt-in capability to forward the client subnet information received from clients. This feature allows for more accurate geography-based DNS responses, potentially resulting in lower-latency resolution of customer DNS queries by directing them to closer content delivery networks or servers.
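To make concrete what "forwarding the client subnet" carries on the wire, here is an added Python example (not AWS code) that builds and parses the EDNS Client Subnet option from RFC 7871 and embeds it in a DNS query's OPT record. The client addresses, the query name and the /24 and /56 prefix choices are constructed for illustration; the option layout (family, source prefix length, scope prefix length, truncated address) follows the RFC.

```python
"""Build and parse an EDNS Client Subnet (ECS, RFC 7871) option. Added
example, not AWS code; sample addresses are constructed."""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS option code assigned to Client Subnet
OPT_RR_TYPE = 41      # EDNS0 OPT pseudo-RR


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """Return the ECS option (code, length, payload). Only the first
    source_prefix_len bits of the address are sent; bits beyond the prefix
    are zeroed and trailing zero bytes omitted, as RFC 7871 section 6 requires."""
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    addr_bytes = net.network_address.packed[: (source_prefix_len + 7) // 8]
    # SCOPE PREFIX-LENGTH is 0 in queries; the authority fills it in replies.
    payload = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option: bytes):
    """Inverse of build_ecs_option. Returns (family, source_prefix_len,
    scope_prefix_len, network_as_text). Raises ValueError on malformed input,
    including an address that carries bits beyond its stated prefix."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, src, scope = struct.unpack("!HBB", option[4:8])
    addr = option[8:]
    full_len = {1: 4, 2: 16}.get(family)
    if full_len is None or src > full_len * 8 or len(addr) != (src + 7) // 8:
        raise ValueError("address length inconsistent with family/prefix")
    padded = addr + b"\x00" * (full_len - len(addr))
    cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    net = cls((padded, src))      # strict=True: rejects non-zero host bits
    return family, src, scope, str(net)


def ecs_option_is_valid(option: bytes) -> bool:
    """Convenience predicate around parse_ecs_option."""
    try:
        parse_ecs_option(option)
        return True
    except ValueError:
        return False


def build_query_with_ecs(qname: str, client_ip: str, prefix_len: int, qid: int = 0x1234) -> bytes:
    """A minimal A/IN query carrying the ECS option in its OPT record."""
    # Header: id, flags (RD set), 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rdata = build_ecs_option(client_ip, prefix_len)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


if __name__ == "__main__":
    for ip, plen in [("203.0.113.77", 24), ("203.0.113.77", 22), ("2001:db8:85a3::8a2e:370:7334", 56)]:
        opt = build_ecs_option(ip, plen)
        print(ip, plen, opt.hex(), parse_ecs_option(opt))
    print(len(build_query_with_ecs("example.com", "203.0.113.77", 24)), "byte query")
```

Note that the address is truncated, not merely masked: a /24 IPv4 client sends three address bytes and a /56 IPv6 client sends seven, so a resolver that forwards ECS discloses only the prefix its policy allows. RFC 7871 recommends a default of /24 for IPv4 and /56 for IPv6, and a validating parser should reject an option whose address bytes carry bits beyond the stated prefix, as `parse_ecs_option` does.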
Global Resolver has multiple mechanisms in place to mitigate DDoS threats:
- Global Resolver relies on AWS Shield to protect against DDoS attacks.
- Global Resolver also has a custom dynamic DDoS implementation using top-talker metrics and rate limits based on dynamic rules updated by the Route 53 service team at the time of any impact. This allows Global Resolver to respond quickly to a high volume or rate of failures from specific source IPs.
Global Resolver also applies default throttling and load shedding.