Amazon Route 53 Resolver endpoints now support DNS-over-HTTPS (DoH) with Server Name Indication (SNI) validation

Posted on: Oct 4, 2024

Starting today, you can provide Server Name Indication (SNI) with Route 53 Resolver endpoints for DNS-over-HTTPS (DoH), allowing you to specify the target server hostname for DNS query requests from your outbound endpoints to DoH servers that require SNI for TLS validation.

DoH on Amazon Route 53 Resolver endpoints allows you to encrypt DNS queries that pass through the endpoints and improve privacy by minimizing the visibility of the information exchanged through the queries. With this launch, you can now specify the hostname with your outbound endpoint configuration to perform TLS handshakes for your DNS requests from the outbound endpoints to the DoH server. Enabling SNI validation for your DoH Resolver endpoints also helps you meet regulatory and business compliance requirements, such as those described in the memorandum of the US Office of Management and Budget, where outbound DNS traffic must be addressed to Cybersecurity and Infrastructure Security Agency (CISA) Protective DNS, which requires SNI hostname validation for a successful TLS handshake.

Resolver endpoint support for DoH with SNI is available in all Regions where Route 53 is available, including the AWS GovCloud (US) Regions. Visit the AWS Region Table to see all AWS Regions where Amazon Route 53 is available.

You can get started by using the AWS Console or Route 53 API. For more information, visit the Route 53 Resolver product detail page and service documentation. For details on pricing, visit the pricing page.
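The following shell snippet is an added example, not AWS's own code or documentation. It assembles the `--target-ips` argument for an outbound forwarding rule that uses DoH and carries an SNI hostname, and checks that the hostname is a DNS name (not an IP literal) before it is sent, since the Resolver will present that value in the TLS ClientHello and validate the server certificate against it. The shorthand field names `Ip`, `Port`, `Protocol` and `ServerNameIndication` are assumed to match the Route 53 Resolver `TargetAddress` shape; confirm them against the API reference for your CLI version. The IP address and hostname used are constructed placeholders.

```shell
#!/bin/sh
# Added example (not AWS documentation). Field names in the target spec are
# assumed to follow the Route 53 Resolver TargetAddress shape; verify them
# against the API reference before use.

# Reject values that cannot be a valid SNI hostname: empty, longer than 253
# octets, characters outside [A-Za-z0-9.-], a leading/trailing dot or a
# leading hyphen, an empty label, or a bare IPv4 literal (SNI carries DNS
# names, and a certificate issued for an IP would not match a hostname check).
# Returns 0 when the value is acceptable, 1 otherwise.
validate_sni_hostname() {
  h="$1"
  [ -n "$h" ] || return 1
  [ "${#h}" -le 253 ] || return 1
  case "$h" in
    *[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
  esac
  # A value made only of digits and dots is an IPv4 literal, not a hostname.
  case "$h" in
    *[!0-9.]*) ;;
    *) return 1 ;;
  esac
  return 0
}

# Build one TargetAddress entry in AWS CLI shorthand syntax.
# Arguments: <target-ip> <sni-hostname>. DoH targets use TCP/443.
build_doh_target() {
  ip="$1"; sni="$2"
  validate_sni_hostname "$sni" || return 1
  printf 'Ip=%s,Port=443,Protocol=DoH,ServerNameIndication=%s\n' "$ip" "$sni"
}

# Print (do not run) the create-resolver-rule invocation. The endpoint ID and
# domain are placeholders; the real call needs credentials and existing IDs.
show_create_rule_command() {
  target=$(build_doh_target "$1" "$2") || return 1
  printf 'aws route53resolver create-resolver-rule \\\n'
  printf '  --creator-request-id "doh-sni-%s" \\\n' "$(date +%s)"
  printf '  --name "forward-to-protective-dns" \\\n'
  printf '  --rule-type FORWARD \\\n'
  printf '  --domain-name "." \\\n'
  printf '  --resolver-endpoint-id "rslvr-out-PLACEHOLDER" \\\n'
  printf '  --target-ips "%s"\n' "$target"
}

# Constructed sample values: TEST-NET-3 address and an example hostname.
show_create_rule_command "203.0.113.10" "pdns.example.gov"
```

The hostname check runs before any API call so that a typo or an IP literal in the SNI field is caught locally rather than surfacing later as a TLS handshake failure on the outbound endpoint.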