How can I use and override reverse DNS rules with Route 53 Resolver?

Last updated: 2020-07-02

How can I use and override auto-defined reverse DNS rules with Amazon Route 53 Resolver?


To use Resolver rules:

After "DNSHostname" is enabled, Resolver automatically creates auto-defined system rules that define how queries for selected domains are resolved by default. To override an auto-defined rule, create a forwarding rule (Resolver rule) for the domain name. Reverse DNS name resolution with Resolver depends on auto-defined rules, Resolver rules, and private hosted zone configurations.

The Amazon-provided DNS resolver evaluates the "most specific domain name" rule in the following priority order:

  • Resolver rules – Rules that are manually configured for the domain name that the Resolver forwards to the target IP address.
  • Rules for private hosted zones – For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the DNS resolver of the VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with each VPC's DNS resolver.
  • Auto-defined rules for reverse DNS – Resolver creates auto-defined rules for reverse DNS lookup and localhost-related domains when you set "enableDnsHostnames" for the associated VPC to "true."

Rules apply to the CIDR block ranges of a VPC and all connected VPCs with DNS support enabled. Resolver creates the most generic rules possible given the CIDR block range.

Example of how to override auto-defined rules

The resources in this example are as follows:

  • DNS query source VPC1 with CIDR
  • DNSHostname attribute = Enabled
  • DNSSupport attribute = Enabled
  • Connected VPC2 (connected through a transit gateway or VPC peering with DNS support enabled) with CIDR
  • VPC DNS resolver = Amazon-provided DNS resolver
  • Route 53 Resolver outbound endpoint with connectivity to (DNS server located in another network)

The following auto-defined system rules were then created by Resolver:

  • Rules for private IP addresses:
  • Rules for VPC1 CIDR:
  • Rules for VPC2 CIDR (Peered VPC): through

The DNS resolution requirements for the environment where queries are forwarded are:

Priority number | CIDR for reverse DNS query | Destination DNS server
1               |                            | (another network)
2               | except                     | Amazon-provided DNS resolver
3               |                            | Private hosted zone
4               | except all of the above    | (another network)

The following steps achieve the preceding configuration:
Note: The source performing the DNS query is VPC1 and all requests are sent to the Amazon-provided DNS IP address.

  1. Because the IP address range is part of VPC1 CIDR, there are auto-defined system rules that apply to this IP address range. Create a Resolver rule for domain to override the auto-defined system rule for IP addresses in the range. Set the target IP address to
  2. For IP addresses in the except range, auto-defined system rules are available. The Amazon-provided DNS resolver resolves these DNS queries.
  3. For IP addresses in the range, there's already an auto-defined most specific rule available for VPC2 CIDR. However, because rules for private hosted zones have higher priority over auto-defined rules, a private hosted zone for domain name must be created.
  4. Create a Resolver rule for domain name This rule sends reverse DNS queries for IP addresses in the range (except IP addresses in the and ranges) to a DNS server in another network with an IP address of The rule also overrides the auto-defined system rule.

The following rules now meet the requirements and are considered by the Resolver based on priority:

  • Custom Resolver rules: and
  • Rule created for private hosted zone:

Reverse DNS queries for IP addresses in the range are resolved according to Resolver rule priority. The rule for the private hosted zone and the auto-defined rules, evaluated under the most specific domain name rule, are as follows:

Priority number | IP address range for reverse DNS query | Destination DNS server
1               |                                        | By using "most specific Resolver rule"
2               | except                                 | By Amazon-provided DNS resolver using default rules ("most specific system rule")
3               |                                        | By Amazon-provided DNS resolver using default rules created for the private hosted zone
4               | except all of the above                | By using Resolver rule (There are no other more specific rules available. Resolver rule with domain name has higher priority over auto-defined rules for the same domain name.)
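The selection logic described in the priority list above (most specific domain name first; for the same domain name, Resolver rule over private hosted zone rule over auto-defined rule) and the four override steps can be modelled so that the outcome for any source IP can be checked before rules are changed in a VPC. The following Python is an added example, not AWS code and not the article's own configuration: the CIDRs (10.1.0.0/16 for VPC1, 10.2.0.0/16 for the peered VPC2), the reverse domain names derived from them and the forwarding target 192.0.2.53 are constructed stand-ins for the article's values, and the auto-defined rules for 10.in-addr.arpa and 168.192.in-addr.arpa are assumed private-address rules. The octet-boundary splitting in auto_defined_domains is this example's reading of "the most generic rules possible given the CIDR block range", so it also shows what a CIDR that is not octet-aligned (a /20) expands to.

```python
"""Model of how Route 53 Resolver picks a rule for a reverse DNS (PTR) query.

Constructed example: every CIDR, domain name and target IP below is made up
for illustration and is not a value from the article or from AWS.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Tie-break order for rules that share the same domain name (from the article):
# Resolver (forwarding) rules, then private hosted zone rules, then auto-defined rules.
KIND_PRIORITY = {"resolver": 0, "phz": 1, "auto": 2}


@dataclass(frozen=True)
class Rule:
    domain: str   # e.g. "1.10.in-addr.arpa"
    kind: str     # "resolver" | "phz" | "auto"
    target: str   # forwarding target IP, or a label for where the query ends up


def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4 address, e.g. 10.1.0.7 -> 7.0.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def auto_defined_domains(cidr: str) -> list[str]:
    """Reverse domains needed to cover an IPv4 CIDR with the fewest rules (assumed model).

    in-addr.arpa delegation works on octet boundaries, so a /16 becomes one
    domain while a /20 needs sixteen /24-sized domains.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    octet_prefix = -(-net.prefixlen // 8) * 8          # round prefix up to a multiple of 8
    subnets = [net] if octet_prefix == net.prefixlen else net.subnets(new_prefix=octet_prefix)
    domains = []
    for sub in subnets:
        octets = str(sub.network_address).split(".")[: octet_prefix // 8]
        domains.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return domains


def matches(rule: Rule, qname: str) -> bool:
    """A rule applies when its domain equals the query name or is a parent of it."""
    return qname == rule.domain or qname.endswith("." + rule.domain)


def select_rule(rules: list[Rule], ip: str) -> Optional[Rule]:
    """Most specific domain (most labels) wins; same domain -> resolver > phz > auto."""
    qname = reverse_name(ip)
    candidates = [r for r in rules if matches(r, qname)]
    if not candidates:
        return None          # no rule: the query is not covered by any of the three rule types
    return max(candidates, key=lambda r: (r.domain.count("."), -KIND_PRIORITY[r.kind]))


def build_rules() -> list[Rule]:
    """Constructed environment mirroring the article's four override steps."""
    # Assumed auto-defined rules for private address space.
    rules = [Rule("10.in-addr.arpa", "auto", "AmazonProvidedDNS"),
             Rule("168.192.in-addr.arpa", "auto", "AmazonProvidedDNS")]
    # VPC1 and peered VPC2 both have DNS hostnames enabled, so their CIDRs get auto rules.
    for cidr in ("10.1.0.0/16", "10.2.0.0/16"):
        rules += [Rule(d, "auto", "AmazonProvidedDNS") for d in auto_defined_domains(cidr)]
    rules += [
        Rule("0.1.10.in-addr.arpa", "resolver", "192.0.2.53"),  # step 1: slice of VPC1 CIDR -> other network
        Rule("2.10.in-addr.arpa", "phz", "PrivateHostedZone"),  # step 3: PHZ outranks auto rule for VPC2 CIDR
        Rule("10.in-addr.arpa", "resolver", "192.0.2.53"),      # step 4: rest of 10/8 -> other network
    ]
    return rules


if __name__ == "__main__":
    rules = build_rules()
    for ip in ("10.1.0.7", "10.1.5.9", "10.2.3.4", "10.100.1.1", "192.168.1.1", "172.16.0.1"):
        r = select_rule(rules, ip)
        print(ip, "->", f"{r.kind} rule {r.domain} -> {r.target}" if r else "no matching rule")
```

Running the block prints one line per sample address: 10.1.0.7 goes to the forwarding target via the /24 Resolver rule, 10.1.5.9 stays with the Amazon-provided resolver because the auto-defined rule for VPC1 is more specific than the 10.in-addr.arpa forwarding rule, 10.2.3.4 lands on the private hosted zone, and 10.100.1.1 is forwarded by the broad Resolver rule that outranks the auto-defined rule of the same name.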