Mastering AWS Route 53 Public Hosted Zones

Using Route 53 public hosted zones

Route 53 public hosted zones are the backbone of Internet-facing connectivity in AWS. They act as the authoritative source for DNS queries coming from the public web, directing users to your resources globally.

Learning Objectives

After studying this guide, you should be able to:

  • Define and create a Public Hosted Zone in Route 53.
  • Differentiate between Public and Private hosted zones.
  • Identify the default records created by AWS (NS and SOA).
  • Configure various resource record types (A, AAAA, MX, Alias).
  • Implement query logging to monitor DNS traffic via CloudWatch.

Key Terms & Glossary

  • Hosted Zone: A container for records that determine how you want to route traffic for a domain and its subdomains.
  • Authoritative DNS: A DNS server that actually holds the DNS records for a specific domain.
  • NS Record (Name Server): Identifies the name servers that are authoritative for a hosted zone.
  • SOA Record (Start of Authority): Contains information about the domain and the corresponding Route 53 hosted zone (e.g., admin email, serial number).
  • Alias Record: An AWS-specific record type that routes traffic to AWS resources (like ELBs or S3 buckets) without a performance penalty.

The "Big Idea"

Think of a Public Hosted Zone as a digital phonebook for the entire world. While a VPC-based private zone is like an internal office directory, the public zone is what allows any user on the planet to find your application by typing a URL into their browser. It is the bridge between human-readable domain names and the machine-readable IP addresses of your global infrastructure.

Formula / Concept Box

Record Type | Purpose                                | Example Value
A           | Maps a hostname to an IPv4 address     | 192.0.2.1
AAAA        | Maps a hostname to an IPv6 address     | 2001:db8::1
CNAME       | Maps one hostname to another hostname  | app.example.com
Alias       | AWS-specific; maps to AWS resource DNS | d123.cloudfront.net
MX          | Specifies mail servers for the domain  | 10 mail.example.com

Hierarchical Outline

  1. Foundations of Public Hosted Zones
    • Creation: Occurs automatically during Domain Registration or manually for transferred domains.
    • Authoritative Source: Responds to queries from the public internet.
    • Global Nature: Route 53 is a global service; it does not reside in a single VPC or Region.
  2. Critical Records
    • NS Records: Four unique name servers provided by AWS to ensure high availability.
    • SOA Records: Metadata about the zone and refresh intervals.
  3. Traffic Management
    • Routing Policies: Latency, Weighted, Multivalue, and Geolocation.
    • Health Checks: Integration to skip unhealthy endpoints.
  4. Operations & Security
    • Query Logging: Sending DNS query logs to CloudWatch Logs.
    • DNSSEC: Enabling cryptographic signing for DNS integrity.

Visual Anchors

Public DNS Resolution Flow

Route 53 Service Hierarchy

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, fill=blue!10, text centered, rounded corners, minimum height=1cm, minimum width=3cm}]
  \node (r53) {Route 53};
  \node (phz) [below left of=r53, xshift=-1cm] {Public Hosted Zone};
  \node (vhz) [below right of=r53, xshift=1cm] {Private Hosted Zone};
  \node (internet) [below of=phz] {Internet Facing};
  \node (vpc) [below of=vhz] {VPC Internal};
  \draw[->, thick] (r53) -- (phz);
  \draw[->, thick] (r53) -- (vhz);
  \draw[->, dashed] (phz) -- (internet);
  \draw[->, dashed] (vhz) -- (vpc);
\end{tikzpicture}

Definition-Example Pairs

  • Alias Record: A pointer to an AWS resource that Route 53 recognizes internally.
    • Example: Instead of using a CNAME to point www.example.com to an ALB DNS name, use an Alias A record. This allows the root domain (example.com) to point to the ALB, which is normally not allowed with standard CNAMEs.
  • TTL (Time to Live): The duration a recursive resolver should cache a DNS query result.
    • Example: Setting a TTL of 60 seconds for a record you plan to change soon ensures traffic migrates to the new IP quickly.

Worked Examples

Scenario: Configuring Query Logging

Goal: Monitor who is querying your public domain to detect potential DDoS or unauthorized access attempts.

  1. Navigate: Open Route 53 Console > Hosted Zones > Select your domain.
  2. Configure: Locate "Configure query logging" in the zone details.
  3. Log Group: Select an existing CloudWatch Log Group or create a new one (e.g., /aws/route53/example.com).
  4. Permissions: AWS may prompt you to update the Resource Policy. Click "Grant Permissions" to allow Route 53 to write to CloudWatch.
  5. Verification: After 5-10 minutes, check CloudWatch Logs to see incoming DNS queries including timestamp, client IP, and query type.
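Once the logs land in CloudWatch they arrive in a fixed, space-separated format; the parser and two simple detections below are an added example, not part of the study guide. The log lines are constructed samples, and the IP address in each line is that of the recursive resolver that asked Route 53 (the end user's network appears only in the EDNS Client Subnet field, when the resolver forwards it).

```python
"""Route 53 public query log parsing with two simple detections (added example,
not from the study guide). Lines are constructed samples in the documented
Route 53 query log format, version 1.0:
version timestamp zone-id qname qtype rcode protocol edge resolver-ip edns-subnet"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE_LOG = """\
1.0 2024-05-01T10:00:01.000Z Z0000000000EXAMPLE example.com A NOERROR UDP IAD12 198.51.100.7 203.0.113.0/24
1.0 2024-05-01T10:00:02.000Z Z0000000000EXAMPLE www.example.com A NOERROR UDP IAD12 198.51.100.7 -
1.0 2024-05-01T10:00:03.000Z Z0000000000EXAMPLE mail.example.com MX NOERROR TCP FRA6 198.51.100.9 -
1.0 2024-05-01T10:00:03.500Z Z0000000000EXAMPLE admin.example.com A NXDOMAIN UDP IAD12 192.0.2.44 -
1.0 2024-05-01T10:00:03.600Z Z0000000000EXAMPLE dev.example.com A NXDOMAIN UDP IAD12 192.0.2.44 -
1.0 2024-05-01T10:00:03.700Z Z0000000000EXAMPLE vpn.example.com A NXDOMAIN UDP IAD12 192.0.2.44 -
1.0 2024-05-01T10:00:04.000Z Z0000000000EXAMPLE example.com AAAA NOERROR UDP SEA19 198.51.100.7 -
"""

@dataclass
class QueryLogEntry:
    timestamp: str
    zone_id: str
    qname: str
    qtype: str
    rcode: str
    protocol: str
    edge: str           # Route 53 edge location that answered (airport code + number)
    resolver_ip: str    # the recursive resolver that asked Route 53, not the end user
    client_subnet: str  # EDNS Client Subnet if the resolver forwarded one, else "-"

def parse_line(line: str) -> QueryLogEntry:
    fields = line.split()
    if len(fields) != 10 or fields[0] != "1.0":
        raise ValueError(f"unexpected query log line: {line!r}")
    return QueryLogEntry(*fields[1:])

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def nxdomain_bursts(entries, threshold: int = 3) -> dict:
    """Resolvers with >= threshold NXDOMAIN answers: either a client behind them
    is guessing names that do not exist, or something is badly misconfigured."""
    per_ip = defaultdict(Counter)
    for e in entries:
        per_ip[e.resolver_ip][e.rcode] += 1
    return {ip: c["NXDOMAIN"] for ip, c in per_ip.items() if c["NXDOMAIN"] >= threshold}

def top_resolvers(entries, n: int = 3) -> list:
    """Query volume per resolver; a sudden jump here is the first sign of a flood."""
    return Counter(e.resolver_ip for e in entries).most_common(n)
```

In practice the same functions run over lines pulled from the log group with CloudWatch Logs Insights or a subscription filter, with thresholds tuned to the zone's normal query volume.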

Checkpoint Questions

  1. What are the two records Route 53 creates automatically when a new hosted zone is generated?
  2. Why would an architect choose an Alias record over a CNAME record for an S3 static website?
  3. True or False: Route 53 public hosted zones are associated with a specific VPC.
  4. How many name servers (NS) are typically assigned to a public hosted zone for redundancy?
Answers
  1. NS (Name Server) and SOA (Start of Authority).
  2. Alias records are free of charge for AWS resources, support the zone apex (root domain), and offer better performance.
  3. False. Public zones are global and accessible via the internet. Private zones are associated with VPCs.
  4. Four (4).

Muddy Points & Cross-Refs

  • Zone Apex Limitation: Many students are confused about why a CNAME cannot be used for the "naked" domain (e.g., example.com). Cross-Ref: Review RFC 1035. Route 53 solves this using Alias Records.
  • Global vs. Regional: While Route 53 is a global service, it often shows up in the console under the N. Virginia region or a "Global" label. This does not mean your DNS is only in Virginia; the data is replicated to hundreds of edge locations worldwide.
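The apex rule from the Alias Record definition-example pair and the Zone Apex Limitation point above, as an added example that is not part of the study guide: building the Route 53 change batch for an Alias A record at example.com versus a CNAME for www, with the apex check applied before anything is sent to the API. The ALB DNS name and the ALB hosted zone ID are constructed placeholders.

```python
"""Alias A record at the zone apex versus a CNAME, as a Route 53 ChangeBatch.
Added example, not from the study guide; placeholder values are constructed.
The dict shape is the one boto3's route53.change_resource_record_sets() accepts."""


def fqdn(name: str) -> str:
    """Route 53 stores record names fully qualified, with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_apex(zone_name: str, record_name: str) -> bool:
    """True when the record name is the zone itself (the 'naked' domain)."""
    return fqdn(record_name) == fqdn(zone_name)


def cname_record(zone_name: str, record_name: str, target: str, ttl: int = 300) -> dict:
    """Standard CNAME. RFC 1035 forbids a CNAME alongside the SOA/NS at the apex,
    so refuse it here rather than letting Route 53 reject the whole batch."""
    if is_apex(zone_name, record_name):
        raise ValueError("CNAME not permitted at the zone apex; use an Alias record")
    return {"Name": fqdn(record_name), "Type": "CNAME", "TTL": ttl,
            "ResourceRecords": [{"Value": fqdn(target)}]}


def alias_a_record(record_name: str, target_dns: str, target_zone_id: str,
                   evaluate_target_health: bool = True) -> dict:
    """Alias A record: allowed at the apex because Route 53 resolves the target
    itself and answers with the target's current IP addresses."""
    return {
        "Name": fqdn(record_name),
        "Type": "A",
        "AliasTarget": {
            # Hosted zone ID of the *target* (the ALB's regional zone ID that AWS
            # publishes), not the ID of the hosted zone you are writing into.
            "HostedZoneId": target_zone_id,
            "DNSName": fqdn(target_dns),
            "EvaluateTargetHealth": evaluate_target_health,  # honour ALB health
        },
    }


def upsert_batch(*record_sets: dict, comment: str = "") -> dict:
    """ChangeBatch payload: one UPSERT per record set."""
    return {"Comment": comment,
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rs} for rs in record_sets]}


# Constructed placeholders; replace with your own zone and load balancer details.
ZONE_NAME = "example.com"
ALB_DNS_PLACEHOLDER = "my-alb-123456789.us-east-1.elb.amazonaws.com"
ALB_ZONE_ID_PLACEHOLDER = "ZALBZONEIDPLACEHOLDER"
```

The batch is applied with boto3 as `client("route53").change_resource_record_sets(HostedZoneId=<your zone ID>, ChangeBatch=upsert_batch(...))`; the call is omitted above so the example runs offline.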

Comparison Tables

Public vs. Private Hosted Zones

Feature      | Public Hosted Zone            | Private Hosted Zone
Visibility   | Public Internet               | Specified VPCs only
Query Source | Any internet-connected client | Resources within associated VPCs
Use Case     | Public websites / APIs        | Internal microservices / DBs
IP Records   | Public IP addresses           | Private IP addresses (typically)
Association  | Domain name                   | VPC ID
