https://aws.amazon.com/blogs/aws/dns-over-https-is-now-available-in-amazon-route-53-resolver/
AWS News Blog

DNS over HTTPS is now available in Amazon Route 53 Resolver

by Danilo Poccia | on 20 DEC 2023 | in Amazon Route 53, Announcements, Hybrid Cloud Management, Launch, Networking & Content Delivery, News, Security, Security, Identity, & Compliance

Starting today, Amazon Route 53 Resolver supports using the DNS over HTTPS (DoH) protocol for both inbound and outbound Resolver endpoints. As the name suggests, DoH carries DNS over HTTP or HTTP/2 inside a TLS session, so the data exchanged for Domain Name System (DNS) resolutions is encrypted. Using TLS encryption, DoH increases privacy and security by preventing eavesdropping on and manipulation of DNS data as it is exchanged between a DoH client and the DoH-based DNS resolver. This helps you implement a zero-trust architecture, where no actor, system, network, or service operating outside or within your security perimeter is trusted and all network traffic is encrypted. Using DoH also helps you follow recommendations such as those described in this memorandum of the US Office of Management and Budget (OMB).

DNS over HTTPS support in Amazon Route 53 Resolver

You can use Amazon Route 53 Resolver to resolve DNS queries in hybrid cloud environments. For example, it lets DNS requests from anywhere within your hybrid network reach AWS services. To do so, you set up inbound and outbound Resolver endpoints:

* Inbound Resolver endpoints allow DNS queries to your VPC from your on-premises network or another VPC. [Figure: Amazon Route 53 Resolver inbound endpoint architecture]
* Outbound Resolver endpoints allow DNS queries from your VPC to your on-premises network or another VPC. [Figure: Amazon Route 53 Resolver outbound endpoint architecture]
After you configure the Resolver endpoints, you can set up rules that specify the domain names for which you want to forward DNS queries from your VPC to an on-premises DNS resolver (outbound) and from on-premises to your VPC (inbound).

Now, when you create or update an inbound or outbound Resolver endpoint, you can specify which protocols to use:

* DNS over port 53 (Do53), which uses either UDP or TCP to send the packets.
* DNS over HTTPS (DoH), which uses TLS to encrypt the data.
* Both, depending on which one is used by the DNS client.
* For FIPS compliance, there is a specific implementation (DoH-FIPS) for inbound endpoints.

Let's see how this works in practice.

Using DNS over HTTPS with Amazon Route 53 Resolver

In the Route 53 console, I choose Inbound endpoints from the Resolver section of the navigation pane. There, I choose Create inbound endpoint. I enter a name for the endpoint, select the VPC, the security group, and the endpoint type (IPv4, IPv6, or dual-stack). To allow both encrypted and unencrypted DNS resolutions, I select Do53, DoH, and DoH-FIPS in the Protocols for this endpoint option.

[Console screenshot]

After that, I configure the IP addresses for DNS queries. I select two Availability Zones and, for each, a subnet. For this setup, I use the option to have the IP addresses automatically selected from those available in the subnet.

After I complete the creation of the inbound endpoint, I configure the DNS server in my network to forward requests for the amazonaws.com domain (used by AWS service endpoints) to the inbound endpoint IP addresses.

Similarly, I create an outbound Resolver endpoint and select both Do53 and DoH as protocols. Then, I create forwarding rules that specify for which domains the outbound Resolver endpoint should forward requests to the DNS servers in my network.

Now, when the DNS clients in my hybrid environment use DNS over HTTPS in their requests, DNS resolutions are encrypted.
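The same inbound and outbound setup as a script, added here as an example; it is not code from the post or from AWS. It uses the AWS CLI (`aws route53resolver create-resolver-endpoint` with `--protocols`, `create-resolver-rule` with a per-target `Protocol`, `associate-resolver-rule`, and `get-resolver-endpoint` to read back what was stored). The security group, subnet and VPC ids, the corp.example domain, the on-premises resolver addresses and the assumption that they serve DoH on port 443 are all constructed placeholders. The `validate_protocols` function is a local pre-flight check that mirrors the post's statement that DoH-FIPS exists only for inbound endpoints; it is not a documented API constraint. Passing only `DoH` to `create_endpoint` is the CLI form of enforcing encryption on an endpoint.

```shell
#!/bin/sh
# Added example (not from the AWS blog post): AWS CLI equivalent of the console
# walkthrough. All resource ids and addresses below are constructed placeholders.
set -eu

# Local pre-flight check on the protocol list. Accepts the three names the post
# lists (Do53, DoH, DoH-FIPS) and, because the post describes DoH-FIPS as an
# inbound-only implementation, rejects it for OUTBOUND before any API call.
validate_protocols() {
  direction="$1"; shift
  [ "$#" -gt 0 ] || { echo "at least one protocol is required" >&2; return 1; }
  for p in "$@"; do
    case "$p" in
      Do53|DoH) ;;
      DoH-FIPS)
        [ "$direction" = "INBOUND" ] || {
          echo "DoH-FIPS is only offered for inbound endpoints" >&2; return 1; }
        ;;
      *) echo "unknown protocol: $p" >&2; return 1 ;;
    esac
  done
  return 0
}

# Creates a Resolver endpoint and prints its id. Assumes AWS credentials and a
# region are configured. Args: name direction sg-id subnet-a subnet-b protocols...
create_endpoint() {
  name="$1"; direction="$2"; sg="$3"; sub_a="$4"; sub_b="$5"; shift 5
  validate_protocols "$direction" "$@"
  aws route53resolver create-resolver-endpoint \
    --creator-request-id "$name-$(date +%s)" \
    --name "$name" \
    --direction "$direction" \
    --security-group-ids "$sg" \
    --ip-addresses "SubnetId=$sub_a" "SubnetId=$sub_b" \
    --resolver-endpoint-type IPV4 \
    --protocols "$@" \
    --query 'ResolverEndpoint.Id' --output text
}

main() {
  SG="sg-0123456789abcdef0"            # placeholder security group
  SUBNET_A="subnet-0aaaaaaaaaaaaaaaa"   # placeholder subnet, first AZ
  SUBNET_B="subnet-0bbbbbbbbbbbbbbbb"   # placeholder subnet, second AZ
  VPC="vpc-0123456789abcdef0"          # placeholder VPC

  # Inbound: accept Do53 as well as DoH and DoH-FIPS from on-premises clients.
  # To enforce encryption instead, pass only DoH.
  IN_ID=$(create_endpoint inbound-doh INBOUND "$SG" "$SUBNET_A" "$SUBNET_B" Do53 DoH DoH-FIPS)
  # Outbound: forward to on-premises resolvers over Do53 or DoH.
  OUT_ID=$(create_endpoint outbound-doh OUTBOUND "$SG" "$SUBNET_A" "$SUBNET_B" Do53 DoH)

  # Forwarding rule: VPC queries for corp.example go to two on-premises resolvers
  # over DoH (constructed addresses; port 443 assumed for their DoH listener).
  RULE_ID=$(aws route53resolver create-resolver-rule \
    --creator-request-id "fwd-corp-$(date +%s)" \
    --name fwd-corp-example \
    --rule-type FORWARD \
    --domain-name corp.example \
    --resolver-endpoint-id "$OUT_ID" \
    --target-ips "Ip=10.10.0.53,Port=443,Protocol=DoH" "Ip=10.10.1.53,Port=443,Protocol=DoH" \
    --query 'ResolverRule.Id' --output text)
  aws route53resolver associate-resolver-rule \
    --resolver-rule-id "$RULE_ID" --vpc-id "$VPC" >/dev/null

  # Read back the protocol set actually stored on each endpoint.
  for id in "$IN_ID" "$OUT_ID"; do
    printf '%s: ' "$id"
    aws route53resolver get-resolver-endpoint --resolver-endpoint-id "$id" \
      --query 'ResolverEndpoint.Protocols' --output text
  done
}

# Only talk to AWS when explicitly asked; otherwise the file just defines the
# functions so the pre-flight check can be exercised offline.
if [ "${RUN_AWS:-0}" = "1" ]; then main; fi
```

After replacing the placeholders, run it with RUN_AWS=1. The Do53 default means existing automation keeps working unchanged; the protocol list is only an additional argument on the create and update calls.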
Optionally, I can enforce encryption by selecting only DoH in the configuration of inbound and outbound endpoints.

Things to know

DNS over HTTPS support for Amazon Route 53 Resolver is available today in all AWS Regions where Route 53 Resolver is offered, including GovCloud Regions and Regions based in China.

DNS over port 53 continues to be the default for inbound and outbound Resolver endpoints, so you don't need to update your existing automation tooling unless you want to adopt DNS over HTTPS.

There is no additional cost for using DNS over HTTPS with Resolver endpoints. For more information, see Route 53 pricing.

Start using DNS over HTTPS with Amazon Route 53 Resolver to increase privacy and security for your hybrid cloud environments.

-- Danilo

Danilo Poccia

Danilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of AWS Lambda in Action from Manning.