DNS with Route 53 in AWS: Hosted Zones, Records & Routing
Route 53 is AWS’s DNS service. It translates domain names into the IP addresses that browsers need to reach your servers. Beyond basic DNS, Route 53 integrates natively with AWS resources, supports health-check-aware routing that removes unhealthy endpoints automatically, and provides routing policies for latency-based, geographic, and failover traffic control. This page explains how Route 53 works end to end: hosted zones, record types, Alias vs CNAME, routing policies, TTL, and the setup step beginners most often skip.
Simple explanation
Think of DNS like a phone book. When your browser navigates to app.example.com, it needs to find out which IP address to call. It asks a DNS resolver (usually your ISP’s or a public one like 8.8.8.8), which looks up the answer from the authoritative DNS server for your domain. If you have configured Route 53 for your domain, Route 53 is that authoritative source.
Route 53 is not hosting your application. It answers the question “what IP address does this domain name point to?” and then exits. Your servers, load balancers, and CDN endpoints sit separately. Route 53 tells clients where to go; it does not carry the traffic itself.
You interact with Route 53 through two main things: hosted zones (containers that hold all DNS records for a domain) and records (the actual mappings: A, CNAME, Alias, MX, and so on). When you change a record, the change propagates to resolvers worldwide within the TTL window, after which clients start reaching the new destination.
What Route 53 actually does
Route 53 handles three practical jobs:
- Authoritative DNS for your domain. When a resolver asks “what is the IP for app.example.com?”, Route 53 is the source of truth. It returns whatever records you have configured in the hosted zone.
- Health-check-aware routing. Route 53 can continuously monitor your endpoints and only return records for endpoints that are currently healthy. If your primary endpoint fails a health check, Route 53 stops returning its IP automatically.
- Traffic distribution at the DNS level. Routing policies (weighted, latency-based, geolocation, failover) let you distribute traffic across multiple endpoints or regions before a single HTTP request has been made.
Route 53 answers the DNS query and exits. After that, all HTTP traffic travels directly between the client and your ALB or CloudFront distribution. Route 53 does not proxy, inspect, or slow down your application traffic in any way.
Route 53 is not a load balancer. A load balancer operates at the HTTP or TCP layer and routes individual requests between backend servers. Route 53 only answers the DNS query and then exits. The actual HTTP request travels from the client directly to the IP Route 53 returned. For HTTP request routing, use an Application Load Balancer.
How Route 53 works end to end
Here is a complete walkthrough from owning a domain to a user reaching your application:
- You own or register a domain. The domain can be registered through Route 53 or through any other registrar (GoDaddy, Namecheap, Cloudflare, etc.).
- You create a hosted zone in Route 53. A hosted zone is the container for all DNS records associated with your domain. Creating the hosted zone does not automatically link it to your domain — that requires updating your registrar.
- Route 53 assigns four NS records. When Route 53 creates a hosted zone, it generates four name server records. These are the addresses the wider internet uses to find your DNS records.
- You update nameservers at your registrar. Go to your domain registrar and replace its default nameservers with Route 53’s four NS records. This is what makes Route 53 authoritative for your domain.
Updating nameservers at the registrar is the step beginners most often forget. If your domain is not resolving after setup, this is almost always the reason. Check that the NS records at your registrar match the four NS records inside your Route 53 hosted zone exactly.
- You add DNS records to the hosted zone. Create A, Alias, CNAME, TXT, or other records, each mapping a domain name to a target (IP address, ALB DNS name, CloudFront distribution, etc.).
- Recursive resolvers query Route 53. When a user navigates to your domain, their resolver follows the DNS delegation chain (root, TLD, your nameservers) and arrives at Route 53 for the answer.
- Route 53 returns the record. It returns the IP or alias target along with the TTL value.
- The client connects to the target. The browser opens an HTTP/HTTPS connection to the returned IP: an ALB, a CloudFront edge location, an S3 website endpoint, or any other configured target.
- TTL controls how long the answer is cached. Resolvers hold the cached answer for TTL seconds before re-querying. Until the TTL expires, users see the same answer even if you update the record in Route 53.
Creating a hosted zone and registering a domain are separate steps. Many beginners create a hosted zone, add records, and wonder why DNS is not resolving. They never updated the nameservers at their registrar. The Route 53 setup guide walks through this end to end.
When to use Route 53
- Pointing a custom domain at an ALB or CloudFront. The most common use case. Create an Alias A record for your domain pointing to the ALB’s DNS name.
- Using a root domain with an AWS service. You cannot use a CNAME at the zone apex (example.com). Route 53’s Alias record solves this: it works at the apex and supports ALB, CloudFront, S3 static website endpoints, and more.
- Internal DNS for services inside a VPC. A private hosted zone lets you assign human-readable names like db.internal.example.com to private IPs, visible only within specified VPCs.
- Multi-region failover. Failover routing automatically redirects traffic to a backup region when your primary endpoint fails health checks.
- Canary deployments and traffic shifting. Weighted routing lets you gradually move a percentage of traffic to a new version without changing infrastructure.
- Data residency requirements. Geolocation routing keeps EU users on EU endpoints regardless of latency, which satisfies data sovereignty rules.
Public vs private hosted zones
Route 53 has two types of hosted zones. The choice depends on who needs to resolve your records.
| Public hosted zone | Private hosted zone | |
|---|---|---|
| Accessible from | Anywhere on the internet | Only within associated VPCs |
| Who queries it | Any browser or resolver worldwide | Resources inside specified VPCs only |
| Common use case | Public websites, APIs, SaaS products | Internal service discovery, database endpoints, microservice-to-microservice DNS |
| Cost | $0.50/month per hosted zone | $0.50/month per hosted zone per VPC association |
Public hosted zone example: You own example.com. You create a public hosted zone and add an Alias A record pointing example.com to a CloudFront distribution. Anyone on the internet can resolve this record and reach your site.
Private hosted zone example: You have an RDS instance with a private IP. You create a private hosted zone for internal.example.com, associate it with your VPC, and add an A record mapping db.internal.example.com to the RDS private IP. EC2 instances inside the VPC can resolve this name; nothing outside can. See Private Hosted Zones in Route 53 for configuration details.
A private hosted zone only resolves within VPCs you explicitly associate with it. If you later add a second VPC and forget to associate it, DNS resolution fails for resources in that VPC. Association is a manual step even when both VPCs are in the same account.
Common DNS record types in Route 53
| Record type | Purpose | Example |
|---|---|---|
| A | Maps a domain name to an IPv4 address | app.example.com → 54.0.0.1 |
| AAAA | Maps a domain name to an IPv6 address | app.example.com → 2600:1f18::1 |
| CNAME | Maps a domain name to another domain name. Subdomains only, not the apex | www.example.com → example.com |
| Alias | AWS-specific: maps to an AWS resource endpoint; works at the apex; free to query | example.com → my-alb.us-east-1.elb.amazonaws.com |
| MX | Mail server routing; specifies which servers accept email for the domain | example.com MX → mail.example.com (priority 10) |
| TXT | Freeform text; used for domain verification, SPF, DKIM, and DMARC | ”v=spf1 include:amazonses.com ~all” |
| NS | Specifies authoritative name servers; auto-created by Route 53 for each hosted zone | ns-1234.awsdns-12.com |
| SOA | Start of Authority; zone metadata managed automatically by Route 53 | Managed automatically |
Alias vs CNAME
Both Alias and CNAME records point a domain name at something other than a raw IP address, but they are not interchangeable. This distinction trips up most beginners.
A useful way to think about it: a CNAME is like a “forwarding note” that says “go ask that other name instead.” The DNS specification bans forwarding notes on the main door (the zone apex), because the main door has to hold the building’s official records (NS and SOA). An Alias record is different: Route 53 looks up the answer itself and hands the IP directly to the client. No forwarding, no restriction at the apex.
| Alias | CNAME | |
|---|---|---|
| Works at the zone apex? | Yes (example.com) | No. Subdomains only (www.example.com) |
| Target type | AWS resources only (ALB, CloudFront, S3 website, Global Accelerator, etc.) | Any domain name |
| DNS query charges | Free | Charged per query |
| Tracks IP changes? | Yes. Route 53 resolves the target and returns current IPs automatically | No. You manage the target domain name yourself |
| TTL control | Determined by Route 53 based on the target resource | You set it |
When in doubt, use Alias. It is free, works at the root domain, and automatically follows ALB IP changes as the load balancer scales. The only reason to use CNAME is when the target is not an AWS resource (e.g. a third-party SaaS domain).
ALBs are DNS-based and their underlying IPs change as they scale. An Alias record always returns the current IPs without any manual updates. A CNAME pointing to the ALB domain name would still work, but it costs more per query and cannot be placed at the root domain.
Routing policies in Route 53
Routing policies control which record or records Route 53 returns for a given DNS query. The default is simple routing. The more advanced policies give you traffic control at the DNS layer without touching your infrastructure.
Simple routing returns a single record. If you add multiple values, Route 53 returns them all in random order and the client picks one. No health checks, no conditional logic. Use this for straightforward single-endpoint setups.
Weighted routing distributes traffic between multiple records in proportions you define. Set weight 90 on the stable endpoint and weight 10 on the new version. That means 10% of DNS queries resolve to the new version. Shift the weight gradually as confidence grows. This is how you run a canary deployment at the DNS layer. For multi-region patterns using weighted routing, see Global Load Balancing with Route 53.
Latency-based routing routes each user to the AWS region that provides the lowest latency for their location. Route 53 maintains latency data between AWS regions and makes the decision automatically. A user in Tokyo is sent to ap-northeast-1; a user in London goes to eu-west-1. Best for global applications where response time matters most.
Geolocation routing routes traffic based on the geographic location of the user’s resolver, regardless of latency. You can send users from Germany to a EU endpoint to satisfy data residency requirements, even if a US endpoint would respond faster. A default record is required for users whose location cannot be determined.
Failover routing designates one endpoint as primary and one as secondary. Route 53 continuously health-checks the primary. If checks fail, it automatically returns the secondary record. When the primary recovers and passes health checks again, Route 53 fails back automatically. This is active/passive disaster recovery at the DNS level with no manual intervention.
Multivalue answer routing returns up to eight records for a single query, each with its own health check. Route 53 only returns records for healthy endpoints. This is not a substitute for a load balancer (Route 53 exits after the DNS response), but it gives clients multiple addresses to try and improves availability by excluding unhealthy targets.
Less commonly needed policies: Geoproximity routing (available through Route 53 Traffic Flow) routes based on geographic distance and lets you bias routing toward or away from specific regions. IP-based routing routes based on the client’s IP CIDR range. Both are useful in specific enterprise scenarios but are not where most beginners should start.
Health checks
Route 53 health checks monitor endpoint availability by sending periodic requests from multiple global locations. You configure a target (IP address or domain name), a protocol (HTTP, HTTPS, or TCP), a path to check, and failure thresholds. Route 53 marks an endpoint unhealthy when a configured number of checks fail across those locations.
Health checks integrate directly with routing policies:
- Failover routing uses a health check to decide when to cut over from primary to secondary. Route 53 makes the switch automatically when the primary fails and reverts when it recovers.
- Weighted routing can exclude unhealthy endpoints from rotation. Records whose health checks are failing receive zero traffic until they recover.
- Multivalue answer routing only returns records that pass their associated health check in each response.
Health checks can also monitor CloudWatch alarms rather than raw endpoints. This lets you trigger DNS failover based on application-level metrics (error rates, CPU, latency thresholds) rather than just TCP connectivity.
Cost note: Each Route 53 health check is billed per check per month (roughly $0.50/month for basic endpoint checks, more for HTTPS or string-matching checks). For large deployments, audit health checks periodically and remove ones no longer attached to active routing policies.
TTL and DNS propagation
Every DNS record has a TTL (Time To Live) value in seconds. Think of TTL like a sticky note with an expiry date. Route 53 writes the answer on the note and marks it “valid for 300 seconds.” Every resolver that receives the note uses the cached answer until the label expires. When it expires, they ask Route 53 for a fresh one.
A TTL of 86400 means up to 24 hours of delay before a change reaches all resolvers. A TTL of 300 means 5 minutes. Lower TTLs produce fresher data but generate slightly more query load.
If your current TTL is 86400 (the default for many records) and you need to migrate a domain, start the TTL reduction at least 24 hours before the planned change. Wait for the old TTL to expire before making the record change, then raise TTL back up afterward. Skipping this step is the most common cause of prolonged propagation delays during migrations.
The standard cutover workflow:
- Lower the record’s TTL to 60 seconds well before the planned change. Start at least as many hours early as the current TTL value (e.g. if TTL is 24 hours, begin 24+ hours ahead).
- Wait for the current TTL to expire. This ensures all resolvers have re-queried and are caching the new short TTL rather than the old long one.
- Make the DNS change (update the record to the new IP or target).
- Verify the change has propagated using
digornslookup. - Raise the TTL back to a normal value (300 to 3600 for most records).
Alias records behave differently. Their TTL is determined by Route 53 based on the target resource and is not configurable. This is generally fine since Alias targets are managed AWS services.
Route 53 applies changes globally within seconds on its own side. What takes time is resolver caches expiring worldwide. Those caches respect the TTL you set, which is why the TTL value you chose last week matters a lot when you need to make a change today.
Common beginner mistakes
- Using CNAME at the zone apex. You cannot create a CNAME record for the root domain (example.com). The DNS specification prohibits it because the apex must contain NS and SOA records, which are incompatible with CNAMEs. Use an Alias record instead when pointing your root domain to an AWS resource.
- Forgetting to update nameservers at the registrar. Creating a hosted zone in Route 53 does nothing until you update the NS records at your domain registrar to match the four NS records Route 53 assigned. This is the single most common reason Route 53 appears broken after initial setup.
- Confusing hosted zone creation with domain registration. A hosted zone is a DNS container, not proof of domain ownership. You can create a hosted zone without owning the domain. Delegating DNS to Route 53 and registering a domain are separate actions.
- Not lowering TTL before a planned DNS change. Making a change with a TTL of 86400 active means some users see the old record for up to 24 hours. Lower TTL in advance, wait for it to propagate, make the change, then restore the TTL.
- Pointing directly to an EC2 public IP. EC2 public IPs are ephemeral. They change when the instance stops and starts. If your domain points to a raw EC2 IP and the instance restarts, the domain breaks until you manually update the record. Use an Application Load Balancer with an Alias record, or assign an Elastic IP first.
- Misunderstanding private hosted zones. A private hosted zone only resolves within the VPCs you explicitly associate with it. If you add a second VPC later without associating it, DNS resolution fails inside that VPC, even within the same AWS account. See the private hosted zones guide for the association steps.
- Forgetting health-check costs. Health checks are billed per check per month. Large deployments can accumulate meaningful charges. Audit regularly and remove health checks that are no longer attached to active routing policies.
Route 53 vs your domain registrar
These two services handle different responsibilities and are easy to conflate.
A useful analogy: the registrar is like a hotel concierge who knows which room number to send guests to. Route 53 is the person actually in that room who answers questions. The concierge does not know your DNS records. Route 53 does not know who legally owns your domain. They each do their part.
A domain registrar is where you buy and manage ownership of a domain name. The registrar stores your contact information, controls domain expiration, and critically stores which nameservers are authoritative for DNS. Common registrars include GoDaddy, Namecheap, Cloudflare, and Google Domains. Route 53 can also act as a registrar.
A DNS provider (like Route 53) stores the actual DNS records and answers queries. It is authoritative because the registrar has been told to delegate authority to it via NS records.
The delegation chain: the registrar stores NS records pointing to Route 53’s name servers. When the internet looks up your domain, it follows that NS delegation to Route 53. Route 53 returns the A, CNAME, Alias, or other records you configured.
You can register a domain anywhere and use Route 53 for DNS. You can also register through Route 53 and use a different DNS provider. The only requirement is that the nameservers stored at the registrar match the NS records of your Route 53 hosted zone.
Route 53 vs ALB vs CloudFront
These three services each handle a different layer. Beginners often confuse them because all three sit “in front of” the application.
- Route 53 handles DNS. It tells clients which IP or endpoint to connect to. After the DNS response is returned, Route 53 is done. It is not in the HTTP request path.
- Application Load Balancer handles HTTP/HTTPS request routing. It receives actual HTTP requests, applies content-based routing rules (path, host header, query string), and forwards requests to backend target groups. See the Application Load Balancer guide for how this layer works.
- CloudFront is a CDN. It caches content at edge locations globally, terminates TLS at the edge, and reduces load on your origin. It handles delivery, not DNS resolution.
A typical production setup uses all three: Route 53 resolves the domain name, the response points to a CloudFront distribution or ALB, CloudFront caches static content and passes dynamic requests to the ALB, and the ALB routes requests to EC2, ECS, or Lambda targets.
Worked example: custom domain to an AWS application
Here is a compact walkthrough for pointing a custom domain at an ALB with HTTPS.
- Domain registered at any registrar (or directly through Route 53).
- Create a hosted zone in Route 53 for your domain (e.g. example.com). Note the four NS records Route 53 assigns.
- Update nameservers at your registrar to match those four NS records. Allow up to 48 hours for the change to propagate, though in practice it is usually much faster.
- Request a certificate in ACM for your domain (e.g. *.example.com). Use DNS validation: ACM gives you a CNAME record to add to your hosted zone, then validates automatically. See SSL Certificates with ACM for the full process.
- Attach the ACM certificate to your ALB’s HTTPS listener.
- Create an Alias A record in Route 53 pointing app.example.com to the ALB’s DNS name. In the console, select the ALB from the alias target dropdown and Route 53 fills in the ALB’s hosted zone ID automatically.
- Verify propagation using dig or nslookup.
# Check what Route 53 is returning for your domain
dig app.example.com
# Query a specific resolver to check propagation
dig @8.8.8.8 app.example.com
# Confirm nameserver delegation is pointing to Route 53
dig NS example.com
# Quick check: just return the resolved IPs
dig app.example.com +short
# Windows users
nslookup app.example.com 8.8.8.8If dig NS example.com does not return Route 53’s nameservers, the registrar NS update has not propagated yet or the values were entered incorrectly. If Route 53’s NS records show up but your record is still returning the old IP, the TTL on the old record has not expired yet. Wait it out. The Route 53 setup guide has a full step-by-step walkthrough, and the AWS VPC troubleshooting guide covers DNS resolution failures inside VPCs.
Summary
- Route 53 is AWS’s authoritative DNS service. It answers DNS queries and is not in the HTTP request path after responding.
- A hosted zone holds all DNS records for your domain. Creating one in Route 53 is separate from domain registration. You must update NS records at your registrar to make Route 53 authoritative.
- Public hosted zones are accessible from anywhere. Private hosted zones resolve only within associated VPCs and require explicit VPC association.
- Alias records are AWS-specific: they work at the zone apex, point to AWS resource endpoints, are free to query, and track target IP changes automatically. Use them instead of CNAMEs whenever the target is an AWS service.
- Routing policies (weighted, latency-based, geolocation, failover, multivalue) give you traffic control at the DNS level, including canary deployments, multi-region routing, and automatic disaster recovery.
- TTL controls how long resolvers cache your records. Lower TTL well before any planned DNS change to minimize the propagation window.
- Health checks let Route 53 automatically exclude unhealthy endpoints. Each check has a per-month cost that should be audited on large deployments.
Frequently asked questions
Do I need to register my domain with Route 53 to use Route 53 for DNS?
No. Route 53 DNS is independent of domain registration. You can register a domain anywhere (GoDaddy, Namecheap, Cloudflare) and still use Route 53 as the authoritative DNS provider. You just need to update the nameservers at your registrar to point to the four NS records Route 53 assigned to your hosted zone.
What is the difference between an Alias record and a CNAME record in Route 53?
A CNAME maps one domain name to another, but it can only be used on subdomains, not the root domain (e.g. example.com). An Alias record is AWS-specific: it maps a domain to an AWS resource like an ALB, CloudFront, or S3 endpoint, works at the root domain, is free to query, and automatically tracks the target IP changes. Use Alias whenever you are pointing to an AWS service endpoint.
Why are my DNS changes not visible immediately?
DNS resolvers cache records for the TTL (Time To Live) value set on the record. If the TTL was 86400 (24 hours) when you made the change, resolvers that already cached the old record will not re-query for up to 24 hours. The fix is to lower TTL to 60 seconds well before a planned change, wait for the current TTL to expire so all resolvers refresh to the new short TTL, make the change, then raise the TTL back up.
Can I use Route 53 for internal-only DNS inside a VPC?
Yes. Route 53 private hosted zones let you define custom DNS names that resolve only within specified VPCs. For example, db.internal.example.com can resolve to an RDS private IP inside your VPC but be completely invisible on the public internet. This is the standard approach for internal service discovery in AWS.
Should I point my domain directly to an EC2 instance IP address?
No. EC2 public IP addresses change every time an instance stops and starts. If you point your domain to a raw EC2 IP and the instance restarts, your domain stops resolving until you manually update the record. Instead, put an Application Load Balancer in front of the instance and create an Alias A record pointing to the ALB DNS name, or attach an Elastic IP to the instance first.