AWS Previews Route 53 Global Resolver, Decoupling DNS from Regional Failures

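AWS has released a public preview of Amazon Route 53 Global Resolver, a new service designed to simplify global DNS resolution and make it more reliable. The service aims to eliminate the operational overhead of managing hybrid DNS, which has traditionally required manually synchronizing split-horizon infrastructure, complex forwarding rules, and redundant VPC Resolver endpoints. Route 53 Global Resolver consolidates DNS resolution behind anycast IP addresses that route queries to the nearest AWS Region, reducing latency and maintaining high availability even during regional outages. It supports multiple protocols, such as DNS over UDP (Do53), DNS over HTTPS (DoH), and DNS over TLS (DoT). This innovation is particularly beneficial for organizations with distributed client populations and multi-Region deployments, giving them a more resilient and efficient way to resolve public and private domains.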




AWS recently announced the public preview of Amazon Route 53 Global Resolver, a new service that provides secure, reliable DNS resolution globally. Organizations can use the service to resolve DNS queries to public domains on the internet and private domains associated with Route 53 private hosted zones.

Managing hybrid DNS has historically introduced significant operational overhead. In traditional regional setups, administrators must manually synchronize split-horizon infrastructures and manage complex forwarding rules. This often requires maintaining redundant VPC Resolver endpoints and duplicating security policies across multiple Regions to ensure failover.

Route 53 Global Resolver addresses these challenges by eliminating the need for separate split-DNS forwarding. As Esra Kayabali, senior solutions architect at AWS, explains:

It provides DNS resolution through multiple protocols, including DNS over UDP (Do53), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT). Each deployment provides a single set of common IPv4 and IPv6 anycast IP addresses that route queries to the nearest AWS Region, reducing latency for distributed client populations.


(Source: AWS News Blog Post)

The service integrates security features equivalent to the Route 53 Resolver DNS Firewall, enabling centralized policy enforcement. Key security capabilities include:

  • Managed Filtering: Administrators use AWS Managed Domain Lists to block threats such as malware and phishing, or to restrict specific web content.
  • Behavioral Protection: The resolver detects and blocks Domain Generation Algorithm (DGA) patterns and DNS tunneling attempts.
  • Encrypted Transport: Support for DoH and DoT protects queries from unauthorized access during transit.

To support Zero-Trust architectures, Global Resolver only accepts traffic from authenticated clients. Beyond standard IP/CIDR allowlists, the service introduces token-based authentication for DoH and DoT connections. This provides granular control, allowing administrators to assign and revoke tokens for specific client groups or individual remote devices.

Abhijeet Kulkarni notes in a LinkedIn post that while traditional DNS relies on region-bound resolvers, where failures can amplify outages, Global Resolver introduces a fundamentally different operating model.

By moving resolution to the edge via anycast, DNS becomes globally distributed by default. Kulkarni emphasizes that this provides "failure isolation at the resolution layer," ensuring that regional outages are absorbed at the DNS layer rather than cascading through the network. This effectively transforms DNS from a regional dependency into a resilient global system boundary.

The preview is currently available in several global Regions, including US East (N. Virginia, Ohio), US West (N. California, Oregon), Europe (Frankfurt, Ireland, London), and Asia Pacific (Mumbai, Singapore, Tokyo, Sydney). Pricing details are available on the official Route 53 pricing page.


