Comment
Author: Admin | 2025-04-28
Customers frequently use on-premises DNS infrastructure to resolve DNS queries for internal domains. In 2018, we announced Amazon Route 53 Resolver endpoints, which enable customers to integrate Route 53 with their on-premises DNS infrastructure for hybrid DNS resolution. In 2023, we improved this integration by providing customers the ability to encrypt DNS queries and responses using DNS over HTTPS (DoH). DoH can help enhance privacy by protecting DNS queries from eavesdropping and manipulation from unauthorized users. The DoH protocol (not to be confused with DNSSEC) encrypts the connection between a client and a DNS resolver or from one DNS resolver to another, which improves the confidentiality and integrity of DNS queries and responses. Customers can use this functionality to encrypt: DNS queries from your on-premises clients and resolvers to Amazon Route 53 Resolver inbound endpoints DNS queries to on-premises DNS resolvers from your clients within Amazon VPC using Amazon Route 53 Resolver outbound endpoints This capability provides customers with the ability to meet compliance requirements to encrypt DNS traffic, such as the requirement for US Federal Agencies to encrypt DNS traffic in Office of Management and Budget (OMB) Memorandum M-22-09 Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. In this post, we walk you through how to set up DoH using Route 53 Resolver endpoints and Resolver query logging to verify that DoH is being used for DNS resolution and configure EC2 instances running Ubuntu 22 and Microsoft Windows Server 2022 to demonstrate the feature. This post assumes the reader has pre-existing experience setting up and configuring VPCs and on-premises DNS resolvers. Setup walkthrough Route 53 Resolver supports DoH for both inbound and outbound endpoints. To start encrypting our DNS queries, we will: Create inbound and outbound endpoints that support DoH. Configure Amazon Elastic Compute Cloud (Amazon EC2) instances
Add Comment