AWS re:Invent 2025 - Secure Global DNS resolution: Introducing Route 53 Global Resolver (NET217)

Key Challenges Addressed

  • Split DNS Management: Customers struggled to maintain forwarding rules and DNS resolution views across multiple locations, data centers, and client types.
  • DNS Exfiltration Prevention: Customers needed a way to filter out malicious domains and prevent data exfiltration over DNS.
  • Centralized Logging and Compliance: Customers required a single location to store and audit all DNS query logs for compliance purposes.
  • Failover and High Availability: Customers needed resilient, highly available DNS resolution for critical applications and clients.

Introduction to Route 53 Global Resolver

  • Global Resolver is a new anycast DNS resolver service from AWS that provides:
    • Unified DNS resolution for both private and public domains
    • Integrated DNS security and filtering capabilities
    • Centralized logging and observability
    • Optimized for low latency and high availability

Key Features and Benefits

Simplified Split DNS Management

  • Global Resolver allows you to manage split DNS resolution for private and public domains from a single service.
  • You can create logical "DNS Views" to apply different resolution and security policies to different client groups.
  • This eliminates the need to maintain forwarding rules and DNS configurations across multiple locations.

Secure DNS Access and Traffic Filtering

  • Global Resolver accepts queries only from authenticated clients, identified either by IP-based access sources or by access tokens.
  • An integrated DNS firewall provides pre-configured domain categories for blocking, alerting on, or allowing traffic based on threat intelligence.
  • Advanced protections detect and mitigate DNS tunneling and domain generation algorithm (DGA) attacks in real time.
  • Encrypted DNS protocols (DoH, DoT) protect DNS queries in transit.

Centralized Logging and Observability

  • All DNS queries are logged to a centralized S3 bucket of your choice, enabling easy auditing and compliance.
  • Logs can be used to investigate security incidents and optimize DNS policies over time.
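
The same kind of tunneling signal can be hunted for offline in the centralized query logs. The sketch below is an added example, not AWS code and not a description of how Global Resolver's own detection works; the JSON field names (`srcaddr`, `query_name`), the thresholds, and the sample records are assumptions constructed for illustration.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample records. Field names "srcaddr" and "query_name" are
# assumptions for this example, not the documented Global Resolver log schema.
SAMPLE_LOG = """\
{"srcaddr": "10.0.1.5", "query_name": "www.example.com."}
{"srcaddr": "10.0.1.5", "query_name": "static-assets-cdn-frontend.example.net."}
{"srcaddr": "10.0.1.5", "query_name": "d1a2b3c4e5f6g7h8i9j0kq.cdn-host.example."}
{"srcaddr": "10.0.1.9", "query_name": "mzxw6ytboi2gk3dpeb3w64tm.exfil.example."}
{"srcaddr": "10.0.1.9", "query_name": "nbswy3dpeb3w64tmmqqho2lu.exfil.example."}
{"srcaddr": "10.0.1.9", "query_name": "orugs4zanfzsayjaorsxg5ba.exfil.example."}
{"srcaddr": "10.0.1.9", "query_name": "k5uxi2dfon2ca43vnbuw4zdt.exfil.example."}
{"srcaddr": "10.0.1.9", "query_name": "mzxw6ytboi2gk3dpeb3w64tm.exfil.example."}
"""

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def split_name(query_name):
    """Return (parent domain, subdomain text). Naive two-label split;
    production code should use the Public Suffix List instead."""
    labels = query_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def find_tunnel_suspects(lines, min_len=20, min_entropy=3.5, min_unique=4):
    """Flag (client, parent domain) pairs that send many distinct long,
    high-entropy subdomains. Thresholds are illustrative starting points."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        domain, payload = split_name(record["query_name"])
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            seen[(record["srcaddr"], domain)].add(payload)
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= min_unique}

if __name__ == "__main__":
    for (client, domain), n in find_tunnel_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {domain}: {n} distinct encoded-looking names")
```

Requiring several distinct names per client and parent domain keeps a single hashed CDN hostname from raising an alert; repeated queries for the same name are counted once.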

Resilient, Low-Latency DNS Resolution

  • Global Resolver is an anycast service that automatically routes traffic to the closest available AWS Region.
  • Customers configure at least two regions for failover, ensuring high availability even in the event of a regional outage.
  • The service is optimized for low latency, providing fast DNS resolution for clients around the world.

Positioning and Use Cases

  • Global Resolver is recommended for:
    1. Consistent DNS resolution across multiple locations (data centers, branch offices, remote clients)
    2. Securing and controlling DNS access for disconnected sites
    3. Providing highly available DNS resolution for critical applications
  • Global Resolver complements the existing Route 53 Resolver (now renamed VPC Resolver) for internal VPC-based DNS resolution.

Just Walk Out Stores Case Study

  • Just Walk Out Stores, an Amazon technology for cashierless shopping, uses Global Resolver to:
    • Simplify network architecture and reduce operational overhead
    • Support dynamic IP addresses for new store deployments
    • Enhance security with encrypted DNS and integrated filtering
    • Achieve low-latency, highly available DNS resolution globally

Availability and Pricing

  • Global Resolver is available in preview in 11 regions across North America, Europe, Asia Pacific, and Australia.
  • Pricing is based on the number of regions used and the volume of DNS queries, with the first billion queries per month free during the preview period.
