A Route 53 Private Hosted Zone isn’t just a DNS zone for your VPC; it’s a fundamentally different kind of DNS resolution that bypasses public internet lookups entirely for your internal resources.

Let’s see it in action. Imagine you have a VPC named my-vpc and you want to resolve an internal EC2 instance named app-server within a private hosted zone called internal.example.com.

Here’s a typical setup:

VPC:

  • vpc-0123456789abcdef0
  • CIDR: 10.0.0.0/16

Route 53 Private Hosted Zone:

  • Domain Name: internal.example.com
  • Associated VPCs: vpc-0123456789abcdef0

EC2 Instance:

  • Private IP: 10.0.1.100
  • DNS Name (from EC2): ip-10-0-1-100.ec2.internal

Route 53 Record Set:

  • Name: app-server.internal.example.com
  • Type: A
  • Value: 10.0.1.100

Now, from an EC2 instance within vpc-0123456789abcdef0, if you run dig app-server.internal.example.com, you’ll get a response pointing to 10.0.1.100. The magic here is that this dig command never hits the public internet. The VPC’s DNS resolver (which is, by default, a managed DNS server at the .2 address of your VPC’s CIDR, e.g., 10.0.0.2) is configured to query Route 53 for zones associated with that VPC.
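The same setup, scripted with boto3, as an added example that is not part of the original page and not an AWS-provided script. It assumes boto3 is installed with credentials configured and that the VPC lives in us-east-1 (the page names no region); the VPC ID, zone name and address are the page's sample values. The two helper functions only build the request bodies, so they can be inspected or unit-tested before anything is created; `provision()` is the part that actually calls AWS.

```python
"""Provision the private hosted zone and A record described above with boto3.

Added example. Assumptions not stated on the page: boto3 is installed with
working credentials, and the VPC is in us-east-1.
"""
import uuid

VPC_ID = "vpc-0123456789abcdef0"
VPC_REGION = "us-east-1"            # assumed; the page does not state a region
ZONE_NAME = "internal.example.com"
RECORD_NAME = "app-server.internal.example.com"
RECORD_IP = "10.0.1.100"


def private_zone_request(zone_name, vpc_id, vpc_region, caller_reference):
    """Build the create_hosted_zone request for a zone that is private from
    the moment it exists: PrivateZone=True plus the VPC block creates the zone
    already associated with that VPC, so no name is ever published publicly."""
    return {
        "Name": zone_name,
        "CallerReference": caller_reference,      # idempotency token
        "HostedZoneConfig": {"PrivateZone": True,
                             "Comment": "internal-only names"},
        "VPC": {"VPCRegion": vpc_region, "VPCId": vpc_id},
    }


def a_record_change_batch(record_name, ip, ttl=60):
    """Build the UPSERT change batch for the app-server A record.
    Route 53 stores names fully qualified, hence the trailing dot."""
    return {
        "Comment": "app-server private A record",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name.rstrip(".") + ".",
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }


def provision(vpc_id=VPC_ID, vpc_region=VPC_REGION, zone_name=ZONE_NAME,
              record_name=RECORD_NAME, ip=RECORD_IP):
    """Run the real API calls. boto3 is imported here so that the request
    builders above can be exercised without AWS access."""
    import boto3
    ec2 = boto3.client("ec2", region_name=vpc_region)
    r53 = boto3.client("route53")

    # Both VPC DNS attributes must be enabled, otherwise the .2 resolver
    # will not consult private hosted zones for this VPC at all.
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsSupport={"Value": True})
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})

    zone = r53.create_hosted_zone(
        **private_zone_request(zone_name, vpc_id, vpc_region, str(uuid.uuid4())))
    zone_id = zone["HostedZone"]["Id"]            # e.g. "/hostedzone/Z..."

    r53.change_resource_record_sets(
        HostedZoneId=zone_id,
        ChangeBatch=a_record_change_batch(record_name, ip))
    return zone_id


if __name__ == "__main__":
    print("created private hosted zone", provision())
```

The two `modify_vpc_attribute` calls are the step most often forgotten: a private hosted zone is silently ignored by the VPC resolver unless both `enableDnsSupport` and `enableDnsHostnames` are true on the VPC, and `dig` from inside the VPC then falls through to public resolution for the name.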

This system solves the problem of needing reliable, internal-only DNS resolution for services that shouldn’t be exposed to the public internet. Without it, you’d be managing hosts files across instances or relying on less scalable, more complex DNS solutions. Internally, Route 53 private hosted zones provide A, AAAA, CNAME, MX, SRV, and TXT records, just like public zones, but their resolution is scoped to the VPCs they’re associated with.

The internal DNS resolver in your VPC, which is essentially a managed DNS server provided by AWS, is what makes this work. When a client in the VPC initiates a DNS query, it’s sent to this resolver. If the query is for a domain that matches a private hosted zone associated with that VPC, the resolver forwards the request to Route 53. Route 53 then returns the answer directly to the resolver, which passes it back to the client. If the domain doesn’t match a private hosted zone, the resolver forwards the query to the public DNS servers (like 8.8.8.8 or 1.1.1.1) unless you’ve configured custom DNS settings or a VPC endpoint for Route 53.

The key levers you control are:

  1. Hosted Zone Creation: Defining the domain name (e.g., internal.example.com).
  2. VPC Association: Linking the hosted zone to specific VPCs. This is the critical step that restricts resolution to within those VPCs.
  3. Record Set Management: Creating and updating DNS records (like A records for IP addresses, CNAME records for aliases) within the hosted zone.

Crucially, you can associate a single private hosted zone with multiple VPCs. This allows you to have a unified internal DNS namespace across different VPCs, which is incredibly useful for multi-VPC architectures or for connecting services between peered VPCs. The resolution works because the DNS resolver in each associated VPC knows about the private hosted zone.

A common point of confusion is that even though you associate a private hosted zone with a VPC, the DNS resolver for that VPC is still technically located at the .2 IP address of the VPC’s CIDR block (e.g., 10.0.0.2 for a 10.0.0.0/16 VPC). This resolver acts as the gateway, intercepting queries for your private zones and routing them appropriately.
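To make the resolver's routing rule concrete, here is an added model (not AWS code, and a simplification of the real service) of how the .2 resolver decides whether a query is answered from a private hosted zone or sent out for public resolution, covering the zone matching described above, the multi-VPC association, and the .2 address derivation. The zone data is built from the page's example; the second VPC ID is constructed. It also captures one behaviour worth knowing when designing internal namespaces: once a name falls inside an associated private zone, a missing record is answered as non-existent rather than falling through to public DNS.

```python
"""Model of the VPC resolver's decision: private hosted zone or public DNS.

Added example, not AWS code. Zones, VPC ids and records below are constructed
from the page's sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrivateHostedZone:
    name: str                                   # e.g. "internal.example.com"
    associated_vpcs: set                        # VPC ids the zone resolves in
    records: dict = field(default_factory=dict) # (fqdn, type) -> [values]


def resolver_address(vpc_cidr):
    """The Amazon-provided resolver listens at the VPC base address plus two."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


def _in_zone(qname, zone_name):
    q, z = qname.rstrip(".").lower(), zone_name.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def resolve(qname, qtype, vpc_id, zones):
    """Return ("private", values) when qname falls in a private zone that is
    associated with the querying VPC, otherwise ("public", None), meaning the
    resolver would recurse publicly. Among overlapping private zones the most
    specific (longest) name wins."""
    candidates = [z for z in zones
                  if vpc_id in z.associated_vpcs and _in_zone(qname, z.name)]
    if not candidates:
        return ("public", None)
    zone = max(candidates, key=lambda z: len(z.name.rstrip(".")))
    values = zone.records.get((qname.rstrip(".").lower(), qtype.upper()))
    # A matching private zone answers authoritatively: if the record is
    # missing the client gets NXDOMAIN, not a fallback to public DNS.
    return ("private", values or [])


# Constructed sample: the page's zone, associated with the page's VPC and a
# second, made-up VPC id to show a shared namespace across VPCs.
SAMPLE_ZONES = [
    PrivateHostedZone(
        name="internal.example.com",
        associated_vpcs={"vpc-0123456789abcdef0", "vpc-0fedcba9876543210"},
        records={("app-server.internal.example.com", "A"): ["10.0.1.100"]},
    ),
]


def demo():
    """Walk through the cases a practitioner usually has to reason about."""
    print("resolver for 10.0.0.0/16 is", resolver_address("10.0.0.0/16"))
    for vpc in ("vpc-0123456789abcdef0", "vpc-0fedcba9876543210", "vpc-unrelated"):
        print(vpc, resolve("app-server.internal.example.com", "A", vpc, SAMPLE_ZONES))
    print("missing name:", resolve("db.internal.example.com", "A",
                                   "vpc-0123456789abcdef0", SAMPLE_ZONES))
    print("outside zone:", resolve("www.example.com", "A",
                                   "vpc-0123456789abcdef0", SAMPLE_ZONES))


if __name__ == "__main__":
    demo()
```

The third case in `demo()` is the security-relevant one: from a VPC that is not associated with the zone, `app-server.internal.example.com` is not private at all and goes to public resolution, so association, not the zone's existence, is what scopes the namespace.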

The next step in mastering internal DNS is understanding how to use VPC endpoints for Route 53 to enable private DNS resolution for services that might be hosted outside your VPC but within your AWS account.
