Amazon Route 53 is excited to release the accelerated recovery option for managing DNS records in public hosted zones. Accelerated recovery targets a 60-minute recovery time objective (RTO) for regaining the ability to make DNS changes to your DNS records in Route 53 public hosted zones, if AWS services in US East (N. Virginia) become temporarily unavailable. The Route 53 public DNS service API is used by customers today for making changes to DNS records in order to facilitate software deployments, run infrastructure operations, and onboard new users. Customers in banking, financial technology (FinTech), and software-as-a-service (SaaS) in particular need a predictable and short RTO for meeting business continuity and disaster recovery objectives. In the past, if AWS services in US East (N. Virginia) became unavailable, customers would not be able to modify or recreate DNS records to point users and internal services to updated endpoints. Now, when you enable the accelerated recovery option on your Route 53 public hosted zone, you can make changes to Route 53 public DNS records (Resource Record Sets) in that hosted zone soon after such an interruption, most often in less than one hour. Accelerated recovery for managing public DNS records is available globally, except in AWS GovCloud and Amazon Web Services in China. There is no additional charge for using this feature. To learn more about the accelerated recovery option, visit our documentation.

Amazon Route 53 Profiles now supports AWS PrivateLink. Customers can now access and manage their Profiles privately, without going through the public internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely over the Amazon network. When Route 53 Profiles is accessed via AWS PrivateLink, all operations, such as creating, deleting, editing, and listing of Profiles, can be handled via the Amazon private network.  Route 53 Profiles allows you to define a standard DNS configuration, in the form of a Profile, that may include Route 53 private hosted zone (PHZ) associations, Route 53 Resolver rules, and Route 53 Resolver DNS Firewall rule groups, and apply this configuration to multiple VPCs in your account. Profiles can also be used to enforce DNS settings for your VPCs, with configurations for DNSSEC validations, Resolver reverse DNS lookups, and the DNS Firewall failure mode. You can share Profiles with AWS accounts in your organization using AWS Resource Access Manager (RAM). Customers can use Profiles with AWS PrivateLink in regions where Route 53 Profiles is available today, including the AWS GovCloud (US) Regions. For more information about the AWS Regions where Profiles is available, see here. To learn more about configuring Route 53 Profiles, please refer to the service documentation.

Today, AWS announced Amazon Route 53 Resolver DNS Firewall Advanced, a new set of capabilities on Route 53 Resolver DNS Firewall that allow you to monitor and block suspicious DNS traffic associated with advanced DNS threats, such as DNS tunneling and Domain Generation Algorithms (DGAs), that are designed to avoid detection by threat intelligence feeds or are difficult for threat intelligence feeds alone to track and block in time. Today, Route 53 Resolver DNS Firewall helps you block DNS queries made for domains identified as low-reputation or suspected to be malicious, and to allow queries for trusted domains. With DNS Firewall Advanced, you can now enforce additional protections that monitor and block your DNS traffic in real-time based on anomalies identified in the domain names being queried from your VPCs. To get started, you can configure one or multiple DNS Firewall Advanced rule(s), specifying the type of threat (DGA, DNS tunneling) to be inspected. You can add the rule(s) to a DNS Firewall rule group, and enforce it on your VPCs by associating the rule group to each desired VPC directly or by using AWS Firewall Manager, AWS Resource Access Manager (RAM), AWS CloudFormation, or Route 53 Profiles. Route 53 Resolver DNS Firewall Advanced is available in all AWS Regions, including the AWS GovCloud (US) Regions. To learn more about the new capabilities and the pricing, visit the Route 53 Resolver DNS Firewall webpage and the Route 53 pricing page. To get started, visit the Route 53 documentation.

Starting today, you can use Amazon Route 53 Resolver DNS Firewall and DNS Firewall Advanced in the Asia Pacific (Thailand) and Mexico (Central) Regions, to govern and filter outbound DNS traffic for your Amazon Virtual Private Cloud (VPC). Route 53 Resolver DNS Firewall is a managed service that enables you to block DNS queries made for domains identified as low-reputation or suspected to be malicious, and to allow queries for trusted domains. In addition, Route 53 Resolver DNS Firewall Advanced is a capability of DNS Firewall that allows you to detect and block DNS traffic associated with Domain Generation Algorithms (DGA) and DNS Tunneling threats. DNS Firewall can be enabled only for Route 53 Resolver, which is a recursive DNS server that is available by default in all Amazon Virtual Private Clouds (VPCs). The Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, VPC-specific domain names, and Route 53 private hosted zones. See here for the list of AWS Regions where Route 53 Resolver DNS Firewall is available. Visit our product page and documentation to learn more about Amazon Route 53 Resolver DNS Firewall and its pricing.

You can now use https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html for hybrid cloud configurations in the Asia Pacific (Thailand) and Mexico (Central) Regions. With this launch, you also have the option to enable Route 53 Resolver endpoints in the Asia Pacific (Thailand) and Mexico (Central) Regions with DNS-over-HTTPS (DoH). Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) service. Amazon Route 53 Resolver endpoints make hybrid cloud configurations easier to manage by enabling seamless DNS query resolution across your entire hybrid cloud. Create Route 53 Resolver endpoints and conditional forwarding rules to allow resolution of DNS namespaces between your on-premises data center and Amazon Virtual Private Cloud (Amazon VPC). You can also opt-in to use DoH on the endpoints (both inbound and outbound) and create rules to forward DoH traffic to destinations of your choice, to ensure DNS traffic across your hybrid cloud is encrypted via DoH. Visit the https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ to see all AWS Regions where Amazon Route 53 Resolver is available. Please visit our https://aws.amazon.com/route53/resolver/ to learn more about Amazon Route 53 Resolver and pricing.

Amazon Route 53 Profiles now supports https://aws.amazon.com/privatelink/. Customers can now access and manage their Profiles privately, without going through the public internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely over the Amazon network. When Route 53 Profiles is accessed via AWS PrivateLink, all operations, such as creating, deleting, editing, and listing of Profiles, can be handled via the Amazon private network.  Route 53 Profiles allows you to define a standard DNS configuration, in the form of a Profile, that may include Route 53 private hosted zone (PHZ) associations, Route 53 Resolver rules, and Route 53 Resolver DNS Firewall rule groups, and apply this configuration to multiple VPCs in your account. Profiles can also be used to enforce DNS settings for your VPCs, with configurations for DNSSEC validations, Resolver reverse DNS lookups, and the DNS Firewall failure mode. You can share Profiles with AWS accounts in your organization using AWS Resource Access Manager (RAM). Customers can use Profiles with AWS PrivateLink in regions where Route 53 Profiles is available today, including the AWS GovCloud (US) Regions. For more information about the AWS Regions where Profiles is available, see https://docs.aws.amazon.com/general/latest/gr/r53.html. To learn more about configuring Route 53 Profiles, please refer to the service https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Route_53_Profiles.html.

Today, we are announcing the availability of Route 53 Resolver Query Logging in Asia Pacific (New Zealand), enabling you to log DNS queries that originate in your Amazon Virtual Private Cloud (Amazon VPC). With query logging enabled, you can see which domain names have been queried, the AWS resources from which the queries originated - including source IP and instance ID - and the responses that were received.  Route 53 Resolver is the Amazon provided DNS server that is available by default in all Amazon VPCs. Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones. With Route 53 Resolver Query Logging, customers can log DNS queries and responses for queries originating from within their VPCs, whether those queries are answered locally by Route 53 Resolver, or are resolved over the public internet, or are forwarded to on-premises DNS servers via Resolver Endpoints. You can share your query logging configurations across multiple accounts using AWS Resource Access Manager (RAM). You can also choose to send your query logs to Amazon S3, Amazon CloudWatch Logs, or Amazon Data Firehose.  There is no additional charge to use Route 53 Resolver Query Logging, although you may incur usage charges from Amazon S3, Amazon CloudWatch, or Amazon Data Firehose. To learn more about Route 53 Resolver Query Logging or to get started, visit the Route 53 Resolver product page or the Route 53 documentation.

Simplify hybrid DNS management with a unified service that resolves public and private domains globally through secure, anycast-based resolution while reducing operational overhead and maintaining consistent...

Starting today, you can enable Route 53 Resolver DNS Firewall Advanced to monitor and block queries associated with Dictionary-based Domain Generation Algorithm (DGA) attacks, that generate domain names by pseudo-randomly concatenating words from a predefined dictionary, creating human-readable strings to evade detection. Route 53 DNS Firewall Advanced is an offering on Route 53 DNS Firewall that enables you to enforce protections to monitor and block your DNS traffic in real-time based on anomalies identified in the domain names being queried from your VPCs. These include protections for DNS tunneling and DGA attacks. With this launch, you can also enforce protections for Dictionary-based DGA attacks, which is a variant of the DGA attack, where domain names are generated to mimic and blend with legitimate domain names, to resist detection. To get started, you can configure one or multiple DNS Firewall Advanced rule(s), specifying Dictionary DGA as the threat to be inspected. You can add the rule(s) to a DNS Firewall rule group, and enforce it on your VPCs by associating the rule group to each desired VPC directly or by using AWS Firewall Manager, AWS Resource Access Manager (RAM), AWS CloudFormation, or Route 53 Profiles. Route 53 Resolver DNS Firewall Advanced support for Dictionary DGA is available in all AWS Regions, including the AWS GovCloud (US) Regions. To learn more about the new capabilities and the pricing, visit the Route 53 Resolver DNS Firewall https://aws.amazon.com/route53/resolver-dns-firewall/ and the https://aws.amazon.com/route53/pricing/. To get started, visit the Route 53 https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/firewall-advanced.html.

Amazon Route 53 now offers Accelerated recovery for managing public DNS records, a new business continuity feature designed to provide a 60-minute recovery time objective (RTO) during service disruptions...

Starting today, you can enable Amazon CloudWatch metric (ResolverEndpointCapacityStatus) to monitor the status of the query capacity for Elastic Network Interfaces (ENIs) associated with your Route 53 Resolver endpoint in Amazon Virtual Private Cloud (VPC). The new metric enables you to quickly view whether the Resolver endpoint is at the risk of meeting the service limit for query capacity, and take remediation steps like instantiating additional ENIs to meet the capacity needs. Before today, you could enable CloudWatch to monitor the number of DNS queries that were forwarded by Route 53 Resolver endpoints, over a default five-minute interval, and make further estimations on when your endpoints will meet the query limits. With this launch, you can now enable the new metric to get direct alerts on the current status of your Resolver endpoint capacity, without requiring you to make additional estimations for calculating capacity of each endpoint. The status is reported for each Resolver endpoint, indicating whether the endpoint is operating within the normal capacity limit (0 - OK), has at least one ENI exceeding 50% capacity utilization (1 - Warning), or has at least one ENI exceeding 75% capacity utilization (2 - Critical). The new metric simplifies capacity management for Route 53 Resolver endpoints by providing clear, actionable signals for scaling decisions, without requiring additional analysis on the query volume. To learn more about the launch, read the documentation or visit the Route 53 Resolver page. There is no charge for the metric, although you will incur charges for usage of Resolver endpoints.

Amazon Route 53 Profiles introduces dual stack support for the Route 53 Profiles API endpoints, enabling you to connect using Internet Protocol Version 6 (IPv6), Internet Protocol Version 4 (IPv4), or dual stack clients. The existing Route 53 Profiles endpoints supporting IPv4 will remain available for backwards compatibility. Route 53 Profiles makes it easy for you can create one or more configurations for VPC-related DNS settings, such as private hosted zones and Route 53 Resolver rules, and share them across VPCs and AWS accounts. The urgency to transition to Internet Protocol version 6 (IPv6) is driven by the continued growth of internet, which is exhausting available Internet Protocol version 4 (IPv4) addresses. With simultaneous support for both IPv4 and IPv6 clients on Route 53 Profiles endpoints, you are able to gradually transition from IPv4 to IPv6 based systems and applications, without needing to switch all over at once. This enables you to meet IPv6 compliance requirements and removes the need for expensive networking equipment to handle the address translation between IPv4 and IPv6. Support for IPv6 on Route 53 Profiles is available in all AWS Commercial and AWS GovCloud (US) Regions where Route 53 Profiles is available. See here for a full listing of our Regions. You can get started with the feature through AWS CLI or AWS Management Console. To learn more about Route 53 Profiles, visit the Route 53 documentation. To learn more about pricing, you can visit the Route 53 pricing page.

Amazon Route 53 now supports AWS PrivateLink for API requests to the route53.amazonaws.com service endpoint, allowing your AWS workloads to make changes to critical DNS infrastructure, including hosted zones, records, and health checks, without using the public internet. With this release, you can set up private connectivity between your virtual private clouds (VPCs) and the Route 53 API, from your VPC on the AWS backbone, in any AWS Region. The Route 53 API is used by customers for domain name system (DNS) operations, which are a foundational layer of their cloud infrastructure automation, user-facing applications, and internal services. This integration simplifies cloud architecture by removing the need for customers to setup and manage complex networking services that connect resources in their virtual private clouds (VPCs) privately to the Route 53 API. Now, customers can use a VPC endpoint within their VPC to establish connectivity to the Route 53 API. Customers outside the us-east-1 can use cross-region Interface VPC endpoints to natively connect to Route53 from other Regions, without the need to send traffic over the public internet or set up inter-region connectivity like VPC peering. Route 53 support for PrivateLink is available globally, except in AWS GovCloud and Amazon Web Services in China. To learn more about this feature, or to get started, visit the AWS PrivateLink documentation. To learn about pricing, visit the PrivateLink pricing page.

Starting today, Route 53 Profiles is available in Asia Pacific (Thailand), Mexico (Central), and Asia Pacific (Malaysia) Regions. Route 53 Profiles allows you to define a standard DNS configuration (Profile), that may include Route 53 private hosted zone (PHZ) associations, Route 53 Resolver rules, and Route 53 Resolver DNS Firewall rule groups, and apply this configuration to multiple VPCs in your account. Route 53 Profiles can also be used to enforce DNS settings for your VPCs, with configurations for DNSSEC validations, Resolver reverse DNS lookups, and the DNS Firewall failure mode. You can share Profiles with AWS accounts in your organization using AWS Resource Access Manager (RAM). Route 53 Profiles simplifies the association of Route 53 resources and VPC-level settings for DNS across VPCs and AWS accounts in a Region with a single configuration, minimizing the complexity of having to manage each resource association and setting per VPC. Route 53 Profiles is available in the AWS Regions mentioned https://docs.aws.amazon.com/general/latest/gr/r53.html. To get started with this feature, visit the Route 53 https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html. To learn more about pricing, you can visit the https://aws.amazon.com/route53/pricing/.  

Amazon Route 53 Profiles introduces dual stack support for the Route 53 Profiles API endpoints, enabling you to connect using Internet Protocol Version 6 (IPv6), Internet Protocol Version 4 (IPv4), or dual stack clients. The existing Route 53 Profiles endpoints supporting IPv4 will remain available for backwards compatibility. Route 53 Profiles makes it easy for you can create one or more configurations for VPC-related DNS settings, such as private hosted zones and Route 53 Resolver rules, and share them across VPCs and AWS accounts. The urgency to transition to Internet Protocol version 6 (IPv6) is driven by the continued growth of internet, which is exhausting available Internet Protocol version 4 (IPv4) addresses. With simultaneous support for both IPv4 and IPv6 clients on Route 53 Profiles endpoints, you are able to gradually transition from IPv4 to IPv6 based systems and applications, without needing to switch all over at once. This enables you to meet IPv6 compliance requirements and removes the need for expensive networking equipment to handle the address translation between IPv4 and IPv6. Support for IPv6 on Route 53 Profiles is available in all AWS Commercial and AWS GovCloud (US) Regions where Route 53 Profiles is available. See https://docs.aws.amazon.com/general/latest/gr/r53.html#r53_region for a full listing of our Regions. You can get started with the feature through AWS CLI or https://console.aws.amazon.com/rds/home. To learn more about Route 53 Profiles, visit the Route 53 https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html. To learn more about pricing, you can visit the https://aws.amazon.com/route53/pricing/.

Starting today, domain name system (DNS) delegation for private hosted zone subdomains can be used with Route 53 inbound and outbound Resolver endpoints. This allows you to delegate the authority for a subdomain from your on-premises infrastructure to the Route 53 Resolver cloud service and vice versa, enabling a simplified cloud experience across namespaces in AWS and on your own local infrastructure. AWS customers allow multiple organizations within their enterprise to individually manage their respective subdomains and subzones, whereas apex domains and parent hosted zones are typically overseen by a central team. Previously, these customers had to create and maintain conditional forwarding rules in their existing network infrastructure to enable services to discover one another across subdomains. However, conditional forwarding rules are difficult to maintain across large organizations and, in many cases, are not supported by on-premises infrastructure. With today’s release, customers can instead delegate authority of subdomains to Route 53 using name server records and vice versa, achieving compatibility with common, on-premises DNS infrastructure and removing the need for teams to use conditional forwarding rules throughout their organization. Inbound and outbound delegation for Resolver endpoints is available globally in all AWS Regions, where Resolver endpoints are available, except in AWS GovCloud and Amazon Web Services in China. Inbound and outbound delegation is provided at no additional cost to Resolver endpoints usage. For more details on pricing, visit the Route 53 pricing page, and to learn more about this feature, visit the developer guide.

Starting today, you can enable Route 53 Resolver DNS Firewall Advanced to monitor and block queries associated with Dictionary-based Domain Generation Algorithm (DGA) attacks, that generate domain names by pseudo-randomly concatenating words from a predefined dictionary, creating human-readable strings to evade detection. Route 53 DNS Firewall Advanced is an offering on Route 53 DNS Firewall that enables you to enforce protections to monitor and block your DNS traffic in real-time based on anomalies identified in the domain names being queried from your VPCs. These include protections for DNS tunneling and DGA attacks. With this launch, you can also enforce protections for Dictionary-based DGA attacks, which is a variant of the DGA attack, where domain names are generated to mimic and blend with legitimate domain names, to resist detection. To get started, you can configure one or multiple DNS Firewall Advanced rule(s), specifying Dictionary DGA as the threat to be inspected. You can add the rule(s) to a DNS Firewall rule group, and enforce it on your VPCs by associating the rule group to each desired VPC directly or by using AWS Firewall Manager, AWS Resource Access Manager (RAM), AWS CloudFormation, or Route 53 Profiles. Route 53 Resolver DNS Firewall Advanced support for Dictionary DGA is available in all AWS Regions, including the AWS GovCloud (US) Regions. To learn more about the new capabilities and the pricing, visit the Route 53 Resolver DNS Firewall webpage and the Route 53 pricing page. To get started, visit the Route 53 documentation.

Today, AWS announced support for VPC endpoints in Amazon Route 53 Profiles, allowing you to create, manage, and share private hosted zones (PHZs) for interface VPC endpoints across multiple VPCs and AWS accounts within your organization. With this enhancement, Amazon Route 53 Profiles simplifies the management of VPC endpoints by streamlining the process of creating and associating interface VPC endpoint managed PHZs with VPCs and AWS accounts, and without requiring you to manually associate them. Route 53 Profiles makes it easy for you to create one or more configurations for VPC-related DNS settings, such as private hosted zones and Route 53 Resolver rules, and share them across VPCs and AWS accounts. The new capability helps you centralize the management of PHZs associated with interface VPC endpoints, reducing administrative overhead and minimizing the risk of configuration errors. This feature eliminates the need for creation and manual association of PHZs for VPC endpoints with individual VPCs and accounts, saving time and effort for network administrators. Additionally, it improves security and consistency by providing a centralized approach to managing DNS resolution for VPC endpoints across an organization's AWS infrastructure. Route 53 Profiles support for VPC endpoints is now available in the AWS Regions mentioned https://docs.aws.amazon.com/general/latest/gr/r53.html. To learn more about the capability and how it can benefit your organization, visit the Amazon Route 53 https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html. You can get started by accessing the Amazon Route 53 console in your AWS Management Console or through AWS CLI. To learn more about pricing of Route 53 Profiles, see https://aws.amazon.com/route53/pricing/.  

Simplify hybrid DNS management with a unified service that resolves public and private domains globally through secure, anycast-based resolution while reducing operational overhead and maintaining consistent security controls.

Amazon API Gateway now offers IPv6 support across all endpoint types, custom domains, and management APIs in all commercial and AWS GovCloud regions, enabling dual-stack configuration options as a solution to growing IPv4 address scarcity.

Starting today, you can use Amazon Route 53 Resolver DNS Firewall and DNS Firewall Advanced in the Asia Pacific (Thailand) and Mexico (Central) Regions, to govern and filter outbound DNS traffic for your Amazon Virtual Private Cloud (VPC). Route 53 Resolver DNS Firewall is a managed service that enables you to block DNS queries made for domains identified as low-reputation or suspected to be malicious, and to allow queries for trusted domains. In addition, Route 53 Resolver DNS Firewall Advanced is a capability of DNS Firewall that allows you to detect and block DNS traffic associated with Domain Generation Algorithms (DGA) and DNS Tunneling threats. DNS Firewall can be enabled only for Route 53 Resolver, which is a recursive DNS server that is available by default in all Amazon Virtual Private Clouds (VPCs). The Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, VPC-specific domain names, and Route 53 private hosted zones. See https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-availability.html for the list of AWS Regions where Route 53 Resolver DNS Firewall is available. Visit our https://aws.amazon.com/route53/resolver-dns-firewall/ and https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html to learn more about Amazon Route 53 Resolver DNS Firewall and its pricing.

Today, AWS announced the preview of Amazon Route 53 Global Resolver, a new internet-reachable DNS resolver that provides easy, secure, and reliable DNS resolution from anywhere for queries made by your authorized clients. With Global Resolver, authorized clients in your organization can achieve split DNS resolution by resolving public domains on the internet and private domains associated with Route 53 private hosted zones, from anywhere. Global Resolver also allows you to create rules that protects your clients from DNS-based data exfiltration attacks. Using DNS Firewall rules for Global Resolver, you can filter queries for domains based on threat categories (e.g. Malware, Spam), web-content (e.g. Adult and Mature Content, Gambling), or advanced DNS threats (DNS tunneling, Domain Generation Algorithms), and log all queries centrally for easy auditing. Global Resolver enables you to achieve high availability of DNS resolution for your clients, by allowing you to select two or more regions for anycast DNS resolution with automatic failover to the closest available region. With the launch of Global Resolver, we are renaming Route 53 Resolver to Route 53 VPC Resolver, to help clarify the distinction between the two services. Route 53 VPC Resolver allows you to resolve DNS queries from AWS resources in your Amazon VPCs for public domain names, VPC-specific DNS names, and Amazon Route 53 private hosted zones, and is available by default in each VPC. You can also associate Resolver endpoints with the VPC Resolver to forward DNS queries between your on-premises and Amazon VPCs. Visit the service page for Global Resolver pricing and feature details. During the preview, Global Resolver will be available at no additional cost. For more information about AWS Regions where Global Resolver is available during preview, see here. To get started with a step-by-step walkthrough, see the AWS News Blog or documentation.

AWS Security Hub now supports Amazon Route 53 Resolver DNS Firewall, allowing you to receive security findings for DNS queries made from your Amazon VPCs for domains suspected as malicious or identified as low-reputation. Route 53 Resolver DNS Firewall is a managed firewall that enables you to block DNS queries made for malicious domains and to allow queries for trusted domains. Today, AWS Security Hub gives you a comprehensive view of your security alerts and compliance status across your AWS accounts. This integration allows you to enable three new finding types for Security Hub. You can now receive security findings for queries blocked or alerted on for domains associated with AWS Managed Domain Lists, customer domain lists, and threats identified by Route 53 Resolver DNS Firewall Advanced. With this launch, you now have a single place to view security findings for your accounts that may be associated with malicious DNS queries, alongside findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. The feature is available in all AWS Regions where Amazon Route 53 Resolver DNS Firewall is available. See here for the list of AWS Regions where Route 53 Resolver DNS Firewall is available. To learn more about AWS Security Hub capabilities, see the AWS Security Hub documentation. To learn more about Route 53 Resolver DNS Firewall, see the product page or documentation.

The Amazon Route 53 authoritative DNS service for public hosted zones is now generally available in the AWS GovCloud (US-East and US-West) Regions. With today’s release, AWS customers and AWS Partners who rely on public DNS for their applications in the AWS GovCloud (US) Regions can now take advantage of most of the features they have come to expect of Route 53 in commercial AWS Regions. Previously, customers used Route 53 authoritative DNS served from commercial AWS Regions for routing traffic to their applications in the AWS GovCloud (US) Regions. Now, you can serve DNS queries to your public hosted zones from locations within the AWS GovCloud (US) Regions and without dependency on commercial AWS Region accounts. Features include authoritative DNS query logging, DNSSEC signing on AWS GovCloud (US) public hosted zones, and support for all Route 53 routing types except for IP-based routing. It also includes alias records to the following other AWS services: Amazon API Gateway, Amazon S3, Amazon VPC endpoints, AWS Elastic Beanstalk, and Elastic Load Balancing (ELB) load balancers. Getting started with Route 53 in the AWS GovCloud (US) Regions is easy. All customers in the AWS GovCloud (US) Regions can use Route 53 authoritative DNS via the AWS Management Console and API in the AWS GovCloud (US-West) Region. For more information, visit the Route 53 documentation or review migration recommendations in the Route 53 Developer Guide. For details on pricing, visit section Authoritative DNS on the Route pricing page.

Starting today, you can enable Amazon CloudWatch metric (ResolverEndpointCapacityStatus) to monitor the status of the query capacity for Elastic Network Interfaces (ENIs) associated with your Route 53 Resolver endpoint in Amazon Virtual Private Cloud (VPC). The new metric enables you to quickly view whether the Resolver endpoint is at the risk of meeting the service limit for query capacity, and take remediation steps like instantiating additional ENIs to meet the capacity needs. Before today, you could enable CloudWatch to monitor the number of DNS queries that were forwarded by Route 53 Resolver endpoints, over a default five-minute interval, and make further estimations on when your endpoints will meet the query limits. With this launch, you can now enable the new metric to get direct alerts on the current status of your Resolver endpoint capacity, without requiring you to make additional estimations for calculating capacity of each endpoint. The status is reported for each Resolver endpoint, indicating whether the endpoint is operating within the normal capacity limit (0 - OK), has at least one ENI exceeding 50% capacity utilization (1 - Warning), or has at least one ENI exceeding 75% capacity utilization (2 - Critical). The new metric simplifies capacity management for Route 53 Resolver endpoints by providing clear, actionable signals for scaling decisions, without requiring additional analysis on the query volume. To learn more about the launch, read the https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-resolver-with-cloudwatch.html#cloudwatch-metrics-resolver-endpoint or visit the https://aws.amazon.com/route53/resolver/. There is no charge for the metric, although you will incur https://aws.amazon.com/route53/pricing/ for usage of Resolver endpoints.