AWS Security ChangesHomeSearch

AWS Route53 documentation change

Service: Route53 · 2025-06-25 · Documentation low

File: Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.md

Summary

Removed detailed configuration steps for outbound endpoints and forwarding rules, including security group requirements, protocol options (Do53/DoH), IPv6 restrictions, and operational notes. Added a 'Configuring outbound forwarding' heading without supporting content.

Security assessment

While the removed content included security-related configurations (security groups, DoH encryption, IPv6 restrictions), there's no explicit evidence this change addresses a specific vulnerability. The removal appears to be documentation restructuring rather than patching a security issue. However, deleting security configuration guidance could indirectly impact security posture if users lose access to important hardening information.

Diff

diff --git a/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.md b/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.md
index ca22f1bef..bd774dd26 100644
--- a//Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.md
+++ b//Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.md
@@ -5,2 +4,0 @@
-Configuring outbound forwardingValues that you specify when you create or edit outbound endpointsValues that you specify when you create or edit rules
-
@@ -34,229 +31,0 @@ For more information, see the following topics:
-## Configuring outbound forwarding
-
-To configure Resolver to forward DNS queries that originate in your VPC to your network, perform the following procedures.
-
-###### Important
-
-After you create an outbound endpoint, you must create one or more rules and associate them with one or more VPCs. Rules specify the domain names of the DNS queries that you want to forward to your network.
-
-###### To create an outbound endpoint
-
-  1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).
-
-  2. In the navigation pane, choose **Outbound endpoints**.
-
-  3. On the navigation bar, choose the Region where you want to create an outbound endpoint.
-
-  4. Choose **Create outbound endpoint**.
-
-  5. Enter the applicable values. For more information, see Values that you specify when you create or edit outbound endpoints.
-
-  6. Choose **Create**.
-
-###### Note
-
-Creating an outbound endpoint takes a minute or two. You can't create another outbound endpoint until the first one is created.
-
-  7. Create one or more rules to specify the domain names of the DNS queries that you want to forward to your network. For more information, see the next procedure.
-
-
-
-
-To create one or more forwarding rules, perform the following procedure.
-
-###### To create forwarding rules and associate the rules with one or more VPCs
-
-  1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).
-
-  2. In the navigation pane, choose **Rules**.
-
-  3. On the navigation bar, choose the Region where you want to create the rule.
-
-  4. Choose **Create rule**.
-
-  5. Enter the applicable values. For more information, see Values that you specify when you create or edit rules.
-
-  6. Choose **Save**.
-
-  7. To add another rule, repeat steps 4 through 6. 
-
-
-
-
-## Values that you specify when you create or edit outbound endpoints
-
-When you create or edit an outbound endpoint, you specify the following values:
-
-**Outpost ID**
-    
-
-If you are creating the endpoint for a Resolver on an AWS Outposts VPC, this is the AWS Outposts ID.
-
-**Endpoint name**
-    
-
-A friendly name that lets you easily find an outbound endpoint on the dashboard.
-
-**VPC in the _region-name_ Region**
-    
-
-All outbound DNS queries will flow through this VPC on the way to your network.
-
-**Security group for this endpoint**
-    
-
-The ID of one or more security groups that you want to use to control access to this VPC. The security group that you specify must include one or more outbound rules. Outbound rules must allow TCP and UDP access on the port that you're using for DNS queries on your network. You can't change this value after you create an endpoint. 
-
-Some security group rules will cause your connection to be tracked and potentially impact the maximum queries per second from outbound endpoint to your target name server. To avoid connection tracking caused by a security group, see [Untracked connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections).
-
-For more information, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the _Amazon VPC User Guide_.
-
-**Endpoint type**
-    
-
-The endpoint type can be either IPv4, IPv6, or dual-stack IP addresses. For a dual-stack endpoint, the endpoint will have both IPv4 and IPv6 address that your DNS resolver on your network can forward DNS query to. 
-
-###### Note
-
-For security reasons, we are denying direct IPv6 traffic access to the public internet for all dual-stack and IPv6 IP addresses.
-
-**IP addresses**
-    
-
-The IP addresses in your VPC that you want Resolver to forward DNS queries to on the way to resolvers on your network. These are not the IP addresses of the DNS resolvers on your network; you specify resolver IP addresses when you create the rules that you associate with one or more VPCs. We require you to specify a minimum of two IP addresses for redundancy. 
-
-###### Note
-
-Resolver endpoint has a private IP address. These IP addresses will not change through the course of an endpoint's life.
-
-Note the following:
-
-**Multiple Availability Zones**
-    
-
-We recommend that you specify IP addresses in at least two Availability Zones. You can optionally specify additional IP addresses in those or other Availability Zones.
-
-**IP addresses and Amazon VPC elastic network interfaces**
-    
-
-For each combination of Availability Zone, Subnet, and IP address that you specify, Resolver creates an Amazon VPC elastic network interface. For the current maximum number of DNS queries per second per IP address in an endpoint, see [Quotas on Route 53 Resolver](./DNSLimitations.html#limits-api-entities-resolver). For information about pricing for each elastic network interface, see "Amazon Route 53" on the [Amazon Route 53 pricing page](https://aws.amazon.com/route53/pricing/).
-
-**Order of IP addresses**
-    
-
-You can specify IP addresses in any order. When forwarding DNS queries, Resolver doesn't choose IP addresses based on the order that the IP addresses are listed in.
-
-For each IP address, specify the following values. Each IP address must be in an Availability Zone in the VPC that you specified in **VPC in the _region-name_ Region**.
-
-**Availability Zone**
-    
-
-The Availability Zone that you want DNS queries to pass through on the way to your network. The Availability Zone that you specify must be configured with a subnet.
-
-**Subnet**
-    
-
-The subnet that contains the IP address that you want DNS queries to originate from on the way to your network. The subnet must have an available IP address.
-
-The subnet IP address must match the **Endpoint type**.
-
-**IP address**
-    
-
-The IP address that you want DNS queries to originate from on the way to your network.
-
-Choose whether you want Resolver to choose an IP address for you from among the available IP addresses in the specified subnet, or you want to specify the IP address yourself.
-
-If you choose to specify the IP address yourself, enter an IPv4 or IPv6 address, or both.
-
-**Protocols**
-    
-
-Endpoint protocol determines how data is transmitted from the outbound endpoint. Choose a protocol, or protocols, depending on the level of security needed.
-
-  * **Do53:** (Default) The data is relayed using the Route 53 Resolver without additional encryption. While the data cannot be read by external parties, it can be viewed within the AWS networks.
-
-  * **DoH:** The data is transmitted over an encrypted HTTPS session. DoH adds an added level of security where data can't be decrypted by unauthorized users, and can't be read by anyone except the intended recipient.
-
-
-
-
-For an outbound endpoint you can apply the protocols as follows:
-
-  * Do53 and DoH in combination.
-
-  * Do53 alone.
-
-  * DoH alone.
-
-  * None, which is treated as Do53.
-
-
-
-
-**Tags**
-    
-
-Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.
-
-## Values that you specify when you create or edit rules
-
-When you create or edit a forwarding rule, you specify the following values:
-
-**Rule name**
-    
-
-A friendly name that lets you easily find a rule on the dashboard.
-
-**Rule type**
-    
-
-Choose the applicable value:
-
-  * **Forward** – Choose this option when you want to forward DNS queries for a specified domain name to resolvers on your network.
-
-  * **System** – Choose this option when you want Resolver to selectively override the behavior that is defined in a forwarding rule. When you create a system rule, Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network.
-
-
-
-
-By default, forwarding rules apply to a domain name and all its subdomains. If you want to forward queries for a domain to a resolver on your network but you don't want to forward queries for some subdomains, you create a system rule for the subdomains. For example, if you create a forwarding rule for example.com but you don't want to forward queries for acme.example.com, you create a system rule and specify acme.example.com for the domain name.
-
-**VPCs that use this rule**