AWS Security ChangesHomeSearch

AWS Route53 documentation change

Service: Route53 · 2026-05-07 · Documentation medium

File: Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries-endpoint-values.md

Summary

Added IPv6 internet access toggle and security guidance for outbound endpoints

Security assessment

Introduces new security documentation about network controls (security groups/NACLs) to protect endpoints when enabling IPv6 access. While not fixing a specific vulnerability, it proactively addresses security risks of public IPv6 exposure.

Diff

diff --git a/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries-endpoint-values.md b/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries-endpoint-values.md
index 7ad26ba84..e19c17f5f 100644
--- a//Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries-endpoint-values.md
+++ b//Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries-endpoint-values.md
@@ -42 +42 @@ The endpoint type can be either IPv4, IPv6, or dual-stack IP addresses. For a du
-For security reasons, we are denying direct IPv6 traffic access to the public internet for all dual-stack and IPv6 IP addresses.
+For security reasons, we are denying direct IPv6 traffic access to the public internet for all dual-stack and IPv6 IP addresses by default. To enable this access, turn on **IPv6 internet access** when you create or edit the endpoint.
@@ -117,0 +118,9 @@ For an outbound endpoint you can apply the protocols as follows:
+**IPv6 internet access**
+    
+
+Enable IPv6 internet access to allow the outbound endpoint to forward DNS queries to public IPv6 targets through an internet gateway. When enabled, the endpoint elastic network interfaces (ENIs) can send DNS queries to public IPv6 resolvers.
+
+###### Important
+
+When you enable IPv6 internet access, use network controls like security groups, NACLs, or egress-only internet gateways to protect the endpoint ENIs from unsolicited ingress traffic. Be aware that some network controls can affect DNS query throughput due to connection tracking. For more information, see [Amazon EC2 security group connection tracking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html) and [Resolver endpoint scaling](best-practices-resolver-endpoint-scaling.html).
+