# Working with private hosted zones
<a name="hosted-zones-private"></a>

A *private hosted zone* is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service. Here's how private hosted zones work:

1. You create a private hosted zone, such as example.com, and specify the VPC that you want to associate with the hosted zone. After you create the hosted zone you can associate more VPCs with it.

1. You create records in the hosted zone that determine how Route 53 responds to DNS queries for your domain and subdomains within and among your VPCs. For example, suppose you have a database server that runs on an EC2 instance in the VPC that you associated with your private hosted zone. You create an A or AAAA record, such as db.example.com, and you specify the IP address of the database server. 

   For more information about records, see [Working with records](rrsets-working-with.md). For information about the Amazon VPC requirements for using private hosted zones, see [Using private hosted zones](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-private-hosted-zones) in the *Amazon VPC User Guide*.

1. When an application submits a DNS query for db.example.com, Route 53 returns the corresponding IP address. To get an answer from a private hosted zone, the query must come from an EC2 instance in one of the associated VPCs, or arrive through an inbound endpoint in a hybrid setup. If you query the same name from outside the associated VPCs or your hybrid setup, the private hosted zone is not consulted; the query is recursively resolved on the internet instead.

1. The application uses the IP address that it got from Route 53 to establish a connection with the database server.

When you create a private hosted zone, the following name servers are used:
+ ns-0.awsdns-00.com
+ ns-512.awsdns-00.net
+ ns-1024.awsdns-00.org
+ ns-1536.awsdns-00.co.uk

These name servers are used because the DNS protocol requires that every hosted zone have an NS record set. They are reserved and are never used by Route 53 public hosted zones. You can query a private hosted zone only through VPC Resolver in a VPC that is associated with the hosted zone, or through an inbound endpoint that is connected to one of those VPCs.

While the name servers are visible on the internet, VPC Resolver doesn't connect to the name server addresses, and the private hosted zone's records are not returned if you query those name servers directly over the internet. Instead, VPC Resolver detects that a query falls within a private namespace, based on the VPC-to-hosted-zone associations, and uses direct, private connectivity to reach the private DNS servers.

**Note**  
You can change the NS record set in a private hosted zone if you want and private DNS resolution will still work. We don't recommend doing so, but if you choose to, you should use reserved domain names which are not used by public DNS servers.

If you want to route traffic for your domain on the internet, you use a Route 53 *public* hosted zone. For more information, see [Working with public hosted zones](AboutHZWorkingWith.md).

**Topics**
+ [Considerations when working with a private hosted zone](hosted-zone-private-considerations.md)
+ [Creating a private hosted zone](hosted-zone-private-creating.md)
+ [Listing private hosted zones](hosted-zone-private-listing.md)
+ [Associating more VPCs with a private hosted zone](hosted-zone-private-associate-vpcs.md)
+ [Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts](hosted-zone-private-associate-vpcs-different-accounts.md)
+ [Disassociating VPCs from a private hosted zone](hosted-zone-private-disassociate-vpcs.md)
+ [Deleting a private hosted zone](hosted-zone-private-deleting.md)
+ [VPC permissions](hosted-zone-private-vpc-permissions.md)

# Considerations when working with a private hosted zone
<a name="hosted-zone-private-considerations"></a>

When using private hosted zones, note the following considerations.
+ [Amazon VPC settings](#hosted-zone-private-considerations-vpc-settings)
+ [Route 53 health checks](#hosted-zone-private-considerations-health-checks)
+ [Supported routing policies for records in a private hosted zone](#hosted-zone-private-considerations-routing-policies)
+ [Split-view DNS](#hosted-zone-private-considerations-split-view-dns)
+ [Public and private hosted zones that have overlapping namespaces](#hosted-zone-private-considerations-public-private-overlapping)
+ [Private hosted zones that have overlapping namespaces](#hosted-zone-private-considerations-private-overlapping)
+ [Private hosted zones and Route 53 VPC Resolver rules](#hosted-zone-private-considerations-resolver-rules)
+ [Delegating responsibility for a subdomain](#hosted-zone-private-considerations-delegating-subdomain)
+ [Custom DNS servers](#hosted-zone-private-considerations-custom-dns)
+ [Required IAM permissions](#hosted-zone-private-considerations-required-permissions)

**Amazon VPC settings**  
To use private hosted zones, you must set the following Amazon VPC settings to `true`:  
+ `enableDnsHostnames`
+ `enableDnsSupport`
For more information, see [View and update DNS attributes for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns-updating.html) in the *Amazon VPC User Guide*.

**Route 53 health checks**  
In a private hosted zone, you can associate Route 53 health checks only with failover, multivalue answer, weighted, latency, geolocation, and geoproximity records. For information about associating health checks with failover records, see [Configuring failover in a private hosted zone](dns-failover-private-hosted-zones.md).

**Supported routing policies for records in a private hosted zone**  
You can use the following routing policies when you create records in a private hosted zone:  
+ [Simple routing](routing-policy-simple.md)
+ [Failover routing](routing-policy-failover.md)
+ [Multivalue answer routing](routing-policy-multivalue.md)
+ [Weighted routing](routing-policy-weighted.md)
+ [Latency-based routing](routing-policy-latency.md)
+ [Geolocation routing](routing-policy-geo.md)
+ [Geoproximity routing](routing-policy-geoproximity.md)
Creating records in a private hosted zone using other routing policies is not supported.

**Split-view DNS**  
You can use Route 53 to configure split-view DNS, also known as split-horizon DNS. In split-view DNS, you use the same domain name (example.com) for internal uses (accounting.example.com) and external uses, such as your public website (www.example.com). You might also want to use the same subdomain name internally and externally, but serve different content or require different authentication for internal and external users.  
To configure split-view DNS, you perform the following steps:  

1. Create public and private hosted zones that have the same name. (Split-view DNS still works if you're using another DNS service for the public hosted zone.)

1. Associate one or more Amazon VPCs with the private hosted zone. Route 53 VPC Resolver uses the private hosted zone to route DNS queries in the specified VPCs.

1. Create records in each hosted zone. Records in the public hosted zone control how internet traffic is routed, and records in the private hosted zone control how traffic is routed in your Amazon VPCs.
If you need name resolution between your VPCs and your on-premises workloads, you can use Route 53 VPC Resolver. For more information, see [What is Route 53 VPC Resolver?](resolver.md).

**Public and private hosted zones that have overlapping namespaces**  
If you have private and public hosted zones that have overlapping namespaces, such as example.com and accounting.example.com, VPC Resolver routes traffic based on the most specific match. When users are logged into an EC2 instance in an Amazon VPC that you have associated with the private hosted zone, here's how Route 53 VPC Resolver handles DNS queries:  

1. VPC Resolver evaluates whether the name of the private hosted zone matches the domain name in the request, such as accounting.example.com. A match is defined as either of the following:
   + An identical match
   + The name of the private hosted zone is a parent of the domain name in the request. For example, suppose the domain name in the request is the following:

     **seattle.accounting.example.com**

     The following hosted zones match because they're parents of seattle.accounting.example.com:
     + **accounting.example.com**
     + **example.com**

   If there's no matching private hosted zone, then VPC Resolver forwards the request to a public DNS resolver, and your request is resolved as a regular DNS query.

1. If there's a private hosted zone name that matches the domain name in the request, the hosted zone is searched for a record that matches the domain name and DNS type in the request, such as an A record for accounting.example.com.
**Note**  
If there's a matching private hosted zone but there's no record that matches the domain name and type in the request, VPC Resolver doesn't forward the request to a public DNS resolver. Instead, it returns NXDOMAIN (non-existent domain) to the client.

**Private hosted zones that have overlapping namespaces**  
If you have two or more private hosted zones that have overlapping namespaces, such as example.com and accounting.example.com, VPC Resolver routes traffic based on the most specific match.   
If you have a private hosted zone (example.com) and a Route 53 VPC Resolver rule that routes traffic to your network for the same domain name, the VPC Resolver rule takes precedence. See [Private hosted zones and Route 53 VPC Resolver rules](#hosted-zone-private-considerations-resolver-rules).
When users are logged into an EC2 instance in an Amazon VPC that you have associated with all of the private hosted zones, here's how VPC Resolver handles DNS queries:  

1. VPC Resolver evaluates whether the domain name in the request, such as accounting.example.com, matches the name of one of the private hosted zones.

1. If there is no hosted zone that exactly matches the domain name in the request, VPC Resolver checks for a hosted zone that has a name that is the parent of the domain name in the request. For example, suppose the domain name in the request is the following:

   `seattle.accounting.example.com`

   The following hosted zones match because they're parents of `seattle.accounting.example.com`:
   + `accounting.example.com`
   + `example.com`

   VPC Resolver chooses `accounting.example.com` because it's more specific than `example.com`.

1. VPC Resolver searches the `accounting.example.com` hosted zone for a record that matches the domain name and DNS type in the request, such as an A record for `seattle.accounting.example.com`.

   If there's no record that matches the domain name and type in the request, VPC Resolver returns NXDOMAIN (non-existent domain) to the client.

**Private hosted zones and Route 53 VPC Resolver rules**  
If you have a private hosted zone (example.com) and a VPC Resolver rule that routes traffic to your network for the same domain name, the VPC Resolver rule takes precedence.   
For example, suppose you have the following configuration:  
+ You have a private hosted zone called example.com, and you associate it with a VPC.
+ You create a Route 53 VPC Resolver rule that forwards traffic for example.com to your network, and you associate the rule with the same VPC.
In this configuration, the VPC Resolver rule takes precedence over the private hosted zone. DNS queries are forwarded to your network instead of being resolved based on the records in the private hosted zone.
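The selection rules in the preceding sections (split-view DNS, overlapping public and private namespaces, overlapping private namespaces, and Resolver rule precedence), together with the inside-versus-outside-the-VPC behavior described at the top of this page, can be checked against a small model. The following Python is an added example, not Route 53 code: the zone contents, the Resolver rule target and the public answers are constructed sample data. One ordering it encodes is an assumption, namely that when a Resolver rule and a private hosted zone cover a query at different depths the more specific name wins; the page states only that a rule for the same name as the private hosted zone takes precedence.

```python
"""Model of how Route 53 VPC Resolver chooses an answer source for a query.

Added example, not Route 53 code. Zone contents, the Resolver rule target and
the public answers are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class PrivateZone:
    name: str                                    # e.g. "accounting.example.com"
    records: dict = field(default_factory=dict)  # (qname, qtype) -> [values]


@dataclass
class Answer:
    source: str                                  # "private", "rule", "public" or "nxdomain"
    origin: str                                  # zone name, rule target or resolver note
    values: list = field(default_factory=list)


def norm(name):
    return name.strip().lower().rstrip(".")


def covers(domain, qname):
    """A zone or rule matches when its name is identical to, or a parent of, qname."""
    return qname == domain or qname.endswith("." + domain)


def most_specific(domains, qname):
    """Pick the matching name with the most labels (accounting.example.com beats example.com)."""
    hits = [d for d in domains if covers(d, qname)]
    return max(hits, key=lambda d: len(d.split("."))) if hits else None


def resolve(qname, qtype, private_zones, resolver_rules, public_records, inside_vpc=True):
    qname, qtype = norm(qname), qtype.upper()
    if inside_vpc:
        zones = {norm(z.name): z for z in private_zones}
        rules = {norm(d): target for d, target in resolver_rules.items()}
        zone, rule = most_specific(zones, qname), most_specific(rules, qname)
        # A rule for the same name beats the private zone (stated on the page).
        # Assumption: across different depths the more specific name wins.
        if rule is not None and (zone is None or len(rule.split(".")) >= len(zone.split("."))):
            return Answer("rule", rules[rule])
        if zone is not None:
            values = zones[zone].records.get((qname, qtype))
            if values:
                return Answer("private", zone, list(values))
            # Matching zone but no matching record: NXDOMAIN, never a public fallback.
            return Answer("nxdomain", zone)
    # No private zone or rule covers the name (or the query came from outside the VPCs):
    # resolve recursively on the internet.
    values = public_records.get((qname, qtype))
    if values:
        return Answer("public", "internet", list(values))
    return Answer("nxdomain", "internet")


def sample_setup():
    """Constructed split-view setup: example.com exists both publicly and privately."""
    private = [
        PrivateZone("example.com", {
            ("db.example.com", "A"): ["10.0.1.10"],
            ("www.example.com", "A"): ["10.0.2.20"],      # internal copy of the public name
        }),
        PrivateZone("accounting.example.com", {
            ("seattle.accounting.example.com", "A"): ["10.0.3.30"],
        }),
    ]
    rules = {"corp.example.com": "forward to on-premises resolver"}  # constructed rule target
    public = {
        ("www.example.com", "A"): ["203.0.113.10"],
        ("example.org", "A"): ["203.0.113.20"],
    }
    return private, rules, public


def demo():
    private, rules, public = sample_setup()
    queries = [
        ("www.example.com", "A"),                  # private copy wins inside the VPC
        ("seattle.accounting.example.com", "A"),   # most specific private zone wins
        ("portland.accounting.example.com", "A"),  # zone matches, record missing -> NXDOMAIN
        ("ldap.corp.example.com", "A"),            # Resolver rule beats the example.com zone
        ("example.org", "A"),                      # nothing private matches -> internet
    ]
    inside = {q: resolve(q, t, private, rules, public) for q, t in queries}
    outside = resolve("www.example.com", "A", private, rules, public, inside_vpc=False)
    return inside, outside


if __name__ == "__main__":
    inside, outside = demo()
    for name, ans in inside.items():
        print(f"{name:36} {ans.source:9} {ans.origin:32} {ans.values}")
    print(f"{'www.example.com (outside VPC)':36} {outside.source:9} {outside.origin:32} {outside.values}")
```

The `portland.accounting.example.com` query is the case to remember when debugging: the `accounting.example.com` zone matches, so the query never reaches `example.com` or the internet, and the client sees NXDOMAIN even though a parent zone exists.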

**Delegating responsibility for a subdomain**  
You can create NS records in a private hosted zone to delegate responsibility for a subdomain. For more information, see [Resolver delegation rules tutorial](outbound-delegation-tutorial.md).

**Custom DNS servers**  
If you have configured custom DNS servers on Amazon EC2 instances in your VPC, you must configure those DNS servers to forward your private DNS queries to the IP address of the Amazon-provided DNS server for your VPC. That address is the base of the VPC's IPv4 CIDR block plus two. For example, if the CIDR block for your VPC is 10.0.0.0/16, the IP address of the DNS server is 10.0.0.2.  
If you want to route DNS queries between VPCs and your network, you can use VPC Resolver. For more information, see [What is Route 53 VPC Resolver?](resolver.md).
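As an added example (not AWS code), the following Python derives the Amazon-provided DNS address from a VPC's IPv4 CIDR block using the "plus two" rule above and emits forwarder stanzas for two common resolvers, unbound and dnsmasq, so that a custom DNS server on an instance sends only the private zones to the VPC resolver. The CIDR block and zone names are constructed samples; the check that the CIDR is a proper network (no host bits set) is a sanity check belonging to this example, not a Route 53 rule.

```python
"""Locate the Amazon-provided DNS server for a VPC and point a custom resolver at it.

Added example, not AWS code. The CIDR block and zone names are constructed samples.
"""
import ipaddress


def amazon_dns_ip(vpc_cidr):
    """Base of the VPC's IPv4 CIDR block plus two, e.g. 10.0.0.0/16 -> 10.0.0.2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)   # rejects "10.0.0.1/16" (host bits set)
    if net.version != 4:
        raise ValueError("derive the address from the VPC's IPv4 CIDR block")
    return str(net.network_address + 2)


def private_zone_names(names):
    """Normalise zone names so the resolver config matches what Route 53 holds."""
    return [n.strip().lower().rstrip(".") for n in names]


def unbound_forward_zones(vpc_cidr, zone_names):
    """unbound stanzas that send only the private zones to the VPC resolver."""
    dns = amazon_dns_ip(vpc_cidr)
    stanzas = [f'forward-zone:\n    name: "{z}."\n    forward-addr: {dns}\n'
               for z in private_zone_names(zone_names)]
    return "".join(stanzas)


def dnsmasq_servers(vpc_cidr, zone_names):
    """dnsmasq equivalent: one server= line per private zone."""
    dns = amazon_dns_ip(vpc_cidr)
    return "".join(f"server=/{z}/{dns}\n" for z in private_zone_names(zone_names))


if __name__ == "__main__":
    zones = ["example.com", "Accounting.example.com."]   # constructed private hosted zone names
    print(unbound_forward_zones("10.0.0.0/16", zones))
    print(dnsmasq_servers("10.0.0.0/16", zones))
```

Forwarding only the private zone names, rather than all queries, keeps the custom server authoritative for whatever else it was installed to do while still letting the VPC resolver answer for the private hosted zones.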

**Required IAM permissions**  
To create private hosted zones, you need to grant IAM permissions for Amazon EC2 actions in addition to permissions for Route 53 actions. For more information, see [Actions, resources, and condition keys for Route 53](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html) in the *Service Authorization Reference*.

# Creating a private hosted zone
<a name="hosted-zone-private-creating"></a>

A private hosted zone is a container for records for a domain that you host in one or more Amazon virtual private clouds (VPCs). You create a hosted zone for a domain (such as example.com), and then you create records to tell Amazon Route 53 how you want traffic to be routed for that domain within and among your VPCs.

**Important**  
When you create a private hosted zone, you must associate a VPC with the hosted zone, and the VPC that you specify must have been created by using the same account that you're using to create the hosted zone. After you create the hosted zone, you can associate additional VPCs with it, including VPCs that you created by using a different AWS account.  
To associate VPCs that you created by using one account with a private hosted zone that you created by using a different account, you must authorize the association and then make the association programmatically. For more information, see [Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts](hosted-zone-private-associate-vpcs-different-accounts.md).

For information about creating a private hosted zone by using the Route 53 API, see the [Amazon Route 53 API Reference](https://docs.aws.amazon.com/Route53/latest/APIReference/).

**To create a private hosted zone using the Route 53 console**

1. For each VPC that you want to associate with the Route 53 hosted zone, change the following VPC settings to `true`:
   + `enableDnsHostnames`
   + `enableDnsSupport`

   For more information, see [Updating DNS support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating) in the *Amazon VPC User Guide*.

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. If you're new to Route 53, choose **Get started**.

   If you're already using Route 53, choose **Hosted zones** in the navigation pane.

1. Choose **Create hosted zone**.

1. In the **Create private hosted zone** pane, enter a domain name and, optionally, a comment.

   For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see [DNS domain name format](DomainNameFormat.md).

1. In the **Type** list, choose **Private hosted zone**.

1. In the **VPC ID** list, choose the VPC that you want to associate with the hosted zone.
**Note**  
If the console displays the following message, you're trying to associate a hosted zone that uses the same name space as that of another hosted zone within the same VPC:  
"A conflicting domain is already associated with the given VPC or Delegation Set."  
For example, if hosted zone A and hosted zone B both have the same domain name, such as `example.com`, you can't associate both hosted zones with the same VPC.

1. Choose **Create hosted zone**.

# Listing private hosted zones
<a name="hosted-zone-private-listing"></a>

You can use the Amazon Route 53 console to list all of the hosted zones that you created with the current AWS account. For information about how to list hosted zones using the Route 53 API, see [ListHostedZones](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ListHostedZones.html) in the *Amazon Route 53 API Reference*. 

**To list the hosted zones associated with an AWS account**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Hosted zones**.

   The **Hosted Zones** page automatically displays a list of all of the hosted zones that were created using the current AWS account. The **Type** column indicates whether a hosted zone is private or public. Choose the column heading to group all private hosted zones and all public hosted zones.

# Associating more VPCs with a private hosted zone
<a name="hosted-zone-private-associate-vpcs"></a>

You can use the Amazon Route 53 console to associate more VPCs with a private hosted zone if you created the hosted zone and the VPCs by using the same AWS account.

**Important**  
If you want to associate VPCs that you created by using one account with a private hosted zone that you created by using a different account, you first must authorize the association. In addition, you can't use the AWS console either to authorize the association or associate the VPCs with the hosted zone. For more information, see [Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts](hosted-zone-private-associate-vpcs-different-accounts.md).

For information about how to associate more VPCs with a private hosted zone using the Route 53 API, see [AssociateVPCWithHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html) in the *Amazon Route 53 API Reference*.

**To associate additional VPCs with a private hosted zone using the Route 53 console**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Hosted zones**.

1. Choose the radio button for the private hosted zone that you want to associate more VPCs with.

1. Choose **Edit**.

1. Choose **Add VPC**.

1. Choose the Region and the ID of the VPC that you want to associate with this hosted zone.

1. To associate more VPCs with this hosted zone, repeat steps 5 and 6.

1. Choose **Save changes**.

# Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts
<a name="hosted-zone-private-associate-vpcs-different-accounts"></a>

If you want to associate a VPC that you created with one AWS account with a private hosted zone that you created with a different account, perform the following procedure: 

**To associate an Amazon VPC and a private hosted zone that you created with different AWS accounts**

1. Using the account that created the hosted zone, authorize the association of the VPC with the private hosted zone by using one of the following methods:
   + **AWS CLI** – See [create-vpc-association-authorization](https://docs.aws.amazon.com/cli/latest/reference/route53/create-vpc-association-authorization.html) in the *AWS CLI Command Reference*
   + **AWS SDK** or **AWS Tools for Windows PowerShell** – See the applicable documentation on the [AWS Documentation](https://docs.aws.amazon.com/) page
   + **Amazon Route 53 API** – See [CreateVPCAssociationAuthorization](https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html) in the *Amazon Route 53 API Reference*

   Note the following:
   + If you want to associate multiple VPCs that you created with one account with a hosted zone that you created with a different account, you must submit one authorization request for each VPC.
   + When you authorize the association, you must specify the hosted zone ID, so the private hosted zone must already exist.
   + You can't use the Route 53 console either to authorize the association of a VPC with a private hosted zone or to make the association.

1. Using the account that created the VPC, associate the VPC with the hosted zone. As with authorizing the association, you can use the AWS SDK, Tools for Windows PowerShell, the AWS CLI, or the Route 53 API. If you're using the API, use the [AssociateVPCWithHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html) action. 

1. *Recommended* – Delete the authorization to associate the VPC with the hosted zone. Deleting the authorization does not affect the existing association; it only prevents the VPC from being reassociated with the hosted zone in the future. If you want to reassociate the VPC with the hosted zone, you'll need to repeat steps 1 and 2 of this procedure.
**Important**  
The `ListHostedZonesByVPC` API returns the hosted zones associated with a given VPC, and the `GetHostedZone` API returns the VPCs associated with a given hosted zone. These APIs consider only the hosted zone-to-VPC associations that were created by the `AssociateVPCWithHostedZone` API or when the private hosted zone was created. If you want a complete list of the hosted zone associations for a VPC, including associations made through Route 53 Profiles, also call [ListProfileResourceAssociations](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_ListProfileResourceAssociations.html).
**Note**  
For the maximum number of authorizations that you can create, see [Quotas on entities](DNSLimitations.md#limits-api-entities).
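The three-step procedure above, as an added example in Python that is not AWS code. The clients are injected so the flow can run offline: the `FakeRoute53` and `FakeEC2` classes stand in for boto3 `route53` and `ec2` clients created under the zone owner's and the VPC owner's credentials, and they use the method names the real boto3 calls would use. The hosted zone ID, VPC ID and Region are constructed values. The fake's refusal to associate without a standing authorization models the requirement that step 1 precede step 2; the exact error the real API raises is not stated on this page and is an assumption here. The flow also checks the VPC's `enableDnsSupport` and `enableDnsHostnames` attributes first, the precondition from the considerations section.

```python
"""Cross-account association of a VPC with a private hosted zone, run offline.

Added example, not AWS code. FakeRoute53/FakeEC2 stand in for boto3 clients and
mirror the boto3 method names; the IDs below are constructed. Real use would pass:
    zone_owner = boto3.Session(profile_name="zone-owner").client("route53")
    vpc_owner  = boto3.Session(profile_name="vpc-owner").client("route53")
    vpc_ec2    = boto3.Session(profile_name="vpc-owner").client("ec2")
"""


class NotAuthorized(Exception):
    """Stands in for the API error raised when no authorization exists (assumed here)."""


class FakeRoute53:
    """Models the requirement that an association needs a standing authorization."""

    def __init__(self, shared_state):
        self.state = shared_state   # shared by both accounts' clients, like the service itself

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self.state.setdefault("auths", set()).add((HostedZoneId, VPC["VPCRegion"], VPC["VPCId"]))
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        key = (HostedZoneId, VPC["VPCRegion"], VPC["VPCId"])
        if key not in self.state.get("auths", set()):
            raise NotAuthorized(f"no authorization for {key}")
        self.state.setdefault("assocs", set()).add(key)
        return {"ChangeInfo": {"Status": "PENDING", "Comment": Comment}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        # Removing the authorization does not undo an association already made.
        self.state.get("auths", set()).discard((HostedZoneId, VPC["VPCRegion"], VPC["VPCId"]))
        return {}


class FakeEC2:
    def __init__(self, attrs):
        self.attrs = attrs   # {vpc_id: {"enableDnsSupport": bool, "enableDnsHostnames": bool}}

    def describe_vpc_attribute(self, VpcId, Attribute):
        key = {"enableDnsSupport": "EnableDnsSupport", "enableDnsHostnames": "EnableDnsHostnames"}[Attribute]
        return {"VpcId": VpcId, key: {"Value": self.attrs[VpcId][Attribute]}}


def missing_dns_attributes(ec2, vpc_id):
    """Both attributes must be true or the private zone never answers in this VPC."""
    wanted = (("enableDnsSupport", "EnableDnsSupport"), ("enableDnsHostnames", "EnableDnsHostnames"))
    return [attr for attr, key in wanted
            if not ec2.describe_vpc_attribute(VpcId=vpc_id, Attribute=attr)[key]["Value"]]


def associate_cross_account(zone_owner_r53, vpc_owner_r53, vpc_owner_ec2, zone_id, region, vpc_id):
    missing = missing_dns_attributes(vpc_owner_ec2, vpc_id)
    if missing:
        raise ValueError(f"{vpc_id}: set {missing} to true before associating")
    vpc = {"VPCRegion": region, "VPCId": vpc_id}
    # Step 1 (zone owner): authorize exactly this VPC; one authorization per VPC.
    zone_owner_r53.create_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    try:
        # Step 2 (VPC owner): make the association with the VPC account's credentials.
        resp = vpc_owner_r53.associate_vpc_with_hosted_zone(
            HostedZoneId=zone_id, VPC=vpc, Comment="cross-account association")
    finally:
        # Step 3 (zone owner): drop the standing authorization, even if step 2 failed,
        # so the VPC cannot be reassociated later without a fresh authorization.
        zone_owner_r53.delete_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    return resp["ChangeInfo"]["Status"]


def demo():
    state = {}                                   # one service view shared by both accounts
    zone_owner, vpc_owner = FakeRoute53(state), FakeRoute53(state)
    ec2 = FakeEC2({"vpc-0a1b2c3d4e5f67890": {"enableDnsSupport": True, "enableDnsHostnames": True}})
    status = associate_cross_account(zone_owner, vpc_owner, ec2,
                                     "Z0123456789EXAMPLE", "us-east-1", "vpc-0a1b2c3d4e5f67890")
    return status, state


if __name__ == "__main__":
    print(demo())
```

Deleting the authorization in a `finally` block is the point of step 3: an authorization that is left standing lets the other account associate that VPC with your zone again at any time, so it should not outlive the one association it was created for.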

# Disassociating VPCs from a private hosted zone
<a name="hosted-zone-private-disassociate-vpcs"></a>

You can use the Amazon Route 53 console to disassociate VPCs from a private hosted zone. This causes Route 53 to stop using the records in the hosted zone to answer DNS queries that originate in the VPC. For example, if the example.com hosted zone is associated with a VPC and you disassociate the hosted zone from that VPC, Route 53 stops answering queries from that VPC for example.com and for any other record in the example.com hosted zone.

**Note**  
You can't disassociate the last VPC from a private hosted zone. If you want to disassociate that VPC, you must first associate another VPC with the hosted zone.

**To disassociate VPCs from a private hosted zone**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Hosted zones**.

1. Choose the radio button for the private hosted zone that you want to disassociate one or more VPCs from.

1. Choose **Edit**.

1. Choose **Remove VPC** next to the VPC that you want to disassociate from this hosted zone.

1. Choose **Save changes**.

# Deleting a private hosted zone
<a name="hosted-zone-private-deleting"></a>

This section explains how to delete a private hosted zone using the Amazon Route 53 console.

You can delete a private hosted zone only if there are no records other than the default SOA and NS records. If your hosted zone contains other records, you must delete them before you can delete your hosted zone. This prevents you from accidentally deleting a hosted zone that still contains records.

**Topics**
+ [Deleting private hosted zones that were created by another service](#delete-private-hosted-zone-created-by-another-service)
+ [Using the Route 53 console to delete a private hosted zone](#delete-private-hosted-zone-procedure)

## Deleting private hosted zones that were created by another service
<a name="delete-private-hosted-zone-created-by-another-service"></a>

If a private hosted zone was created by another service, you can't delete it using the Route 53 console. Instead, you need to use the applicable process for the other service:
+ **AWS Cloud Map** – To delete a hosted zone that AWS Cloud Map created when you created a private DNS namespace, delete the namespace. AWS Cloud Map deletes the hosted zone automatically. For more information, see [Deleting namespaces](https://docs.aws.amazon.com/cloud-map/latest/dg/deleting-namespaces.html) in the *AWS Cloud Map Developer Guide*.
+ **Amazon Elastic Container Service (Amazon ECS) Service Discovery** – To delete a private hosted zone that Amazon ECS created when you created a service using service discovery, delete the Amazon ECS services that are using the namespace, and delete the namespace. For more information, see [Deleting a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/delete-service.html) in the *Amazon Elastic Container Service Developer Guide*.

## Using the Route 53 console to delete a private hosted zone
<a name="delete-private-hosted-zone-procedure"></a>

To use the Route 53 console to delete a private hosted zone, perform the following procedure.

**To delete a private hosted zone using the Route 53 console**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. Confirm that the hosted zone that you want to delete contains only an NS and an SOA record. If it contains additional records, delete them:

   1. Choose the name of the hosted zone that you want to delete.

   1. On the **Record** page, if the list of records includes any records for which the value of the **Type** column is something other than **NS** or **SOA**, choose the row, and choose **Delete**.

      To select multiple, consecutive records, choose the first row, press and hold the **Shift** key, and choose the last row. To select multiple, non-consecutive records, choose the first row, press and hold the **Ctrl** key, and choose the remaining rows. 

1. On the Hosted Zones page, choose the row for the hosted zone that you want to delete.

1. Choose **Delete**.

1. Type the confirmation key and choose **Delete**.

# VPC permissions
<a name="hosted-zone-private-vpc-permissions"></a>

VPC permissions use an AWS Identity and Access Management (IAM) policy condition to let you set granular permissions for VPCs when using the [AssociateVPCWithHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html), [DisassociateVPCFromHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_DisassociateVPCFromHostedZone.html), [CreateVPCAssociationAuthorization](https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html), [DeleteVPCAssociationAuthorization](https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteVPCAssociationAuthorization.html), [CreateHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateHostedZone.html), and [ListHostedZonesByVPC](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ListHostedZonesByVPC.html) APIs.

With the IAM policy condition key `route53:VPCs`, you can grant granular administrative rights to other AWS identities. This lets you grant someone permission to associate a hosted zone with, disassociate a hosted zone from, create or delete a VPC association authorization for, create a hosted zone with, or list hosted zones for:
+ A single VPC.
+ Any VPCs within the same Region.
+ Multiple VPCs.

For more information about VPC permissions, see [Using IAM policy conditions for fine-grained access control](specifying-conditions-route53.md).

To learn how to authenticate AWS users, see [Authenticating with identities](security-iam.md#security_iam_authentication) and to learn how to control access to Route 53 resources, see [Access control](security-iam.md#access-control).