

# Forwarding outbound DNS queries to your network
<a name="resolver-forwarding-outbound-queries"></a>

To forward DNS queries that originate on Amazon EC2 instances in one or more VPCs to your network, you create an outbound endpoint and one or more rules:

**Outbound endpoint**  
To forward DNS queries from your VPCs to your network, you create an outbound endpoint. An outbound endpoint specifies the IP addresses that queries originate from. Those IP addresses, which you choose from the range of IP addresses available to your VPC, aren't public IP addresses. This means that, for each outbound endpoint, you need to connect your VPC to your network using a Direct Connect connection, a VPN connection, or a network address translation (NAT) gateway. Note that you can use the same outbound endpoint for multiple VPCs in the same Region, or you can create multiple outbound endpoints. If you want your outbound endpoint to use DNS64, you can enable DNS64 using Amazon Virtual Private Cloud. For more information, see [DNS64 and NAT64](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64) in the *Amazon VPC User Guide*.  
VPC Resolver chooses the target IP address for a rule at random; no target IP address is preferred over another. If a target IP address does not respond to a forwarded DNS request, VPC Resolver retries with another target IP address chosen at random from the rule's target IP addresses.  
Make sure that all the target IP addresses are reachable from the Resolver endpoints. If VPC Resolver is not able to forward outbound DNS queries to any of the target IP addresses, DNS resolution times can be extended. 

**Rules**  
To specify the domain names of the queries that you want to forward to DNS resolvers on your network, you create one or more rules. Each forwarding rule specifies one domain name. You then associate rules with the VPCs for which you want to forward queries to your network.   
Outbound delegation rules follow specific delegation principles that differ from standard forwarding rules. When you create a delegation rule, VPC Resolver evaluates the delegation records in the rule against the NS records in DNS responses to determine if delegation should occur. The VPC Resolver will delegate authority to your on-premises resolvers only when there's a match between the delegation rule configuration and the actual NS records returned in the DNS response. Unlike forwarding rules that redirect queries based on domain name matching, delegation rules respect the DNS delegation chain and only activate when the authoritative name servers in the response match the delegation configuration.  
For more information, see the following topics:  
+ [Private hosted zones that have overlapping namespaces](hosted-zone-private-considerations.md#hosted-zone-private-considerations-private-overlapping)
+ [Private hosted zones and Route 53 VPC Resolver rules](hosted-zone-private-considerations.md#hosted-zone-private-considerations-resolver-rules)

# Configuring outbound forwarding
<a name="resolver-forwarding-outbound-queries-configuring"></a>

To configure VPC Resolver to forward DNS queries that originate in your VPC to your network, perform the following procedures.

**Important**  
After you create an outbound endpoint, you must create one or more rules and associate them with one or more VPCs. Rules specify the domain names of the DNS queries that you want to forward to your network.<a name="resolver-forwarding-outbound-queries-configuring-create-endpoint-procedure"></a>

**To create an outbound endpoint**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Outbound endpoints**.

1. On the navigation bar, choose the Region where you want to create an outbound endpoint.

1. Choose **Create outbound endpoint**.

1. Enter the applicable values. For more information, see [Values that you specify when you create or edit outbound endpoints](resolver-forwarding-outbound-queries-endpoint-values.md).

1. Choose **Create**.
**Note**  
Creating an outbound endpoint takes a minute or two. You can't create another outbound endpoint until the first one is created.

1. Create one or more rules to specify the domain names of the DNS queries that you want to forward to your network. For more information, see the next procedure.

To create one or more forwarding rules, perform the following procedure.<a name="resolver-forwarding-outbound-queries-configuring-create-rule-procedure"></a>

**To create forwarding rules and associate the rules with one or more VPCs**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you want to create the rule.

1. Choose **Create rule**.

1. Enter the applicable values. For more information, see [Values that you specify when you create or edit rules](resolver-forwarding-outbound-queries-rule-values.md).

1. Choose **Save**.

1. To add another rule, repeat steps 4 through 6. 

# Values that you specify when you create or edit outbound endpoints
<a name="resolver-forwarding-outbound-queries-endpoint-values"></a>

When you create or edit an outbound endpoint, you specify the following values:

**Outpost ID**  
If you are creating the endpoint for a VPC Resolver on an AWS Outposts VPC, this is the AWS Outposts ID.

**Endpoint name**  
A friendly name that lets you easily find an outbound endpoint on the dashboard.

**VPC in the *region-name* Region**  
All outbound DNS queries will flow through this VPC on the way to your network.

**Security group for this endpoint**  
The ID of one or more security groups that you want to use to control access to this VPC. The security group that you specify must include one or more outbound rules. Outbound rules must allow TCP and UDP access on the port that you're using for DNS queries on your network. You can't change this value after you create an endpoint.   
Some security group rules will cause your connection to be tracked and potentially impact the maximum queries per second from outbound endpoint to your target name server. To avoid connection tracking caused by a security group, see [Untracked connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections).  
For more information, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide*.

**Endpoint type**  
The endpoint type can be IPv4, IPv6, or dual-stack. A dual-stack endpoint has both an IPv4 and an IPv6 address that the DNS resolver on your network can forward DNS queries to.  
For security reasons, direct IPv6 traffic to the public internet is denied for all dual-stack and IPv6 IP addresses.

**IP addresses**  
The IP addresses in your VPC that you want VPC Resolver to forward DNS queries to on the way to resolvers on your network. These are not the IP addresses of the DNS resolvers on your network; you specify resolver IP addresses when you create the rules that you associate with one or more VPCs. We require you to specify a minimum of two IP addresses for redundancy.   
A Resolver endpoint has private IP addresses. These IP addresses do not change over the life of the endpoint.  
Note the following:    
**Multiple Availability Zones**  
We recommend that you specify IP addresses in at least two Availability Zones. You can optionally specify additional IP addresses in those or other Availability Zones.  
**IP addresses and Amazon VPC elastic network interfaces**  
For each combination of Availability Zone, Subnet, and IP address that you specify, VPC Resolver creates an Amazon VPC elastic network interface. For the current maximum number of DNS queries per second per IP address in an endpoint, see [Quotas on Route 53 VPC Resolver](DNSLimitations.md#limits-api-entities-resolver). For information about pricing for each elastic network interface, see "Amazon Route 53" on the [Amazon Route 53 pricing page](https://aws.amazon.com/route53/pricing/).  
**Order of IP addresses**  
You can specify IP addresses in any order. When forwarding DNS queries, VPC Resolver doesn't choose IP addresses based on the order that the IP addresses are listed in.
For each IP address, specify the following values. Each IP address must be in an Availability Zone in the VPC that you specified in **VPC in the *region-name* Region**.    
**Availability Zone**  
The Availability Zone that you want DNS queries to pass through on the way to your network. The Availability Zone that you specify must be configured with a subnet.  
**Subnet**  
The subnet that contains the IP address that you want DNS queries to originate from on the way to your network. The subnet must have an available IP address.  
The subnet IP address must match the **Endpoint type**.  
**IP address**  
The IP address that you want DNS queries to originate from on the way to your network.  
Choose whether you want VPC Resolver to choose an IP address for you from among the available IP addresses in the specified subnet, or you want to specify the IP address yourself.  
If you choose to specify the IP address yourself, enter an IPv4 or IPv6 address, or both.

**Protocols**  
Endpoint protocol determines how data is transmitted from the outbound endpoint. Choose a protocol, or protocols, depending on the level of security needed.  
+ **Do53:** (Default) The data is relayed using the Route 53 VPC Resolver without additional encryption. While the data cannot be read by external parties, it can be viewed within the AWS networks.
+ **DoH:** The data is transmitted over an encrypted HTTPS session. DoH adds a further level of security: the data can't be decrypted by unauthorized users and can't be read by anyone except the intended recipient.
For an outbound endpoint you can apply the protocols as follows:  
+ Do53 and DoH in combination.
+ Do53 alone.
+ DoH alone.
+ None, which is treated as Do53.

**Tags**  
Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.

# Values that you specify when you create or edit rules
<a name="resolver-forwarding-outbound-queries-rule-values"></a>

When you create or edit a forwarding rule, you specify the following values:

**Rule name**  
A friendly name that lets you easily find a rule on the dashboard.

**Rule type**  
Choose the applicable value:  
+ **Forward** – Choose this option when you want to forward DNS queries for a specified domain name to resolvers on your network.
+ **Delegate** – Choose this option when you want to delegate authority for a subdomain, hosted in a private hosted zone, to your on-premises resolver (or to a VPC Resolver on another VPC).
+ **System** – Choose this option when you want VPC Resolver to selectively override the behavior that is defined in a forwarding rule. When you create a system rule, VPC Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network.
By default, forwarding rules apply to a domain name and all its subdomains. If you want to forward queries for a domain to a resolver on your network but you don't want to forward queries for some subdomains, you create a system rule for the subdomains. For example, if you create a forwarding rule for example.com but you don't want to forward queries for acme.example.com, you create a system rule and specify acme.example.com for the domain name.
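The following added example (not AWS code) models the rule selection described above: a forwarding rule covers its domain and all subdomains, a system rule for a subdomain takes precedence so that VPC Resolver resolves the name itself, and the default Internet Resolver rule applies when nothing else matches. Delegate rules are not modeled; the rule names and target IP addresses are constructed for illustration.

```python
"""Longest-suffix matching of VPC Resolver forwarding and system rules.

Added illustration, not AWS code. Matching is done on DNS labels, so a
rule for example.com covers db.example.com but not notexample.com.
"""
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Normalize a name to lowercase labels; "." and "" denote the root."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str           # "Forward", "System" or "Recursive"
    domain: str              # rule domain; "." matches every query
    target_ips: tuple = ()   # only meaningful for Forward rules


def matches(rule_domain: str, query: str) -> bool:
    """True when the query name equals the rule domain or is a subdomain of it."""
    rd, q = _labels(rule_domain), _labels(query)
    if not rd:                 # the root ("." rule) matches everything
        return True
    return len(q) >= len(rd) and q[-len(rd):] == rd


def select_rule(rules: list[Rule], query: str):
    """Return the most specific matching rule (most labels in its domain)."""
    best = None
    for rule in rules:
        if matches(rule.domain, query):
            if best is None or len(_labels(rule.domain)) > len(_labels(best.domain)):
                best = rule
    return best


def resolution_path(rules: list[Rule], query: str) -> tuple:
    """Describe where a query goes: ("forward", targets), ("system", rule) or ("recursive", None)."""
    rule = select_rule(rules, query)
    if rule is None or rule.rule_type == "Recursive":
        return ("recursive", None)          # Route 53 VPC Resolver resolves it
    if rule.rule_type == "System":
        return ("system", rule.name)        # override: resolved by VPC Resolver, not forwarded
    return ("forward", rule.target_ips)     # sent through the outbound endpoint


# Constructed rule set mirroring the example.com / acme.example.com case above.
RULES = [
    Rule("Internet Resolver", "Recursive", "."),
    Rule("corp-forward", "Forward", "example.com", ("10.1.0.53", "10.1.1.53")),
    Rule("acme-system", "System", "acme.example.com"),
]

if __name__ == "__main__":
    for q in ("db.example.com", "www.acme.example.com", "notexample.com", "example.org"):
        print(q, "->", resolution_path(RULES, q))
```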

**Delegation record – for delegate rule only**  
DNS queries that match this domain are forwarded to the resolvers on your network.  
As a prerequisite for a delegate rule, when you use a private hosted zone for outbound delegation, you must create NS records in the private hosted zone. The NS record lists the name servers to delegate to via the Resolver outbound endpoint with the delegate rule. For more information, see [NS record type](ResourceRecordTypes.md#NSFormat).

**VPCs that use this rule**  
The VPCs that use this rule to forward DNS queries for the specified domain name or names. You can apply a rule to as many VPCs as you want.

**Domain name – for forward rule only**  
DNS queries for this domain name are forwarded to the IP addresses that you specify in **Target IP addresses**. For example, you can specify a specific domain (example.com), a top-level domain (com), or a dot (.) to forward all DNS queries. For more information, see [How VPC Resolver determines whether the domain name in a query matches any rules](resolver-overview-forward-vpc-to-network-domain-name-matches.md).

**Outbound endpoint**  
VPC Resolver forwards DNS queries through the outbound endpoint that you specify here to the IP addresses that you specify in **Target IP addresses**.

**Target IP addresses**  
When a DNS query matches the name that you specify in **Domain name**, the outbound endpoint forwards the query to the IP addresses that you specify here. These are typically the IP addresses for DNS resolvers on your network.  
**Target IP addresses** is available only when the value of **Rule type** is **Forward**.  
Specify the IPv4 or IPv6 addresses, the protocols, and the ServerNameIndication that you want to use for the endpoint. ServerNameIndication applies only when the selected protocol is DoH.  
Resolving the FQDN of a DoH resolver on your network to its target IP address over the outbound endpoint is not supported. Outbound endpoints need the target IP address of the DoH resolver on your network to forward DoH queries to. If the DoH resolver on your network requires the FQDN in the TLS SNI and in the HTTP Host header, you must provide ServerNameIndication.

**ServerNameIndication**  
The Server Name Indication of the DoH server that you want to forward queries to. This is only used if the Protocol is DoH.

**Tags**  
Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.  
These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill. For more information about using tags for cost allocation, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.

# Managing outbound endpoints
<a name="resolver-forwarding-outbound-queries-managing"></a>

To manage outbound endpoints, perform the applicable procedure.

**Topics**
+ [Viewing and editing outbound endpoints](#resolver-forwarding-outbound-queries-managing-viewing)
+ [Viewing the status for outbound endpoints](#resolver-forwarding-outbound-queries-managing-viewing-status)
+ [Deleting outbound endpoints](#resolver-forwarding-outbound-queries-managing-deleting)

## Viewing and editing outbound endpoints
<a name="resolver-forwarding-outbound-queries-managing-viewing"></a>

To view and edit settings for an outbound endpoint, perform the following procedure.<a name="resolver-forwarding-outbound-queries-managing-viewing-procedure"></a>

**To view and edit settings for an outbound endpoint**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Outbound endpoints**.

1. On the navigation bar, choose the Region where you created the outbound endpoint.

1. Choose the option for the endpoint that you want to view settings for or want to edit.

1. Choose **View details** or **Edit**.

   For information about the values for outbound endpoints, see [Values that you specify when you create or edit outbound endpoints](resolver-forwarding-outbound-queries-endpoint-values.md).

1. If you chose **Edit**, enter the applicable values, and then choose **Save**.

## Viewing the status for outbound endpoints
<a name="resolver-forwarding-outbound-queries-managing-viewing-status"></a>

To view the status for an outbound endpoint, perform the following procedure.<a name="resolver-forwarding-outbound-queries-managing-viewing-status-procedure"></a>

**To view the status for an outbound endpoint**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Outbound endpoints**.

1. On the navigation bar, choose the Region where you created the outbound endpoint. The **Status** column contains one of the following values:  
**Creating**  
VPC Resolver is creating and configuring one or more Amazon VPC network interfaces for this endpoint.  
**Operational**  
The Amazon VPC network interfaces for this endpoint are correctly configured and able to pass inbound or outbound DNS queries between your network and VPC Resolver.  
**Updating**  
VPC Resolver is associating or disassociating one or more network interfaces with this endpoint.  
**Auto recovering**  
VPC Resolver is trying to recover one or more of the network interfaces that are associated with this endpoint. During the recovery process, the endpoint functions with limited capacity because of the limit on the number of DNS queries per IP address (per network interface). For the current limit, see [Quotas on Route 53 VPC Resolver](DNSLimitations.md#limits-api-entities-resolver).  
**Action needed**  
This endpoint is unhealthy, and VPC Resolver can't automatically recover it. To resolve the problem, we recommend that you check each IP address that you associated with the endpoint. For each IP address that isn't available, add another IP address and then delete the IP address that isn't available. (An endpoint must always include at least two IP addresses.) A status of **Action needed** can have a variety of causes. Here are two common causes:  
   + One or more of the network interfaces that are associated with the endpoint were deleted using Amazon VPC.
   + The network interface couldn't be created for some reason that's outside the control of VPC Resolver.  
**Deleting**  
VPC Resolver is deleting this endpoint and the associated network interfaces.

## Deleting outbound endpoints
<a name="resolver-forwarding-outbound-queries-managing-deleting"></a>

Before you can delete an endpoint, you must first delete any rules that use it and are associated with a VPC.

To delete an outbound endpoint, perform the following procedure.

**Important**  
If you delete an outbound endpoint, VPC Resolver stops forwarding DNS queries from your VPC to your network for rules that specify the deleted outbound endpoint.<a name="resolver-forwarding-outbound-queries-managing-deleting-procedure"></a>

**To delete an outbound endpoint**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Outbound endpoints**.

1. On the navigation bar, choose the Region where you created the outbound endpoint.

1. Choose the option for the endpoint that you want to delete.

1. Choose **Delete**.

1. To confirm that you want to delete the endpoint, enter the name of the endpoint, and then choose **Submit**.

# Managing forwarding rules
<a name="resolver-rules-managing"></a>

If you want VPC Resolver to forward queries for specified domain names to your network, you create one forwarding rule for each domain name and specify the name of the domain for which you want to forward queries.

**Topics**
+ [Viewing and editing forwarding rules](#resolver-rules-managing-viewing)
+ [Creating forwarding rules](#resolver-rules-managing-creating-rules)
+ [Adding rules for reverse lookup](#add-reverse-lookup)
+ [Associating forwarding rules with a VPC](#resolver-rules-managing-associating-rules)
+ [Disassociating forwarding rules from a VPC](#resolver-rules-managing-disassociating-rules)
+ [Sharing Resolver rules with other AWS accounts and using shared rules](#resolver-rules-managing-sharing)
+ [Deleting forwarding rules](#resolver-rules-managing-deleting)
+ [Forwarding rules for reverse DNS queries in VPC Resolver](#resolver-automatic-forwarding-rules-reverse-dns)

## Viewing and editing forwarding rules
<a name="resolver-rules-managing-viewing"></a>

To view and edit settings for a forwarding rule, perform the following procedure.<a name="resolver-rules-managing-viewing-procedure"></a>

**To view and edit settings for a forwarding rule**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you created the rule.

1. Choose the option for the rule that you want to view settings for or want to edit.

1. Choose **View details** or **Edit**.

   For information about the values for forwarding rules, see [Values that you specify when you create or edit rules](resolver-forwarding-outbound-queries-rule-values.md).

1. If you chose **Edit**, enter the applicable values, and then choose **Save**.

## Creating forwarding rules
<a name="resolver-rules-managing-creating-rules"></a>

To create one or more forwarding rules, perform the following procedure.<a name="resolver-rules-managing-creating-rules-procedure"></a>

**To create forwarding rules and associate the rules with one or more VPCs**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you want to create the rule.

1. Choose **Create rule**.

1. Enter the applicable values. For more information, see [Values that you specify when you create or edit rules](resolver-forwarding-outbound-queries-rule-values.md).

1. Choose **Save**.

1. To add another rule, repeat steps 4 through 6. 

## Adding rules for reverse lookup
<a name="add-reverse-lookup"></a>

If you need to control reverse lookups in your VPC, you can add rules to your outbound resolver endpoint.

**To create the reverse lookup rule**

1. Follow the steps in the previous procedure, up to step 5.

1. When you specify your rule, enter the PTR record for the IP address or addresses that you want a reverse lookup forwarding rule for.

   For example, if you need to forward lookups for addresses in the 10.0.0.0/23 range, enter two rules:
   + 0.0.10.in-addr.arpa
   + 1.0.10.in-addr.arpa

   Any IP address in those subnets is referenced as a subdomain of those PTR names. For example, 10.0.1.161 has a reverse lookup name of 161.1.0.10.in-addr.arpa, which is a subdomain of 1.0.10.in-addr.arpa.

1. Specify the server to forward these lookups to.

1. Add these rules to your outbound resolver endpoint.

Note that turning on `enableDnsHostnames` for your VPC automatically adds PTR records. See [What is Route 53 VPC Resolver?](resolver.md). The previous procedure is required only if you want to explicitly specify a resolver for given IP ranges, for example, when forwarding queries to an Active Directory server.
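The arithmetic behind the reverse lookup rules above, as an added example that is not part of this guide or of AWS: it turns an IPv4 range into the in-addr.arpa rule names to enter (10.0.0.0/23 gives the two rules shown above) and checks which rule covers a given address's PTR name. It generalizes to other prefix lengths: a rule is built at the smallest octet boundary that is at least the prefix length, so a /16 yields one rule and a /28 yields one PTR name per address, because a coarser /24 rule would also forward lookups for addresses outside the range. Only the Python standard library is used.

```python
"""Derive in-addr.arpa forwarding rule names for an IPv4 range.

Added example, not AWS code. A forwarding rule covers its domain and all
subdomains, so a rule for 1.0.10.in-addr.arpa covers every PTR name in
10.0.1.0/24.
"""
import ipaddress


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 10.0.1.161 -> 161.1.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup_rules(cidr: str) -> list[str]:
    """Rule domain names that together cover exactly the given IPv4 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 ranges only (in-addr.arpa)")
    # Smallest octet boundary >= prefix length: /23 -> /24, /16 -> /16, /28 -> /32.
    boundary = min(b for b in (8, 16, 24, 32) if b >= net.prefixlen)
    rules = []
    for block in net.subnets(new_prefix=boundary):
        octets = str(block.network_address).split(".")
        kept = octets[: boundary // 8]              # only the fixed octets
        rules.append(".".join(reversed(kept)) + ".in-addr.arpa")
    return rules


def rule_matches(rule: str, ptr_name: str) -> bool:
    """A rule covers a PTR name when the name equals the rule or is a subdomain of it."""
    r = rule.lower().rstrip(".")
    n = ptr_name.lower().rstrip(".")
    return n == r or n.endswith("." + r)


def covering_rule(cidr: str, ip: str):
    """Return the rule name from reverse_lookup_rules(cidr) that covers ip, or None."""
    name = reverse_name(ip)
    for rule in reverse_lookup_rules(cidr):
        if rule_matches(rule, name):
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample: the /23 from the procedure plus a host inside it.
    print(reverse_lookup_rules("10.0.0.0/23"))
    print(reverse_name("10.0.1.161"), "covered by", covering_rule("10.0.0.0/23", "10.0.1.161"))
```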

## Associating forwarding rules with a VPC
<a name="resolver-rules-managing-associating-rules"></a>

After you create a forwarding rule, you must associate the rule with one or more VPCs. The rules will only work after they are associated with a VPC. When you associate a rule with a VPC, VPC Resolver starts to forward DNS queries for the domain name that's specified in the rule to the DNS resolvers that you specified in the rule. The queries pass through the outbound endpoint that you specified when you created the rule.<a name="resolver-rules-managing-associating-procedure"></a>

**To associate a forwarding rule with one or more VPCs**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you created the rule.

1. Choose the name of the rule that you want to associate with one or more VPCs.

1. Choose **Associate VPC**.

1. Under **VPCs that use this rule**, choose the VPCs that you want to associate the rule with.

1. Choose **Add**.

## Disassociating forwarding rules from a VPC
<a name="resolver-rules-managing-disassociating-rules"></a>

You disassociate a forwarding rule from a VPC in the following circumstances:
+ For DNS queries that originate in this VPC, you want VPC Resolver to stop forwarding queries for the domain name specified in the rule to your network. 
+ You want to delete the forwarding rule. If a rule is currently associated with one or more VPCs, you must disassociate the rule from all VPCs before you can delete it.

If you want to disassociate a forwarding rule from one or more VPCs, perform the following procedure.<a name="resolver-rules-managing-disassociating-procedure"></a>

**To disassociate a forwarding rule from a VPC**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you created the rule.

1. Choose the name of the rule that you want to disassociate from one or more VPCs.

1. Choose the option for the VPC that you want to disassociate the rule from.

1. Choose **Disassociate**.

1. Type **disassociate** to confirm.

1. Choose **Submit**.

## Sharing Resolver rules with other AWS accounts and using shared rules
<a name="resolver-rules-managing-sharing"></a>

You can share the Resolver rules that you created using one AWS account with other AWS accounts. To share rules, the Route 53 VPC Resolver console integrates with AWS Resource Access Manager. For more information about Resource Access Manager, see the [Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

Note the following:

**Associating shared rules with VPCs**  
If another AWS account has shared one or more rules with your account, you can associate the rules with your VPCs the same way that you associate rules that you created with your VPCs. For more information, see [Associating forwarding rules with a VPC](#resolver-rules-managing-associating-rules).

**Deleting or unsharing a rule**  
If you share a rule with other accounts and then either delete the rule or stop sharing it, and if the rule was associated with one or more VPCs, Route 53 VPC Resolver starts to process DNS queries for those VPCs based on the remaining rules. The behavior is the same as if you disassociate the rule from the VPC.  
If a rule is shared with an organizational unit (OU) and an account in that OU is moved to a different OU, all associations between the shared rule and any VPC in the account are deleted. However, if the VPC Resolver rule was already shared with the destination OU, the VPC associations stay intact and are not disassociated.

**Maximum number of rules and associations**  
When an account creates a rule and shares it with one or more other accounts, the maximum number of rules per AWS Region applies to the account that created the rule.  
When an account that a rule is shared with associates the rule with one or more VPCs, the maximum number of associations between rules and VPCs per Region applies to the account that the rule is shared with.  
For current VPC Resolver quotas, see [Quotas on Route 53 VPC Resolver](DNSLimitations.md#limits-api-entities-resolver).

**Permissions**  
To share a rule with another AWS account, you must have permission to use the [PutResolverRulePolicy](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_PutResolverRulePolicy.html) action.

**Restrictions on the AWS account that a rule is shared with**  
The account that a rule is shared with can't change or delete the rule. 

**Tagging**  
Only the account that created a rule can add, delete, or see tags on the rule.

To view the current sharing status of a rule (including the account that shared the rule or the account that a rule is shared with), and to share rules with another account, perform the following procedure.<a name="resolver-rules-managing-sharing-procedure"></a>

**To view sharing status and share rules with another AWS account**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you created the rule.

   The **Sharing status** column shows the current sharing status of rules that were created by the current account or that are shared with the current account:
   + **Not shared**: The current AWS account created the rule, and the rule is not shared with any other accounts.
   + **Shared by me**: The current account created the rule and shared it with one or more accounts.
   + **Shared with me**: Another account created the rule and shared it with the current account.

1. Choose the name of the rule that you want to display sharing information for or that you want to share with another account.

   On the **Rule: *rule name*** page, the value under **Owner** displays the ID of the account that created the rule. That's the current account unless the value of **Sharing status** is **Shared with me**. In that case, **Owner** is the account that created the rule and shared it with the current account.

1. Choose **Share** to view additional information or to share the rule with another account. A page in the Resource Access Manager console appears, depending on the value of **Sharing status**:
   + **Not shared**: The **Create resource share** page appears. For information about how to share the rule with another account, OU, or organization, skip to step 6.
   + **Shared by me**: The **Shared resources** page shows the rules and other resources that are owned by the current account and shared with other accounts.
   + **Shared with me**: The **Shared resources** page shows the rules and other resources that are owned by other accounts and shared with the current account.

1. To share a rule with another AWS account, OU, or organization, specify the following values.
**Note**  
You can't update sharing settings. If you want to change any of the following settings, you must reshare a rule with the new settings and then remove the old sharing settings.  
**Description**  
Enter a short description that helps you remember why you shared the rule.  
**Resources**  
Choose the check box for the rule that you want to share.  
**Principals**  
Enter the AWS account number, OU name, or organization name.  
**Tags**  
Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.  
These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill; you can also use tags for other purposes. For more information about using tags for cost allocation, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.

## Deleting forwarding rules
<a name="resolver-rules-managing-deleting"></a>

To delete a forwarding rule, perform the following procedure.

Note the following:
+ If the forwarding rule is associated with any VPCs, you must disassociate the rule from the VPCs before you can delete the rule. For more information, see [Disassociating forwarding rules from a VPC](#resolver-rules-managing-disassociating-rules).
+ You can't delete the default **Internet Resolver** rule, which has a value of **Recursive** for **Type**. This rule causes Route 53 VPC Resolver to act as a recursive resolver for any domain names that you didn't create custom rules for and that VPC Resolver didn't create autodefined rules for. For more information about how rules are categorized, see [Using rules to control which queries are forwarded to your network](resolver-overview-forward-vpc-to-network-using-rules.md).<a name="resolver-rules-managing-deleting-procedure"></a>

**To delete a forwarding rule**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rules**.

1. On the navigation bar, choose the Region where you created the rule.

1. Choose the option for the rule that you want to delete.

1. Choose **Delete**.

1. To confirm that you want to delete the rule, enter the name of the rule and choose **Submit**.

## Forwarding rules for reverse DNS queries in VPC Resolver
<a name="resolver-automatic-forwarding-rules-reverse-dns"></a>

When the `enableDnsHostnames` and `enableDnsSupport` attributes are set to `true` for a virtual private cloud (VPC) in Amazon VPC, VPC Resolver automatically creates auto-defined system rules for reverse DNS queries. For more information about these settings, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support) in the *Amazon VPC Developer Guide*.

Forwarding rules for reverse DNS queries are particularly useful for services like SSH or Active Directory, which have an option to authenticate users by performing a reverse DNS lookup for the IP address from which a customer is attempting to connect to a resource. For more information about auto-defined system rules, see [Domain names that VPC Resolver creates autodefined system rules for](resolver-overview-forward-vpc-to-network-autodefined-rules.md). 

You can turn off these rules and modify all reverse DNS queries so that they are, for example, forwarded to your on-premises name servers for resolution.

After you turn off the automatic rules, create rules to forward the queries as needed to your on-premises resources. For more information about how to manage forwarding rules, see [Managing forwarding rules](#resolver-rules-managing).<a name="resolver-automatic-reverse-rules-disable-procedure"></a>

**To turn off auto-defined rules**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, under **VPC Resolver** choose **VPCs**, and then choose a VPC ID.

1. Under **Autodefined rules for reverse DNS resolution**, deselect the check box. If the check box is already deselected, you can select it to turn on auto-defined reverse DNS resolution.

For the related APIs, see [VPC Resolver configuration APIs](https://docs.aws.amazon.com/Route53/latest/APIReference/API-actions-by-function.html#actions-by-function-resolver-configuration).