You have a CloudFront distribution serving your frontend and an ACM certificate attached to it. The distribution works at its d111111abcdef8.cloudfront.net URL, but nobody ships a CloudFront domain to production. In this exercise, you’ll wire up your own domain so users visit example.com and get your site served through CloudFront.
If the Route 53 console looks a little different when you do this, keep the Route 53 DNS configuration guide and the aws route53 change-resource-record-sets command reference open.
Why It Matters
DNS is the final piece of the static hosting stack. Without it, your deployment is functional but unreachable at a real domain. Once you complete this exercise, you’ll have a full end-to-end deployment: S3 stores the files, CloudFront distributes them, ACM secures the connection, and Route 53 makes the whole thing reachable at your domain name. This is the same stack that production frontend applications run on.
Prerequisites
- An AWS account with CLI access configured (see Setting Up the AWS CLI)
- A CloudFront distribution with your domain listed as an alternate domain name and an ACM certificate attached (see Creating a CloudFront Distribution and Attaching an SSL Certificate)
- A domain name you control, with DNS already hosted in Route 53 or delegated to a Route 53 hosted zone.
In the new course flow, you should already have the hosted zone by the time you reach this exercise. If you registered the domain through Route 53, AWS probably created it automatically. If the domain lives elsewhere, you should already have pointed the registrar at the Route 53 nameservers during the DNS foundation lessons.
Confirm Your Hosted Zone
Before you add alias records, make sure you’re working in the right hosted zone. Replace example.com with your actual domain:
aws route53 list-hosted-zones-by-name \
  --dns-name example.com \
  --output json
From the response, note two things:
- The hosted zone ID (e.g., /hostedzone/Z1234567890ABC). You will use the ID portion (Z1234567890ABC) in subsequent commands.
- The domain name on the zone matches the domain you’re about to route.
If you do not have a hosted zone yet, stop here and create one using Hosted Zones and Record Types, then make sure your registrar points to the Route 53 nameservers before continuing.
Checkpoint
- The hosted zone exists in Route 53.
- You have the hosted zone ID saved.
- If your domain is registered externally, its nameservers already point at Route 53.
Create an A Alias Record for the Apex Domain
Create an alias A record that points your bare domain (example.com) to your CloudFront distribution. You’ll need:
- Your hosted zone ID from the previous step
- Your CloudFront distribution’s domain name (e.g., d111111abcdef8.cloudfront.net)
The CloudFront hosted zone ID for alias targets is always Z2FDTNDATAQYW2.
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --output json \
  --change-batch '{
    "Changes": [
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "example.com",
          "Type": "A",
          "AliasTarget": {
            "HostedZoneId": "Z2FDTNDATAQYW2",
            "DNSName": "d111111abcdef8.cloudfront.net",
            "EvaluateTargetHealth": false
          }
        }
      }
    ]
  }'
Checkpoint
- The command returned a ChangeInfo object with "Status": "PENDING".
- No errors about the alias target. If you see an error, verify that your CloudFront distribution lists example.com as an alternate domain name.
Create an AAAA Alias Record for IPv6
Create a matching AAAA record so your domain resolves over IPv6:
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --output json \
  --change-batch '{
    "Changes": [
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "example.com",
          "Type": "AAAA",
          "AliasTarget": {
            "HostedZoneId": "Z2FDTNDATAQYW2",
            "DNSName": "d111111abcdef8.cloudfront.net",
            "EvaluateTargetHealth": false
          }
        }
      }
    ]
  }'
Checkpoint
- The command succeeded with "Status": "PENDING".
- You now have both an A and an AAAA alias record for example.com.
Create Records for www (Optional but Recommended)
If you want www.example.com to work as well, create alias records for it. Make sure www.example.com is listed as an alternate domain name on your CloudFront distribution (or that your ACM certificate covers *.example.com).
Create both A and AAAA alias records for www.example.com pointing to the same CloudFront distribution.
Checkpoint
- If you created www records, you now have four alias records total: A and AAAA for both example.com and www.example.com.
Verify DNS Resolution
Wait about 60 seconds for Route 53 to propagate the changes, then verify:
Check the A record:
dig example.com A +short
You should see one or more IP addresses (these are CloudFront edge server IPs).
Check the AAAA record:
dig example.com AAAA +short
You should see one or more IPv6 addresses.
If the records aren’t resolving yet, query a Route 53 nameserver directly to confirm the records are correct at the source:
dig example.com A @ns-1234.awsdns-56.org +short
Replace the nameserver with one of the four from your hosted zone.
Checkpoint
- dig example.com A +short returns IP addresses.
- dig example.com AAAA +short returns IPv6 addresses.
- Opening https://example.com in a browser shows your frontend with a valid SSL certificate.
List All Records in Your Hosted Zone
Verify the complete state of your hosted zone:
aws route53 list-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --output json
You should see your NS and SOA records (auto-created), plus the A and AAAA alias records you just created. If you completed the ACM exercise, you may also see the CNAME validation record.
Checkpoint
- The output includes NS, SOA, A, and AAAA records for your domain.
- The A and AAAA records show AliasTarget with your CloudFront distribution’s domain name.
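The checkpoint above can be run mechanically against the saved listing instead of read by eye. The following Python sketch is an added example, not part of the original exercise: it checks that every hostname has both A and AAAA alias records whose target zone ID and distribution domain match what you expect. The function and helper names and the sample listing (including the d222222abcdef8.cloudfront.net target) are constructed for illustration.

```python
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"  # alias zone ID for CloudFront targets, from the page

def norm(name):
    # Route 53 lists names fully qualified ("example.com."); compare without the dot.
    return name.rstrip(".").lower()

def audit_alias_records(listing, hostnames, distribution_domain):
    """Check parsed list-resource-record-sets JSON; return findings (empty = OK)."""
    found = {(norm(rr["Name"]), rr["Type"]): rr
             for rr in listing.get("ResourceRecordSets", [])}
    findings = []
    for host in hostnames:
        for rtype in ("A", "AAAA"):
            rr = found.get((norm(host), rtype))
            if rr is None:
                findings.append(f"{host} {rtype}: record missing")
                continue
            alias = rr.get("AliasTarget")
            if alias is None:
                findings.append(f"{host} {rtype}: plain record, not an alias")
                continue
            if alias.get("HostedZoneId") != CLOUDFRONT_ALIAS_ZONE_ID:
                findings.append(f"{host} {rtype}: alias zone is not CloudFront")
            target = norm(alias.get("DNSName", ""))
            if target != norm(distribution_domain):
                findings.append(f"{host} {rtype}: points at {target}")
    return findings

def _alias(name, rtype, target, zone=CLOUDFRONT_ALIAS_ZONE_ID):
    # Hypothetical helper that builds one alias record in the listing's shape.
    return {"Name": name, "Type": rtype, "AliasTarget": {
        "HostedZoneId": zone, "DNSName": target, "EvaluateTargetHealth": False}}

# Constructed sample listing (not real output): the apex AAAA record points at a
# different, made-up distribution and www has no AAAA record.
SAMPLE = {"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800, "ResourceRecords": []},
    _alias("example.com.", "A", "d111111abcdef8.cloudfront.net."),
    _alias("example.com.", "AAAA", "d222222abcdef8.cloudfront.net."),
    _alias("www.example.com.", "A", "d111111abcdef8.cloudfront.net."),
]}

if __name__ == "__main__":
    for finding in audit_alias_records(
            SAMPLE, ["example.com", "www.example.com"], "d111111abcdef8.cloudfront.net"):
        print(finding)
```

To check a real zone, save the list-resource-record-sets output to a file, load it with json.load, and pass it in place of SAMPLE. An alias that resolves to a distribution other than your own is worth treating as a finding, not just a typo, because that distribution decides what is served under your domain.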
Failure Diagnosis
- The alias records look right in Route 53 but the domain does not resolve publicly: Your registrar is still pointing at old nameservers. Compare the registrar settings with the four Route 53 NS records from your hosted zone.
- The CloudFront domain works but https://example.com does not: The apex A and AAAA alias records are missing, or they point at the wrong distribution or hosted zone ID.
- example.com works but www.example.com fails: You created only the apex records. Add matching www alias records if you want both hostnames to resolve.
What You Built
You now have a complete DNS configuration: a hosted zone in Route 53 with alias records pointing your domain to your CloudFront distribution. Your frontend is accessible at https://example.com with a valid SSL certificate, global CDN distribution, and DNS resolution handled by Route 53.
This completes the foundation stack: S3 (storage) + CloudFront (CDN) + ACM (certificates) + Route 53 (DNS). I still get a little thrill seeing a real domain resolve to infrastructure I set up myself—it’s one of those moments where everything clicks.
Stretch Goals
- Test with nslookup: Run nslookup example.com and compare the output to dig. Notice how nslookup shows which nameserver answered the query.
- Check TTL behavior: Run dig example.com A (without +short) and look at the TTL value in the answer section. Run it again 30 seconds later and notice the TTL has decreased. This is the cache counting down.
- Query from different resolvers: Compare results from different public DNS resolvers to see if they all return the same answer:
  dig example.com A @1.1.1.1 +short
  dig example.com A @8.8.8.8 +short
  dig example.com A @9.9.9.9 +short
- Redirect www to apex: If you didn’t create www records, set up a simple S3 redirect bucket that sends www.example.com to example.com. This ensures users who type www still reach your site.