- creating a public Route 53 hosted zone for rajesh.com
- adding every common DNS record type (incl. Route 53 ALIAS)
- verifying each record with dig/CLI so you know it’s correct
I’ll show console + CLI where useful and give a quick troubleshooting section at the end.
0) Prereqs
- You own the domain rajesh.com (at any registrar).
- You have AWS CLI configured (aws sts get-caller-identity works).
- You’ve chosen a region (Route 53 itself is global).
1) Create a public hosted zone for rajesh.com
Console
Route 53 → Hosted zones → Create hosted zone
- Name: rajesh.com
- Type: Public hosted zone → Create
You’ll get an NS record (four name servers) and an SOA record automatically. (AWS Documentation)
CLI
aws route53 create-hosted-zone \
--name rajesh.com \
--caller-reference $(date +%s)
This returns JSON containing "Id": "/hostedzone/ZABCDEFGHIJKL"; save that ID. (AWS Documentation)
2) Delegate the domain to Route 53
At your registrar, set the domain’s name servers to the four NS values shown in the hosted zone. Until this is done (and propagated), public queries won’t reach Route 53. Verify delegation:
# What the world sees:
dig +short NS rajesh.com
# What Route 53 says for your zone:
aws route53 get-hosted-zone --id ZABCDEFGHIJKL \
--query 'DelegationSet.NameServers'
The two lists must match. If not, update at the registrar and wait for propagation (can be minutes to 48h). (AWS Documentation)
3) Quick dig primer (you’ll use this a lot)
# Ask Google’s resolver:
dig @8.8.8.8 A www.rajesh.com +short
# Ask Cloudflare’s:
dig @1.1.1.1 AAAA www.rajesh.com +short
# Ask the authoritative Route 53 server directly:
dig @ns-1234.awsdns-56.org A www.rajesh.com +short
Tip: prefer targeted queries over ANY (many DNS servers don’t honor ANY consistently anymore).
4) Add records (console & CLI), then verify
Replace ZABCDEFGHIJKL with your hosted zone ID.
Replace IPs/targets with your real values.
A — IPv4 address
- Console: Create record → Simple → Record name: www → Type: A → Value: 203.0.113.10
- CLI:
cat > a-www.json <<'JSON'
{
"Comment": "A record for www",
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "www.rajesh.com.",
"Type": "A",
"TTL": 300,
"ResourceRecords": [{"Value": "203.0.113.10"}]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://a-www.json
Verify: dig A www.rajesh.com +short → should return 203.0.113.10. (AWS Documentation)
AAAA — IPv6 address
# CLI (similar to A):
cat > aaaa-www.json <<'JSON'
{
"Comment": "AAAA record for www",
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "www.rajesh.com.",
"Type": "AAAA",
"TTL": 300,
"ResourceRecords": [{"Value": "2001:db8::10"}]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://aaaa-www.json
Verify: dig AAAA www.rajesh.com +short → 2001:db8::10. (AWS Documentation)
CNAME — canonical name (for subdomains only)
Map app.rajesh.com to app.example.net.
cat > cname-app.json <<'JSON'
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "app.rajesh.com.",
"Type": "CNAME",
"TTL": 300,
"ResourceRecords": [{"Value": "app.example.net."}]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://cname-app.json
Verify: dig CNAME app.rajesh.com +short → app.example.net. (Then dig A app.example.net +short to see the final IPs.) (AWS Documentation)
TXT — text (SPF, DKIM, ACM validation, misc.)
# Example: ownership proof / SPF-like
cat > txt-root.json <<'JSON'
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "rajesh.com.",
"Type": "TXT",
"TTL": 300,
"ResourceRecords": [{"Value": "\"v=spf1 -all\""}]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://txt-root.json
Verify: dig TXT rajesh.com +short → should show "v=spf1 -all".
ACM DNS validation is a TXT-like workflow but uses a CNAME with a leading underscore that ACM gives you; always create exactly what ACM shows. Verify with dig CNAME _<token>.rajesh.com +short → should return ...acm-validations.aws. (AWS Documentation)
MX — mail exchangers
cat > mx.json <<'JSON'
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "rajesh.com.",
"Type": "MX",
"TTL": 300,
"ResourceRecords": [
{"Value": "10 mail1.rajesh.com."},
{"Value": "20 mail2.rajesh.com."}
]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://mx.json
Verify: dig MX rajesh.com +short → 10 mail1.rajesh.com. etc. (AWS Documentation)
SRV — service records (e.g., SIP, LDAP)
# _service._proto.name TTL SRV priority weight port target
cat > srv-sip.json <<'JSON'
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "_sip._tcp.rajesh.com.",
"Type": "SRV",
"TTL": 300,
"ResourceRecords": [{"Value": "10 5 5060 sipserver.rajesh.com."}]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://srv-sip.json
Verify: dig SRV _sip._tcp.rajesh.com +short → 10 5 5060 sipserver.rajesh.com. (AWS Documentation)
CAA — certificate authority authorization
Only allow Amazon to issue certs for rajesh.com:
cat > caa.json <<'JSON'
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "rajesh.com.",
"Type": "CAA",
"TTL": 300,
"ResourceRecords": [
{"Value": "0 issue \"amazon.com\""}
]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://caa.json
Verify: dig CAA rajesh.com +short → 0 issue "amazon.com"
(Useful to avoid unexpected CAs; ACM respects CAA.) (AWS Documentation)
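To see what a given CAA set actually permits, here is an added example (not from the original article) that reads dig CAA ... +short output and decides whether a CA may issue, including the wildcard and "no CA at all" cases. The function name caa_allows, the sample records and the CA name other-ca.example are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# caa_allows CA_DOMAIN [wild]   (reads `dig CAA <name> +short` lines on stdin)
# Returns 0 if the CAA set lets CA_DOMAIN issue, 1 if it does not.
# Assumption: stdin is already the relevant CAA set for the name; a real CA
# walks up the DNS tree to the closest ancestor that has CAA records.
caa_allows() {
  awk -v ca="$1" -v mode="${2:-}" '
    NF < 3 { next }
    {
      flags = int($1); tag = tolower($2)
      # Value = everything after flags and tag, without quotes or parameters.
      val = $0
      sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)
      gsub(/"/, "", val); sub(/;.*$/, "", val); gsub(/[ \t]/, "", val)
      val = tolower(val)
      if (tag == "issue")          { n_issue++; if (val == tolower(ca)) ok_issue = 1 }
      else if (tag == "issuewild") { n_wild++;  if (val == tolower(ca)) ok_wild = 1 }
      else if (tag != "iodef" && flags >= 128) critical = 1
    }
    END {
      if (critical) exit 1                 # unknown critical property: refuse
      # issuewild, when present, replaces issue for wildcard names
      if (mode == "wild" && n_wild > 0) exit (ok_wild ? 0 : 1)
      if (n_issue == 0) exit 0             # nothing restricts issuance
      exit (ok_issue ? 0 : 1)
    }'
}

# Constructed sample: the record from this section plus a wildcard ban.
SAMPLE_CAA='0 issue "amazon.com"
0 issuewild ";"'

for ca in amazon.com other-ca.example; do
  if printf '%s\n' "$SAMPLE_CAA" | caa_allows "$ca"; then
    echo "$ca: allowed"
  else
    echo "$ca: denied"
  fi
done
# Live check: dig CAA rajesh.com +short | caa_allows amazon.com
```

An empty CAA answer means any CA may issue, which is why the function returns 0 on empty input.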
NS — delegate a subdomain (e.g., dev.rajesh.com)
Create another hosted zone dev.rajesh.com → copy its NS → add NS record in the parent zone:
cat > ns-dev.json <<'JSON'
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "dev.rajesh.com.",
"Type": "NS",
"TTL": 172800,
"ResourceRecords": [
{"Value": "ns-111.awsdns-22.com."},
{"Value": "ns-333.awsdns-44.net."},
{"Value": "ns-555.awsdns-66.org."},
{"Value": "ns-777.awsdns-88.co.uk."}
]
}
}]
}
JSON
aws route53 change-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL --change-batch file://ns-dev.json
Verify: dig NS dev.rajesh.com +short → those four NS. (AWS Documentation)
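The delegation check in step 2 and the subdomain check here both come down to comparing two name-server lists that differ in case, trailing dots and ordering. The following added example (not from the original article) normalizes both lists and reports any server present on only one side; a leftover entry means resolvers are still being sent to a server that does not serve your zone. The function names and sample lists are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.

# Normalize a space/tab/newline-separated NS list: lowercase, one name per
# line, no trailing dot, no blanks, sorted and de-duplicated.
normalize_ns() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ' \t' '\n\n' \
    | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# ns_diff PUBLIC_LIST ROUTE53_LIST
# Prints every server found on only one side. No output = lists match.
ns_diff() {
  pub=$(normalize_ns "$1")
  r53=$(normalize_ns "$2")
  for ns in $pub; do
    printf '%s\n' "$r53" | grep -qxF -- "$ns" || echo "only-public $ns"
  done
  for ns in $r53; do
    printf '%s\n' "$pub" | grep -qxF -- "$ns" || echo "only-route53 $ns"
  done
}

# Returns 0 when both lists name exactly the same servers.
ns_sets_match() { [ -z "$(ns_diff "$1" "$2")" ]; }

# Constructed sample data (not real name servers for any zone):
# the public side still lists one server left over from the registrar.
SAMPLE_PUBLIC='ns-111.awsdns-22.com.
NS-333.awsdns-44.net.
ns-555.awsdns-66.org.
ns-999.registrar-default.example.'
SAMPLE_R53='ns-111.awsdns-22.com ns-333.awsdns-44.net ns-555.awsdns-66.org ns-777.awsdns-88.co.uk'

ns_diff "$SAMPLE_PUBLIC" "$SAMPLE_R53"

# Live usage (needs network and AWS credentials; placeholder zone ID):
#   ns_diff "$(dig +short NS rajesh.com)" \
#     "$(aws route53 get-hosted-zone --id ZABCDEFGHIJKL \
#          --query 'DelegationSet.NameServers' --output text)"
```

For the subdomain case, pass the output of dig +short NS dev.rajesh.com and the delegation set of the dev.rajesh.com hosted zone instead.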
SOA — start of authority
Created/managed automatically by Route 53; you generally don’t edit it. Verify: dig SOA rajesh.com +short. (AWS Documentation)
ALIAS (Route 53-specific) — apex & AWS targets (CloudFront/ALB/S3/etc.)
ALIAS behaves like a CNAME but works at the zone apex and returns A/AAAA. Examples:
ALIAS A → CloudFront (for rajesh.com)
- Console: Create record → A – Routes traffic to an IPv4 address and some AWS resources → Alias: Yes → pick your CloudFront distribution → Create.
- Verify:
dig A rajesh.com +short      # returns CloudFront edge IPs
dig CNAME rajesh.com +short  # should be empty (ALIAS is not a CNAME)
(AWS Documentation)
ALIAS A → Application Load Balancer (for api.rajesh.com)
- Console: Create record → A → Alias: Yes → choose your ALB from the list → Create.
- Verify:
dig A api.rajesh.com +short # returns ALB IPs (may vary)
(ALIAS lets you avoid hardcoding IPs and is the only way to point the apex at CloudFront/ALB/S3 website.) (AWS Documentation)
5) View everything you’ve created (CLI)
aws route53 list-resource-record-sets --hosted-zone-id ZABCDEFGHIJKL \
--query 'ResourceRecordSets[].{Name:Name,Type:Type,TTL:TTL,AliasTarget:AliasTarget}'
This is handy to confirm TTLs, targets, and names.
6) Common validation commands (cheat sheet)
# A / AAAA
dig A www.rajesh.com +short
dig AAAA www.rajesh.com +short
# CNAME
dig CNAME app.rajesh.com +short
dig +short app.rajesh.com # follows CNAME to show final IPs
# TXT (SPF/ownership)
dig TXT rajesh.com +short
dig TXT _github-challenge-rajesh.rajesh.com +short
# MX
dig MX rajesh.com +short
# SRV
dig SRV _sip._tcp.rajesh.com +short
# CAA
dig CAA rajesh.com +short
# NS (apex and delegated subdomain)
dig NS rajesh.com +short
dig NS dev.rajesh.com +short
# SOA
dig SOA rajesh.com +short
# ALIAS sanity (apex to CloudFront / subdomain to ALB)
dig A rajesh.com +short
dig A api.rajesh.com +short
7) Troubleshooting (fast)
- Delegation not done: Public queries don’t hit Route 53 until the registrar uses your Route 53 NS. Compare dig +short NS rajesh.com (public) vs the zone’s NS list in Route 53. (AWS Documentation)
- Wrong record type: ACM validation needs CNAME exactly as shown by ACM; TXT won’t work for ACM’s DNS method. (AWS Documentation)
- Apex CNAME: Not allowed. Use ALIAS A/AAAA for rajesh.com to CloudFront/ALB/S3 website, etc. (AWS Documentation)
- IPv6 missing: Use AAAA (not A) for IPv6 targets. (AWS Documentation)
- Private vs Public hosted zones: Public internet must query a public hosted zone; ACM also requires public DNS visibility for validation. (AWS Documentation)