Cloud · CloudWatch Metric Streams + IAM

AWS Route 53 Integration

Monitor DNS query metrics, health check status, and latency-based routing. Instant health check failure alerts with endpoint correlation and AI DNS anomaly detection for your global DNS infrastructure.

Setup

How It Works

01. Deploy CloudFormation Stack

Launch the TigerOps CloudFormation template to configure Metric Streams for the AWS/Route53 namespace. Route 53 metrics are global and must be collected from us-east-1 regardless of your primary region.

02. Connect Health Checks

TigerOps reads your Route 53 health check configurations via the Route 53 API and maps each health check to the associated DNS record and endpoint. Health check status changes trigger incidents immediately.

03. Enable Query Logging

Enable Route 53 DNS query logging to CloudWatch Logs. TigerOps ingests the query logs to provide per-hosted-zone and per-record-name query volume, error distribution, and resolver location analysis.

04. Set Health Check Alerts

TigerOps fires alerts the moment a health check transitions from Healthy to Unhealthy, includes the failure reason from health check logs, and routes the incident to the team owning the DNS record.

Capabilities

What You Get Out of the Box

Health Check Status Monitoring

Real-time health check status tracking for HTTP, HTTPS, TCP, and calculated health checks. TigerOps alerts on any Unhealthy transition and tracks the health check failure history for SLA reporting.

DNS Query Volume

DNS query counts per hosted zone, record set, and query type (A, AAAA, CNAME, MX). TigerOps surfaces anomalous query volume spikes that may indicate misconfigured clients or DNS amplification attempts.

Latency-Based Routing Visibility

Per-region routing decision distribution for latency-based routing records. TigerOps shows which regions are receiving traffic and alerts when a region is consistently receiving more or less than expected.

Failover Record Tracking

Active/passive failover record status monitoring. TigerOps tracks the primary and secondary record health and alerts when a failover occurs, with the time from health check failure to DNS propagation.

Resolver Query Metrics

Route 53 Resolver inbound and outbound endpoint query volumes, resolver rule hit rates, and DNSSEC validation failures for private hosted zones in your VPCs.

AI DNS Anomaly Detection

TigerOps baselines normal DNS query patterns per hosted zone and alerts on statistically anomalous query volumes, NXDOMAIN spikes, or unusual geographic query distribution changes.
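
The per-zone query volume and NXDOMAIN analysis described in this section can be reproduced directly from Route 53 query logs. The following is an added example, not TigerOps code: it parses constructed sample lines in the public hosted zone query log layout and flags minutes with a high NXDOMAIN share. The function names and the fixed thresholds (at least 5 queries, more than 50% NXDOMAIN) are assumptions standing in for a learned baseline.

```python
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic); one query per line, fields as in FIELDS.
SAMPLE_LOG = """\
1.0 2024-05-01T10:00:01.120Z Z1234567890ABC www.example.com A NOERROR UDP IAD12 192.0.2.10 -
1.0 2024-05-01T10:00:04.310Z Z1234567890ABC www.example.com AAAA NOERROR UDP IAD12 192.0.2.10 -
1.0 2024-05-01T10:00:09.005Z Z1234567890ABC api.example.com A NOERROR UDP FRA6 198.51.100.7 -
1.0 2024-05-01T10:00:15.870Z Z1234567890ABC mail.example.com MX NOERROR TCP FRA6 198.51.100.7 -
1.0 2024-05-01T10:00:30.442Z Z1234567890ABC old.example.com A NXDOMAIN UDP IAD12 192.0.2.10 -
1.0 2024-05-01T10:01:00.100Z Z1234567890ABC a8f3k.example.com A NXDOMAIN UDP IAD12 203.0.113.5 -
1.0 2024-05-01T10:01:00.210Z Z1234567890ABC q1z7m.example.com A NXDOMAIN UDP IAD12 203.0.113.5 -
1.0 2024-05-01T10:01:00.350Z Z1234567890ABC x0p2d.example.com A NXDOMAIN UDP IAD12 203.0.113.5 -
1.0 2024-05-01T10:01:00.480Z Z1234567890ABC m4v9t.example.com A NXDOMAIN UDP IAD12 203.0.113.5 -
1.0 2024-05-01T10:01:00.590Z Z1234567890ABC www.example.com A NOERROR UDP IAD12 192.0.2.10 -
truncated line without enough fields
"""

FIELDS = "version timestamp zone_id qname qtype rcode protocol edge resolver_ip edns_subnet".split()

def parse_line(line):
    """Return one query log line as a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "1.0":
        return None
    return dict(zip(FIELDS, parts))

def summarize(lines):
    """Count responses per (hosted zone, minute), keyed by response code."""
    stats = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or non-1.0 lines instead of failing
        bucket = (rec["zone_id"], rec["timestamp"][:16])  # YYYY-MM-DDTHH:MM
        stats[bucket]["total"] += 1
        stats[bucket][rec["rcode"]] += 1
    return stats

def nxdomain_spikes(stats, min_queries=5, max_ratio=0.5):
    """Flag buckets whose NXDOMAIN share exceeds a fixed, assumed threshold."""
    flagged = []
    for (zone, minute), counts in sorted(stats.items()):
        ratio = counts["NXDOMAIN"] / counts["total"]
        if counts["total"] >= min_queries and ratio > max_ratio:
            flagged.append((zone, minute, counts["total"], round(ratio, 2)))
    return flagged

if __name__ == "__main__":
    print(nxdomain_spikes(summarize(SAMPLE_LOG.splitlines())))
```

The `min_queries` floor keeps low-traffic minutes from alerting on a single stray NXDOMAIN; a production baseline would replace the fixed ratio with per-zone history.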

Configuration

Route 53 Query Logging Setup

Enable DNS query logging and deploy the TigerOps Route 53 monitoring stack.

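route53-setup.sh
# Enable Route 53 DNS query logging
# Note: Route 53 metrics and query logging must be configured in us-east-1
# The log group must be in us-east-1, and a CloudWatch Logs resource policy
# must allow route53.amazonaws.com to write to it before this call succeeds.
# The hosted zone ID and account ID below are placeholders; substitute your own.
aws route53 create-query-logging-config \
  --hosted-zone-id Z1234567890ABC \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789:log-group:/aws/route53/queries

# Deploy TigerOps Route 53 monitoring stack (must run in us-east-1)
# create-stack is used here because `aws cloudformation deploy` accepts only a
# local --template-file, not --template-url.
AWS_DEFAULT_REGION=us-east-1 aws cloudformation create-stack \
  --template-url https://tigerops-cfn.s3.amazonaws.com/route53-integration.yaml \
  --stack-name tigerops-route53 \
  --capabilities CAPABILITY_IAM \
  --parameters \
    ParameterKey=TigerOpsApiKey,ParameterValue="${TIGEROPS_API_KEY}" \
    ParameterKey=EnableQueryLogIngestion,ParameterValue=true \
    ParameterKey=QueryLogGroup,ParameterValue=/aws/route53/queries \
    ParameterKey=HealthCheckAlertOnFirstFailure,ParameterValue=true

# List health checks to verify monitoring coverage
aws route53 list-health-checks \
  --query 'HealthChecks[*].{Id:Id,Type:HealthCheckConfig.Type,Target:HealthCheckConfig.FullyQualifiedDomainName}'

FAQ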

Common Questions

Why do Route 53 metrics need to be collected from us-east-1?

Route 53 is a global service and its CloudWatch metrics are only available in the us-east-1 region. The TigerOps CloudFormation stack creates the Metric Stream in us-east-1 regardless of your primary AWS region and forwards the data to your TigerOps workspace.

How fast does TigerOps detect a Route 53 health check failure?

Route 53 health check status changes are reflected in CloudWatch metrics within 60 seconds of the health check transitioning state. TigerOps processes the Metric Stream data and fires an alert within 90 seconds of the health check failure.

Does TigerOps support Route 53 private hosted zones?

Yes. DNS query logging for private hosted zones routes logs to CloudWatch Logs in the VPC region. TigerOps subscribes to these log groups and provides the same query volume and error analysis as for public hosted zones.

Can TigerOps monitor DNSSEC status for Route 53 hosted zones?

Yes. TigerOps monitors the DNSSECStatus for hosted zones that have DNSSEC signing enabled and alerts if the status changes from SIGNING to a degraded state. DNSSEC validation failures in Route 53 Resolver are also tracked.

How does TigerOps correlate Route 53 health check failures with application incidents?

TigerOps links Route 53 health check failures to the application services running on the unhealthy endpoints. When a health check for an EC2 instance fails, TigerOps shows the EC2 instance metrics (CPU, network, system checks) in the same incident view.

Get Started

Know the Moment a Health Check Fails

Instant health check alerts, DNS query analysis, and failover tracking. Connect Route 53 in minutes.