AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 375
A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution.
The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?
Answer options
- A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
- B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.
- C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
- D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
Correct answer: B
Explanation
Amazon Route 53 Resolver is a fully managed, highly available service that natively provides Availability Zone isolation and scales automatically to handle transient workloads across hundreds of VPCs. Relying on on-premises DNS servers over Direct Connect introduces a single point of failure and high latency for cloud-native resolution. Deploying and managing custom DNS proxy fleets, whether centralized or distributed, adds unnecessary operational overhead and fails to match the built-in resilience of Route 53.
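The configuration behind option B, written out as an added Terraform example (it is not part of the exam page and not an AWS-published sample): Route 53 Resolver inbound and outbound endpoints are given one IP address in each of two Availability Zones, so the loss of one AZ leaves the other endpoint address serving queries; an outbound forwarding rule sends the on-premises domain to on-premises resolvers; and a private hosted zone plus the rule are associated with a second VPC and shared through AWS RAM so the same pattern scales to many VPCs. The VPC and subnet IDs, CIDR ranges, domain names and on-premises resolver addresses are constructed placeholders.

```hcl
# Added example: Route 53 Resolver hybrid DNS with Availability Zone isolation.
# Every ID, CIDR and domain below is a placeholder to be replaced.
variable "hub_vpc_id"   { default = "vpc-0123456789abcdef0" }  # placeholder
variable "spoke_vpc_id" { default = "vpc-0fedcba9876543210" }  # placeholder
variable "subnet_az_a"  { default = "subnet-0aaaaaaaaaaaaaaaa" } # placeholder, AZ a
variable "subnet_az_b"  { default = "subnet-0bbbbbbbbbbbbbbbb" } # placeholder, AZ b
variable "onprem_dns"   { default = ["10.0.0.53", "10.0.1.53"] } # placeholder resolvers

# Endpoints accept DNS only (TCP/UDP 53) from the private address range.
resource "aws_security_group" "resolver" {
  name   = "route53-resolver-endpoints"
  vpc_id = var.hub_vpc_id

  ingress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = ["10.0.0.0/8"]
  }
  ingress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Outbound endpoint: VPC -> on-premises. Two ip_address blocks in two AZs
# are what give the endpoint AZ isolation.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "hybrid-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  ip_address { subnet_id = var.subnet_az_a }
  ip_address { subnet_id = var.subnet_az_b }
}

# Inbound endpoint: on-premises -> VPC, so on-premises hosts can resolve
# names in the private hosted zone. Same two-AZ placement.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "hybrid-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  ip_address { subnet_id = var.subnet_az_a }
  ip_address { subnet_id = var.subnet_az_b }
}

# Forward only the on-premises domain; everything else stays on the
# Amazon-provided resolver inside the VPC.
resource "aws_route53_resolver_rule" "onprem" {
  name                 = "forward-corp-example-com"
  domain_name          = "corp.example.com"   # placeholder on-premises zone
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.onprem_dns
    content {
      ip = target_ip.value
    }
  }
}

# Private hosted zone for cloud-side names, associated with the hub VPC here
# and with further VPCs via aws_route53_zone_association below.
resource "aws_route53_zone" "private" {
  name = "cloud.example.internal"   # placeholder private zone

  vpc {
    vpc_id = var.hub_vpc_id
  }

  lifecycle {
    ignore_changes = [vpc]   # additional associations managed separately
  }
}

resource "aws_route53_zone_association" "spoke" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = var.spoke_vpc_id
}

resource "aws_route53_resolver_rule_association" "spoke" {
  resolver_rule_id = aws_route53_resolver_rule.onprem.id
  vpc_id           = var.spoke_vpc_id
}

# Share the forwarding rule through AWS RAM so other accounts' VPCs can
# associate it without running their own endpoints.
resource "aws_ram_resource_share" "resolver_rules" {
  name                      = "resolver-forwarding-rules"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "onprem_rule" {
  resource_arn       = aws_route53_resolver_rule.onprem.arn
  resource_share_arn = aws_ram_resource_share.resolver_rules.arn
}
```

The design choice that matters for the question is the pair of `ip_address` blocks in different Availability Zones on each endpoint: Route 53 Resolver requires at least two addresses per endpoint, and placing them in separate AZs means a single AZ failure does not remove hybrid resolution. Transient instances need no per-host configuration because they keep using the VPC's Amazon-provided resolver, which applies the forwarding rule and serves the private hosted zone. For cross-account zone associations an additional VPC association authorization step is required, which this example omits.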