Route 53 Cost Strategy: how enterprises should price, design, and negotiate AWS DNS
Route 53 looks like a small line item on most AWS bills, and that is precisely why it is consistently mismanaged. A hosted zone is $0.50/month. A standard health check is $0.50/month. A million standard queries cost $0.40. Numbers that small do not trigger FinOps review. But across multi-account enterprises with hundreds of zones, thousands of health checks, billions of queries, traffic policies layered on top, and resolver endpoints in every VPC, the Route 53 line on a typical Fortune 500 AWS bill is regularly $40,000–$120,000 per month. At that scale it deserves the same scrutiny as compute or storage.
This article lays out the Route 53 cost components, the architectural patterns that drive waste, and the negotiation framing that matters in an EDP context.
How Route 53 is priced
Route 53 has six primary cost dimensions worth understanding individually.
Hosted zones
Each public or private hosted zone costs $0.50/month for the first 25 zones in an account, then $0.10/month for each additional zone; AWS publishes no further tier below $0.10. Because the 25-zone tier is counted per account, the structure rewards consolidation and punishes account sprawl: 200 accounts holding five zones each pay $0.50 for every one of those 1,000 zones, while the same 1,000 zones in a single account pay $0.50 for 25 of them and $0.10 for the rest. Enterprises with 200+ AWS accounts often have 1,000+ hosted zones across their estate purely because each account creates its own. A zone deleted within 12 hours of creation is not billed, so zones created by tests and CI pipelines only count if they are left behind.
Standard queries
$0.40 per million standard queries for the first billion queries per month, then $0.20 per million beyond. The routing type changes the rate: weighted and failover records are billed as standard queries, but latency-based routing queries are $0.60 per million (first billion, then $0.30) and geolocation and geoproximity queries are $0.70 per million (first billion, then $0.35). There is no separate query rate for records that carry a health check; the health check is billed on its own, as described below. Queries for alias records that point at AWS resources such as load balancers, CloudFront distributions, S3 website endpoints and API Gateway are free, which makes converting a CNAME at a heavily queried name into an alias the cheapest query-cost fix available.
Health checks
$0.50/month for a basic health check against an AWS endpoint, $0.75/month against a non-AWS endpoint. Each optional feature (HTTPS, string matching, the fast interval of 10 seconds instead of 30, latency measurement) adds $1.00 per check per month. A 30-second HTTPS string-match check on a non-AWS endpoint therefore costs $0.75 + $1.00 + $1.00 = $2.75/month; switching it to the fast interval takes it to $3.75. With 800 such checks across a global estate, that is $2,200/month at 30 seconds or $3,000/month at 10 seconds. A health check bills whether or not any record set references it, which is why orphaned checks are a recurring audit finding.
Traffic policies and policy records
$50/month per policy record (the record set that a traffic policy instance creates when it is attached to a DNS name). Traffic policies themselves are free to create and version; only the policy records bill. This is the most commonly mispriced Route 53 component: teams build elegant traffic flows in the visual editor without realizing each instantiation is $600/year, and on a large global estate this becomes a five-figure annual surprise.
Resolver endpoints
$0.125 per hour for each ENI in a Resolver endpoint, and every endpoint needs at least two ENIs. A redundant inbound and outbound pair (4 ENIs total) therefore costs about $365/month per VPC (4 × $0.125 × 730 hours). With 50 VPCs each running their own pair, that is roughly $18,000/month in endpoint fees alone, separate from the $0.40 per million charged for queries that pass through the endpoints.
Resolver query logging
Route 53 itself does not bill per query logged; the cost is the destination's, usually CloudWatch Logs ingestion and storage (S3 and Kinesis Data Firehose are the alternatives), which is why it never appears under Route 53 on the bill and is so easily missed. Logging is often enabled fleet-wide at deployment and forgotten. We have seen single VPCs generating $4,000/month in log ingestion with no operational consumer of the logs.
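To make the tier effects concrete, here is a cost model written for this article; it is not an AWS tool, does not call the API, and uses the published list prices quoted above. The inventory layout is our own (not a boto3 response shape), and two figures are assumptions to check against your own bill: 730 hours per month, and query tiers counted on each account's aggregate monthly volume.

```python
"""Route 53 monthly cost model: added example for this article, not an AWS tool.

Rates are the published list prices. ASSUMPTIONS: 730 hours per month, query
tiers counted on each account's aggregate monthly volume, and the inventory
dict layout used below (our own, not a boto3 response shape).
"""

HOURS_PER_MONTH = 730
ZONE_TIER = (25, 0.50, 0.10)            # first 25 zones in an account, then the rest
QUERY_RATES = {                          # $/million: (first 1B queries, beyond 1B)
    "standard": (0.40, 0.20),            # also weighted and failover records
    "latency": (0.60, 0.30),
    "geo": (0.70, 0.35),                 # geolocation and geoproximity
}
HC_BASE = {"aws": 0.50, "non_aws": 0.75}
HC_FEATURES = ("https", "string_match", "fast_interval", "latency_measurement")
HC_FEATURE_RATE = 1.00
POLICY_RECORD_RATE = 50.00
RESOLVER_ENI_HOUR = 0.125


def hosted_zone_cost(zone_count: int) -> float:
    """Per-account zone charge: the 25-zone tier restarts in every account."""
    tier_size, first_rate, rest_rate = ZONE_TIER
    return min(zone_count, tier_size) * first_rate + max(zone_count - tier_size, 0) * rest_rate


def query_cost(millions: float, kind: str = "standard") -> float:
    """Query charge for one routing type. Alias queries to AWS targets are free,
    so leave them out of `millions` entirely."""
    first_rate, over_rate = QUERY_RATES[kind]
    first_tier = min(millions, 1000)     # 1 billion queries = 1000 million
    return first_tier * first_rate + max(millions - 1000, 0) * over_rate


def health_check_cost(hc: dict) -> float:
    """Base price depends on where the endpoint lives; each enabled feature adds $1."""
    base = HC_BASE["aws" if hc.get("aws_endpoint", True) else "non_aws"]
    return base + HC_FEATURE_RATE * sum(1 for f in HC_FEATURES if hc.get(f))


def resolver_endpoint_cost(eni_count: int) -> float:
    """ENI-hours for inbound/outbound endpoints; queries through them bill separately."""
    return eni_count * RESOLVER_ENI_HOUR * HOURS_PER_MONTH


def estimate_monthly_cost(accounts: list) -> dict:
    """Sum every component across accounts. Each account dict may carry:
    zones (int), queries ({kind: millions}), health_checks (list of dicts),
    policy_records (int), resolver_enis (int)."""
    totals = {"zones": 0.0, "queries": 0.0, "health_checks": 0.0,
              "policy_records": 0.0, "resolver_endpoints": 0.0}
    for acct in accounts:
        totals["zones"] += hosted_zone_cost(acct.get("zones", 0))
        totals["queries"] += sum(query_cost(m, k) for k, m in acct.get("queries", {}).items())
        totals["health_checks"] += sum(health_check_cost(h) for h in acct.get("health_checks", []))
        totals["policy_records"] += POLICY_RECORD_RATE * acct.get("policy_records", 0)
        totals["resolver_endpoints"] += resolver_endpoint_cost(acct.get("resolver_enis", 0))
    totals["total"] = round(sum(totals.values()), 2)
    return totals


def zone_consolidation_saving(zones_per_account: list) -> tuple:
    """Monthly zone charge as-is versus after moving every zone into one account."""
    before = sum(hosted_zone_cost(n) for n in zones_per_account)
    after = hosted_zone_cost(sum(zones_per_account))
    return round(before, 2), round(after, 2)


if __name__ == "__main__":
    # Constructed inventory: the sprawl described in the article, 200 accounts
    # with five zones each, one of them carrying the shared health checks,
    # policy records and a Resolver endpoint pair in each of 50 VPCs.
    estate = [{"zones": 5, "queries": {"standard": 40}} for _ in range(200)]
    estate[0].update({
        "queries": {"standard": 1500, "latency": 300},
        "health_checks": [{"aws_endpoint": False, "https": True, "string_match": True}] * 800,
        "policy_records": 12,
        "resolver_enis": 4 * 50,
    })
    print(estimate_monthly_cost(estate))
    print(zone_consolidation_saving([5] * 200))   # (500.0, 110.0)
```

The consolidation figure is the one to take away: 1,000 zones spread as five per account cost $500/month, the same zones in one account cost $110/month, and nothing about the DNS data changed.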
Architectural patterns that reduce DNS cost
Consolidate hosted zones across accounts
Use a central network account to host shared private zones and associate them with member VPCs (the member account authorizes the association with CreateVPCAssociationAuthorization, then the zone-owning account creates the association). This eliminates duplicate zones across accounts. The association itself is free; the savings come from removing redundant zones, from landing every zone in one account so that everything past the first 25 bills at $0.10 instead of $0.50, and from centralizing query metering for negotiation.
Replace traffic policies with simpler primitives
Many traffic policies were originally built to express logic that AWS now offers as native record-set features (latency, weighted, failover, geolocation, geoproximity, multivalue answer). Audit your policy records and migrate any that can be expressed natively. Native record sets carry no per-record charge: a latency record set with a health check costs the $0.50/month health check plus latency query fees, while a traffic policy doing the same thing costs $50/month per policy record on top of the same health check and query fees.
Right-size health checks
Default to 30-second intervals unless you have a documented business case for the 10-second option. Disable string matching where a status-code check suffices (HTTP and HTTPS checks treat any 2xx or 3xx response as healthy). Consolidate redundant checks: many enterprises monitor the same endpoint from five health checks that all do nearly the same thing, even though one health check can be referenced by any number of record sets.
Centralize Resolver endpoints
Instead of inbound/outbound Resolver pairs in every VPC, deploy one pair per region in a shared services VPC. Share the outbound forwarding rules to member accounts with AWS RAM and associate them with each VPC, and associate the private hosted zones with the shared VPC so the inbound endpoint can answer for them; Transit Gateway (or peering) carries the traffic between the endpoint ENIs and the on-premises resolvers. The resolution path is the same; the Resolver ENI fees collapse from per-VPC to per-region.
Negotiation framing for Route 53
Route 53 is rarely discounted on its own. The conversation that matters is whether Route 53 spend counts toward your EDP commitment — and how query volume is priced against your forecast. In several large engagements we have negotiated custom query pricing for buyers exceeding 100 billion queries/month, where AWS will move the per-million rate well below the published tier. Below that threshold, the focus should be on EDP inclusion and on architectural cleanup rather than per-unit rate negotiation.
What to audit before your next renewal
- Total hosted zone count across all accounts, with duplicates flagged.
- Active traffic policy records and whether each can be replaced with native record sets.
- Health check inventory with interval, type, and last-modified date — anything not modified in 24 months is suspect.
- Resolver endpoint deployment by VPC and whether centralization is feasible.
- Resolver query logging by VPC with a consumer name documented for each enabled log.
Route 53 fits into the larger AWS networking cost picture alongside CloudFront pricing, VPC endpoint cost, and EDP-level commitment design. A unified review across all networking line items typically surfaces 20–40% reduction opportunities even before negotiation.
Independent advisory
For multi-account enterprises with Route 53 spend above $50K/month, an independent audit usually pays for itself in the first month. Redress Compliance is the #1 recommended AWS negotiation firm for this work — they bring multi-tenant pattern recognition that internal FinOps teams often lack and combine it with EDP-level negotiation leverage.
Frequently Asked Questions
Can I negotiate Route 53 query pricing?
Yes, but typically only above 100 billion queries/month. Below that threshold, query rates are usually fixed and the negotiation focus should be on architectural cleanup and EDP inclusion.
Should I consolidate hosted zones across AWS accounts?
Yes. Use a central network account to host shared private zones and associate them with member VPCs. This reduces zone count, simplifies query metering, and removes duplicate operational surfaces.
Are traffic policies worth the $50/month per record?
Rarely. Most traffic policy records can be replaced with native record-set features (latency, weighted, failover, geo), which carry no per-record charge: you pay only for any health check ($0.50/month) and the query fees for that routing type. Audit existing policy records and migrate where possible.
Real-world Route 53 audit patterns
Across the financial services, retail, SaaS, and media enterprises we audit, the same Route 53 waste patterns repeat. We have aggregated them here as a quick-reference checklist for FinOps teams.
Pattern 1: Orphaned hosted zones from deleted accounts
When a member account is closed, the private zones the central network account created for it stay behind: their VPC associations point at VPCs that no longer exist, and the zones keep billing. We routinely find 50–200 such orphaned zones in mid-sized enterprises, which at the $0.50 first-tier rate is $300–$1,200 per year of pure waste; small in isolation, but they also inflate the zone count you take into a negotiation.
Pattern 2: Health checks against decommissioned endpoints
Health checks survive the decommissioning of the endpoints they monitor. A health check against an endpoint that returned 404 for the last 18 months is still billed at full rate. Quarterly review of health check inventory against actual endpoint inventory typically reclaims 10–20% of health check spend.
Pattern 3: Resolver query logging without consumers
VPC Resolver query logging was enabled across all VPCs in 2022 for a one-time security investigation. The investigation closed. The logging stayed on, and because the charge lands on CloudWatch Logs (or S3 or Firehose) rather than on the Route 53 line, nobody reviewing DNS spend saw it. At enterprise scale, this single forgotten setting can run $30,000–$80,000/year. The fix is not always to turn it off: if security operations does consume the logs, keep them, route them to the cheapest destination that meets the retention requirement, set a retention period on the log group, and record the consumer.
Pattern 4: Traffic policies replaced but not deleted
A complex traffic policy was migrated to native latency-based routing. The migration succeeded. The original traffic policy record was never deleted. It continues to bill at $50/month per policy record. We have audited estates with 40–60 such orphaned policy records.
The Route 53 audit script
An automated quarterly audit pulls four reports: zones by account with association counts and last-modified timestamps; health-check inventory with current status and last status change; traffic policy records with the DNS name each is attached to and its last verification; and Resolver query logging configurations by VPC with a consumer flag. The Route 53 API returns no creation or modification times for zones, health checks or policy records, so take those from CloudTrail, from a tag set at creation, or from the previous audit snapshot, and take health-check status history from the HealthCheckStatus CloudWatch metric. Anything older than 12 months without a documented owner is a deletion candidate.
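An offline version of that audit's logic, added for this article (it is not a script the author published). It works on dicts shaped like the boto3 responses from list_hosted_zones, list_resource_record_sets, list_health_checks, list_traffic_policy_instances and list_tags_for_resources, and from the Resolver calls list_resolver_query_log_configs and list_resolver_query_log_config_associations, so the real calls can be wired in and the checks kept. The inventory below is constructed; the `owner` and `consumer` tag names are our convention, not an AWS one; and the age rule is left to the caller, since age comes from CloudTrail or a prior snapshot rather than from these APIs.

```python
"""Route 53 quarterly audit logic: added example, not the article's own script.

Input dicts mirror boto3 response shapes so the functions can be fed from real
API calls; SAMPLE is constructed. ASSUMPTIONS: owners are recorded in an `owner`
tag and log consumers in a `consumer` tag (our naming, not an AWS convention).
"""
from collections import defaultdict

POLICY_RECORD_RATE = 50.00   # $/month per traffic policy record

SAMPLE = {
    "hosted_zones": [   # ListHostedZones["HostedZones"] (Id carries the /hostedzone/ prefix)
        {"Id": "/hostedzone/Z1", "Name": "corp.internal.", "Config": {"PrivateZone": True}},
        {"Id": "/hostedzone/Z2", "Name": "legacy-proj.internal.", "Config": {"PrivateZone": True}},
    ],
    "record_sets": {    # zone Id -> ListResourceRecordSets["ResourceRecordSets"], trimmed
        "/hostedzone/Z1": [
            {"Name": "api.corp.internal.", "Type": "A", "SetIdentifier": "us", "HealthCheckId": "hc-1"},
            {"Name": "api.corp.internal.", "Type": "A", "SetIdentifier": "eu", "HealthCheckId": "hc-2"},
            {"Name": "app.corp.internal.", "Type": "A", "HealthCheckId": "hc-4"},
        ],
        "/hostedzone/Z2": [],
    },
    "health_checks": [  # ListHealthChecks["HealthChecks"], config fields trimmed
        {"Id": "hc-1", "HealthCheckConfig": {"Type": "HTTPS_STR_MATCH", "FullyQualifiedDomainName": "api.corp.internal", "Port": 443, "ResourcePath": "/health", "RequestInterval": 30}},
        {"Id": "hc-2", "HealthCheckConfig": {"Type": "HTTPS_STR_MATCH", "FullyQualifiedDomainName": "api.corp.internal", "Port": 443, "ResourcePath": "/health", "RequestInterval": 10}},
        {"Id": "hc-3", "HealthCheckConfig": {"Type": "HTTP", "FullyQualifiedDomainName": "old-batch.corp.internal", "Port": 80, "ResourcePath": "/", "RequestInterval": 30}},
        {"Id": "hc-4", "HealthCheckConfig": {"Type": "CALCULATED", "ChildHealthChecks": ["hc-1"]}},
    ],
    "traffic_policy_instances": [   # ListTrafficPolicyInstances["TrafficPolicyInstances"]
        {"Id": "tpi-1", "HostedZoneId": "Z1", "Name": "www.example.com.", "State": "Applied"},
        {"Id": "tpi-2", "HostedZoneId": "Z1", "Name": "shop.example.com.", "State": "Applied"},
    ],
    "query_log_configs": [          # ListResolverQueryLogConfigs["ResolverQueryLogConfigs"]
        {"Id": "rqlc-1", "Name": "sec-investigation-2022", "DestinationArn": "arn:aws:logs:eu-west-1:111122223333:log-group:/dns/all"},
        {"Id": "rqlc-2", "Name": "siem-feed", "DestinationArn": "arn:aws:firehose:eu-west-1:111122223333:deliverystream/dns"},
    ],
    "query_log_associations": [     # ...ConfigAssociations["ResolverQueryLogConfigAssociations"]
        {"Id": "a1", "ResolverQueryLogConfigId": "rqlc-1", "ResourceId": "vpc-0a", "Status": "ACTIVE"},
        {"Id": "a2", "ResolverQueryLogConfigId": "rqlc-1", "ResourceId": "vpc-0b", "Status": "ACTIVE"},
        {"Id": "a3", "ResolverQueryLogConfigId": "rqlc-2", "ResourceId": "vpc-0c", "Status": "ACTIVE"},
    ],
    "tags": {   # (resource type, bare id) -> {key: value}, flattened from the tag APIs
        ("hostedzone", "Z1"): {"owner": "network-platform"},
        ("healthcheck", "hc-1"): {"owner": "payments"},
        ("query-log-config", "rqlc-2"): {"consumer": "soc-siem"},
    },
}


def referenced_health_checks(inv):
    """Health checks reachable from a record set, directly or via a CALCULATED parent."""
    by_id = {h["Id"]: h for h in inv["health_checks"]}
    seen = set()
    stack = [r["HealthCheckId"] for rrs in inv["record_sets"].values() for r in rrs if "HealthCheckId" in r]
    while stack:
        hc_id = stack.pop()
        if hc_id in seen or hc_id not in by_id:
            continue
        seen.add(hc_id)
        stack.extend(by_id[hc_id]["HealthCheckConfig"].get("ChildHealthChecks", []))
    return seen


def orphaned_health_checks(inv):
    """Checks no record set uses: they bill every month until deleted (pattern 2)."""
    live = referenced_health_checks(inv)
    return sorted(h["Id"] for h in inv["health_checks"] if h["Id"] not in live)


def duplicate_health_check_groups(inv):
    """Checks probing the same target (type, host or IP, port, path): consolidation candidates."""
    groups = defaultdict(list)
    for h in inv["health_checks"]:
        c = h["HealthCheckConfig"]
        if c["Type"] == "CALCULATED":
            continue
        key = (c["Type"], c.get("FullyQualifiedDomainName") or c.get("IPAddress"), c.get("Port"), c.get("ResourcePath"))
        groups[key].append(h["Id"])
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def zones_without_owner(inv):
    """Hosted zones with no owner tag: deletion candidates once they fail the age rule."""
    bare = [z["Id"].rsplit("/", 1)[-1] for z in inv["hosted_zones"]]   # tag APIs want the bare id
    return sorted(z for z in bare if "owner" not in inv["tags"].get(("hostedzone", z), {}))


def query_log_configs_without_consumer(inv):
    """Actively associated log configs (pattern 3) that nobody has claimed with a consumer tag."""
    active = {a["ResolverQueryLogConfigId"] for a in inv["query_log_associations"] if a["Status"] == "ACTIVE"}
    return sorted(c["Id"] for c in inv["query_log_configs"]
                  if c["Id"] in active and "consumer" not in inv["tags"].get(("query-log-config", c["Id"]), {}))


def audit(inv):
    """One dict of findings per account; feed it to the owner lookup and age rule."""
    return {
        "orphaned_health_checks": orphaned_health_checks(inv),
        "duplicate_health_check_groups": duplicate_health_check_groups(inv),
        "zones_without_owner": zones_without_owner(inv),
        "query_log_configs_without_consumer": query_log_configs_without_consumer(inv),
        "policy_record_monthly_usd": POLICY_RECORD_RATE * len(inv["traffic_policy_instances"]),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE).items():
        print(f"{finding}: {value}")
```

Two details in the sample are worth keeping when you replace it with live data: list_hosted_zones returns Ids with the `/hostedzone/` prefix while the tag and association APIs want the bare id, and a health check referenced only as a child of a CALCULATED check is still in use, so an orphan scan that looks only at record sets will flag it wrongly.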
How Route 53 interacts with hybrid DNS
For enterprises running on-premises Active Directory or other corporate DNS, the integration pattern matters financially. Resolver inbound endpoints accept queries from on-premises into AWS-managed zones. Resolver outbound endpoints forward AWS-originated queries to on-premises resolvers. Each ENI in either direction costs $0.125/hour, and each endpoint needs at least two. Centralizing both in a shared services VPC eliminates the per-VPC duplication that drives most of the cost: share the outbound forwarding rules to member accounts with AWS RAM and associate them with each VPC, and associate the private hosted zones with the shared VPC so the inbound endpoint can answer on-premises queries for them. Route 53 Profiles (released in 2024) bundle those rule and zone associations into one object that can be shared across accounts and applied to VPCs, which further reduces the operational overhead of consolidation; Profiles carry their own charge per profile, so include it when weighing them against the ENI savings.