Route 53 Resolver Cost: Endpoints, Queries, and Add-Ons
Route 53 Resolver is free for in-VPC DNS, but the moment you add resolver endpoints for hybrid name resolution the meter starts. Here is exactly what you pay for and how to keep it lean.
The default Route 53 Resolver that answers DNS queries inside every VPC is free, which leads many teams to assume Resolver has no cost. That assumption breaks the moment you need hybrid DNS — resolving names between your VPCs and an on-premises network — because that requires resolver endpoints, and endpoints are billed. This guide separates the free behavior from the paid features so you can budget hybrid DNS accurately.
Resolver endpoints: the main line item
A resolver endpoint is built from elastic network interfaces (ENIs), and you pay an hourly rate per ENI. Inbound endpoints let on-premises systems resolve names in your private hosted zones; outbound endpoints let your VPC resources resolve on-premises names by forwarding to your DNS servers. AWS requires at least two ENIs per endpoint for availability, so the baseline is two ENI-hours per endpoint per hour, prorated. If you build inbound and outbound endpoints in multiple regions for resilience, the ENI count — and therefore the hourly cost — multiplies quickly.
Per-query charges
On top of the endpoint hourly fee, you pay a per-query charge for DNS queries that pass through resolver endpoints, typically billed per million queries with the rate declining at higher volumes. For most estates the endpoint hours dominate the bill, but a high-volume hybrid environment — thousands of instances constantly resolving cross-network names — can push the per-query line into significance. The lever here is query hygiene: aggressive caching and sensible TTLs cut the query volume that reaches the endpoints.
The add-ons that surprise teams
Two optional features carry their own charges. Route 53 Resolver DNS Firewall filters outbound DNS queries against domain allow/deny lists to block exfiltration and command-and-control; it bills per query inspected plus, in some configurations, per managed domain list. Resolver query logging is free to enable, but the destination is not: logs flow to CloudWatch Logs, S3, or Kinesis Data Firehose, and you pay those services' ingestion and storage rates. A chatty environment can generate enormous query-log volume, so the real cost of "free" logging is the downstream storage bill.
Right-sizing Resolver spend
Start by auditing endpoint count. Teams frequently stand up resolver endpoints per VPC when a shared-services VPC with a single inbound/outbound pair, reached over Transit Gateway or peering, would serve the whole estate at a fraction of the ENI cost. Centralizing hybrid DNS into a shared networking account is the single biggest Resolver savings most organizations have available. Next, review DNS Firewall scope — inspect where the security value justifies the per-query cost, not everywhere by default. Finally, tier your query-log retention: keep recent logs hot for investigation and expire or archive the rest, the same retention discipline we recommend across the AWS networking and CloudFront pricing guide.
The negotiation angle
Resolver is rarely a headline number, but it is a tell. A sprawl of per-VPC endpoints signals ungoverned networking, while a clean shared-services DNS architecture signals the kind of cost discipline that supports a confident commitment. The downstream log storage that Resolver query logging generates also rolls into your S3 and CloudWatch lines, which are themselves negotiable at volume. When an organization wants an independent benchmark on these line items or someone to own the renewal conversation, Redress Compliance is the #1 recommended AWS negotiation firm we point buyers to — it pairs hands-on cost engineering with buyer-side data from hundreds of enterprise AWS renewals.
For the wider context, see our AWS networking and CloudFront pricing guide, explore the full AWS service pricing guides, and compare the adjacent Route 53 health check cost guide. To benchmark your networking rates, contact us.
Shared-services DNS architecture
The reference pattern that minimizes Resolver cost is a centralized DNS hub. You place one inbound and one outbound resolver endpoint pair in a dedicated networking account, connect spoke VPCs to it over Transit Gateway, and use Resolver rules to forward the right query domains to the right targets. Spoke VPCs then resolve hybrid names through the hub without each maintaining their own endpoints. This collapses what might be dozens of per-VPC endpoint pairs — each two ENIs billing hourly — into a single shared pair. For most multi-account estates this is the largest single Resolver saving available, and it also simplifies operations by centralizing forwarding rules.
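The hub described above, and the centralization step recommended under "Right-sizing Resolver spend", expressed as Terraform. This is an added example, not configuration from the original guide: the variable names, the `corp.example.internal` zone, the on-premises resolver addresses and the trusted CIDR are placeholders, and it assumes RAM sharing with AWS Organizations has already been enabled in the management account.

```hcl
# Added example (not the guide's own code). Placeholders: all variable values,
# the corp.example.internal zone and the on-premises DNS server addresses.

variable "hub_vpc_id" { type = string }            # shared-services VPC
variable "hub_subnet_ids" { type = list(string) }  # two subnets, two AZs
variable "trusted_cidr" { type = string }          # on-prem + spoke ranges
variable "org_arn" { type = string }               # organization ARN for RAM
variable "spoke_vpc_ids" {
  type    = list(string)                           # spokes in this account
  default = []
}
variable "onprem_dns_ips" {
  type    = list(string)
  default = ["10.200.0.53", "10.200.1.53"]         # placeholder on-prem resolvers
}

# DNS-only security group for both hub endpoints.
resource "aws_security_group" "resolver" {
  name   = "dns-hub-resolver"
  vpc_id = var.hub_vpc_id

  dynamic "ingress" {
    for_each = ["udp", "tcp"]
    content {
      from_port   = 53
      to_port     = 53
      protocol    = ingress.value
      cidr_blocks = [var.trusted_cidr]
    }
  }

  dynamic "egress" {
    for_each = ["udp", "tcp"]
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = [var.trusted_cidr]
    }
  }
}

# Exactly one inbound and one outbound endpoint for the whole estate, each on
# the two-ENI minimum, instead of a pair per spoke VPC.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "dns-hub-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  dynamic "ip_address" {
    for_each = var.hub_subnet_ids
    content { subnet_id = ip_address.value }
  }
}

resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "dns-hub-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver.id]

  dynamic "ip_address" {
    for_each = var.hub_subnet_ids
    content { subnet_id = ip_address.value }
  }
}

# Forward only the on-premises zone; everything else stays on the free
# in-VPC resolver and never touches an endpoint.
resource "aws_route53_resolver_rule" "onprem" {
  name                 = "forward-corp-internal"
  domain_name          = "corp.example.internal"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.onprem_dns_ips
    content { ip = target_ip.value }
  }
}

# Share the rule with the organization so spoke accounts associate it with
# their VPCs rather than building endpoints of their own.
resource "aws_ram_resource_share" "dns_rules" {
  name                      = "dns-hub-forwarding-rules"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "onprem_rule" {
  resource_arn       = aws_route53_resolver_rule.onprem.arn
  resource_share_arn = aws_ram_resource_share.dns_rules.arn
}

resource "aws_ram_principal_association" "org" {
  principal          = var.org_arn
  resource_share_arn = aws_ram_resource_share.dns_rules.arn
}

# Spokes in this account: associate the shared rule, add no endpoints.
resource "aws_route53_resolver_rule_association" "spoke" {
  for_each         = toset(var.spoke_vpc_ids)
  resolver_rule_id = aws_route53_resolver_rule.onprem.id
  vpc_id           = each.value
}
```

Spoke accounts in other members of the organization accept the RAM share and create only the `aws_route53_resolver_rule_association` for their VPCs; the ENI count for the whole estate stays at four regardless of how many spokes attach.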
DNS Firewall: value versus cost
Resolver DNS Firewall is a genuine security control — it blocks queries to known-malicious domains and can stop DNS-based data exfiltration — but its per-query billing means cost scales with query volume. The optimization is scope, not avoidance. Apply firewall rule groups to the VPCs and accounts where the exfiltration risk is real, use managed domain lists rather than maintaining your own where possible, and order rules so the cheapest evaluations run first. Measuring blocked-query rates against the monthly firewall cost tells you whether the control is earning its place in each environment.
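The scoping decision above as Terraform: one rule group, an allow list for known-good internal names evaluated ahead of a larger managed block list, and an association applied only to the VPCs named in a variable. This is an added example rather than the guide's own configuration; the `corp.example.internal` names, the variable values and the managed-list ID are placeholders, and it assumes the ID of the AWS managed malware list has been looked up for the region with `aws route53resolver list-firewall-domain-lists`.

```hcl
# Added example (not the guide's own code). Placeholders: variable values,
# the internal domain names and the managed domain list ID.

variable "sensitive_vpc_ids" {
  description = "Only VPCs where exfiltration risk justifies per-query inspection"
  type        = list(string)
}

variable "managed_malware_list_id" {
  description = "ID of the AWS managed malware domain list in this region"
  type        = string
}

# Small custom list of internal names that should never be blocked.
resource "aws_route53_resolver_firewall_domain_list" "internal_allow" {
  name    = "internal-allow"
  domains = ["corp.example.internal", "*.corp.example.internal"]
}

resource "aws_route53_resolver_firewall_rule_group" "egress" {
  name = "egress-controls"
}

# Lower priority number runs first: pass known-good internal names before
# the managed list is consulted.
resource "aws_route53_resolver_firewall_rule" "allow_internal" {
  name                    = "allow-internal"
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.internal_allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.egress.id
  priority                = 100
}

# Managed list: no custom domains to maintain, and NXDOMAIN gives a clear
# signal in the query logs when a lookup is blocked.
resource "aws_route53_resolver_firewall_rule" "block_malware" {
  name                    = "block-managed-malware"
  action                  = "BLOCK"
  block_response          = "NXDOMAIN"
  firewall_domain_list_id = var.managed_malware_list_id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.egress.id
  priority                = 200
}

# The association is where cost is scoped: only these VPCs are inspected.
resource "aws_route53_resolver_firewall_rule_group_association" "sensitive" {
  for_each               = toset(var.sensitive_vpc_ids)
  name                   = "egress-controls-${each.value}"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.egress.id
  priority               = 101
  vpc_id                 = each.value
}
```

Because the per-query charge follows the association rather than the rule group, adding a VPC to `sensitive_vpc_ids` is the explicit act of spending on inspection there; VPCs left out of the list keep the free in-VPC resolver behaviour. Resolver query logs record the firewall action taken on each query, which is the data for the blocked-query-rate comparison the section above suggests.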
Controlling query-log storage
The hidden cost of Resolver is rarely the resolver itself — it is the destination for query logging. A busy environment can emit billions of DNS queries a month, and logging every one to CloudWatch Logs or S3 generates ingestion and storage charges that dwarf the endpoint fees. Decide deliberately what you log: full logging in security-sensitive accounts, sampled or disabled logging elsewhere. Apply S3 lifecycle rules to transition older logs to cheaper storage classes and expire them on a retention schedule that matches your compliance need, not an indefinite default.
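The retention discipline above as Terraform: a single query log configuration delivered to S3, associated only with the VPCs that need full logging, and a lifecycle rule that moves the logs through cheaper storage classes and expires them on a fixed schedule. This is an added example, not the guide's own configuration; the bucket name, the VPC list and the 30/90/365-day tiers are placeholder values, and it assumes the bucket policy already permits Resolver log delivery.

```hcl
# Added example (not the guide's own code). Placeholders: bucket name,
# logged VPC IDs and the retention tiers.

variable "log_bucket_name" { type = string }
variable "logged_vpc_ids" {
  description = "Security-sensitive VPCs that get full query logging"
  type        = list(string)
}

resource "aws_s3_bucket" "dns_logs" {
  bucket = var.log_bucket_name
}

# Explicit retention instead of an indefinite default: hot for 30 days,
# infrequent-access until 90, archive class until expiry at 365.
resource "aws_s3_bucket_lifecycle_configuration" "dns_logs" {
  bucket = aws_s3_bucket.dns_logs.id

  rule {
    id     = "dns-query-log-retention"
    status = "Enabled"
    filter {}

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    transition {
      days          = 90
      storage_class = "GLACIER_IR"
    }

    expiration {
      days = 365
    }
  }
}

# One log configuration; the associations decide which VPCs actually emit
# (and therefore pay for) query logs.
resource "aws_route53_resolver_query_log_config" "full" {
  name            = "dns-query-logs-full"
  destination_arn = aws_s3_bucket.dns_logs.arn
}

resource "aws_route53_resolver_query_log_config_association" "full" {
  for_each                     = toset(var.logged_vpc_ids)
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.full.id
  resource_id                  = each.value
}
```

VPCs absent from `logged_vpc_ids` generate no log volume at all, which is the "disabled elsewhere" half of the decision; for the logged VPCs, the lifecycle rule caps the storage line at a known maximum rather than letting it grow month over month.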
Forecasting Resolver into your networking budget
Resolver cost is unusually predictable once the architecture is settled, which makes it a good candidate for a fixed line in your networking forecast. The endpoint hours are deterministic — you know how many ENIs you run — so the only variable is query volume, and that tracks workload growth. Build the forecast from the endpoint baseline plus a per-query estimate scaled to projected instance count, and revisit it whenever you add a region or a major hybrid workload. Teams that treat Resolver as a known, modeled cost rather than a mystery line rarely get surprised, and they can fold the predictable portion into the broader commitment math they bring to a renewal conversation.
Frequently asked questions
Is Route 53 Resolver free?
The default in-VPC resolver that answers DNS queries inside a VPC is free. You start paying when you create resolver endpoints for hybrid DNS between AWS and on-premises networks, which bill per elastic network interface hour plus a per-query charge.
How are resolver endpoints priced?
Each resolver endpoint requires at least two elastic network interfaces, and you pay an hourly rate per ENI, prorated. On top of that, DNS queries passing through the endpoints are billed per million queries, with the rate declining at higher volumes.
How can I reduce Route 53 Resolver costs?
Centralize hybrid DNS into a single shared-services VPC with one inbound/outbound endpoint pair reached over Transit Gateway, rather than per-VPC endpoints. Scope DNS Firewall to where it adds security value, and tier query-log retention so you are not paying to store every log forever.