Resolver endpoint scaling - Amazon Route 53

Resolver endpoint security groups use connection tracking to gather information about traffic to and from the endpoints. Each endpoint interface can track only a limited number of connections, and a high volume of DNS queries can exceed that limit and cause throttling and query loss. To reduce the number of connections that are tracked, implement security group rules that permit traffic based on the connection state of the traffic. For more information, see Security groups and Connection tracking in the Amazon EC2 User Guide.

Connections made through services such as Network Load Balancer and AWS Lambda (for a full list, see Automatically tracked connections) are always tracked, even if the security group configuration does not otherwise require tracking.

If connection tracking is enforced, either because restrictive security group rules are in place or because queries are routed through a Network Load Balancer, the overall maximum queries per second per IP address for an endpoint can be as low as 1500.

Ingress and egress security group rule recommendations for the inbound Resolver endpoint

Ingress rules

  Protocol type   Port number   Source IP
  TCP             53            0.0.0.0/0
  UDP             53            0.0.0.0/0

Egress rules

  Protocol type   Port number   Destination IP
  TCP             All           0.0.0.0/0
  UDP             All           0.0.0.0/0

Ingress and egress security group rule recommendations for the outbound Resolver endpoint

Ingress rules

  Protocol type   Port number   Source IP
  TCP             All           0.0.0.0/0
  UDP             All           0.0.0.0/0

Egress rules

  Protocol type   Port number   Destination IP
  TCP             All           0.0.0.0/0
  UDP             All           0.0.0.0/0
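The following is an added example, not AWS code, that audits a security group against the rule recommendations in the two tables above. It takes the IpPermissions and IpPermissionsEgress lists in the shape that `aws ec2 describe-security-groups` returns and reports which recommended rules are absent, so you can spot a group whose narrower rules would force the endpoint's DNS flows into connection tracking. The two sample groups and their group IDs are constructed placeholders. The check only confirms that the rules this page recommends are present; the exact conditions under which EC2 leaves a flow untracked are defined in the Connection tracking section of the Amazon EC2 User Guide.

```python
# Added example (not AWS code): check whether a security group attached to a
# Route 53 Resolver endpoint carries the permissive rules recommended on this
# page, so that DNS flows stay untracked and do not count against the
# endpoint interface's connection-tracking limit.
#
# Input shape mirrors the "IpPermissions"/"IpPermissionsEgress" lists that
# `aws ec2 describe-security-groups` returns. The two sample groups below are
# constructed for illustration; the group IDs are placeholders.

ANYWHERE = "0.0.0.0/0"
ALL_PORTS = (0, 65535)

# Recommended rules from the tables above: (protocol, from_port, to_port).
RECOMMENDED = {
    "inbound": {
        "ingress": [("tcp", 53, 53), ("udp", 53, 53)],
        "egress": [("tcp", *ALL_PORTS), ("udp", *ALL_PORTS)],
    },
    "outbound": {
        "ingress": [("tcp", *ALL_PORTS), ("udp", *ALL_PORTS)],
        "egress": [("tcp", *ALL_PORTS), ("udp", *ALL_PORTS)],
    },
}


def rule_covers(perm, proto, low, high):
    """True if one IpPermissions entry allows `proto` on ports low..high
    to/from 0.0.0.0/0. IpProtocol "-1" means all protocols and all ports."""
    ip_proto = perm.get("IpProtocol")
    if ip_proto not in (proto, "-1"):
        return False
    if ip_proto != "-1":
        # The rule must span the whole required port range.
        if perm.get("FromPort", 0) > low or perm.get("ToPort", 65535) < high:
            return False
    return any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", []))


def missing_rules(sg, endpoint_type):
    """Return the recommended rules that `sg` lacks, as
    (direction, protocol, from_port, to_port) tuples. An empty list means
    every recommended rule is present."""
    wanted = RECOMMENDED[endpoint_type]
    missing = []
    for direction, key in (("ingress", "IpPermissions"),
                           ("egress", "IpPermissionsEgress")):
        perms = sg.get(key, [])
        for proto, low, high in wanted[direction]:
            if not any(rule_covers(p, proto, low, high) for p in perms):
                missing.append((direction, proto, low, high))
    return missing


def _cidr(cidr):
    return [{"CidrIp": cidr}]


# Constructed sample: matches the inbound-endpoint recommendation. A single
# all-protocols ("-1") egress rule to 0.0.0.0/0 satisfies "TCP All" and "UDP All".
SAMPLE_RECOMMENDED_SG = {
    "GroupId": "sg-PLACEHOLDER-ok",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": _cidr(ANYWHERE)},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": _cidr(ANYWHERE)},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": _cidr(ANYWHERE)}],
}

# Constructed sample: narrower rules (ingress limited to a private range,
# egress limited to UDP/53) that would cause DNS flows to be tracked.
SAMPLE_RESTRICTIVE_SG = {
    "GroupId": "sg-PLACEHOLDER-restrictive",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": _cidr("10.0.0.0/8")},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": _cidr(ANYWHERE)},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": _cidr(ANYWHERE)},
    ],
}

if __name__ == "__main__":
    for sg in (SAMPLE_RECOMMENDED_SG, SAMPLE_RESTRICTIVE_SG):
        gaps = missing_rules(sg, "inbound")
        status = "OK (matches recommendation)" if not gaps else "tracked flows likely"
        print(f"{sg['GroupId']}: {status}")
        for direction, proto, low, high in gaps:
            print(f"  missing {direction} {proto} {low}-{high} {ANYWHERE}")
```

Run it against the output of `aws ec2 describe-security-groups --group-ids <id>` (one entry of the `SecurityGroups` list) with `"inbound"` or `"outbound"` according to the endpoint type. IPv6 (`::/0`) rules are not evaluated because the tables above only list IPv4 recommendations.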

Inbound Resolver endpoints

For clients using an inbound Resolver endpoint, the capacity of the elastic network interface is affected if more than 40,000 unique client IP address and port combinations are generating the DNS traffic.