AWS recently announced that Amazon CloudFront now supports HTTPS DNS alias records in Amazon Route 53, which is a specialized form of the Service Binding (SVCB) DNS record (RFC 9460).
Traditionally, a client (e.g., a browser) performs a DNS lookup to obtain an IP address, connects to the server, and only then negotiates the HTTP version (HTTP/1.1, HTTP/2, or HTTP/3). With an HTTPS record, the DNS answer can carry, alongside the address, the protocols the server supports (e.g., HTTP/3), the port, and even alternative server names, so the client skips the extra round-trips of protocol negotiation and the first page loads faster.
(Source: AWS Networking & Content Delivery blog post)
The upfront protocol details also improve security: because the client learns at DNS time which protocols the server supports, downgrade attacks are harder to mount and the connection is secure from the outset. In addition, with CloudFront alias records, Route 53 processes HTTPS DNS queries at no charge, so queries for the most common record types of such domains (A, AAAA, and HTTPS) incur no cost. This not only optimizes expenses but also benefits from broad browser support: major browsers such as Chrome, Safari, and Firefox already query the HTTPS record type by default, improving both the efficiency and the safety of internet connections.
Vadym Kazulkin, an AWS Hero, summarized the impact, tweeting:
This helps users improve performance and security, and simultaneously reduce operational expenses.
To enable HTTP/2 and/or HTTP/3 on a CloudFront distribution, the user navigates (in the AWS Management Console) to the Settings section of the existing distribution and selects Edit. After allowing these protocols, they set up HTTPS alias records for their custom domains in Route 53 by editing the hosted zone for the domain: select "Create Record," enter the subdomain that corresponds to the CloudFront distribution, and create an alias record of type HTTPS. Finally, they select Alias to a CloudFront distribution and choose the specific distribution. Once saved, CloudFront begins responding with HTTPS records for the user's domain.
(Source: AWS Networking & Content Delivery blog post)
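To see what such a record carries once it is served, and to check the result of the setup above from a resolver's point of view, here is an added example (not code from AWS or the blog post) that decodes an HTTPS record's RFC 9460 wire format and reports the advertised ALPN protocols. The sample bytes are constructed by hand and merely stand in for a CloudFront-style answer.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# SvcParam keys registered by RFC 9460
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(buf, off):
    """Read an uncompressed DNS name; '.' (root) means 'the owner name itself'."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB target names")
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return (".".join(labels) + "." if labels else "."), off

def parse_https_rr(rdata: bytes) -> dict:
    """Decode RDATA of a type-65 HTTPS record: priority, target, SvcParams."""
    priority, = struct.unpack_from("!H", rdata, 0)   # 0 = AliasMode, >0 = ServiceMode
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, off); off += 4
        if key <= last_key:                          # RFC 9460: keys strictly ascending
            raise ValueError("SvcParams out of order or duplicated")
        last_key = key
        val = rdata[off:off + length]; off += length
        if len(val) != length:
            raise ValueError("truncated SvcParam value")
        name = KEY_NAMES.get(key, f"key{key}")
        if key == 1:    # alpn: sequence of 1-byte length-prefixed protocol ids
            ids, i = [], 0
            while i < len(val):
                n = val[i]; ids.append(val[i + 1:i + 1 + n].decode("ascii")); i += 1 + n
            params[name] = ids
        elif key == 3:  # port: 2-byte integer
            params[name] = struct.unpack("!H", val)[0]
        elif key == 4:  # ipv4hint: packed 4-byte addresses
            params[name] = [str(IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == 6:  # ipv6hint: packed 16-byte addresses
            params[name] = [str(IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
        else:
            params[name] = val                       # opaque (ech, mandatory, unknown)
    return {"priority": priority, "target": target, "params": params}

# Constructed sample, not a real DNS answer: priority 1, target ".", alpn=h3,h2, ipv4hint=203.0.113.10
SAMPLE_RDATA = (b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x06" + b"\x02h3\x02h2"
                + b"\x00\x04\x00\x04" + bytes([203, 0, 113, 10]))

def advertises_h3(rdata: bytes) -> bool:
    """True when the record tells clients they may open HTTP/3 (QUIC) directly."""
    return "h3" in parse_https_rr(rdata)["params"].get("alpn", [])
```

Running `parse_https_rr(SAMPLE_RDATA)` yields the priority, target, and decoded `alpn`/`ipv4hint` parameters; a record without `h3` in its ALPN list means clients will still have to discover HTTP/3 support after connecting.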
Beyond AWS, other cloud providers and CDNs also support HTTPS records. For example, Google Cloud DNS fully supports the HTTPS record type, leveraging it to optimize connections for services such as Google Cloud CDN. Similarly, Cloudflare automatically generates these records for proxied domains where HTTP/2 or HTTP/3 is enabled.
Lastly, HTTPS record support on CloudFront is available in all edge locations.