DNS Backup for AWS Route53
Why back up Route53 DNS
Route53 is reliable infrastructure. But it has no built-in backup, no change history, and no zone file export button in the AWS console. If a Terraform apply overwrites your zone, or someone deletes records through the console, your only option is reconstructing from CloudTrail logs — if you have them enabled, and if you can parse them fast enough.
BackupMyDNS connects to Route53 with read-only IAM access, captures every zone snapshot on change, and stores full diffs. Every record, every version, downloadable as a standard BIND zone file.
What permissions we need
BackupMyDNS requires an IAM policy with exactly two permissions:
route53:ListHostedZones — enumerate your zones
route53:ListResourceRecordSets — read the records in each zone
That’s it. No write access. No access to other AWS services. We recommend creating a dedicated IAM user or role with only this policy attached. The credentials are AES-256 encrypted in our storage.
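An added example, not BackupMyDNS code: a Python check that an IAM policy document grants the two actions listed above and nothing more, so you can audit the policy before attaching it. The sample policy, its `Resource` value, and the function names are constructed for illustration.

```python
import fnmatch
import json

# The two read-only actions the page lists (IAM action names are case-insensitive).
ALLOWED = {"route53:listhostedzones", "route53:listresourcerecordsets"}

# Constructed sample policy; Resource "*" is an assumption, not taken from the page.
BACKUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
    "Resource": "*"
  }]
}
""")

def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def excess_grants(policy):
    """Return every Allow grant that goes beyond the two read-only actions."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "NotAction" in stmt:
            findings.append("NotAction")  # allows everything except what it lists
        for action in _as_list(stmt.get("Action")):
            # Wildcards such as route53:* are excess even if they cover the two actions.
            if action.lower() not in ALLOWED:
                findings.append(action)
    return findings

def missing_actions(policy):
    """Return required actions that no Allow statement covers (wildcards honoured)."""
    patterns = [a.lower() for s in _as_list(policy.get("Statement"))
                if s.get("Effect") == "Allow" for a in _as_list(s.get("Action"))]
    return sorted(a for a in ALLOWED
                  if not any(fnmatch.fnmatchcase(a, p) for p in patterns))

if __name__ == "__main__":
    print("excess:", excess_grants(BACKUP_POLICY))
    print("missing:", missing_actions(BACKUP_POLICY))
```

A policy passes when both functions return an empty list; anything in `excess_grants` is access the backup does not need.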
What Route53’s native tooling misses
No export button. Unlike most DNS providers, Route53 has no “Download Zone File” option in the console. To get your records out, you need the AWS CLI or API. Most teams never do this.
Alias records don’t translate. Route53’s Alias records are a proprietary feature — they resolve to AWS resources (ELBs, CloudFront distributions, S3 buckets) but don’t exist in standard BIND format. A naive export loses this information. BackupMyDNS captures alias targets explicitly.
Routing policies are invisible in zone files. Weighted routing, latency-based routing, failover, and geolocation policies add complexity that a flat zone file can’t represent. If you’re using these, a simple record list isn’t enough — you need the full routing context. We capture and store it.
No change tracking. Route53 doesn’t tell you what changed or when. CloudTrail logs API calls but doesn’t show you a clean before/after diff of your zone. BackupMyDNS does.
Route53-specific gotchas
Alias vs CNAME. Teams frequently use Alias records at the zone apex (where CNAMEs aren’t allowed). During a migration away from AWS, these records need to be converted to A records or handled differently. Having a backup that clearly identifies which records are Aliases is critical.
Health checks tied to records. Route53 lets you attach health checks to DNS records for failover. These health check associations aren’t part of the zone data — they’re a separate resource. If you lose the zone and rebuild it, you also need to reconnect health checks.
Private hosted zones. Route53 supports private zones that only resolve within your VPC. These zones are often forgotten during audits because they don’t resolve publicly. BackupMyDNS backs up any zone the IAM credentials can access.
Split-horizon DNS. Running the same domain name with both a public and private hosted zone is common in AWS. Changes to one can be confused with the other. Separate snapshots for each zone prevent this confusion.
Pricing
Your first domain is free with daily checks and 30 days of retention. Pro plans start at $14/mo for up to 100 zones with hourly checks and 1 year of retention. Business plans at $49/mo cover 1,000 zones with 10-minute checks and unlimited retention.
All data is AES-256 encrypted at rest. Fort Knox mode available — we email you the backup and delete it from our systems.
Get started
Connect your AWS account with a read-only IAM policy. Setup takes under five minutes.