
Trying Out Route 53 Support for CloudFront HTTPS Records: What Are the Benefits?


Introduction

On July 1, 2025, as mentioned in the title, Amazon CloudFront announced support for HTTPS DNS records.
Support for HTTPS records is a welcome update because it provides performance benefits.
https://aws.amazon.com/jp/about-aws/whats-new/2025/07/amazon-cloudfront-https-dns-records/

In this article, I will provide a brief explanation of HTTPS records, demonstrate how to configure them in CloudFront, and perform a performance comparison.

What are HTTPS Records?

First, I will briefly explain HTTPS records.
To understand the benefits of HTTPS records, some background information is necessary, so I will supplement that first.
If you are already familiar with this, please feel free to skip ahead.

HTTP has Several Versions

HTTP, which we use daily, exists in several versions.
Communication begins after the client and server negotiate which version to use.

| Version | Year | Main Features | Challenges |
|---|---|---|---|
| HTTP/1.0 | 1996 | Basic request/response | Connection closed after each request; inefficient |
| HTTP/1.1 | 1997 | Keep-Alive, Pipelining | Head-of-Line Blocking |
| HTTP/2 | 2015 | Binary framing, stream multiplexing | Constraints of running over TCP |
| HTTP/3 | 2022 | QUIC (UDP) based | Implementation and adoption challenges |

Negotiation Method Comparison

There are three main methods for negotiating versions, and one of them is the HTTPS record. I will introduce the other methods before explaining the benefits of the HTTPS record.

1. ALPN (Application-Layer Protocol Negotiation)

ALPN is a mechanism for determining the application-layer protocol during the TLS handshake.

ALPN Characteristics:

  • Executed simultaneously with the TLS handshake
  • No additional round trips required
  • The standard negotiation method for HTTP/2

2. HTTP Alternative Services

HTTP Alternative Services is a mechanism for telling the client, during an ongoing exchange, that other protocols are available. Because HTTP/2 runs over TCP, an existing connection could simply be reused, but HTTP/3 runs over UDP and therefore needs a different approach. With HTTP Alternative Services, the server can let the client know mid-communication that it can also connect using HTTP/3.

Alternative Services Characteristics:

  • Upgrades the protocol on the next connection
  • Notifies via response headers or HTTP/2 ALTSVC frames

3. HTTPS Records

HTTPS records are a relatively new mechanism for advertising service information and supported protocols in advance, inside the DNS response itself.
https://datatracker.ietf.org/doc/html/rfc9460

HTTPS Record Characteristics:

  • Protocol information is obtained at the DNS stage
  • The most suitable protocol is selected from the very first connection

Because of these two points, the number of round trips can be reduced.

Trying out CloudFront × HTTPS Records

In this section, I will try out a common static content delivery configuration using CloudFront + S3.

Environment Setup

Creating an S3 Bucket and Placing an HTML File

First, create an S3 bucket and place a sample HTML file.

index.html
<!-- index.html -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>CloudFront HTTPS RR Test</title>
  <style>
    body { font-family: sans-serif; text-align: center; margin-top: 4rem; }
    .info { font-size: 1.2rem; margin-top: 2rem; }
  </style>
</head>
<body>
  <h1>CloudFront HTTPS Record Test Page</h1>
  <p class="info">This is a static HTML file served via CloudFront.</p>
  <p class="info">Check HTTP version using browser dev tools or curl.</p>
  <script>
    // Show protocol if browser supports performance API
    if (performance.getEntriesByType) {
      const nav = performance.getEntriesByType("navigation")[0];
      const protocol = nav.nextHopProtocol;
      document.body.insertAdjacentHTML("beforeend", `<p class="info">Protocol used: <strong>${protocol}</strong></p>`);
    }
  </script>
</body>
</html>

CloudFront Configuration

Create a distribution with the S3 bucket created earlier as the origin.
To use HTTPS records, you must have HTTP/2 or HTTP/3 enabled.

Route 53 Configuration

Now, for the main event: configuring the HTTPS record.
Just like A or AAAA records, HTTPS can also be defined as an Alias record.
It's simple, as you just need to select the distribution. I will also define an A record along with it.

Testing Access

Let's try name resolution using dig right away.
You can see that the supported versions are returned in the ANSWER SECTION as https.[domain_name]. 60 IN HTTPS 1 . alpn="h2,h3".

$ dig https.[domain_name] HTTPS

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> https.[domain_name] HTTPS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43798
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;https.[domain_name].      IN      HTTPS

;; ANSWER SECTION:
https.[domain_name]. 60    IN      HTTPS   1 . alpn="h2,h3"

;; Query time: 46 msec
;; SERVER: 10.255.255.254#53(10.255.255.254) (UDP)
;; WHEN: Wed Jul 02 14:29:07 JST 2025
;; MSG SIZE  rcvd: 78
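As an added example (my own code, not from the article or from AWS), here is a small Python decoder for the wire format of the HTTPS record that dig returned above, plus the client-side choice it enables; the RDATA bytes are constructed by hand for `1 . alpn="h2,h3"` (a TargetName of `.` means the owner name itself), and the decoder rejects the malformations RFC 9460 tells clients to reject (out-of-order keys, compression pointers, truncated values).

```python
import struct

# Constructed RDATA for the dig answer above (1 . alpn="h2,h3"): priority 1, root target, alpn key 1.
SAMPLE_RDATA = bytes.fromhex("0001 00 0001 0006 02 6832 02 6833")

def _read_name(data, pos):
    """Decode TargetName; RFC 9460 forbids name compression here, so reject pointers."""
    labels = []
    while True:
        length, pos = data[pos], pos + 1
        if length == 0:
            return ".".join(labels) + ".", pos
        if length & 0xC0:
            raise ValueError("compression pointer not permitted in SVCB TargetName")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length

def parse_https_rdata(data):
    """Parse HTTPS/SVCB RDATA (RFC 9460 wire format); malformed input raises ValueError."""
    priority = struct.unpack("!H", data[:2])[0]
    target, pos = _read_name(data, 2)
    params, last_key = {}, -1
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if key <= last_key:  # keys must be strictly increasing or the RR is malformed
            raise ValueError("SvcParamKeys not in strictly increasing order")
        if pos + length > len(data):
            raise ValueError("SvcParam value overruns RDATA")
        value, pos, last_key = data[pos:pos + length], pos + length, key
        if key == 1:  # alpn: sequence of length-prefixed ALPN protocol ids
            ids, i = [], 0
            while i < len(value):
                ids.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
            params["alpn"] = ids
        else:  # port, ipv4hint, ech, ipv6hint, ... kept raw for brevity
            params[f"key{key}"] = value
    return {"priority": priority, "target": target, "params": params}

def choose_protocol(record, udp_allowed=True):
    """Pick the protocol from the DNS answer alone; fall back to h2 where UDP is blocked."""
    if record["priority"] == 0:
        return None  # AliasMode: no service parameters, follow the target name instead
    alpn = record["params"].get("alpn", [])
    if "h3" in alpn and udp_allowed:
        return "h3"
    return "h2" if "h2" in alpn else "http/1.1"
```

The `udp_allowed` flag models the firewall caveat discussed later in the article: a client that knows QUIC is blocked should pick h2 from the record rather than attempt h3 and wait for a timeout.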

Performance Comparison

As mentioned earlier, HTTPS records are expected to speed up the initial response by reducing the number of round trips. Let's compare it with an A record to see if it actually has that effect.

The command is as follows. 200 trials were performed after 10 warm-up runs.

hyperfine \
  --runs 200 \
  --warmup 10 \
  --style full \
  'curl -s --http2 https://https.[domain_name]/index.html' \
  'curl -s --http3 https://https.[domain_name]/index.html'

Performance Comparison Results

The results showed a performance improvement for HTTP/3 when the HTTPS record was used, while HTTP/2 was unchanged. This confirms the advantage of HTTPS records.

| Metric | A Record | HTTPS Record | Difference | HTTPS Advantage |
|---|---|---|---|---|
| HTTP/2 Average Time | 83.7 ms | 83.8 ms | +0.1 ms | ⚪ No difference |
| HTTP/2 Standard Deviation | 101.3 ms | 104.1 ms | +2.8 ms | ⚪ No difference |
| HTTP/3 Average Time | 84.0 ms | 70.8 ms | -13.2 ms | 🟢 15.7% improvement |
| HTTP/3 Standard Deviation | 38.8 ms | 26.8 ms | -12.0 ms | 🟢 30.9% improvement |

Important Considerations

While the HTTPS records introduced in this article are a very useful mechanism, please note the following points when implementing them:

  • Differences in browser and OS support
    HTTPS records are a relatively new DNS record type, and as of 2025, they may not be processed correctly by some older browsers and operating systems (e.g., older iOS Safari, some Android browsers, etc.).

  • Potential for UDP (HTTP/3) being restricted by corporate networks or firewalls
    Since HTTP/3 is UDP-based, it may be blocked in corporate environments or under specific network settings (e.g., due to missing firewall rule definitions). Please check your usage environment in advance.

Summary

We have reviewed the mechanism and benefits of HTTPS records, and how to configure them in CloudFront.
Since they are very easy to set up, I would like to actively utilize them after conducting an impact assessment.

References

The first part of this article was inspired by the following book. It is a highly recommended book for systematically understanding everything from the history of HTTP to related knowledge.
"Real World HTTP 3rd Edition: Learning the Web and Internet Technologies through History and Code"
https://www.oreilly.co.jp/books/9784814400669/