Yes, it is possible to do what you wanted. In fact, ease of correlation is one big advantage of Splunk and SPL. You may want to describe what the route53 resolver log looks like, however. Without looking at the actual data structure, it is rather hard to prescribe a recipe. (This being a Splunk forum, not everyone knows what route53 is.)
This said, I'll make some simplifying assumptions. Assume that you have a search with route53 that results in events containing peek_ip and poke_dns. The following pseudocode can be a direction to try.
| table peek_ip poke_dns ]
| eval peek_ip = if(isnull(peek_ip), dest_ip, peek_ip)
| eventstats values(poke_dns) as dest_DNS by peek_ip
| eval peek_ip = if(isnull(poke_dns), src_ip, peek_ip)
| eventstats values(poke_dns) as src_DNS by peek_ip
Among other caveats, this approach depends a lot on how stable that route53_search is, and whether the logs contain conflicting outputs. Efficiency-wise, you may want to replace eventstats with stats if you know the exact field list in the final results.
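
Added example, not part of the original answer: a self-contained emulation of the approach above that can be pasted into a search bar, including the "conflicting outputs" case where one IP maps to two DNS names. All sample rows are constructed, the helper fields is_dns and dest_conflict are hypothetical, and `makeresults format=csv` assumes Splunk 9.0 or later.

```spl
| makeresults format=csv data="src_ip,dest_ip
10.0.0.5,198.51.100.7
10.0.0.9,203.0.113.20"
``` constructed stand-in for the firewall events ```
| append
    [| makeresults format=csv data="peek_ip,poke_dns
198.51.100.7,app.example.com
198.51.100.7,cdn.example.net
10.0.0.5,host5.corp.example"
    ``` constructed stand-in for the route53 search ```
    | table peek_ip poke_dns ]
``` mark lookup rows so the join key can be reset safely for each pass ```
| eval is_dns = if(isnotnull(poke_dns), 1, 0)
| eval peek_ip = if(is_dns == 1, peek_ip, dest_ip)
| eventstats values(poke_dns) as dest_DNS by peek_ip
| eval peek_ip = if(is_dns == 1, peek_ip, src_ip)
| eventstats values(poke_dns) as src_DNS by peek_ip
``` keep only the firewall rows, now annotated with DNS names ```
| where is_dns == 0
``` a multivalue result means the DNS log gave more than one name for that IP ```
| eval dest_conflict = if(coalesce(mvcount(dest_DNS), 0) > 1, "yes", "no")
| table src_ip src_DNS dest_ip dest_DNS dest_conflict
```

The first firewall row comes back with src_DNS host5.corp.example and a two-value dest_DNS flagged as a conflict; the second row has no DNS match on either side, so both fields stay empty.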