A Response Policy Rule is a selector that applies its behavior to queries that match the selector. Selectors are DNS names, which may be wildcards or exact matches. Each DNS query subject to a Response Policy matches at most one ResponsePolicyRule, as identified by the dnsName field with the longest matching suffix.
JSON representation
{
  "ruleName": string,
  "kind": string,

  // Union field selector can be only one of the following:
  "dnsName": string
  // End of list of possible types for union field selector.

  // Union field action can be only one of the following:
  "localData": {
    object (LocalData)
  },
  "behavior": enum (Behavior)
  // End of list of possible types for union field action.
}
Fields
ruleName
string
An identifier for this rule. Must be unique within the ResponsePolicy.
kind
string
Union field selector.
selector can be only one of the following:
dnsName
string
The DNS name (wildcard or exact) to apply this rule to. Must be unique within the Response Policy Rule.
Union field action.
action can be only one of the following:
localData
object (LocalData)
Answer this query directly with DNS data. These ResourceRecordSets override any other DNS behavior for the matched name; in particular they override private zones, the public internet, and GCP internal DNS. SOA and NS types are not allowed.
All resource record sets for this selector, one per resource record type. The name must match the dnsName.
Behavior
Enums
behaviorUnspecified
bypassResponsePolicy
Skip a less-specific Response Policy Rule and let the query logic continue. This mechanism, when used with wildcard selectors, lets you exempt specific subdomains from a broader Response Policy Rule and direct the queries to the public internet instead. For example, if the following rules exist:
A query for foo.example.com skips the wildcard rule.
This functionality also facilitates allowlisting. Response Policy Zones (RPZs) can be applied at multiple levels within the hierarchy: for example, an organization, a folder, a project, or a VPC network. If an RPZ rule is applied at a higher level, adding a passthrough rule at a lower level will override it. Queries from affected virtual machines (VMs) to that domain bypass the RPZ and proceed with normal resolution.
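The longest-suffix selection and the bypass behavior described above can be modelled locally to review which names a policy exempts. This is an added example, not part of the Cloud DNS API or its documentation; the rule names, sample rules and helper functions are constructed, and it assumes a wildcard matches names at any depth below its suffix but not the suffix itself.

```python
RULES = [  # added example; constructed sample rules in the JSON shape shown above
    {"ruleName": "block-example", "dnsName": "*.example.com.",
     "localData": {}},  # record sets omitted; only the action type matters here
    {"ruleName": "allow-foo", "dnsName": "foo.example.com.",
     "behavior": "bypassResponsePolicy"},
    {"ruleName": "allow-dev", "dnsName": "*.dev.example.com.",
     "behavior": "bypassResponsePolicy"},
]

def _labels(name):  # lower-case, drop the trailing dot, split into labels
    return name.lower().rstrip(".").split(".")

def select_rule(rules, qname):
    """Return the one rule whose dnsName has the longest matching suffix, or None."""
    q = _labels(qname)
    best, best_len = None, -1
    for rule in rules:
        sel = _labels(rule["dnsName"])
        if sel[0] == "*":
            suffix = sel[1:]
            # Assumption: a wildcard covers names strictly below its suffix, at any depth.
            matched = len(q) > len(suffix) and q[len(q) - len(suffix):] == suffix
        else:
            suffix, matched = sel, q == sel
        if matched and len(suffix) > best_len:
            best, best_len = rule, len(suffix)
    return best

def effective_action(rules, qname):
    """Classify what the policy does with qname: (action, ruleName)."""
    rule = select_rule(rules, qname)
    if rule is None:
        return ("no-match", None)
    if rule.get("behavior") == "bypassResponsePolicy":
        return ("bypass", rule["ruleName"])
    if "localData" in rule:
        return ("local-data", rule["ruleName"])
    return ("unspecified", rule["ruleName"])

def bypass_exceptions(rules):
    """List (bypass rule, broader rule it exempts names from) pairs for allowlist review."""
    others = [r for r in rules if r.get("behavior") != "bypassResponsePolicy"]
    pairs = []
    for r in rules:
        if r.get("behavior") == "bypassResponsePolicy":
            probe = r["dnsName"].replace("*", "probe", 1)  # a name the selector covers
            shadowed = select_rule(others, probe)
            pairs.append((r["ruleName"], shadowed["ruleName"] if shadowed else None))
    return pairs
```

A `None` in the second position of a `bypass_exceptions` pair means the bypass rule exempts names from nothing in this rule set, which is worth checking against policies applied at other levels.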
Last updated 2025-05-19 UTC.