Cloud DNS explained!
Lead Developer Advocate, Google
Cloud DNS Product Manager
How many times have you heard this:
"It’s not DNS."
"NO way it is DNS."
"It was the DNS!"
When you are building and managing cloud native or hybrid cloud applications you don’t want to add more stuff to your plate, especially not DNS. DNS is one of the necessary services for your application to function but you can rely on a managed service to take care of DNS requirements. Cloud DNS is a managed, low latency DNS service running on the same infrastructure as Google which allows you to easily publish and manage millions of DNS zones and records.
Click to enlarge
How does DNS work?
When a client requests a service, the first thing that happens is DNS resolution. Which means hostname to IP address translation. Here is how the request flow works:
Step 1 - A client makes a DNS request
Step 2 - The request is received by a recursive resolver which checks if it already knows the response to the request
Step 3 (a)- If yes, the recursive resolver responds to request if it has it stored in cache already.
Step 3 (b) - If no, the recursive resolver redirects request to other servers
Step 4 - The authoritative server then responds to requests
Step 5 - Recursive resolver caches the result for future queries.
Step 6 - And finally sends the information to the client
What does Cloud DNS offer?
- Global DNS Network: Managed Authoritative Domain Name System (DNS) service running on the same infrastructure as Google. You don’t have to manage your DNS server, Google does it for you.
- 100% Availability & Automatic Scaling: Cloud DNS uses Google’s global network of anycast name servers to serve your DNS zones from redundant locations around the world, providing high availability and lower latency for users. Allows customers to create, update, and serve millions of DNS records
- Private DNS Zones: Used for providing a namespace that is only visible inside the VPC or hybrid network environment. Example - a business organization has a domain dev.gcp.example.com, reachable only from within the company intranet
- Public DNS Zones: Used for providing authoritative DNS resolution to clients on the public internet. Example - a business has an external website, example.com accessible directly from the Internet. Not to be confused with Google Public DNS (188.8.131.52) which is just a public recursive resolver
- Split horizon DNS: Used to serve different answers (different resource record sets) for the same name depending on who is asking - internal or external network resource.
- DNS peering: DNS peering makes available a second method of sharing DNS data. All or a portion of the DNS namespace can be configured to be sent from one network to another and, once there, will respect all DNS configuration defined in the peered network.
- Security: Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It prevents attackers from manipulating or poisoning the responses to DNS requests.
Hybrid Deployments: DNS Forwarding
Google Cloud offers inbound and outbound DNS forwarding for private zones. You can configure DNS forwarding by creating a forwarding zone or a Cloud DNS server policy. The two methods - inbound and outbound. You can simultaneously configure inbound and outbound DNS forwarding for a VPC network.
Create an inbound server policy to enable an on-premises DNS client or server to send DNS requests to Cloud DNS. The DNS client or server can then resolve records according to a VPC network's name resolution order. On-premises clients use Cloud VPN or Cloud Interconnect to connect to the VPC network.
You can configure VMs in a VPC network to do the following:
- Send DNS requests to DNS name servers of your choice. The name servers can be located in the same VPC network, in an on-premises network, or on the internet.
- Resolve records hosted on name servers configured as forwarding targets of a forwarding zone authorized for use by your VPC network
- Create an outbound server policy for the VPC network to send all DNS requests an alternative name server.