This document describes how to configure and use DNS64 server policies with Virtual Private Cloud (VPC) networks.
Before you begin
- DNS64 server policies don't apply to dual-stack virtual machine (VM) instances, IPv4-only VM instances, serverless workloads, or requests sent to endpoints created by an inbound DNS server policy.
- Make sure that you have the required permissions to create a DNS64 server policy.
Create a DNS64 server policy
Create a DNS64 server policy to enable communication between IPv6-only workloads and IPv4-only destinations.
After you create a DNS64 server policy, the following occurs when an IPv6 (AAAA) record is queried:
- If an AAAA DNS record exists, the DNS server returns an IPv6 address. Your workload connects by using that IPv6 address.
- If no AAAA DNS record exists, Cloud DNS looks for A records. Cloud DNS then creates IPv6 addresses for the IPv4 addresses in the A record, by using the 64:ff9b::/96 IPv6 prefix.
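The lookup behavior described above, as an added example that is not part of the original documentation: it models the AAAA-first, A-fallback decision and the embedding of an IPv4 address in the low 32 bits of 64:ff9b::/96 (the RFC 6052 layout for a /96 prefix), and reverses it so that a synthesized address found in a log or firewall rule can be mapped back to its IPv4 destination. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Prefix named on this page; with a /96 prefix the IPv4 address
# occupies the last 32 bits of the IPv6 address (RFC 6052).
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str) -> str:
    """Embed an IPv4 address in the DNS64 prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    base = int(DNS64_PREFIX.network_address)
    return str(ipaddress.IPv6Address(base | int(v4)))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 address behind a synthesized address, else None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in DNS64_PREFIX:
        return None  # native IPv6 destination, nothing embedded
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def resolve_aaaa(aaaa_records, a_records):
    """Model of the policy: real AAAA records win, otherwise synthesize from A."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a) for a in a_records]


def annotate_destinations(destinations):
    """Pair each logged IPv6 destination with the IPv4 host it maps to, if any."""
    return [(d, embedded_ipv4(d)) for d in destinations]


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    print(resolve_aaaa(["2001:db8::10"], ["192.0.2.1"]))  # AAAA exists
    print(resolve_aaaa([], ["192.0.2.1", "198.51.100.7"]))  # A only
    for dest, v4 in annotate_destinations(["64:ff9b::c000:201", "2001:db8::10"]):
        print(dest, "->", v4 or "native IPv6")
```

Decoding synthesized addresses this way lets IPv4-based egress allow lists and investigation notes be compared against what IPv6-only workloads actually connect to.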
To create a DNS64 server policy, follow these steps.
gcloud
To create a DNS64 server policy, run the gcloud dns policies create command:
gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --enable-dns64-all-queries
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks that the DNS server policy binds to
Terraform
resource "google_dns_policy" "default" {
  name = "NAME"
  dns64_config {
    scope {
      all_queries = true
    }
  }
  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "PRIVATE_IP_ADDRESS"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "PUBLIC_IP_ADDRESS"
    }
  }
  networks {
    network_url = google_compute_network.default.id
  }
}
resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}
Replace the following:
- NAME: a name for the outbound DNS64 policy
- PRIVATE_IP_ADDRESS: the IP address of an alternative name server using a private forwarding path
- PUBLIC_IP_ADDRESS: the IP address of a different alternative name server
API
To create a DNS64 server policy, use the policies.create method:
POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/policies
{
  "kind": "dns#policy",
  "networks": [
    {
      "kind": "dns#policyNetwork",
      "networkUrl": "NETWORK_URL"
    }
  ],
  "dns64Config": {
    "scope": {
      "allQueries": true
    }
  }
}
Replace the following:
- PROJECT_ID: your project ID.
- NETWORK_URL: the fully qualified URL of the VPC network that your DNS server policy must bind to, formatted as follows: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME. Specify the network that contains the IPv6-only subnets and instances.
Verify if a DNS64 server policy is enabled
gcloud
To list all DNS server policies in your project, run the dns policies list command:
gcloud dns policies list
To get detailed information about a specific DNS64 server policy, run the gcloud dns policies describe command:
gcloud dns policies describe NAME
Replace NAME with the name of the DNS64 server policy about which you want detailed information.
Disable a DNS64 server policy
gcloud
To disable a DNS64 server policy, run the dns policies update command:
gcloud dns policies update NAME \
    --no-enable-dns64-all-queries
Replace NAME with the name of the DNS64 server policy that you want to disable.
What's next
- To configure NAT64 for Public NAT translation from IPv6 to IPv4 addresses, follow the instructions in Create a Cloud NAT gateway.
- To get an overview of DNS server policies, see DNS server policies.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshoot Cloud DNS.