Logging and monitoring

This page provides information about logging and monitoring metrics for Cloud DNS including private zones and forwarding zones. This page also provides instructions for monitoring the propagation of your public DNS changes.

Using private DNS logging

Private DNS logging tracks queries that name servers resolve for your Virtual Private Cloud (VPC) networks. Queries from an external entity directly to a public zone are not logged because a public name server handles them.

Logged queries can come from Compute Engine virtual machine (VM) instances, Google Kubernetes Engine containers in the same VPC network, peering zones, or on-premises clients that use inbound DNS forwarding. Private DNS zones, forwarding DNS zones, alternative name servers, internal Google Cloud DNS zones, or external DNS zones might eventually resolve the queries.

Log records belong to the project that owns the network that carried the request. In the case of Shared VPC, the log records belong to the host project because the host project owns the network.

Enabling and disabling logging

Use DNS policies to enable and disable logging for your networks.

To enable logging for a network that does not have a DNS policy, run the dns policies create command.

gcloud

gcloud dns policies create POLICY_NAME \
    --networks=NETWORK \
    --enable-logging \
    --description=DESCRIPTION

Replace the following:

  • POLICY_NAME: the name of the DNS policy
  • NETWORK: one or more networks in a comma-separated list
  • DESCRIPTION: a description of the policy

To enable logging for a network that has an existing DNS policy, run the dns policies update command.

gcloud

gcloud dns policies update POLICY_NAME \
    --networks=NETWORK \
    --enable-logging

Replace the following:

  • POLICY_NAME: the name of the DNS policy
  • NETWORK: one or more networks in a comma-separated list

To turn off logging while leaving the policy in place, run the dns policies update command.

gcloud

gcloud dns policies update POLICY_NAME \
    --networks=NETWORK \
    --no-enable-logging

Replace the following:

  • POLICY_NAME: the name of the DNS policy
  • NETWORK: one or more networks in a comma-separated list

To delete the policy entirely, run the dns policies delete command.

gcloud

gcloud dns policies delete POLICY_NAME \

Replace POLICY_NAME with the name of the DNS policy that you want to delete.

Viewing logs

Console

In the Google Cloud Console, go to the Logs Explorer page.

Go to Logs Explorer

Viewing record format fields

Every log entry has the following fields, if applicable. Some of the fields are also shared with monitoring metrics.

Field Field type Description Used in metrics
source_type String Source of the query: inbound-forwarding, gce-vm Yes
location String Google Cloud region, for example us-east1, from which the response was served Yes
project_id String Google Cloud project ID of the network from which the query was received Yes
target_type String Type of target resolving the DNS query: private-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external Yes
target_name String The target name, for example zone name, policy name, internal zone name, external domain name Yes
queryName String / DNS DNS query name, RFC 1035 4.1.2. No
queryType String / DNS DNS query type, RFC 1035 4.1.2. No
responseCode Number / DNS Response code, RFC 1035 4.1.1. No
rdata String / DNS DNS answer in presentation format, RFC 1035 5.1, truncated to 260 bytes No
authAnswer Boolean / DNS Authoritative answer, RFC 1035 No
sourceNetwork String / Source Network from which the query reached our system No
vmInstanceId Number / Source Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs No
vmInstanceName String / Source Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs No
vmProjectId String / Source Google Cloud project ID of the network from which the query was sent, only applicable to queries initiated by Compute Engine VMs No
vmZoneName String / Source Name of the VM zone from which the query was sent, only applicable to queries initiated by Compute Engine VMs No
sourceIP String / Source IP originating the query No
destinationIP String / Target Target IP address, only applicable for forwarding cases No
protocol String / DNS TCP | UDP No
egressError String

Egress proxy error, the actual error reported by the egress proxy as received from the on-premises DNS server

This field can be used to differentiate an actual SERVFAIL returned by the on-premises DNS versus a network error encountered by the egress proxy.

No

Troubleshooting outbound forwarding

If you receive logs containing SERVFAIL that are missing certain fields such as destinationIP, egressIP, and egressError, see the related section in the Troubleshooting documentation.

Monitoring metrics

Cloud DNS exports monitoring metrics to Cloud Monitoring.

You can monitor the rate of DNS queries and responses that point to private zones, forwarding zones, policy forwarding, internal Google Cloud zones, and the internet. Monitoring is available on the Google Cloud Console Monitoring page and in the Cloud Monitoring API.

Private DNS exports the dns.googleapis.com/query/response_count delta metric that contains the response_code label to count the number of queries per response code.

The response_code label is of type string with the possible values of NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, and UNKNOWN. For definitions of these codes, see the IANA DNS RCODEs.

The metric is exported under the dns_query resource type by using the applicable fields of the log record format.

Monitoring DNS propagation

When you use the gcloud command-line tool or the REST API to make changes, the changes are initially marked as pending until the operation is completed. You can use the gcloud tool or the REST API to check on the status of changes or get a history of changes.

An operation is completed (status: done) when Cloud DNS has successfully updated the system that controls the servers. There might still be delays before all name servers are updated.

Listing changes for a managed zone

To list changes for a managed zone, see the following options.

gcloud

Run the dns record-sets changes list command:

gcloud dns record-sets changes list --zone=ZONE

Replace ZONE with the name of the managed zone whose record sets you want to manage.

Python

def list_changes(project_id, zone_name):
    client = dns.Client(project=project_id)
    zone = client.zone(zone_name)

    changes = zone.list_changes()

    return [(change.started, change.status) for change in changes]

Verifying DNS propagation

To monitor and verify that the DNS name server has picked up your changes, you can use the watch and dig commands. The following example demonstrates how to look up your name server and check to see when one of your managed zone's name servers has picked up a change to an MX record.

To look up your zone's name servers, run the dns managed-zones describe command:

gcloud dns managed-zones describe ZONE_NAME

Replace ZONE_NAME with the name of your Cloud DNS zone.

To check if the records are available yet on your authoritative name server, run the following dig command:

watch dig example.com in MX @ZONE_NAME_SERVER

Replace ZONE_NAME_SERVER with one of the name servers from the managed zone.

The watch command runs the dig command every 2 seconds by default. You can use this command to determine when your authoritative name server picks up your change, which should happen within 120 seconds. After your authoritative name server has the change, DNS resolvers can start to pick up the new record. Resolvers that already have the previous record cached wait for the previous TTL value of the record to expire.

To run dig against your system's name server, you can remove the @<address> from the dig command. If you would like to monitor propagation to other name servers, you can change the address to point to other name servers.

What's next