Configure Cloud DNS server policies

This page describes how to configure Cloud DNS server policies and use them with Virtual Private Cloud (VPC) networks. Before you use this page, review the DNS server policies overview.

Before you begin

The Cloud DNS API requires that you create a Google Cloud project and enable the Cloud DNS API.

If you are creating an application that uses the REST API, you must also create an OAuth 2.0 client ID.

  1. If you don't already have one, sign up for a Google Account.
  2. Enable the Cloud DNS API in the Google Cloud console. You can choose an existing Compute Engine or App Engine project, or you can create a new project.
  3. If you need to make requests to the REST API, you need to create an OAuth 2.0 ID. See Setting up OAuth 2.0.
  4. In the project, note the following information that you need to input in later steps:
    • The client ID (xxxxxx.apps.googleusercontent.com).
    • The project ID that you want to use. You can find the ID at the top of the Overview page in the Google Cloud console. You can also ask your user to provide the project name that they want to use in your app.

If you have not run the Google Cloud CLI previously, you must run the following command to specify the project name and authenticate with the Google Cloud console:

gcloud auth login

To choose a different project than one you have chosen previously, specify the --project option at the command line.

Create DNS server policies

Each DNS server policy object can define any of the following server policies:

Each VPC network can reference no more than one DNS server policy. If you need to define both inbound and outbound forwarding for a VPC network, create one policy that defines both an inbound and an outbound policy.

Create an inbound server policy

To create an inbound server policy, follow these instructions. Cloud DNS creates a set of inbound forwarder IP addresses from the primary IPv4 address ranges of subnets in each VPC network to which the policy applies. After you create your policy, you can list the entry points that Cloud DNS creates.

gcloud

To create an inbound server policy, run the dns policies create command:

gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --enable-inbound-forwarding

Replace the following:

  • NAME: a name for the policy
  • DESCRIPTION: a description for the policy
  • VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound forwarding addresses must be created

Terraform

resource "google_dns_policy" "default" {
  name                      = "example-inbound-policy"
  enable_inbound_forwarding = true

  networks {
    network_url = google_compute_network.default.id
  }
}

resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}

Create an outbound server policy

To specify a list of alternative name servers for a VPC network, you can create an outbound server policy.

gcloud

To create an outbound server policy, run the dns policies create command:

gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --alternative-name-servers=ALTERNATIVE_NAMESERVER_LIST \
    --private-alternative-name-servers=PRIVATE_ALTERNATIVE_NAMESERVER_LIST

Replace the following:

  • NAME: a name for the policy
  • DESCRIPTION: a description for the policy
  • VPC_NETWORK_LIST: a comma-delimited list of VPC networks that query the alternative name servers
  • ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers; private routing is only used for alternative name servers that have RFC 1918 addresses
  • PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers, accessed by using private routing

Terraform

resource "google_dns_policy" "default" {
  name = "example-outbound-policy"

  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "172.16.1.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }

  networks {
    network_url = google_compute_network.default.id
  }
}

resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}

Create a server policy for both

gcloud

To create a DNS server policy for both inbound and outbound forwarding, run the dns policies create command:

gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --alternative-name-servers=ALTERNATIVE_NAMESERVER_LIST \
    --private-alternative-name-servers=PRIVATE_ALTERNATIVE_NAMESERVER_LIST \
    --enable-inbound-forwarding

Replace the following:

  • NAME: a name for the policy
  • DESCRIPTION: a description for the policy
  • VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound forwarding addresses must be created and that must query the alternative name servers
  • ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers. Private routing is only used for alternative name servers that have RFC 1918 addresses.
  • PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers, accessed by using private routing.

Terraform

resource "google_dns_policy" "example_policy" {
  name                      = "example-policy"
  enable_inbound_forwarding = true

  enable_logging = true

  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "172.16.1.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }

  networks {
    network_url = google_compute_network.network_1.id
  }
  networks {
    network_url = google_compute_network.network_2.id
  }
}

resource "google_compute_network" "network_1" {
  name                    = "network-1"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_2" {
  name                    = "network-2"
  auto_create_subnetworks = false
}

List inbound forwarder entry points

When an inbound server policy applies to a VPC network, Cloud DNS creates a set of regional internal IP addresses that serve as destinations to which your on-premises systems or name resolvers can send DNS queries. These addresses serve as entry points to the name resolution order of your VPC network.

Google Cloud firewall rules do not apply to the regional internal addresses that act as entry points for inbound forwarders. Cloud DNS accepts TCP and UDP traffic on port 53 automatically.

Each inbound forwarder accepts and receives queries from Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) in the same region as the regional internal IP address. VM instances can access the inbound forwarder through any of the internal IP addresses in the same VPC network. To access inbound forwarding, either the network interface must have an external IP address or a subnet of the NIC must have Private Google Access enabled.

gcloud

To list the set of regional internal IP addresses that serve as entry points for inbound forwarding, run the compute addresses list command:

gcloud compute addresses list \
    --filter='purpose = "DNS_RESOLVER"' \
    --format='csv(address, region, subnetwork)'

Update DNS policies

The following sections provide information about changing VPC networks and enabling or disabling inbound forwarding.

Change VPC networks

The following list describes what happens when you change the list of VPC networks to which a DNS policy applies:

  • If the policy specifies an inbound policy, entry points for inbound forwarders are created in VPC networks as needed.
  • If the policy specifies an outbound policy, the name resolution order of each VPC network is updated to include the specified alternative name servers.

gcloud

To modify the list of networks to which a DNS server policy applies, run the dns policies update command:

gcloud dns policies update NAME \
    --networks=VPC_NETWORK_LIST

Replace the following:

  • NAME: a name for the policy
  • VPC_NETWORK_LIST: a comma-delimited list of VPC networks to which the policy applies; the list of VPC networks that you specify replaces the previous list

Enable or disable inbound forwarding

You can enable inbound forwarding for a DNS server policy that defines only an outbound policy (alternative name server). You can also disable inbound forwarding for an existing DNS policy.

gcloud

To enable inbound forwarding for a DNS server policy, run the dns policies update command:

gcloud dns policies update NAME \
    --enable-inbound-forwarding

To disable inbound forwarding for a DNS server policy, run the dns policies update command:

gcloud dns policies update NAME \
    --no-enable-inbound-forwarding

Replace NAME with the name of the policy.

List DNS policies

gcloud

To list DNS server policies in your project, run the dns policies list command:

gcloud dns policies list

Delete a DNS policy

gcloud

To delete a server policy, run the dns policies delete command:

gcloud dns policies delete NAME

Replace NAME with the name of the policy to delete.

What's next