This page describes how to configure Cloud DNS server policies and use them with Virtual Private Cloud (VPC) networks. Before you use this page, review the DNS server policies overview.
Before you begin
The Cloud DNS API requires that you create a Google Cloud project and enable the Cloud DNS API.
If you are creating an application that uses the REST API, you must also create an OAuth 2.0 client ID.
- If you don't already have one, sign up for a Google Account.
- Enable the Cloud DNS API in the Google Cloud console. You can choose an existing Compute Engine or App Engine project, or you can create a new project.
- If you need to make requests to the REST API, you need to create an OAuth 2.0 ID. See Setting up OAuth 2.0.
- In the project, note the following information that you need to input in later steps:
  - The client ID (xxxxxx.apps.googleusercontent.com).
  - The project ID that you want to use. You can find the ID at the top of the Overview page in the Google Cloud console. You can also ask your user to provide the project name that they want to use in your app.
If you have not run the Google Cloud CLI previously, you must run the following command to specify the project name and authenticate with the Google Cloud console:
gcloud auth login
To choose a different project than one you have chosen previously, specify the --project option at the command line.
Create DNS server policies
Each DNS server policy object can define any of the following server policies:
- An inbound server policy, enabling inbound forwarding
- An outbound server policy, specifying one or more alternative name servers
- Both an inbound and an outbound server policy
Each VPC network can reference no more than one DNS server policy. If you need to define both inbound and outbound forwarding for a VPC network, create one policy that defines both an inbound and an outbound policy.
Create an inbound server policy
To create an inbound server policy, follow these instructions. Cloud DNS creates a set of inbound forwarder IP addresses from the primary IPv4 address ranges of subnets in each VPC network to which the policy applies. After you create your policy, you can list the entry points that Cloud DNS creates.
gcloud
To create an inbound server policy, run the dns policies create command:
gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --enable-inbound-forwarding
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound forwarding addresses must be created
Create an outbound server policy
To specify a list of alternative name servers for a VPC network, you can create an outbound server policy.
gcloud
To create an outbound server policy, run the dns policies create command:
gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --alternative-name-servers=ALTERNATIVE_NAMESERVER_LIST \
    --private-alternative-name-servers=PRIVATE_ALTERNATIVE_NAMESERVER_LIST
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks that query the alternative name servers
- ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers; private routing is only used for alternative name servers that have RFC 1918 addresses
- PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers, accessed by using private routing
Create a server policy for both
gcloud
To create a DNS server policy for both inbound and outbound forwarding, run the dns policies create command:
gcloud dns policies create NAME \
    --description=DESCRIPTION \
    --networks=VPC_NETWORK_LIST \
    --alternative-name-servers=ALTERNATIVE_NAMESERVER_LIST \
    --private-alternative-name-servers=PRIVATE_ALTERNATIVE_NAMESERVER_LIST \
    --enable-inbound-forwarding
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound forwarding addresses must be created and that must query the alternative name servers
- ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers. Private routing is only used for alternative name servers that have RFC 1918 addresses.
- PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers, accessed by using private routing.
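The following script is an added example, not part of the Cloud DNS documentation or of any Google-provided tooling. It builds the "both inbound and outbound" create command from the sections above and, before running it, reports which addresses in ALTERNATIVE_NAMESERVER_LIST are not RFC 1918 addresses, since the documentation states that private routing is only used for RFC 1918 entries in that list; any other entry there is reached by public routing and, if it is actually a private server, belongs in --private-alternative-name-servers instead. The policy name, description, network names and name server addresses are constructed placeholders, and the DRY_RUN variable and the is_rfc1918, public_routed_servers and run helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the Cloud DNS docs): create a server policy that
# defines both inbound and outbound forwarding, after checking which
# alternative name servers Cloud DNS will reach over public routing.
# All names and addresses below are constructed placeholders.

# is_rfc1918 IP: succeed if IP is a valid IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# public_routed_servers LIST: print each comma-delimited address in LIST that is
# not RFC 1918, i.e. an alternative name server that is queried over public routing.
public_routed_servers() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for addr in "$@"; do
        [ -n "$addr" ] || continue
        is_rfc1918 "$addr" || printf '%s\n' "$addr"
    done
}

# run CMD...: print the command unless DRY_RUN=0, in which case execute it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

POLICY_NAME=example-hybrid-policy                       # constructed
DESCRIPTION="Inbound from on-prem resolvers, outbound to corporate DNS"
NETWORKS=vpc-prod,vpc-shared                            # constructed VPC network names
ALT_SERVERS=192.168.10.53,203.0.113.53                  # constructed; second is a public (documentation range) address
PRIVATE_ALT_SERVERS=100.64.0.53                         # constructed; not RFC 1918, reached by private routing because of the flag

public=$(public_routed_servers "$ALT_SERVERS")
if [ -n "$public" ]; then
    echo "note: queried over public routing (use --private-alternative-name-servers if private): $public" >&2
fi

run gcloud dns policies create "$POLICY_NAME" \
    --description="$DESCRIPTION" \
    --networks="$NETWORKS" \
    --alternative-name-servers="$ALT_SERVERS" \
    --private-alternative-name-servers="$PRIVATE_ALT_SERVERS" \
    --enable-inbound-forwarding
```

Run it as is to see the command it would issue; run it with DRY_RUN=0 to execute the create command against the active gcloud project.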
List inbound forwarder entry points
When an inbound server policy applies to a VPC network, Cloud DNS creates a set of regional internal IP addresses that serve as destinations to which your on-premises systems or name resolvers can send DNS queries. These addresses serve as entry points to the name resolution order of your VPC network.
Google Cloud firewall rules do not apply to the regional internal addresses that act as entry points for inbound forwarders. Cloud DNS accepts TCP and UDP traffic on port 53 automatically.
Each inbound forwarder accepts and receives queries from Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) in the same region as the regional internal IP address. VM instances can access the inbound forwarder through any of the internal IP addresses in the same VPC network. To access inbound forwarding, either the network interface must have an external IP address or a subnet of the NIC must have Private Google Access enabled.
gcloud
To list the set of regional internal IP addresses that serve as entry points for inbound forwarding, run the compute addresses list command:
gcloud compute addresses list \
    --filter='purpose = "DNS_RESOLVER"' \
    --format='csv(address, region, subnetwork)'
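Because an inbound forwarder only receives queries from Cloud VPN tunnels or Cloud Interconnect attachments in its own region, a practical check after listing the entry points is to confirm that every region where your hybrid connectivity terminates actually has one. The script below is an added example, not part of the Cloud DNS documentation: ENTRY_POINTS is constructed sample output in the csv(address, region, subnetwork) shape produced by the command above, HYBRID_REGIONS is a constructed list of regions with VPN or Interconnect attachments, and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the Cloud DNS docs): verify that each region with
# hybrid connectivity has an inbound forwarder entry point, and list the
# addresses on-premises resolvers in a region should forward to.

# Constructed sample output; in practice populate it with
#   ENTRY_POINTS=$(gcloud compute addresses list \
#       --filter='purpose = "DNS_RESOLVER"' \
#       --format='csv(address, region, subnetwork)')
ENTRY_POINTS='address,region,subnetwork
10.10.0.2,us-central1,subnet-usc1
10.20.0.2,europe-west1,subnet-euw1'

# Regions where Cloud VPN tunnels or Cloud Interconnect attachments terminate (constructed).
HYBRID_REGIONS="us-central1 europe-west1 asia-east1"

# entry_point_regions CSV: print the region column, one per line, skipping the header.
entry_point_regions() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && NF >= 2 { print $2 }'
}

# regions_without_entry_point CSV REGIONS: print each space-separated region in
# REGIONS that has no inbound forwarder entry point in CSV.
regions_without_entry_point() {
    have=$(entry_point_regions "$1")
    for r in $2; do
        printf '%s\n' "$have" | grep -qxF "$r" || printf '%s\n' "$r"
    done
}

# entry_points_in_region CSV REGION: print the forwarder addresses in REGION;
# these are the targets on-premises resolvers in that region can forward to.
entry_points_in_region() {
    printf '%s\n' "$1" | awk -F, -v region="$2" 'NR > 1 && $2 == region { print $1 }'
}

missing=$(regions_without_entry_point "$ENTRY_POINTS" "$HYBRID_REGIONS")
if [ -n "$missing" ]; then
    echo "regions with hybrid connectivity but no inbound forwarder entry point:" >&2
    printf '  %s\n' $missing >&2
fi
for r in $HYBRID_REGIONS; do
    for a in $(entry_points_in_region "$ENTRY_POINTS" "$r"); do
        echo "$r: forward on-prem queries to $a (TCP/UDP 53)"
    done
done
```

A region reported as missing needs a subnet with a primary IPv4 range in one of the policy's VPC networks in that region, since that is where Cloud DNS allocates the entry point; queries arriving through a tunnel in that region would otherwise have no same-region forwarder to reach.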
Update DNS policies
The following sections provide information about changing VPC networks and enabling or disabling inbound forwarding.
Change VPC networks
The following list describes what happens when you change the list of VPC networks to which a DNS policy applies:
- If the policy specifies an inbound policy, entry points for inbound forwarders are created in VPC networks as needed.
- If the policy specifies an outbound policy, the name resolution order of each VPC network is updated to include the specified alternative name servers.
gcloud
To modify the list of networks to which a DNS server policy applies, run the dns policies update command:
gcloud dns policies update NAME \
    --networks=VPC_NETWORK_LIST
Replace the following:
- NAME: a name for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks to which the policy applies; the list of VPC networks that you specify replaces the previous list
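Because --networks replaces the policy's whole network list rather than appending to it, an update that names only the network being added silently drops every other network from the policy. The script below is an added example, not part of the Cloud DNS documentation: it merges the networks to add into the current list, reports anything the new list would drop, and only then issues the update. The policy and network names are constructed, CURRENT_NETWORKS stands in for the list you would read from gcloud dns policies describe, and the merged_networks, dropped_networks and run helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the Cloud DNS docs): compute the full --networks list
# before running "gcloud dns policies update", because the flag replaces the
# previous list. Names below are constructed placeholders.

# merged_networks CURRENT ADD: print CURRENT followed by the networks in ADD that
# are not already present (both comma-delimited), keeping order, no duplicates.
merged_networks() {
    printf '%s,%s\n' "$1" "$2" | tr ',' '\n' |
        awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}

# dropped_networks CURRENT NEW: print each network in CURRENT that NEW no longer
# contains, i.e. networks the update would remove from the policy.
dropped_networks() {
    new_list=$(printf '%s\n' "$2" | tr ',' '\n')
    printf '%s\n' "$1" | tr ',' '\n' | while read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$new_list" | grep -qxF "$n" || printf '%s\n' "$n"
    done
}

# run CMD...: print the command unless DRY_RUN=0, in which case execute it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

POLICY_NAME=example-hybrid-policy      # constructed
CURRENT_NETWORKS=vpc-prod,vpc-shared   # constructed; in practice read the policy's
                                       # current networks from gcloud dns policies describe
ADD_NETWORKS=vpc-dev                   # constructed network to add

NEW_NETWORKS=$(merged_networks "$CURRENT_NETWORKS" "$ADD_NETWORKS")
dropped=$(dropped_networks "$CURRENT_NETWORKS" "$NEW_NETWORKS")
[ -z "$dropped" ] || echo "warning: update would drop these networks from the policy: $dropped" >&2

run gcloud dns policies update "$POLICY_NAME" --networks="$NEW_NETWORKS"
```

To remove a network deliberately, set NEW_NETWORKS to the reduced list yourself; the warning then serves as a confirmation of what the policy will stop covering.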
Enable or disable inbound forwarding
You can enable inbound forwarding for a DNS server policy that defines only an outbound policy (alternative name server). You can also disable inbound forwarding for an existing DNS policy.
gcloud
To enable inbound forwarding for a DNS server policy, run the dns policies update command:
gcloud dns policies update NAME \
    --enable-inbound-forwarding
To disable inbound forwarding for a DNS server policy, run the dns policies update command:
gcloud dns policies update NAME \
    --no-enable-inbound-forwarding
Replace NAME with the name of the policy.
List DNS policies
gcloud
To list DNS server policies in your project, run the dns policies list command:
gcloud dns policies list
Delete a DNS policy
gcloud
To delete a server policy, run the dns policies delete command:
gcloud dns policies delete NAME
Replace NAME with the name of the policy to delete.
What's next
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.