DNS server policies

You can configure one DNS server policy for each Virtual Private Cloud (VPC) network. The policy can specify inbound DNS forwarding, outbound DNS forwarding, or both. In this section, inbound server policy refers to a policy that permits inbound DNS forwarding. Outbound server policy refers to one possible method for implementing outbound DNS forwarding. It is possible for a policy to be both an inbound server policy and an outbound server policy if it implements the features of both.

For more information, see Applying Cloud DNS server policies.

Inbound server policy

Each VPC network provides DNS name resolution services to the VMs that use it. When a VM uses its metadata server 169.254.169.254 as its name server, Google Cloud searches for DNS records according to the name resolution order.

By default, a VPC network's name resolution services—through its name resolution order—are only available to that VPC network itself. You can create an inbound server policy in your VPC network to make these name resolution services available to an on-premises network that is connected using Cloud VPN or Cloud Interconnect.

When you create an inbound server policy, Cloud DNS takes an internal IP address from the primary IP address range of each subnet that your VPC network uses. For example, if you have a VPC network that contains two subnets in the same region and a third subnet in a different region, a total of three IP addresses are reserved for inbound forwarding. Cloud DNS uses these internal IP addresses as entry points for inbound DNS requests.

Inbound server policy entry points

The regional internal IP addresses used by Cloud DNS for the inbound server policy serve as entry points into the name resolution services of the VPC network. As a best practice, routing to an inbound server policy entry point in a region should be handled by Cloud VPN tunnels or Cloud Interconnect attachments in the same region. For Cloud VPN tunnels using dynamic routing and for all Cloud Interconnect attachments, Cloud Router manages a BGP session, including advertisement of inbound entry point IP addresses. Cloud Router default route advertisements include inbound entry point IP addresses because their IP addresses come from the VPC network's subnets. For detailed information about Cloud Router advertisement options, see Route advertisement modes in the Cloud Router documentation.

Regardless of the entry point's region, Cloud DNS uses the region of the VPN tunnel or Cloud Interconnect attachment (VLAN) as the canonical source for the request. For more information, see Manage DNS routing policies.

For information about how to create inbound server policies, see Creating an inbound server policy.

Outbound server policy

You can change the name resolution order by creating an outbound server policy that specifies a list of alternative name servers. When you specify alternative name servers for a VPC network, those servers are the only name servers that Google Cloud queries when handling DNS requests from VMs in your VPC network that are configured to use their metadata servers (169.254.169.254).

For information about how to create outbound server policies, see Creating an outbound server policy.

Alternative name servers and routing methods

Cloud DNS supports three types of alternative name servers and offers standard and private routing methods for routing traffic to them.

Alternative name servers are defined in the following table.

Alternative name server Description Standard routing supports Private routing supports Source of requests
Type 1 An internal IP address of a Google Cloud VM in the same VPC network where the outbound server policy is defined. Only RFC 1918 IP addresses—traffic always routed through an authorized VPC network. Any internal IP address, including non-RFC 1918 private IP addresses and privately re-used public IP addresses—traffic always routed through an authorized VPC network. 35.199.192.0/19
Type 2 An IP address of an on-premises system, connected to the VPC network with the outbound server policy, using Cloud VPN or Cloud Interconnect. Only RFC 1918 IP addresses—traffic always routed through an authorized VPC network. Any internal IP address, including non-RFC 1918 private IP addresses and privately re-used public IP addresses—traffic always routed through an authorized VPC network. 35.199.192.0/19
Type 3 An external IP address of a DNS name server accessible to the internet or the external IP address of a Google Cloud resource; for example, the external IP address of a VM in another VPC network. Only internet-routable external IP addresses—traffic always routed to the internet or to the external IP address of a Google Cloud resource. Private routing isn't supported. Google Public DNS source ranges

You can choose one of the following routing methods when you specify the alternative name server of an outbound server policy:

  • Standard routing: Routes traffic through an authorized VPC network or over the internet based on whether the alternative name server is an RFC 1918 IP address. If the alternative name server is an RFC 1918 IP address, Cloud DNS classifies the name server as either a Type 1 or Type 2 name server, and routes requests through an authorized VPC network. If the alternative name server is not an RFC 1918 IP address, Cloud DNS classifies the name server as Type 3, and expects the name server to be internet accessible.

  • Private routing: Always routes traffic through an authorized VPC network, regardless of the alternative name server's IP address (RFC 1918 or not). Consequently, only Type 1 and Type 2 name servers are supported.

To access a Type 1 or a Type 2 alternative name server, Cloud DNS uses routes in the authorized VPC network, where the DNS client is located. These routes define a secure path to the name server:

For additional guidance about network requirements for Type 1 and Type 2 name servers, see alternative name server network requirements.

Alternative name server selection order

Cloud DNS lets you configure a list of alternative name servers for an outbound server policy and a list of forwarding targets for a forwarding zone.

In case of multiple alternative name servers, Cloud DNS uses an internal algorithm to select an alternative name server. This algorithm ranks each alternative name server.

To process a request, Cloud DNS first tries a DNS query by contacting the alternative name server with the highest ranking. If that server does not respond, Cloud DNS repeats the request to the next highest ranked alternative name server. If no alternative name servers reply, Cloud DNS synthesizes a SERVFAIL response.

The ranking algorithm is automatic, and the following factors increase the ranking of an alternative name server:

  • The higher the number of successful DNS responses processed by the alternative name server. Successful DNS responses include NXDOMAIN responses.
  • The lower the latency (round-trip time) for communicating with the alternative name server.