Cloud DNS uses the following procedure to answer queries from Compute Engine virtual machine (VM) instances and Google Kubernetes Engine (GKE) nodes.
For Compute Engine VMs other than GKE nodes, Cloud DNS follows the VPC network resolution order to process queries it receives. Each VM must be configured to use the metadata server IP address (169.254.169.254) as its name server.
For GKE nodes:
- Cloud DNS first attempts to match a query using cluster-scoped response policies and private zones.
- Cloud DNS continues by following the VPC network resolution order.
Cluster-scoped response policies and private zones
Match using rules in GKE cluster-scoped response policies. Cloud DNS scans all applicable GKE cluster-scoped response policies for a rule where the DNS name attribute matches as much of the query as possible. Cloud DNS uses longest-suffix matching to scan cluster-scoped response policies:
If Cloud DNS finds a matching response policy rule and the rule serves local data, then Cloud DNS returns the local data as its response, completing the name resolution process.
If Cloud DNS finds a matching response policy rule and the rule's behavior bypasses the response policy, then Cloud DNS continues to the next step.
If Cloud DNS fails to find a matching response policy or if there isn't an applicable cluster-scoped response policy for the node, then Cloud DNS continues to the next step.
Match records in cluster-scoped private zones. Cloud DNS scans all cluster-scoped managed private zones for a record that matches as much of the query as possible. Cloud DNS uses longest-suffix matching to find records in cluster-scoped private zones:
If the most specific match for the query is a record in a cluster-scoped managed private zone, then Cloud DNS returns the record data as its response, completing the name resolution process.
If the most specific match for the query is the zone name of a cluster-scoped forwarding zone, then Cloud DNS forwards the query to one of the forwarding zone's forwarding targets to complete the name resolution process. Cloud DNS returns one of the following responses:
- The response received from the forwarding target.
- A SERVFAIL response, if the forwarding target does not respond to Cloud DNS.
If the query does not match any cluster-scoped private zone, Cloud DNS continues to the VPC network resolution order.
VPC network resolution order
VPC network alternative name server: If the VPC network has an outbound server policy, Google Cloud forwards the query to one of the alternative servers defined in that policy to complete the name resolution process. Cloud DNS returns one of the following responses:
- The response received from the alternative name server.
- A SERVFAIL response, if the alternative name server does not respond to Cloud DNS.
If the VPC network does not have an outbound server policy, Cloud DNS continues to the next step.
Match using rules in VPC network-scoped response policies. Cloud DNS scans all applicable VPC network response policies for a rule where the DNS name attribute matches as much of the query as possible. Cloud DNS uses longest-suffix matching to scan network-scoped response policies:
If Cloud DNS finds a matching response policy rule and the rule serves local data, then Cloud DNS returns the local data as its response, completing the name resolution process.
If Cloud DNS finds a matching response policy rule and the rule's behavior bypasses the response policy, then Cloud DNS continues to the next step.
If Cloud DNS fails to find a matching response policy or if there isn't an applicable network-scoped response policy for the VM or node, then Cloud DNS continues to the next step.
Match records in VPC network-scoped managed private zones and Compute Engine .internal zones. Cloud DNS scans all applicable Compute Engine internal DNS zones and all managed private zones authorized for the VPC network for a record that matches as much of the query as possible. Cloud DNS uses longest-suffix matching to find records:
If the most specific match for the query is a Compute Engine internal DNS name, Cloud DNS returns the internal IPv4 address of the VM's network interface as its response, completing the name resolution process. A record from a managed private zone only takes precedence over an automatically created Compute Engine internal DNS name when the record in the private zone is a more specific match.
If the most specific match for the query is a record in a network-scoped managed private zone, Cloud DNS returns the record data as its response, completing the name resolution process.
If the most specific match for the query is the zone name of a network-scoped forwarding zone, then Cloud DNS forwards the query to one of the forwarding zone's forwarding targets to complete the name resolution process. Cloud DNS returns one of the following responses:
- The response received from the forwarding target.
- A SERVFAIL response, if the forwarding target does not respond to Cloud DNS.
If the most specific match for the query is the name of a network-scoped peering zone, Cloud DNS stops the current name resolution process and begins a new name resolution process from the perspective of the peering zone's target VPC network.
If the query matches neither a Compute Engine internal DNS name nor a private zone, forwarding zone, or peering zone, Cloud DNS continues to the next step.
Match record using public DNS query: Google Cloud follows the start of authority (SOA) record to query publicly available zones, including Cloud DNS public zones. Cloud DNS returns one of the following responses:
- The response received from an authoritative name server.
- An NXDOMAIN response, if the record does not exist.
Example
Suppose that you have two VPC networks, vpc-a and vpc-b, and a GKE cluster, cluster-a, along with the following scoped resources:
- vpc-a is authorized to query the following private zones. Note the trailing dot in each entry:
  - static.example.com.
  - 10.internal.
  - peer.com. is a peering zone that can query the VPC name resolution order of vpc-b.
- vpc-a is not associated with any outbound server or response policies.
- cluster-a is authorized to query a private zone called example.com.
- cluster-a is also not associated with any outbound server or response policies.

A VM in cluster-a can query:
- example.com and children (including static.example.com), answered by the private zone called example.com, authorized to cluster-a.
- 10.internal on vpc-a.
- peer.com by using the peering zone.

A VM that is not in cluster-a can query:
- static.example.com and children, answered by the private zone called static.example.com authorized to vpc-a. Queries for example.com return internet responses.
- 10.internal on vpc-a.
- peer.com by using the peering zone.
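To make the resolution order and the example above concrete, here is a toy resolver, added as an illustration and not Cloud DNS code or its API. It walks the steps described on this page (cluster-scoped response policies and private zones first for GKE nodes, then the VPC network order: outbound server policy, network-scoped response policies, private, forwarding and peering zones together with Compute Engine internal names, and finally public DNS) using longest-suffix matching, and loads the vpc-a, vpc-b and cluster-a scenario from the example. The Zone and Scope classes, every record and IP address, and the contents of vpc-b are constructed for the example. The model also assumes that a matching private zone is authoritative for every name under it, so a name the zone lacks gets NXDOMAIN rather than a public lookup; that is how the example's "example.com and children" behaviour is read here.

```python
"""Toy model of the Cloud DNS resolution order on this page. Added illustration
only: classes, resolver and every address are constructed, not Cloud DNS code."""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_DNS = {"example.com.": "203.0.113.10"}  # constructed stand-in for public DNS

def normalize(name: str) -> str:
    """Lowercase and add the trailing dot that the page's zone entries carry."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def longest_suffix(name: str, candidates) -> Optional[str]:
    """The longest candidate equal to `name` or a label-aligned parent of it."""
    hits = [c for c in candidates if name == c or name.endswith("." + c)]
    return max(hits, key=len) if hits else None

@dataclass
class Zone:
    kind: str                                    # "private", "forwarding" or "peering"
    records: dict = field(default_factory=dict)  # private zones: name -> data
    target: Optional[str] = None                 # forwarding target or peered network
    reachable: bool = True                       # does the forwarding target answer?

@dataclass
class Scope:
    """What one resolution scope (a VPC network or a GKE cluster) can see."""
    name: str
    zones: dict = field(default_factory=dict)            # zone name -> Zone
    response_policy: dict = field(default_factory=dict)  # suffix -> data or "bypass"
    alternative_name_server: Optional[str] = None        # outbound server policy (VPC)
    internal_names: dict = field(default_factory=dict)   # Compute Engine .internal -> IPv4

def _match_policy(scope: Scope, name: str):
    """Response-policy step: local data answers; bypass or no rule falls through."""
    rule = longest_suffix(name, scope.response_policy)
    if rule is None or scope.response_policy[rule] == "bypass":
        return None
    return ("ANSWER", scope.response_policy[rule], f"{scope.name}/response-policy")

def _match_zones(scope: Scope, name: str, networks: dict):
    """Zone step: longest-suffix match over zones plus, for a VPC, its Compute
    Engine internal names (exact names, so a private-zone record wins over them
    only when it is the more specific match)."""
    best = longest_suffix(name, list(scope.zones) + list(scope.internal_names))
    if best is None:
        return None
    if best in scope.internal_names:
        return ("ANSWER", scope.internal_names[best], f"{scope.name}/internal-dns")
    zone, src = scope.zones[best], f"{scope.name}/{best}"
    if zone.kind == "private":
        # Assumption: a matching private zone is authoritative for every name
        # under it, so a name it lacks is NXDOMAIN rather than a public lookup.
        return ("ANSWER", zone.records[name], src) if name in zone.records \
            else ("NXDOMAIN", None, src)
    if zone.kind == "forwarding":  # unresponsive target -> SERVFAIL, as on the page
        return ("FORWARDED", zone.target, src) if zone.reachable else ("SERVFAIL", None, src)
    return resolve_vpc(networks[zone.target], name, networks)  # peering: restart there

def resolve_vpc(net: Scope, name: str, networks: dict):
    """The VPC network resolution order from the page."""
    if net.alternative_name_server:  # an outbound server policy takes every query
        return ("FORWARDED", net.alternative_name_server, f"{net.name}/outbound-policy")
    answer = _match_policy(net, name) or _match_zones(net, name, networks)
    if answer:
        return answer
    return ("ANSWER", PUBLIC_DNS[name], "public-dns") if name in PUBLIC_DNS \
        else ("NXDOMAIN", None, "public-dns")

def resolve(name: str, network: Scope, networks: dict, cluster: Optional[Scope] = None):
    """GKE nodes try cluster-scoped policies and zones first, then the VPC order."""
    name = normalize(name)
    if cluster is not None:
        answer = _match_policy(cluster, name) or _match_zones(cluster, name, networks)
        if answer:
            return answer
    return resolve_vpc(network, name, networks)

# The page's example; record data and vpc-b's contents are constructed.
VPC_B = Scope("vpc-b", zones={"peer.com.": Zone("private", {"app.peer.com.": "10.2.0.7"})})
VPC_A = Scope("vpc-a", zones={
    "static.example.com.": Zone("private", {"static.example.com.": "10.1.0.5"}),
    "10.internal.": Zone("private", {"db.10.internal.": "10.0.0.10"}),
    "peer.com.": Zone("peering", target="vpc-b"),
}, internal_names={"vm1.us-central1-a.c.my-project.internal.": "10.128.0.2"})
CLUSTER_A = Scope("cluster-a", zones={"example.com.": Zone(
    "private", {"example.com.": "10.3.0.1", "static.example.com.": "10.3.0.2"})})
NETWORKS = {"vpc-a": VPC_A, "vpc-b": VPC_B}

if __name__ == "__main__":
    for q, cl in [("static.example.com", CLUSTER_A), ("static.example.com", None),
                  ("www.example.com", CLUSTER_A), ("example.com", None),
                  ("db.10.internal", None), ("app.peer.com", None)]:
        who = cl.name if cl else "plain VM"
        print(f"{q:20} {who:9} -> {resolve(q, VPC_A, NETWORKS, cl)}")
```

Running the script shows the point the example makes: the same query for static.example.com is answered by the cluster-scoped example.com zone on a cluster-a node but by the network-scoped static.example.com zone on any other VM, and a query for example.com reaches the internet only from outside the cluster. Because a private zone shadows everything beneath its name, a public name such as www.example.com returns NXDOMAIN to cluster nodes under the assumption above while other VMs resolve it publicly; when an answer looks wrong, checking the scopes in this order (cluster, then outbound policy, then network response policies and zones) locates which layer produced it.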
What's next
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.
- To learn how to configure response policies, see Manage response policies and rules.