Managing Zones

This page provides directions for creating Cloud DNS managed zones. Before you use this page, familiarize yourself with the Cloud DNS concepts.

Before you begin

The Cloud DNS API requires that you create a Cloud DNS project and enable the Cloud DNS API.

If you are creating an application that uses the REST API, you must also create an OAuth 2.0 client ID.

  1. If you don't already have one, sign up for a Google account.
  2. Enable the Cloud DNS API in the Cloud Console. You can choose an existing Compute Engine or App Engine project, or you can create a new project.
  3. If you need to make requests to the REST API, you will need to create an OAuth 2.0 ID: Setting up OAuth 2.0.
  4. Note the following information in the project that you will need to input in later steps:
    • The client ID (xxxxxx.apps.googleusercontent.com).
    • The project ID that you wish to use. You can find the ID at the top of the Overview page in the Cloud Console. You could also ask your user to provide the project name that they want to use in your app.

If you have not run the gcloud command-line tool previously, you must run the following command to specify the project name and authenticate with the Cloud Console:

gcloud auth login

If you want to run a gcloud command on Google Cloud resources in another project, specify the --project option for this command and for the other gcloud commands throughout this page.

Creating managed zones

Each managed zone that you create is associated with a Google Cloud project. The following sections describe how to create the type of managed zone that Cloud DNS supports.

Creating a public zone

To create a new managed zone:

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Public for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the zone using a domain name that you own. All records in the zone share this suffix, for example: example.com.

  5. Under DNSSEC, select Off, On, or Transfer. For more information, see DNSSEC configuration.

  6. Click Create. The Zone details page is displayed.

gcloud

To create a new managed zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --labels=labels \
    --visibility=public

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.com
  • labels: An optional comma-delimited list of key-value pairs such as Dept:Marketing or Project:project1. For more details, see the SDK documentation.

API

To create a managed zone with the API, send a POST request using the managedZones.create method:

POST https://www.googleapis.com/dns/v1/projects/project-id/managedZones
{
  "name": "name",
  "description": "description",
  "dnsName": "dns-name",
  "visibility": "public"
}

Replace the following command options:

  • project-id: The ID of the project where the managed zone is created
  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.com

Creating a private zone

To create a new managed private zone with private DNS records managed by Cloud DNS, follow these directions. For additional information, see Best practices for Cloud DNS private zones.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix, for example: example.private.

  5. Optionally, add a Description.

  6. Select VPC networks to which the private zone is visible. Only the VPC networks that you select are authorized to query records in the zone.

  7. Click Create.

gcloud

To create a new managed private zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --networks=vpc-network-list \
    --labels=labels \
    --visibility=private

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private
  • vpc-network-list: A comma-delimited list of VPC networks that are authorized to query the zone. These networks must be in the same project as the zone.
  • labels: An optional comma-delimited list of key-value pairs such as Dept:Marketing or Project:project1. For more details, see the SDK documentation.

API

To create a managed private zone with the API, send a POST request using the managedZones.create method:

POST https://www.googleapis.com/dns/v1/projects/project-id/managedZones
{
  "name": "name",
  "description": "description",
  "dnsName": "dns-name",
  "visibility": "private",
  "privateVisibilityConfig": {
    "kind": "dns#managedZonePrivateVisibilityConfig",
    "networks": [
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-1"
      },
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-2"
      },
      ...
    ]
  }
}

Replace the following command options:

  • project-id: The ID of the project where the managed zone is created
  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private
  • vpc-network-1 and vpc-network-2: URLs for VPC networks, in the same project, that can query records in this zone. You can add multiple VPC networks as indicated. To determine the URL for a VPC network, use the following gcloud command, replacing vpc-network-name with the network's name:

    gcloud compute networks describe vpc-network-name \
       --format="get(selfLink)"
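The public and private zone request bodies above can be assembled and checked before anything is sent. The following Python is an added example, not code from the Cloud DNS documentation or from Google: it assumes the selfLink layout https://www.googleapis.com/compute/v1/projects/PROJECT/global/networks/NETWORK (the value the gcloud compute networks describe command above prints), assumes the project ID format it validates, and the function names and sample values are its own. It enforces the page's rule that every authorized VPC network must live in the same project as the zone, and normalizes the DNS name to the absolute form (trailing dot) the API stores, which gcloud otherwise adds for you.

```python
# Added example, not from the Cloud DNS documentation: assemble and sanity-check
# the managedZones.create request body for a public or private zone.
import json
import re

# Assumed selfLink layout of a VPC network; it is what
#   gcloud compute networks describe NAME --format="get(selfLink)"
# prints, but nothing here calls the API.
COMPUTE_API = "https://www.googleapis.com/compute/v1"
NETWORK_URL_RE = re.compile(
    rf"^{re.escape(COMPUTE_API)}/projects/(?P<project>[^/]+)/global/networks/(?P<network>[^/]+)$"
)
# Assumed project ID shape: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def network_url(project_id: str, network_name: str) -> str:
    """selfLink for a VPC network, the value privateVisibilityConfig needs."""
    return f"{COMPUTE_API}/projects/{project_id}/global/networks/{network_name}"


def project_of_network_url(url: str) -> str:
    """Project ID embedded in a VPC network selfLink (ValueError if malformed)."""
    m = NETWORK_URL_RE.match(url)
    if m is None:
        raise ValueError(f"not a VPC network selfLink: {url!r}")
    return m.group("project")


def build_managed_zone(project_id, name, dns_name, description="",
                       visibility="public", networks=()):
    """Return the JSON body for POST .../projects/{project_id}/managedZones.

    networks: VPC network names (resolved in project_id) or full selfLinks.
    Every network must be in the same project as the zone, as the page requires.
    """
    if not PROJECT_ID_RE.match(project_id):
        raise ValueError(f"invalid project ID: {project_id!r}")
    if visibility not in ("public", "private"):
        raise ValueError(f"visibility must be public or private: {visibility!r}")
    # The API uses absolute DNS names; gcloud appends the trailing dot for you.
    dns_name = dns_name if dns_name.endswith(".") else dns_name + "."
    body = {"name": name, "description": description,
            "dnsName": dns_name, "visibility": visibility}
    if visibility == "public":
        if networks:
            raise ValueError("authorized networks apply only to private zones")
        return body
    urls = [n if n.startswith("https://") else network_url(project_id, n)
            for n in networks]
    for url in urls:
        if project_of_network_url(url) != project_id:
            raise ValueError(f"{url} is not in project {project_id}")
    # An empty list yields a private zone that no network can query yet;
    # networks can be added later with managed-zones update --networks.
    body["privateVisibilityConfig"] = {
        "kind": "dns#managedZonePrivateVisibilityConfig",
        "networks": [{"kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                      "networkUrl": url} for url in urls],
    }
    return body


if __name__ == "__main__":
    # Constructed sample values; nothing is sent to the API.
    zone = build_managed_zone("my-project-1", "my-new-zone", "example.private",
                              description="internal names", visibility="private",
                              networks=["prod-vpc", "shared-vpc"])
    print("POST https://www.googleapis.com/dns/v1/projects/my-project-1/managedZones")
    print(json.dumps(zone, indent=2))
```

The cross-project check matters because a selfLink pasted from another project is syntactically valid JSON and only fails at the API; catching it locally keeps the "same project as the zone" rule visible in code review.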

Creating a Service Directory DNS zone

You can create a Service Directory zone that allows your Google Cloud-based services to query your Service Directory namespace through DNS.

For detailed instructions on how to create a Service Directory DNS zone, see Configuring a Service Directory DNS zone.

For instructions on how to query your Service Directory using DNS, see Querying using DNS.

Creating a managed reverse lookup private zone

A managed reverse lookup zone is a private zone with a special attribute that instructs Cloud DNS to perform a PTR lookup against Compute Engine DNS data. You must set up managed reverse lookup zones for Cloud DNS to correctly resolve non-RFC 1918 PTR records for your VMs.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the zone. The suffix must end with in-addr.arpa to be a reverse zone. This DNS name must match the reverse lookup name of the non-RFC 1918 PTR records you are trying to resolve through Cloud DNS. For example, if you are trying to match the PTR record for 20.20.1.2, you must create a reverse lookup zone with the DNS name 2.1.20.20.in-addr.arpa.

  5. Optionally, add a Description.

  6. Under Options, select Managed reverse lookup zone.

  7. Select the networks to which the private zone will be visible.

  8. Click Create.

gcloud

To create a new managed reverse lookup private zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --networks=vpc-network-list \
    --visibility=private \
    --managed-reverse-lookup=true

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your reverse zone. It must end in .in-addr.arpa. Typically, reverse zones take the form ${ip_block_in_reverse}.in-addr.arpa.
  • vpc-network-list: A comma-delimited list of VPC networks containing the Google Cloud resources to which PTR records resolve
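Getting the reversed-octet name right is the part of this procedure that is easiest to get wrong, so here is an added Python example (not from the Cloud DNS documentation) that derives the in-addr.arpa zone name for a single address, as in the 20.20.1.2 example above, or for an octet-aligned block in the ${ip_block_in_reverse}.in-addr.arpa form, and checks whether a given zone name would cover a particular address's PTR record. The function names and sample addresses are its own.

```python
# Added example, not from the Cloud DNS documentation: derive and validate the
# DNS name of a managed reverse lookup zone.
import ipaddress

REVERSE_SUFFIX = "in-addr.arpa"


def reverse_zone_name(ip_or_block: str) -> str:
    """in-addr.arpa name a reverse lookup zone must use for ip_or_block.

    A single address yields its full PTR owner name
    (20.20.1.2 -> 2.1.20.20.in-addr.arpa, the page's example); a block yields
    the name covering the whole block (10.1.0.0/16 -> 1.10.in-addr.arpa).
    Only octet-aligned IPv4 blocks (/8, /16, /24, /32) map to one name.
    """
    net = ipaddress.ip_network(ip_or_block, strict=True)
    if net.version != 4:
        raise ValueError("in-addr.arpa names cover IPv4 only")
    if net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError(f"/{net.prefixlen} is not octet aligned; use /8, /16, /24 or /32")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + REVERSE_SUFFIX


def is_reverse_zone_name(dns_name: str) -> bool:
    """True if dns_name ends with in-addr.arpa, with or without a trailing dot,
    which is what Cloud DNS requires of a managed reverse lookup zone."""
    name = dns_name.rstrip(".").lower()
    return name == REVERSE_SUFFIX or name.endswith("." + REVERSE_SUFFIX)


def covers(zone_dns_name: str, ip: str) -> bool:
    """True if the PTR owner name of ip lies under zone_dns_name, i.e. this
    zone is the one Cloud DNS would consult for that address."""
    if not is_reverse_zone_name(zone_dns_name):
        return False
    ptr = ipaddress.ip_address(ip).reverse_pointer  # e.g. '2.1.20.20.in-addr.arpa'
    zone = zone_dns_name.rstrip(".").lower()
    return ptr == zone or ptr.endswith("." + zone)


if __name__ == "__main__":
    # Constructed sample inputs.
    for target in ("20.20.1.2", "10.1.0.0/16", "192.0.2.0/24"):
        print(f"{target:>14} -> {reverse_zone_name(target)}")
    print(covers("1.10.in-addr.arpa", "10.1.5.6"), covers("1.10.in-addr.arpa", "10.2.5.6"))
```

Misaligned blocks are rejected rather than silently truncated, because a /20 block written as a /16 zone would make Cloud DNS answer PTR queries for addresses the zone was never meant to cover.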

Creating a forwarding zone

To create a new managed private forwarding zone, follow these directions. Before you begin, ensure that you understand the differences between standard and private routing and the network requirements for forwarding targets.

For additional information, see Best practices for Cloud DNS forwarding zones.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix. For example, example.private.

  5. Optionally, add a Description.

  6. Under Options, select Forward queries to another server.

  7. Select the networks to which the private zone will be visible.

  8. Click Add item to add the IPv4 addresses of a forwarding target. You can add multiple IP addresses.

  9. To force private routing to the forwarding target, check the box next to Enable under Private forwarding. For important background information about routing methods to forwarding targets, see Forwarding targets and routing methods.

  10. Click Create.

gcloud

To create a new managed private forwarding zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --networks=vpc-network-list \
    --forwarding-targets=forwarding-targets-list \
    --private-forwarding-targets=private-forwarding-targets-list \
    --visibility=private

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private
  • vpc-network-list: A comma-delimited list of VPC networks that are authorized to query the zone. These networks must be in the same project as the zone.
  • forwarding-targets-list: A comma-delimited list of IP addresses to which queries are sent. RFC 1918 IP addresses specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible. For important background information, see Forwarding targets and routing methods.
  • private-forwarding-targets-list: A comma-delimited list of IP addresses to which queries are sent. Any IP address specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. For important background information, see Forwarding targets and routing methods.

API

To create a managed private forwarding zone with the API, send a POST request using the managedZones.create method:

POST https://www.googleapis.com/dns/v1/projects/project-id/managedZones
{
  "name": "name",
  "description": "description",
  "dnsName": "dns-name",
  "visibility": "private",
  "privateVisibilityConfig": {
    "kind": "dns#managedZonePrivateVisibilityConfig",
    "networks": [
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-1"
      },
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-2"
      },
      ...
    ]
  },
  "forwardingConfig": {
    "kind": "dns#managedZoneForwardingConfig",
    "targetNameServers": [
      {
        "kind": "dns#managedZoneForwardingConfigNameServerTarget",
        "ipv4Address": "forwarding-target-1"
      },
      {
        "kind": "dns#managedZoneForwardingConfigNameServerTarget",
        "ipv4Address": "forwarding-target-2"
      },
      ...
    ]
  }
}

Replace the following command options:

  • project-id: The ID of the project where the managed zone is created
  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private.
  • vpc-network-1 and vpc-network-2: URLs for VPC networks, in the same project, that are able to query records in this zone. You can add multiple VPC networks as indicated. To determine the URL for a VPC network, describe the network with the following gcloud command, replacing vpc-network-name with the network's name:

    gcloud compute networks describe vpc-network-name \
       --format="get(selfLink)"
    
  • forwarding-target-1 and forwarding-target-2: IP addresses of forwarding target name servers. You can add multiple forwarding targets as indicated. RFC 1918 IP addresses specified here must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible. Refer to Forwarding targets and routing methods for important background information.

Creating a peering zone

Create a new managed private peering zone when you need one VPC network, called the consumer network, to query the VPC name resolution order of another VPC network, called the producer network. For important background information, see DNS peering.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix, for example: example.private.

  5. Optionally, add a Description.

  6. Select the networks to which the private zone must be visible.

  7. Under DNS peering, select the box next to Enable DNS peering.

  8. Under Peer project, select a peer project.

  9. Under Peer network, select a peer network.

  10. Click Create.

gcloud

  1. In the project that contains the consumer VPC network, identify or create a service account.

  2. Grant the DNS Peer role to the service account (from the previous step) in the project that contains the producer VPC network.

    gcloud projects add-iam-policy-binding producer-project-id \
       --member=service-account \
       --role=roles/dns.peer
    

    Replace the following command options:

    • producer-project-id: The ID of the project containing the producer VPC network
    • service-account: The service account, in the project containing the consumer VPC network, created or identified in the first step
  3. In the project that contains the consumer VPC network, create a new managed private peering zone using the dns managed-zones create command:

    gcloud dns managed-zones create name \
      --description=description \
      --dns-name=dns-suffix \
      --networks=consumer-vpc-network \
      --account=service-account \
      --target-network=producer-vpc-network \
      --target-project=producer-project-id \
      --visibility=private
    

    Replace the following command options:

    • name: A name for your zone
    • description: A description for your zone
    • dns-name: The DNS suffix for your zone, like example.com
    • consumer-vpc-network: The name of the consumer VPC network
    • service-account: The service account, in the project containing the consumer VPC network, identified in the first step. If omitted, the gcloud command-line tool uses the currently active Cloud IAM member, as indicated by gcloud auth list.
    • producer-vpc-network: The name of the producer VPC network
    • producer-project-id: The ID of the project containing the producer VPC network

Updating managed zones

Cloud DNS allows you to modify certain attributes of your managed public or managed private zone.

Updating public zones

You can change the description or DNSSEC configuration of a public zone.

Console

  1. Go to the Cloud DNS page in the Cloud Console.

  2. Click the public zone you want to update.

  3. Click Edit.

  4. To change DNSSEC settings, under DNSSEC, select Off, On, or Transfer. For more information, see DNSSEC configuration.

  5. Optionally update the description.

  6. Click Save.

gcloud

To update a managed zone, use the dns managed-zones update command:

gcloud dns managed-zones update name \
    --description=description \
    --dnssec-state=state

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • state: The DNSSEC state for the zone: off, on, or transfer

Updating authorized networks for a private zone

To modify the VPC networks to which a private zone is visible:

Console

  1. Go to the Cloud DNS page in the Cloud Console.

  2. Click the private zone you want to update.

  3. Click Edit.

  4. Select the VPC networks to which the private zone is visible. Only the selected VPC networks are authorized to query records in the zone.

  5. Click Save.

gcloud

To update authorized VPC networks of a managed private zone, use the dns managed-zones update command:

gcloud dns managed-zones update name \
    --description=description \
    --networks=vpc-network-list

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • vpc-network-list: A comma-delimited list of VPC networks that are authorized to query the zone. These networks must be in the same project as the zone.

Updating labels

To add new, change existing, remove selected, or clear all labels on a managed zone, use the dns managed-zones update commands as shown:

gcloud dns managed-zones update name \
    --update-labels=labels
gcloud dns managed-zones update name \
    --remove-labels=labels
gcloud dns managed-zones update name \
    --clear-labels

Replace the following command options:

  • name: A name for your zone
  • labels: An optional comma-delimited list of key-value pairs such as Dept:Marketing or Project:project1. For more details, see the SDK documentation.

Listing and describing managed zones

Listing managed zones

To list all of your zones within a project:

Console

  1. Managed zones are shown on the Cloud DNS zone page in the Cloud Console.

gcloud

To list all managed zones, use the dns managed-zones list command:

gcloud dns managed-zones list

To list all managed public zones, modify the command as follows:

gcloud dns managed-zones list \
   --filter="visibility=public"

To list all managed private zones, modify the command as follows:

gcloud dns managed-zones list \
   --filter="visibility=private"

Describing a managed zone

To view attributes of a managed zone:

Console

  1. Go to the Cloud DNS zone page in the Cloud Console.

  2. Click the zone that you want to inspect.

gcloud

To view attributes of a managed zone, use the dns managed-zones describe command:

gcloud dns managed-zones describe name

Replace the following command options:

  • name: The name of your zone

Deleting a managed zone

Console

  1. Go to the Cloud DNS page in the Cloud Console.

  2. Click the managed zone that you want to delete.

  3. Remove all records in the zone except for the SOA and NS records. For more information, see Adding or removing a record.

  4. Click Delete zone.

gcloud

  1. Remove all records in the zone except for the SOA and NS records. For more information, see Adding or removing a record. You can quickly empty an entire zone by importing an empty file into a record set. For more information, see Importing and exporting record sets. For example:

    touch empty-file
    gcloud dns record-sets import -z name \
       --delete-all-existing \
       empty-file
    rm empty-file
    

    Replace the following command options:

    • name: The name of your zone
  2. To delete the managed zone, use the dns managed-zones delete command:

    gcloud dns managed-zones delete name
    

    Replace the following command options:

    • name: The name of your zone

Forwarding target network requirements

When Cloud DNS sends requests to forwarding targets, it sends packets with the source ranges listed in the following table. For additional background information about the different types of targets, see forwarding targets and routing methods.

Forwarding target types and the source ranges Cloud DNS uses for each:

  • Type 1 targets (VMs in a VPC network authorized to use the forwarding zone) and Type 2 targets (on-premises, connected to a VPC network authorized to use the forwarding zone): 35.199.192.0/19. Cloud DNS uses the 35.199.192.0/19 source range for all customers. This range is only accessible from a Google Cloud VPC network or from an on-premises network connected to a VPC network.
  • Type 3 targets (internet accessible): Google Public DNS source ranges.

Type 1 and type 2 targets

Cloud DNS requires the following in order to access a Type 1 or a Type 2 target. These requirements are the same whether the target is an RFC 1918 IP address and you're using standard routing or if you've explicitly chosen private routing:

  • Firewall configuration for 35.199.192.0/19: For Type 1 targets, create an ingress allow firewall rule for TCP and UDP port 53 traffic, applicable to your forwarding targets in each authorized VPC network. For Type 2 targets, configure an on-premises network firewall and similar equipment to permit TCP and UDP port 53.
  • Route to the forwarding target: For Type 1 targets, Cloud DNS uses a subnet route to access the target in the VPC network authorized to use the forwarding zone. For Type 2 targets, Cloud DNS uses either custom dynamic or custom static routes, except for tagged static routes, to access the forwarding target.
  • Return route to 35.199.192.0/19 through the same VPC network: For Type 1 targets, Google Cloud automatically adds a special return route for the 35.199.192.0/19 destination. For Type 2 targets, your on-premises network must have a route for the 35.199.192.0/19 destination, whose next hop is in the same VPC network and region where the request originated, through a Cloud VPN tunnel or Cloud Interconnect attachment (VLAN). For information on how to meet this requirement, see return route strategies for type 2 targets.

  • Direct response from target: Cloud DNS requires that the forwarding target that receives packets be the one that sends replies to 35.199.192.0/19. If your forwarding target sends the request to a different name server, and that other name server responds to 35.199.192.0/19, Cloud DNS ignores the response. For security reasons, Google Cloud expects the source address of each target name server's DNS reply to match the IP address of the forwarding target.
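The target-type rules from the forwarding zone options (RFC 1918 versus non-RFC 1918 addresses, standard versus private routing) and the firewall and direct-response requirements above can be checked before a zone is created. The following Python is an added example, not code from the Cloud DNS documentation or from Google: the RFC 1918 ranges and the 35.199.192.0/19 source range are as stated on the page, the sample target addresses and reply records are constructed, and the function names are its own. It classifies each target, reports which source range its firewall must admit on TCP and UDP port 53, splits a target list into the two gcloud flag values, and applies the direct-response rule to a set of sample replies.

```python
# Added example, not from the Cloud DNS documentation: classify forwarding
# targets, derive firewall source ranges, and model the direct-response rule.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_DNS_SOURCE = ipaddress.ip_network("35.199.192.0/19")   # range stated on the page


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def target_type(ip: str, private_routing: bool, on_prem: bool = False) -> int:
    """1 = VM in an authorized VPC network, 2 = on-premises over Cloud VPN or
    Cloud Interconnect, 3 = internet accessible.

    An RFC 1918 address under standard routing, or any address under private
    routing, must be reached inside the VPC or on-premises (Type 1 or 2);
    only a non-RFC 1918 address under standard routing is a Type 3 target.
    """
    if private_routing or is_rfc1918(ip):
        return 2 if on_prem else 1
    return 3


def required_source_range(ttype: int) -> str:
    """Source the target's firewall must allow on TCP/UDP 53."""
    if ttype in (1, 2):
        return str(CLOUD_DNS_SOURCE)
    return "Google Public DNS source ranges"


def gcloud_flags(targets):
    """Split (ip, private_routing) pairs into the two gcloud flag values."""
    standard = [ip for ip, private in targets if not private]
    private = [ip for ip, private in targets if private]
    flags = []
    if standard:
        flags.append("--forwarding-targets=" + ",".join(standard))
    if private:
        flags.append("--private-forwarding-targets=" + ",".join(private))
    return flags


def accepted_replies(target_ip: str, replies):
    """Direct-response rule: Cloud DNS only uses a reply whose source address
    is the forwarding target itself and whose destination is the
    35.199.192.0/19 address the query came from. Each reply is a constructed
    (src_ip, dst_ip, query_id) tuple; the accepted query IDs are returned."""
    accepted = []
    for src, dst, query_id in replies:
        if src != target_ip:
            continue  # answered by some other server on the target's behalf: ignored
        if ipaddress.ip_address(dst) not in CLOUD_DNS_SOURCE:
            continue  # not returned to Cloud DNS's source range: never reaches it
        accepted.append(query_id)
    return accepted


if __name__ == "__main__":
    # Constructed sample targets: (ip, private_routing).
    targets = [("10.1.2.3", False), ("203.0.113.10", False), ("198.51.100.5", True)]
    for ip, private in targets:
        t = target_type(ip, private)
        print(f"{ip:>14} private_routing={private!s:5} type {t}; allow from {required_source_range(t)}")
    print(" \\\n    ".join(["gcloud dns managed-zones create my-new-zone"] + gcloud_flags(targets)))
    replies = [("10.1.2.3", "35.199.200.7", 1), ("10.9.9.9", "35.199.200.7", 2), ("10.1.2.3", "8.8.8.8", 3)]
    print("accepted query ids:", accepted_replies("10.1.2.3", replies))
```

The reply filter is the defender's view of the last bullet: a target that hands queries to another resolver which then answers Cloud DNS directly produces replies that are dropped, which surfaces as timeouts rather than errors, so the check belongs in your pre-deployment review of the forwarding target's own configuration.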

Return route strategies for type 2 targets

Cloud DNS cannot send responses from Type 2 forwarding targets over the internet, through a different VPC network, or to a different region (even if it is in the same VPC network). Responses must return to the same region and VPC network, though they can use any Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) in that same region and same network.

  • For Cloud VPN tunnels that use static routing, manually create a route in your on-premises network whose destination is 35.199.192.0/19 and whose next hop is the Cloud VPN tunnel. For Cloud VPN tunnels that use policy-based routing, configure the Cloud VPN's local traffic selector and the on-premises VPN gateway's remote traffic selector to include 35.199.192.0/19.
  • For Cloud VPN tunnels that use dynamic routing or for Cloud Interconnect, configure a custom route advertisement for 35.199.192.0/19 on the BGP session of the Cloud Router that manages the tunnel or interconnect attachment (VLAN).

Type 3 targets

When Cloud DNS accesses a non-RFC 1918 IP address using standard routing, it expects the forwarding target to be publicly accessible.

Next steps