Quotas and limits

This document lists the quotas and limits that apply to Cloud DNS.

A quota restricts how much of a particular shared Google Cloud resource your Cloud project can use, including hardware, software, and network components.

Quotas are part of a system that does the following:

  • Monitors your use or consumption of Google Cloud products and services.
  • Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
  • Maintains configurations that automatically enforce prescribed restrictions.
  • Provides a means to make or request changes to the quota.

When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Cloud project and are shared across all applications and IP addresses that use that Cloud project.

Many products and services also have limits that are unrelated to the quota system. These are constraints, such as maximum file sizes or database schema limitations, which generally cannot be increased or decreased, unless otherwise stated.

Quotas

This table highlights important global quotas for each project. For other quotas, see the Quotas page in the Google Cloud Console.

Item | Quota | Notes
Number of API queries per user, per minute | Quotas | The maximum number of API requests that an IAM user can make to the Cloud DNS API within a one-minute time period.

Limits

Unlike quotas, where you can request additional quota, limits cannot generally be increased unless specifically noted.

API usage

The number of API requests (queries) per day is governed at the project level. All API requests count against this limit, including those made from the gcloud command-line tool and through the Google Cloud Console.

Resource limits

Item | Limit | Notes
Managed zones | 10,000 | If you need to increase this limit, contact your Google Cloud sales team.
Resource record sets per managed zone | 10,000 | If you need to increase this limit, contact your Google Cloud sales team.
Records per resource record set | 100 | However, each delegation (resource record sets of type NS) can have up to eight name servers. If you need to increase this limit, contact your Google Cloud sales team.
Name servers per delegation | 8 | If you need to increase this limit, contact your Google Cloud sales team.
Additions per change | 1,000 | If you need to increase this limit, contact your Google Cloud sales team.
Deletions per change | 1,000 | If you need to increase this limit, contact your Google Cloud sales team.
Resource record data size per change | 100,000 bytes | If you need to increase this limit, contact your Google Cloud sales team.
Number of label combinations | 1,000 | If you need to increase this limit, contact your Google Cloud sales team.
Number of labels per managed zone | 64 labels and 128 bytes per key or value | This limit cannot be increased.
Number of forwarding targets in a forwarding zone | 50 | This limit cannot be increased.
Number of forwarding targets in an alternative name server | 50 | This limit cannot be increased.
Number of policy resources per project | 100 | If you need to increase this limit, contact your Google Cloud sales team.
Number of items per routing policy | 100 | If you need to increase this limit, contact your Google Cloud sales team.
Number of VPC networks bound to a policy resource | 100 | If you need to increase this limit, contact your Google Cloud sales team.
Number of VPC networks bound to a private managed zone resource | 100 | If you need to increase this limit, contact your Google Cloud sales team.
Number of managed zone resources bound to a VPC network | 10,000 | If you need to increase this limit, contact your Google Cloud sales team.
Number of GKE clusters bound to a private managed zone resource | 100 | If you need to increase this limit, contact your Google Cloud sales team.
Number of managed zone resources bound to a GKE cluster | 10,000 | If you need to increase this limit, contact your Google Cloud sales team.
Largest size of a DNS response (UDP) | 1,440 bytes |
Largest size of a DNS response (TCP) | 65,533 bytes |
Maximum query rate per VPC network | 100,000 queries in a ten-second (10s) period |

Name server limits

Cloud DNS assigns every public managed zone to one of five name server shards. The shard is the letter before the number in an authoritative name server name, so ns-cloud-e1 through ns-cloud-e4 are the E shard.

A new managed zone of a domain, for example domain.example.tld, cannot be assigned to a shard if any of the following already exists on the same shard:

  • A managed zone with the same DNS name, such as domain.example.tld
  • A subdomain of the DNS name, such as sub.domain.example.tld
  • A parent domain of the DNS name, such as example.tld

Because of these restrictions, the following limitations apply to public managed zones:

  • You can create a maximum of five zones with the exact same DNS name.
  • For any parent domain, you can create a maximum of five levels of subdomains.

This limit applies to all projects and users in Google Cloud. Non-delegated subdomains and delegations hosted on other DNS services do not count against this limit. Before Cloud DNS creates a fifth zone with the same DNS name and prevents anyone else from using that DNS name, it requires you to verify the domain ownership with a TXT record.

Multiple subdomains of the same parent domain, for example domain.example.tld and otherdomain.example.tld, can be assigned to the same shard. However, Cloud DNS might pick any available shard after considering the limitation. If you create such subdomains in each shard, you cannot create a zone for the parent domain example.tld.

You can avoid this issue by always creating managed zones for the parent domains before creating zones for their subdomains.

If the child domains are already blocking all shards, follow these steps to free a shard for the parent domain:

  1. Check the name servers for every subdomain zone to determine its shard.
  2. Find the shard (X) with the fewest (or least important) managed zones.
  3. Export zones in shard X (and change their delegations) to another DNS service.
  4. After TTLs expire for the original delegations, delete the managed zones for shard X subdomains.
  5. Create the managed zone for the parent domain; it is assigned to shard X.
  6. Restore the deleted managed zones for the subdomains, restoring subdomains before any of their own sub-subdomains. They are in new shards, so they all need updated delegations.
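
Steps 1 and 2 of the procedure above, as an added example (not part of the original documentation or Google's tooling): it reads the shard letter from each zone's name servers, finds which shards are blocked for a new DNS name under the rules listed earlier, and picks the shard with the fewest blocking zones. The zone inventory, the googledomains.com suffix in the sample names, and the assumption that the five shards are lettered a to e are constructed for illustration.

```python
import re

SHARDS = "abcde"  # assumption: the five public shards are lettered a to e
NS_RE = re.compile(r"^ns-cloud-([a-z])\d+(\.|$)", re.IGNORECASE)

def shard_of(name_servers):
    """Step 1: derive a zone's shard letter from its name server names."""
    letters = set()
    for host in name_servers:
        match = NS_RE.match(host)
        if match is None:
            raise ValueError(f"not a Cloud DNS name server: {host!r}")
        letters.add(match.group(1).lower())
    if len(letters) != 1:
        raise ValueError(f"expected one shard, found {sorted(letters)}")
    return letters.pop()

def related(a, b):
    """Same name, or one name is a subdomain of the other."""
    a, b = a.rstrip(".").lower(), b.rstrip(".").lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def plan_for(zones, new_name):
    """List free shards for new_name, else pick the shard to vacate (step 2)."""
    blockers = {s: [] for s in SHARDS}
    for dns_name, name_servers in zones:
        if related(dns_name, new_name):
            blockers.setdefault(shard_of(name_servers), []).append(dns_name)
    free = [s for s in SHARDS if not blockers[s]]
    if free:
        return {"free": free, "vacate": None, "move": []}
    # Fewest blocking zones wins; ties go to the earliest letter.
    shard = min(SHARDS, key=lambda s: len(blockers[s]))
    return {"free": [], "vacate": shard, "move": sorted(blockers[shard])}

def sample_ns(letter):
    # Constructed name server set for one shard (sample data only).
    return [f"ns-cloud-{letter}{i}.googledomains.com." for i in range(1, 5)]

# Constructed inventory of (DNS name, name servers); not real zones.
ZONES = [
    ("a.example.tld.", sample_ns("a")), ("x.c.example.tld.", sample_ns("a")),
    ("b.example.tld.", sample_ns("b")), ("y.c.example.tld.", sample_ns("b")),
    ("c.example.tld.", sample_ns("c")), ("other.tld.", sample_ns("a")),
    ("d.example.tld.", sample_ns("d")), ("z.c.example.tld.", sample_ns("d")),
    ("e.example.tld.", sample_ns("e")), ("w.c.example.tld.", sample_ns("e")),
]

if __name__ == "__main__":
    print(plan_for(ZONES, "example.tld"))
```

In this inventory every shard already holds a subdomain of example.tld, so the parent cannot be placed until one shard is vacated; shard C has a single blocking zone and is the one reported.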

Checking limits

You can run the following command to look up the limits for your project. The example shows the total limits for the various types of objects in the my-project project. The totalRrdataSizePerChange value is measured in bytes and is the combined total of both the additions and deletions for a change.

gcloud dns project-info describe my-project

Even though these are limits, Google Cloud tracks them internally as quotas, so they are labeled as quotas in the output.

id: my-project,
kind: "dns#project",
number: "123456789012",
quota:
    kind: dns#quota,
    managedZones: 10000,
    resourceRecordsPerRrset: 10000,
    rrsetAdditionsPerChange: 1000,
    rrsetDeletionsPerChange: 1000,
    rrsetsPerManagedZone: 10000,
    totalRrdataSizePerChange: 100000,
    labelSets: 1000

You can find the name of your default project and additional projects at the top of the Home page in the Google Cloud Console.