Managing Zones

This page provides directions for creating Cloud DNS managed zones. Before you use this page, familiarize yourself with the Cloud DNS concepts.

Before you begin

The Cloud DNS API requires that you create a Cloud DNS project and enable the Cloud DNS API.

If you are creating an application that uses the REST API, you must also create an OAuth 2.0 client ID.

  1. If you don't already have one, sign up for a Google account.
  2. Enable the Cloud DNS API in the Cloud Console. You can choose an existing Compute Engine or App Engine project, or you can create a new project.
  3. If you need to make requests to the REST API, you will need to create an OAuth 2.0 ID: Setting up OAuth 2.0.
  4. Note the following information in the project that you will need to input in later steps:
    • The client ID (xxxxxx.apps.googleusercontent.com).
    • The project ID that you wish to use. You can find the ID at the top of the Overview page in the Cloud Console. You could also ask your user to provide the project name that they want to use in your app.

If you have not run the gcloud command-line tool previously, you must run the following command to specify the project name and authenticate with the Cloud Console:

gcloud auth login

If you want to run a gcloud command on Google Cloud resources in another project, specify the --project option for this command and for the other gcloud commands throughout this page.

Creating managed zones

Each managed zone that you create is associated with a Google Cloud project. The following sections describe how to create the type of managed zone that Cloud DNS supports.

Creating a public zone

To create a new managed zone:

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Public for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the zone using a domain name that you own. All records in the zone share this suffix, for example: example.com.

  5. Under DNSSEC, select Off, On, or Transfer. For more information, see DNSSEC configuration.

  6. Click Create. The Zone details page is displayed.

gcloud

To create a new managed zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --labels=labels \
    --visibility=public

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.com
  • labels: An optional comma-delimited list of key-value pairs such as Dept:Marketing or Project:project1. For more details, see the SDK documentation.

API

To create a managed zone with the API, send a POST request using the managedZones.create method:

POST https://www.googleapis.com/dns/v1/projects/project-id/managedZones
{
  "name": "name",
  "description": "description",
  "dnsName": "dns-name",
  "visibility": "public"
}

Replace the following command options:

  • project-id: The ID of the project where the managed zone is created
  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.com

Creating a private zone

To create a new managed private zone with private DNS records managed by Cloud DNS, follow these directions. For additional information, see Best practices for Cloud DNS private zones.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix, for example: example.private.

  5. Optionally, add a Description.

  6. Select VPC networks to which the private zone is visible. Only the VPC networks that you select are authorized to query records in the zone.

  7. Click Create.

gcloud

To create a new managed private zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --networks=vpc-network-list \
    --labels=labels \
    --visibility=private

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private
  • vpc-network-list: A comma-delimited list of VPC networks that are authorized to query the zone. These networks must be in the same project as the zone.
  • labels: An optional comma-delimited list of key-value pairs such as Dept:Marketing or Project:project1. For more details, see the SDK documentation.

API

To create a managed private zone with the API, send a POST request using the managedZones.create method:

POST https://www.googleapis.com/dns/v1/projects/project-id/managedZones
{
  "name": "name",
  "description": "description",
  "dnsName": "dns-name",
  "visibility": "private",
  "privateVisibilityConfig": {
    "kind": "dns#managedZonePrivateVisibilityConfig",
    "networks": [
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-1"
      },
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-2"
      },
      ....
    ]
  }
}

Replace the following command options:

  • project-id: The ID of the project where the managed zone is created
  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private
  • vpc-network-1 and vpc-network-2: URLs for VPC networks, in the same project, that can query records in this zone. You can add multiple VPC networks as indicated. To determine the URL for a VPC network, use the following gcloud command, replacing vpc-network-name with the network's name:

    gcloud compute networks describe vpc-network-name \
       --format="get(selfLink)"
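The public and private request bodies above, assembled programmatically rather than by hand. This is an added example, not code from the Cloud DNS documentation or from Google's client libraries: the function names, the zone-name pattern it enforces, and the compute selfLink layout it builds network URLs from are assumptions of this example.

```python
"""Assemble managedZones.create request bodies for Cloud DNS public and private zones.

Added example; not code from the Cloud DNS documentation or Google's client
libraries. Function names, the zone-name pattern and the compute selfLink layout
are assumptions of this example.
"""
import json
import re

DNS_API = "https://www.googleapis.com/dns/v1"
COMPUTE_API = "https://www.googleapis.com/compute/v1"

# Assumed zone-name rule: a lowercase letter first, then letters, digits or hyphens
# (for example my-new-zone).
ZONE_NAME = re.compile(r"^[a-z][a-z0-9-]{0,62}$")


def create_url(project_id: str) -> str:
    """URL the POST is sent to: the managedZones collection of one project."""
    return f"{DNS_API}/projects/{project_id}/managedZones"


def network_url(project_id: str, network_name: str) -> str:
    """selfLink of a VPC network, in the form that
    `gcloud compute networks describe NAME --format="get(selfLink)"` prints."""
    return f"{COMPUTE_API}/projects/{project_id}/global/networks/{network_name}"


def parse_labels(labels: str) -> dict:
    """Parse the comma-delimited key:value list that --labels takes,
    e.g. "Dept:Marketing,Project:project1"."""
    parsed = {}
    for item in (part.strip() for part in labels.split(",")):
        if not item:
            continue
        key, sep, value = item.partition(":")
        if not sep or not key:
            raise ValueError(f"label {item!r} is not of the form key:value")
        parsed[key] = value
    return parsed


def zone_body(name, dns_name, description, visibility, *, project_id=None, networks=(), labels=""):
    """Return the JSON-serialisable body for managedZones.create.

    Public zones get the four fields shown on the page; private zones additionally
    carry a privateVisibilityConfig listing the VPC networks allowed to query the zone.
    """
    if not ZONE_NAME.match(name):
        raise ValueError(f"zone name {name!r} does not match the assumed pattern")
    if visibility not in ("public", "private"):
        raise ValueError("visibility must be 'public' or 'private'")
    if visibility == "public" and networks:
        raise ValueError("privateVisibilityConfig is only valid for private zones")
    if networks and not project_id:
        raise ValueError("project_id is needed to build network URLs")
    # The API wants an absolute DNS name; gcloud appends the trailing dot for you,
    # so do the same here for inputs like example.com.
    if not dns_name.endswith("."):
        dns_name += "."
    body = {
        "name": name,
        "description": description,
        "dnsName": dns_name,
        "visibility": visibility,
    }
    if labels:
        body["labels"] = parse_labels(labels)
    if visibility == "private":
        body["privateVisibilityConfig"] = {
            "kind": "dns#managedZonePrivateVisibilityConfig",
            "networks": [
                {
                    "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                    "networkUrl": network_url(project_id, n),
                }
                for n in networks
            ],
        }
    return body


def to_json(body: dict) -> str:
    """Serialise the body as it would be sent; json.dumps also guarantees that the
    commas and braces are balanced, which hand-written bodies often get wrong."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Constructed sample values, not a real project.
    print("POST", create_url("my-project"))
    print(to_json(zone_body("my-new-zone", "example.private", "internal names", "private",
                            project_id="my-project", networks=["vpc-a", "vpc-b"],
                            labels="Dept:Marketing,Project:project1")))
```

Building the body from a dict and serialising it is what catches the two defects that are easy to make by hand: a missing comma between "visibility" and "privateVisibilityConfig", and an unclosed brace at the end of the document.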

Creating a forwarding zone

To create a new managed private forwarding zone, follow these directions. Before you begin, ensure that you understand the differences between standard and private routing and the network requirements for forwarding targets.

For additional information, see Best practices for Cloud DNS forwarding zones.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix. For example, example.private.

  5. Optionally, add a Description.

  6. Under Options, select Forward queries to another server.

  7. Select the networks to which the private zone will be visible.

  8. Click Add item to add the IPv4 addresses of a forwarding target. You can add multiple IP addresses.

  9. To force private routing to the forwarding target, check the box next to Enable under Private forwarding. For important background information about routing methods to forwarding targets, see Forwarding targets and routing methods.

  10. Click Create.

gcloud

To create a new managed private forwarding zone, use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=dns-suffix \
    --networks=vpc-network-list \
    --forwarding-targets=forwarding-targets-list \
    --private-forwarding-targets=private-forwarding-targets-list \
    --visibility=private

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private
  • vpc-network-list: A comma-delimited list of VPC networks that are authorized to query the zone. These networks must be in the same project as the zone.
  • forwarding-targets-list: A comma-delimited list of IP addresses to which queries are sent. RFC 1918 IP addresses specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible. For important background information, see Forwarding targets and routing methods.
  • private-forwarding-targets-list: A comma-delimited list of IP addresses to which queries are sent. Any IP address specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. For important background information, see Forwarding targets and routing methods.

API

To create a managed private forwarding zone with the API, send a POST request using the managedZones.create method:

POST https://www.googleapis.com/dns/v1/projects/project-id/managedZones
{
  "name": "name",
  "description": "description",
  "dnsName": "dns-name",
  "visibility": "private",
  "privateVisibilityConfig": {
    "kind": "dns#managedZonePrivateVisibilityConfig",
    "networks": [
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-1"
      },
      {
        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
        "networkUrl": "vpc-network-2"
      },
      ....
    ]
  },
  "forwardingConfig": {
    "kind": "dns#managedZoneForwardingConfig",
    "targetNameServers": [
      {
        "kind": "dns#managedZoneForwardingConfigNameServerTarget",
        "ipv4Address": "forwarding-target-1"
      },
      {
        "kind": "dns#managedZoneForwardingConfigNameServerTarget",
        "ipv4Address": "forwarding-target-2"
      },
      ....
    ]
  }
}

Replace the following command options:

  • project-id: The ID of the project where the managed zone is created
  • name: A name for your zone
  • description: A description for your zone
  • dns-name: The DNS suffix for your zone like example.private.
  • vpc-network-1 and vpc-network-2: URLs for VPC networks, in the same project, that are able to query records in this zone. You can add multiple VPC networks as indicated. To determine the URL for a VPC network, describe the network with the following gcloud command, replacing vpc-network-name with the network's name:

    gcloud compute networks describe vpc-network-name \
       --format="get(selfLink)"
    
  • forwarding-target-1 and forwarding-target-2: IP addresses of forwarding target name servers. You can add multiple forwarding targets as indicated. RFC 1918 IP addresses specified here must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible. Refer to Forwarding targets and routing methods for important background information.

Creating a peering zone

Create a new managed private peering zone when you need one VPC network, called the consumer network, to query the VPC name resolution order of another VPC network, called the producer network. For important background information, see DNS peering.

Console

  1. Go to the Create a DNS zone page in the Cloud Console.

  2. Choose Private for the Zone type.

  3. Enter a Zone name. For example, my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix, for example: example.private.

  5. Optionally, add a Description.

  6. Select the networks to which the private zone must be visible.

  7. Under DNS peering, select the box next to Enable DNS peering.

  8. Under Peer project, select a peer project.

  9. Under Peer network, select a peer network.

  10. Click Create.

gcloud

  1. In the project that contains the consumer VPC network, identify or create a service account.

  2. Grant the DNS Peer role to the service account (from the previous step) in the project that contains the producer VPC network.

    gcloud projects add-iam-policy-binding producer-project-id \
       --member=service-account \
       --role=roles/dns.peer
    

    Replace the following command options:

    • producer-project-id: The ID of the project containing the producer VPC network
    • service-account: The service account, in the project containing the consumer VPC network, created or identified in the first step
  3. In the project that contains the consumer VPC network, create a new managed private peering zone using the dns managed-zones create command:

    gcloud dns managed-zones create name \
      --description=description \
      --dns-name=dns-suffix \
      --networks=consumer-vpc-network \
      --account=service-account \
      --target-network=producer-vpc-network \
      --target-project=producer-project-id \
      --visibility=private
    

    Replace the following command options:

    • name: A name for your zone
    • description: A description for your zone
    • dns-name: The DNS suffix for your zone, like example.com
    • consumer-vpc-network: The name of the consumer VPC network
    • service-account: The service account, in the project containing the consumer VPC network, identified in the first step. If omitted, the gcloud command-line tool uses the currently active Cloud IAM member, as indicated by gcloud auth list.
    • producer-vpc-network: The name of the producer VPC network
    • producer-project-id: The ID of the project containing the producer VPC network

Updating managed zones

Cloud DNS allows you to modify certain attributes of your managed public or managed private zone.

Updating public zones

You can change the description or DNSSEC configuration of a public zone.

Console

  1. Go to the Cloud DNS page in the Cloud Console.

  2. Click the public zone you want to update.

  3. Click Edit.

  4. To change DNSSEC settings, under DNSSEC, select Off, On, or Transfer. For more information, see DNSSEC configuration.

  5. Optionally update the description.

  6. Click Save.

gcloud

To update a managed zone, use the dns managed-zones update command:

gcloud dns managed-zones update name \
    --description=description \
    --dnssec-state=state

Replace the following command options:

  • name: The name of your zone
  • description: A description for your zone
  • state: The DNSSEC state for the zone: off, on, or transfer

Updating authorized networks for a private zone

To modify the VPC networks to which a private zone is visible:

Console

  1. Go to the Cloud DNS page in the Cloud Console.

  2. Click the private zone you want to update.

  3. Click Edit.

  4. Select the VPC networks to which the private zone is visible. Only the selected VPC networks are authorized to query records in the zone.

  5. Click Save.

gcloud

To update authorized VPC networks of a managed private zone, use the dns managed-zones update command:

gcloud dns managed-zones update name \
    --description=description \
    --networks=vpc-network-list

Replace the following command options:

  • name: A name for your zone
  • description: A description for your zone
  • vpc-network-list: A comma-delimited list of VPC networks that are authorized to query the zone. These networks must be in the same project as the zone.

Updating labels

To add new, change existing, remove selected, or clear all labels on a managed zone, use the dns managed-zones update commands as shown:

gcloud dns managed-zones update name \
    --update-labels=labels
gcloud dns managed-zones update name \
    --remove-labels=labels
gcloud dns managed-zones update name \
    --clear-labels

Replace the following command options:

  • name: A name for your zone
  • labels: An optional comma-delimited list of key-value pairs such as Dept:Marketing or Project:project1. For more details, see the SDK documentation.

Listing and describing managed zones

Listing managed zones

To list all of your zones within a project:

Console

  1. Managed zones are shown on the Cloud DNS zone page in the Cloud Console.

gcloud

To list all managed zones, use the dns managed-zones list command:

gcloud dns managed-zones list

To list only managed public zones, modify the command as follows:

gcloud dns managed-zones list \
   --filter="visibility=public"

To list all managed private zones, modify the command as follows:

gcloud dns managed-zones list \
   --filter="visibility=private"

Describing a managed zone

To view attributes of a managed zone:

Console

  1. Go to the Cloud DNS zone page in the Cloud Console.

  2. Click the zone that you want to inspect.

gcloud

To view attributes of a managed zone, use the dns managed-zones describe command:

gcloud dns managed-zones describe name

Replace the following command options:

  • name: The name of your zone

Deleting a managed zone

Console

  1. Go to the Cloud DNS page in the Cloud Console.

  2. Click the managed zone that you want to delete.

  3. Remove all records in the zone except for the SOA and NS records. For more information, see Adding or removing a record.

  4. Click Delete zone.

gcloud

  1. Remove all records in the zone except for the SOA and NS records. For more information, see Adding or removing a record. You can quickly empty an entire zone by importing an empty file into a record set. For more information, see Importing and exporting record sets. For example:

    touch empty-file
    gcloud dns record-sets import -z name \
       --delete-all-existing \
       empty-file
    rm empty-file
    

    Replace the following command options:

    • name: The name of your zone
  2. To delete the managed zone, use the dns managed-zones delete command:

    gcloud dns managed-zones delete name
    

    Replace the following command options:

    • name: The name of your zone

Forwarding target network requirements

When Cloud DNS sends requests to forwarding targets, it sends packets with the source ranges listed in the following table:

Forwarding target                                                  Source ranges
RFC 1918 forwarding targets accessed using standard routing        35.199.192.0/19
Any forwarding target accessed using private routing               35.199.192.0/19
Non-RFC 1918 forwarding targets accessed using standard routing    Google Public DNS source ranges

Private targets

When Cloud DNS accesses RFC 1918 forwarding targets using standard routing, or when Cloud DNS accesses any target using private routing, your on-premises network must meet the following requirements:

  • Permit traffic from 35.199.192.0/19: Your on-premises network firewall and similar equipment must allow packets from sources in 35.199.192.0/19. Cloud DNS uses the 35.199.192.0/19 source range for all customers. The 35.199.192.0/19 address range is only accessible from a Google Cloud VPC network or from an on-premises network connected to a VPC network.
  • Respond to 35.199.192.0/19 through a VPC network: Your on-premises network must have a route that directs response traffic destined for 35.199.192.0/19 back to your VPC network, through a Cloud VPN tunnel or Cloud Interconnect attachment (VLAN). Responses to DNS queries from forwarding targets cannot be sent through the internet. If your on-premises network responds to 35.199.192.0/19 through the internet, Google Cloud ignores the response. You can meet this routing requirement in one of two ways:
    • For Cloud VPN tunnels that use static routing, manually create a route in your on-premises network whose destination is 35.199.192.0/19 and whose next hop is the Cloud VPN tunnel. For Cloud VPN tunnels that use policy-based routing, configure the Cloud VPN's local traffic selector and the on-premises VPN gateway's remote traffic selector to include 35.199.192.0/19.
    • For Cloud VPN tunnels that use dynamic routing or for Cloud Interconnect, configure a custom route advertisement on the Cloud Router that manages the tunnel or interconnect attachment (VLAN).
  • Direct response from forwarding target: Cloud DNS requires that the forwarding target name server that receives packets be the one that sends the reply to 35.199.192.0/19. If your name server sends the request to a different name server, and that other name server responds to 35.199.192.0/19, Cloud DNS ignores the response. For security reasons, Google Cloud expects the source address of each forwarding target's DNS reply to match the IP address of the forwarding target.
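A small checker that applies the rules above: it classifies each forwarding target the way the --forwarding-targets and --private-forwarding-targets options do, reports which source range the on-premises firewall must permit (the table at the top of this section), and tests a reply against the three private-target requirements. This is an added example, not code from the Cloud DNS documentation; the function names and the sample addresses are this example's own, and the Google Public DNS source ranges, which the page does not enumerate, are represented by a placeholder label.

```python
"""Check forwarding targets against the network requirements described above.

Added example; not code from the Cloud DNS documentation. It encodes the rules
this page states for --forwarding-targets (standard routing),
--private-forwarding-targets (private routing), the 35.199.192.0/19 source range
and reply handling; function names and sample values are this example's own.
"""
import ipaddress

# Source range Cloud DNS uses for RFC 1918 targets under standard routing and
# for any target under private routing.
CLOUD_DNS_SOURCE = ipaddress.ip_network("35.199.192.0/19")
# Non-RFC 1918 targets under standard routing see Google Public DNS source ranges.
# The page does not enumerate them, so this example uses a placeholder label.
PUBLIC_DNS_SOURCE = "<Google Public DNS source ranges>"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_target(ip: str, private_routing: bool) -> dict:
    """Where a target must be reachable and which source range it must accept.

    private_routing=True corresponds to --private-forwarding-targets (or the
    Enable box under Private forwarding in the console)."""
    if private_routing or is_rfc1918(ip):
        return {"target": ip,
                "routing": "private" if private_routing else "standard",
                "location": "VPC network or connected on-premises network",
                "source": str(CLOUD_DNS_SOURCE)}
    return {"target": ip, "routing": "standard", "location": "internet accessible",
            "source": PUBLIC_DNS_SOURCE}


def required_source_ranges(targets) -> set:
    """Set of sources an on-premises or target-side firewall must permit.
    `targets` is an iterable of (ip, private_routing) pairs."""
    return {classify_target(ip, priv)["source"] for ip, priv in targets}


def reply_accepted(target_ip, reply_src, reply_dst, via_vpc, private_routing=False):
    """Apply the three 'Private targets' requirements to one DNS reply.

    Returns (accepted, reason). via_vpc says whether the reply came back over a
    Cloud VPN tunnel or Cloud Interconnect attachment rather than the internet."""
    spec = classify_target(target_ip, private_routing)
    if spec["source"] != str(CLOUD_DNS_SOURCE):
        raise ValueError("public target under standard routing; private-target rules do not apply")
    if ipaddress.ip_address(reply_dst) not in CLOUD_DNS_SOURCE:
        return False, "reply not addressed to 35.199.192.0/19"
    if not via_vpc:
        return False, "reply routed through the internet is ignored"
    if ipaddress.ip_address(reply_src) != ipaddress.ip_address(target_ip):
        return False, "reply must come from the forwarding target itself, not another name server"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed targets: an on-premises resolver, a resolver forced onto private
    # routing, and a public resolver (documentation address ranges, not real hosts).
    targets = [("10.1.2.53", False), ("203.0.113.53", True), ("198.51.100.53", False)]
    for ip, priv in targets:
        print(classify_target(ip, priv))
    print(sorted(required_source_ranges(targets)))
    print(reply_accepted("10.1.2.53", "10.1.2.53", "35.199.200.7", via_vpc=True))
    print(reply_accepted("10.1.2.53", "10.1.9.9", "35.199.200.7", via_vpc=True))
```

The last call shows the case that is easiest to misdiagnose in practice: the on-premises resolver hands the query to a second server, that server answers 35.199.192.0/19 directly, and Cloud DNS drops the answer because the reply's source address is not the forwarding target's.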

Public targets

When Cloud DNS accesses a non-RFC 1918 forwarding target using standard routing, it expects the name server to be publicly accessible.
