Cloud DNS controls for generative AI use cases

This document includes the best practices and guidelines for Cloud DNS when running generative AI workloads on Google Cloud. Use Cloud DNS with Vertex AI to register, manage, and serve your domain.

Required Cloud DNS controls

The following controls are strongly recommended when using Cloud DNS.

Enable DNS Security Extensions

Google control ID: DNS-CO-6.1
Category: Required
Description:

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It doesn't provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.

Within Cloud DNS, enable DNSSEC in the following places:

  • DNS zone
  • Top-level domain (TLD)
  • DNS resolution
Applicable products
  • Cloud DNS
Related NIST-800-53 controls
  • SC-7
  • SC-8
Related CRI profile controls
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4
Related information

Optional Cloud DNS controls

We recommend that you implement the following security controls in folders that contain generative AI workloads.

Use zonal DNS

Google control ID: DNS-CO-4.1
Category: Optional
Description:

The compute.setNewProjectDefaultToZonalDNSOnly boolean constraint lets you set the internal DNS setting for new projects to use zonal DNS only. Use zonal DNS because it offers higher reliability: zonal DNS isolates failures in DNS registration to individual zones, so a registration problem in one zone does not affect name resolution in the others.

Applicable products
  • Organization policy
Path: constraints/compute.setNewProjectDefaultToZonalDNSOnly
Operator: =
Value:
  • True
Type: Boolean
Related NIST-800-53 controls
  • AC-3
  • AC-17
  • AC-20
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1
Related information
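
Both controls on this page can be expressed as infrastructure code. The following Terraform is an added example and is not part of the original page or of any Google-provided module; PROJECT_ID, FOLDER_ID and the domain name are placeholders, and the resource names are assumed.

```hcl
# Added example: applies DNS-CO-6.1 (DNSSEC on a Cloud DNS zone) and
# DNS-CO-4.1 (zonal-only internal DNS for new projects in a folder).
# PROJECT_ID, FOLDER_ID and example.com are placeholders.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "PROJECT_ID" # placeholder
}

# DNS-CO-6.1: a public managed zone with DNSSEC signing turned on.
# DNSSEC applies to public zones only; private zones cannot be signed.
# Completing the chain of trust also requires publishing the zone's DS
# record with the registrar (the "top-level domain" step on this page),
# which is done outside this resource.
resource "google_dns_managed_zone" "genai_zone" {
  name        = "genai-zone"   # assumed resource name
  dns_name    = "example.com." # placeholder domain, trailing dot required
  description = "Zone serving the generative AI application"
  visibility  = "public"

  dnssec_config {
    state = "on" # "off" leaves responses unsigned and open to spoofing
  }
}

# DNS-CO-4.1: enforce the boolean organization policy constraint on the
# folder that holds generative AI workloads, so every new project in that
# folder defaults to zonal internal DNS.
resource "google_folder_organization_policy" "zonal_dns_only" {
  folder     = "folders/FOLDER_ID" # placeholder
  constraint = "constraints/compute.setNewProjectDefaultToZonalDNSOnly"

  boolean_policy {
    enforced = true
  }
}
```

After `terraform apply`, confirm the zone state with `gcloud dns managed-zones describe genai-zone --format='value(dnssecConfig.state)'`, which should print `on`.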