Policies Demo

Cloud DNS is a scalable, reliable, and managed DNS service that runs on Google Cloud Platform. This course will show you how easy it is to manage millions of DNS records using its simple user interface. You will also learn how to forward DNS requests, as well as how to secure and monitor them.

Learning Objectives

  • What Cloud DNS is and what it can do
  • Adding DNS records
  • Enabling DNS Security Extensions
  • Creating public and private zones
  • Setting DNS policies
  • Logging Cloud DNS activity

Intended Audience

  • GCP Networking Engineers
  • GCP Security Engineers
  • Anyone who is interested in managing DNS using GCP

Prerequisites

  • A basic understanding of DNS (including DNS records)

Now that you understand what DNS policies can do, let me demonstrate how to create them. First, I'm going to show you how to add an alternative name server. Then, I'll show you how to enable inbound query forwarding. And finally, I'll show you how to enable DNS logging. So, you create new policies by going to the Cloud DNS page, and then clicking on the "DNS Server Policies" tab.

Now currently, you can see that there are no policies set. So, for my first policy, let me specify an alternative name server. I just need to click on "Create Policy" to start. I do not want to enable "Inbound Query Forwarding" yet, so let me turn that off. For some reason it's enabled by default for every new policy. You can also see that it's possible to enable multiple options with a single policy. I can specify my alternative name server down here. I'm just going to use one of Google's public DNS servers. This is not something that I typically would do, as it's going to forward every DNS request from the attached VPCs, including lookups of names in my own private zones, to a DNS server that I have no control over.

Typically, I would enter the IP address of an on-prem DNS server here. And now all I have to do is to specify a name for this policy. So, this policy is gonna forward all DNS requests to one of Google's public DNS servers. However, even though I added the policy, it's still not affecting anything yet. And that is because I did not specify any networks yet. I also need to pick the networks that this policy is going to be applied to. Let me do that now. I'm gonna go ahead and add all my networks.

So now, I've effectively replaced Cloud DNS with Google's public DNS server for all of my VPCs. So for the next part, I want to show you how to do the opposite. I'm going to create a policy that will allow me to replace an external DNS server with Cloud DNS. Now before I do this, I need to delete my previous policy first. In order to delete a policy, you have to remove all attached networks. Now you can see, I can delete the actual policy. So, I'm gonna create a new policy and this time I'm going to leave the "Inbound Query Forwarding" option enabled. You'll notice that there aren't really any other options to choose. And that's because all we're doing is telling Cloud DNS to accept external DNS requests.

So here, I just have to specify a name and then pick the networks that this will apply to. Only the private zones bound to the networks you pick become reachable from outside, so you can keep certain DNS records from being shared by leaving their network out. Okay, so all the configuration changes have been completed on the Google side. The only step left would be to update my external DNS server. Now, those exact steps are gonna depend upon the type of DNS server that you're running, and so I'm not gonna cover that part. However, I will show you how to get a list of IP endpoints that you will need.

Now, you can run the following command using the Cloud SDK to get the list of IPs. These IPs are what you're going to forward your DNS requests to. If you don't have the Cloud SDK installed locally, then you can still use Cloud Shell to run the command instead. Okay, for this last policy, I'm gonna show you how to enable DNS logging. Let me delete the previous policy. Now I can add the new policy. I'll give it a name. I need to enable "Logs" and then disable "Inbound Query Forwarding". And of course, I need to specify the networks that this will apply to.
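The same three policies, plus the detach-then-delete step and the entry-point listing, as an added Cloud SDK script. This is not part of the course; it assumes placeholder network names (`default`, `prod-vpc`), placeholder policy names, and `192.0.2.53` standing in for an on-prem resolver, and it only calls `gcloud` when you pass an action argument, so sourcing the file just defines the functions.

```shell
#!/bin/sh
# Added example (not from the course): Cloud DNS server policies via gcloud.
# Assumptions: network names, policy names and the on-prem resolver address
# 192.0.2.53 are placeholders; replace them for your project.
set -eu

NETWORKS="default,prod-vpc"   # VPCs the policy is attached to (placeholder)
ONPREM_DNS="192.0.2.53"       # on-prem resolver (placeholder address)

# 1) Alternative name server: every query from the attached VPCs is sent to
#    this resolver and Cloud DNS's own zones are bypassed. Point it at a
#    resolver you control, not a public one, or you hand it every hostname
#    your workloads look up.
create_forwarding_policy() {
  gcloud dns policies create fwd-to-onprem \
    --description="Forward all queries to the on-prem resolver" \
    --networks="$NETWORKS" \
    --alternative-name-servers="$ONPREM_DNS"
}

# 2) Inbound forwarding: on-prem resolvers may query Cloud DNS for the
#    private zones bound to the listed networks. A VPC left out of
#    --networks does not expose its records.
create_inbound_policy() {
  gcloud dns policies create inbound-from-onprem \
    --description="Accept queries from on-prem resolvers" \
    --networks="$NETWORKS" \
    --enable-inbound-forwarding
}

# 3) Query logging for the attached networks.
create_logging_policy() {
  gcloud dns policies create dns-logging \
    --description="Log DNS queries" \
    --networks="$NETWORKS" \
    --enable-logging
}

# A policy cannot be deleted while networks are attached: detach first.
delete_policy() {
  gcloud dns policies update "$1" --networks=""
  gcloud dns policies delete "$1" --quiet
}

# Inbound forwarder entry points are reserved as addresses whose purpose is
# DNS_RESOLVER, one per subnet. These are the IPs the on-prem resolver
# forwards to (it needs a route to them over VPN or Interconnect).
list_entry_points() {
  gcloud compute addresses list \
    --filter='purpose = "DNS_RESOLVER"' \
    --format='csv[no-heading](address,region,subnetwork)'
}

# Reduce "address,region,subnetwork" CSV on stdin to one address per line,
# skipping a header row if present.
entry_point_ips() {
  awk -F, '$1 != "address" && $1 != "" { print $1 }'
}

# Constructed sample of list_entry_points output, for running offline.
sample_entry_points() {
  printf 'address,region,subnetwork\n'
  printf '10.128.0.2,us-central1,default\n'
  printf '10.10.0.3,europe-west1,prod-vpc\n'
}

case "${1:-}" in
  forward)      create_forwarding_policy ;;
  inbound)      create_inbound_policy ;;
  logging)      create_logging_policy ;;
  delete)       delete_policy "$2" ;;
  entry-points) list_entry_points | entry_point_ips ;;
  demo)         sample_entry_points | entry_point_ips ;;
  *)            ;;  # no action given: only define the functions
esac
```

Run it as `sh dns-policies.sh inbound` and then `sh dns-policies.sh entry-points` to get the list for your on-prem forwarders; `sh dns-policies.sh demo` exercises the CSV parsing on the constructed sample without touching `gcloud`.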

With this new policy, Cloud DNS is going to begin to keep detailed logs for any DNS lookups. You should be aware that cached responses are not logged, so keep that in mind. Also, you should be aware that this can potentially generate a significant amount of data. Enabling these logs might result in extra storage costs. The logs go to Cloud Logging, and you can view them with Logs Explorer. So, here's where you can search for your logs, view your logs, and build different queries. I'm not gonna take the time to teach you how to actually use Logs Explorer, since that's covered elsewhere.
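As an added example of putting those logs to use (not part of the course), the script below reads the `dns_query` entries with the Cloud SDK and flags source IPs that are getting an unusual number of NXDOMAIN answers, a quick check for a misconfigured resolver or for DGA and tunnelling traffic. The threshold of 50, the sample log lines and the `demo` action are assumptions for illustration; the field names are the ones Cloud DNS writes to `jsonPayload`.

```shell
#!/bin/sh
# Added example (not from the course): triage Cloud DNS query logs for
# sources producing many NXDOMAIN answers. The threshold and the sample
# lines below are assumptions for the demo.
set -eu

# The same filter works in Logs Explorer:
#   resource.type="dns_query" AND jsonPayload.responseCode="NXDOMAIN"
# Output is tab-separated: sourceIP, responseCode, queryName.
# Cached answers never reach the log, so counts are a floor, not a total.
fetch_dns_queries() {
  gcloud logging read 'resource.type="dns_query"' \
    --limit="${1:-1000}" \
    --format='value(jsonPayload.sourceIP,jsonPayload.responseCode,jsonPayload.queryName)'
}

# Count NXDOMAIN answers per source IP from fetch_dns_queries output on stdin
# and print "ip count" for every source at or above the threshold, highest first.
nxdomain_sources() {
  threshold="${1:-50}"
  awk -F'\t' -v min="$threshold" '
    $2 == "NXDOMAIN" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) printf "%s %d\n", ip, n[ip] }
  ' | sort -k2,2nr
}

# Constructed sample of fetch_dns_queries output, for running offline.
sample_queries() {
  printf '10.128.0.4\tNXDOMAIN\tqjx7k2.example.net.\n'
  printf '10.128.0.4\tNXDOMAIN\tzz91pa.example.net.\n'
  printf '10.128.0.4\tNOERROR\twww.example.com.\n'
  printf '10.128.0.9\tNXDOMAIN\ttypo.example.com.\n'
  printf '10.128.0.9\tNOERROR\tdb.internal.example.\n'
}

case "${1:-}" in
  live) fetch_dns_queries 1000 | nxdomain_sources 50 ;;
  demo) sample_queries | nxdomain_sources 2 ;;
  *)    ;;  # no action given: only define the functions
esac
```

`sh dns-log-triage.sh live` needs `gcloud` authenticated against the project where the logging policy is attached; `demo` runs the aggregation on the constructed lines and reports only `10.128.0.4`, which has two NXDOMAIN answers against a threshold of 2.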

If you're interested, you can look up the details afterwards. This is how you enable logging and where you go to find the logs. You're gonna find this extremely helpful for troubleshooting any DNS related issues you might run into. All right, so that's about it. You know how to use the three main policy types in Google Cloud DNS.

About the Author

Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.

Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.

When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.