Cloud DNS is a scalable, reliable, and managed DNS service that runs on Google Cloud Platform. This course will show you how easy it is to manage millions of DNS records using its simple user interface. You will also learn how to forward DNS requests, as well as how to secure and monitor them.
- What Cloud DNS is and what it can do
- Adding DNS records
- Enabling DNS Security Extensions
- Creating public and private zones
- Setting DNS policies
- Logging Cloud DNS activity
- GCP Networking Engineers
- GCP Security Engineers
- Anyone who is interested in managing DNS using GCP
- A basic understanding of DNS (including DNS records)
So now that you understand what zones are, let me run you through a practical demonstration of how you will typically use them. First, I will show you how to map a public IP for a website to a public domain name. Then, I'll show you how to create a private DNS name for internal use. And finally, I'll also show you how to set up DNS peering and DNS forwarding. Now, before I start, you should know that I've already set up a few VPCs and VMs. I have two Linux virtual machines, both running Apache, and serving up a single webpage. Now each VM has its own public and private IP and they're running inside their own separate VPC. I've also added firewall rules to open ports 80 and 22. So I can connect to each VM via SSH and HTTP. Here, you see that I can already connect to the web servers by using their IP address.
But now, I'm going to add a public DNS record so that I can use a domain name to connect instead. So for the first step, I need to bring up the Cloud DNS page. Now you can see here that there are options for working with zones and for working with policies. I'm going to be adding a DNS record, so I need to create a zone. Now when creating a zone, you have to specify which kind you want. This is going to be a public domain name, so I need to create a public zone. To set up a public zone, you need to have a domain name registered. Now I've already done this using Google Cloud Domains.
Cloud DNS does not handle domain registration, so you'll need to use a different tool. Here, you can see my domain name. Now you can use Cloud Domains as well if you wish. However, it's not required. There are many other domain registrars out there, so pick the one you like best. To create my new public zone, I have to assign it a name. I'm gonna set the name to be the same as the domain, except I'll need to replace the periods with dashes. Zone names can only contain letters, numbers and dashes.
Next, I need to specify the domain name, so let me enter that. And now, I can choose to enable DNS Security Extensions. Now this is generally recommended, so I'm gonna enable that here as well. You can see under DNSSEC that there are three options provided: Off, On and Transfer. It should be obvious what the Off and On options do. Transfer is used when you're in the middle of transferring a domain name over to Google and you already have DNSSEC enabled. While this option is supported, I would generally not recommend using it.
It's usually safer and easier to disable DNS Security extensions before starting the transfer. You can then re-enable DNSSEC after the transfer has completed. Now I can optionally add a description here if I want. It's unnecessary for this demo since I'm only going to end up with a few zones. But this field becomes more useful when you have hundreds or thousands of zones. So at this point, I can confirm the zone creation. Now, in my demo, I'm gonna be using the cloud console a lot, but you can also accomplish the same things using command lines tools as well. So here is where you can see the equivalent command for creating a public zone.
Alright, now that I've created the zone, let's review the details. Here, you can see the domain name, as well as verify that DNS Security extensions has been enabled. You also should notice that the SOA and NS records were automatically generated. Now, if I return to the zone page, you can see what this new entry looks like here. Remember, I still haven't actually added the A record yet. I've just created the zone. So, let me do that next. I'll click on the zone and I'll select Add Record Set.
Now adding a DNS record is very simple. The default type is already set to A, so I don't need to change that. Now if I wanted to add an IPv6 address, I could create a AAAA record as well. All I need to do is specify the server name, which I will call WWW, and then I'll specify the IP address, which I can copy from the Compute Engine screen. If you want to use the command line to do this, you can get those commands from here. Okay, so now I have created my A record. There's just one last thing to do. I need to tell my registrar to forward requests for the new domain to Cloud DNS. Now this is going to be simple since I'm using Google service. But you can accomplish the same thing using a different registrar. Of course, if you do, the steps will probably be slightly different than what you see here.
Now, in theory, I should be able to start using www.ca-demo-domain.com to access my apache web server. I say in theory because DNS changes can take a while to propagate. This is probably not gonna work right away. You see that I'm getting an error here because it's gonna take a while for the records to actually be available. Now this could take hours, might even take a whole day, so let me go ahead and skip ahead. Okay, now you can see the DNS record is working properly. Luckily, I have my own private DNS server and so I was able to force it to grab the updated records pretty quickly.
Now most people will not have that option, so again, you might have to wait up to a day before it finally starts working. But now we see that my domain name is correctly resolving to the first apache web server instance. So now you know how you create a new public DNS zone and record. Next, I'm going to show you how to work with private records. I'm going to create a private domain name and map that to the private IP for my second VM.
Now this domain name is only going to be usable inside of my GCP account. So to do this, I need to return to the Cloud DNS page and then create a new zone. This zone is going to be private. And you'll notice, when I select private, that some of the options have changed. I still have to provide a zone name and a domain name. But the DNS Security extensions option has disappeared. That is because it's only available for public zones.
Also, now I have to pick what kind of private zone this will be. Here is where you can set up forwarding or peering or pick some other advanced options as well. Now for this zone, I'm just gonna keep to the default type. Finally, I have to choose the network, or networks, that this zone will be active for. So here, I'm going to pick VPC-2 because that is what contains my second VM. Now I have a new private domain called privatedomain.com configured for VPC-2. Again the SOA and NS records are added automatically.
So, my last step is just to add the A record. So I can copy the private IP address here. And then, I'll set the domain name to be the same as the instance. And now, apache-2-vm.privatedomain.com should resolve to my Apache 2 instance. Remember, this is an internal DNS record, so I can't use my browser to test like last time. Instead, I'm gonna SSH to the VM instance and then use the ping command to verify that it worked. So here we see ping is returning the correct IP. That means our DNS record is working. So now you know how to create a private DNS zone and record.
Currently, this private DNS record is working for Apache-2-vm, but it will not work for Apache-1-vm. Now this is because Apache-1 is in a different VPC. If I want, I can use DNS peering to share the DNS records in VPC-2 with VPC-1. So let me do that next. I need to go back to Cloud DNS and create yet another zone. As we saw last time, DNS Peering and Forwarding are available under a private zone. I need to pick a name. And here, I need to specify the domain name that I wish to peer. I also have to specify the network that I wish to share my DNS records with. So this should be VPC-1. And then finally, I have to select the network that I'm sharing from. Because this can actually be a network in a completely different project, I need to pick the project first. And now I can pick the network.
Okay, so this is going to share all DNS records for privatedomain.com created in VPC-2 with VPC-1. I should now be able to resolve apache-2-vm.privatedomain.com from apache-1-vm. Here, we see the ping command can resolve the IP address, so peering is working. You will also notice that, unlike last time, that ping is not getting a response. Now this is completely expected. DNS Peering only shares DNS records. It does not enable connectivity between VPCs. While I now can look up the IP address, I still can't actually connect. If I wanted to allow apache-1 to be able to successfully ping apache-2, I would need to configure VPC peering.
Now the last thing I want to quickly demonstrate is how to set up DNS Forwarding. For this, I need to create yet another private zone, and then select Forward Queries to another server. A Forwarding zone is going to require me to specify an external DNS server. Setting up an external DNS server is beyond the scope of this demo. So instead, I'm just going to forward DNS requests for the google.com domain to one of Google's public DNS servers. Now this is not something you would typically do. Normally, you would use this option to forward requests to say, an on-prem domain. And then the DNS server would be your internal on-prem server. But this will at least show you the basic idea. So now, any requests for the google.com domain in either VPC-1 or VPC-2 will be forwarded to Google's public DNS server at 184.108.40.206 instead of trying to resolve it locally. So now you know how to create the four main types of zones: public, private, peering and forwarding.
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.