Create a forwarding zone

This page provides instructions about how to create a forwarding zone. For detailed background information, see Forwarding zones.

Before you begin, ensure that you understand the following:

To create a new managed private forwarding zone, complete the following steps.

Console

  1. In the Google Cloud console, go to the Create a DNS zone page.

  2. For the Zone type, select Private.

  3. Enter a Zone name such as my-new-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix. For example, example.private.

  5. Optional: Add a description.

  6. Under Options, select Forward queries to another server.

  7. Select the networks to which the private zone must be visible.

  8. To add the IPv4 addresses of a forwarding target, click Add item. You can add multiple IP addresses.

  9. To force private routing to the forwarding target, under Private forwarding, select the Enable checkbox.

  10. Click Create.

gcloud

Run the dns managed-zones create command:

gcloud dns managed-zones create NAME \
    --description=DESCRIPTION \
    --dns-name=DNS_SUFFIX \
    --networks=VPC_NETWORK_LIST \
    --forwarding-targets=FORWARDING_TARGETS_LIST \
    --private-forwarding-targets=PRIVATE_FORWARDING_TARGETS_LIST \
    --visibility=private

Replace the following:

  • NAME: a name for your zone
  • DESCRIPTION: a description for your zone
  • DNS_SUFFIX: the DNS suffix for your zone, such as example.private
  • VPC_NETWORK_LIST: a comma-delimited list of VPC networks that are authorized to query the zone
  • FORWARDING_TARGETS_LIST: a comma-delimited list of IP addresses to which queries are sent. RFC 1918 IP addresses specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified with this flag must be internet accessible.
  • PRIVATE_FORWARDING_TARGETS_LIST: a comma-delimited list of IP addresses to which queries are sent. Any IP address specified with this flag must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect.

Terraform

resource "google_dns_managed_zone" "private_zone" {
  name        = "private-zone"
  dns_name    = "private.example.com."
  description = "Example private DNS zone"
  labels = {
    foo = "bar"
  }

  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.network_1.id
    }
    networks {
      network_url = google_compute_network.network_2.id
    }
  }

  forwarding_config {
    target_name_servers {
      ipv4_address = "172.16.1.10"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }
}

resource "google_compute_network" "network_1" {
  name                    = "network-1"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_2" {
  name                    = "network-2"
  auto_create_subnetworks = false
}

API

Send a POST request using the managedZones.create method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones
{
    "name": "NAME",
    "description": "DESCRIPTION",
    "dnsName": "DNS_NAME",
    "visibility": "private",
    "privateVisibilityConfig": {
        "kind": "dns#managedZonePrivateVisibilityConfig",
        "networks": [
            {
                "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                "networkUrl": "VPC_NETWORK_1"
            },
            {
                "kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                "networkUrl": "VPC_NETWORK_2"
            },
            ....
        ]
    },
    "forwardingConfig": {
        "kind": "dns#managedZoneForwardingConfig",
        "targetNameServers": [
            {
                "kind": "dns#managedZoneForwardingConfigNameServerTarget",
                "ipv4Address": "FORWARDING_TARGET_1"
            },
            {
                "kind": "dns#managedZoneForwardingConfigNameServerTarget",
                "ipv4Address": "FORWARDING_TARGET_2"
            },
            ....
        ]
    }
}

Replace the following:

  • PROJECT_ID: the ID of the project where the managed zone is created
  • NAME: a name for your zone
  • DESCRIPTION: a description for your zone
  • DNS_NAME: the DNS suffix for your zone, such as example.private
  • VPC_NETWORK_1 and VPC_NETWORK_2: URLs for VPC networks in the same project that are able to query records in this zone. You can add multiple VPC networks as indicated. To determine the URL for a VPC network, describe the network with the following gcloud command, replacing VPC_NETWORK_NAME with the network's name:
    gcloud compute networks describe VPC_NETWORK_NAME \
        --format="get(selfLink)"
  • FORWARDING_TARGET_1 and FORWARDING_TARGET_2: IP addresses of forwarding target name servers. You can add multiple forwarding targets as indicated. RFC 1918 IP addresses specified here must be located in your VPC network or in an on-premises network connected to Google Cloud using Cloud VPN or Cloud Interconnect. Non-RFC 1918 IP addresses specified here must be internet accessible.
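The following Python helper is an added example, not Google's code or part of the original page: it builds the managedZones.create request body shown above from plain inputs, validates the DNS suffix and addresses, and classifies each target as Type 1/2 or Type 3 under the routing rules described on this page. The `forwardingPath` field used for private-routing targets is assumed from the Cloud DNS API reference; it does not appear on this page.

```python
import ipaddress

# Cloud DNS queries Type 1 and Type 2 targets from this source range (from the page).
CLOUD_DNS_SOURCE_RANGE = "35.199.192.0/19"
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def target_type(ip, private_routing=False):
    """Classify a target as the page does: with standard routing an RFC 1918
    address is Type 1/2 and anything else is Type 3 (must be internet reachable);
    private routing always uses the VPC path, so such targets count as Type 1/2."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    if addr.version != 4:
        raise ValueError(f"forwarding targets must be IPv4 addresses: {ip}")
    if private_routing or any(addr in block for block in RFC1918):
        return "type1/2"
    return "type3"

def build_zone_body(name, dns_name, network_urls, targets, private_targets=(), description=""):
    """Build the managedZones.create request body for a private forwarding zone."""
    if not dns_name.endswith("."):
        raise ValueError("dnsName must be fully qualified, for example 'example.private.'")
    if not network_urls:
        raise ValueError("a private zone needs at least one authorized VPC network")
    if not targets and not private_targets:
        raise ValueError("a forwarding zone needs at least one forwarding target")
    name_servers = []
    for ip in targets:
        target_type(ip)  # validates the address
        name_servers.append({"kind": "dns#managedZoneForwardingConfigNameServerTarget",
                             "ipv4Address": ip})
    for ip in private_targets:
        target_type(ip, private_routing=True)
        # forwardingPath is the API equivalent of --private-forwarding-targets; the page
        # does not show it, so treat the field name as an assumption from the API reference.
        name_servers.append({"kind": "dns#managedZoneForwardingConfigNameServerTarget",
                             "ipv4Address": ip, "forwardingPath": "private"})
    return {
        "name": name, "description": description, "dnsName": dns_name,
        "visibility": "private",
        "privateVisibilityConfig": {
            "kind": "dns#managedZonePrivateVisibilityConfig",
            "networks": [{"kind": "dns#managedZonePrivateVisibilityConfigNetwork",
                          "networkUrl": url} for url in network_urls]},
        "forwardingConfig": {"kind": "dns#managedZoneForwardingConfig",
                             "targetNameServers": name_servers},
    }

def needs_port53_rule(targets, private_targets=()):
    """True if any target is Type 1/2, so TCP/UDP 53 must be allowed from 35.199.192.0/19."""
    return bool(private_targets) or any(target_type(t) == "type1/2" for t in targets)
```

Serialize the returned dict with json.dumps and send it as the POST body; needs_port53_rule tells you whether the firewall and return-route requirements in the next section apply to your targets.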

Forwarding target network requirements

When Cloud DNS sends requests to forwarding targets, it sends packets with the source ranges listed in the following table.

Forwarding target type and the source ranges Cloud DNS uses for it:

Type 1 target
    An internal IP address of a Google Cloud VM or an internal passthrough Network Load Balancer in the same VPC network that is authorized to use the forwarding zone.
    Source range: 35.199.192.0/19. Cloud DNS uses this source range for all customers. The range is only accessible from a Google Cloud VPC network or from an on-premises network connected to a VPC network.

Type 2 target
    An IP address of an on-premises system, connected to the VPC network authorized to use the forwarding zone, using Cloud VPN or Cloud Interconnect. For more information about what IP addresses are supported, see Forwarding targets and routing methods.
    Source range: 35.199.192.0/19, the same range as for Type 1 targets.

Type 3 target
    An external IP address of a DNS name server accessible to the internet or the external IP address of a Google Cloud resource; for example, the external IP address of a VM in another VPC network.
    Source ranges: Google Public DNS source ranges.

Type 1 and Type 2 targets

Cloud DNS requires the following to access a Type 1 or a Type 2 target. These requirements are the same whether you reach an RFC 1918 target with standard routing or you choose private routing:

  • Firewall configuration for 35.199.192.0/19

    For Type 1 targets, create an ingress allow firewall rule for TCP and UDP port 53 traffic, applicable to your forwarding targets in each authorized VPC network. For Type 2 targets, configure an on-premises network firewall and similar equipment to permit TCP and UDP port 53.

  • Route to the forwarding target

    For Type 1 targets, Cloud DNS uses a subnet route to access the target in the VPC network authorized to use the forwarding zone. For Type 2 targets, Cloud DNS uses either custom dynamic or custom static routes, except for tagged static routes, to access the forwarding target.

  • Return route to 35.199.192.0/19 through the same VPC network

    For Type 1 targets, Google Cloud uses a special routing path for the 35.199.192.0/19 destination. For Type 2 targets, your on-premises network must have a route for the 35.199.192.0/19 destination whose next hop is in the same VPC network where the request originated, through a Cloud VPN tunnel or VLAN attachment for Cloud Interconnect. For information about how to meet this requirement, see return route strategies for Type 2 targets.

  • Direct response from target

    Cloud DNS requires that the forwarding target that receives packets be the one that sends replies to 35.199.192.0/19. If your forwarding target sends the request to a different name server, and that other name server responds to 35.199.192.0/19, Cloud DNS ignores the response. For security reasons, Google Cloud expects the source address of each target name server's DNS reply to match the IP address of the forwarding target.

Return route strategies for Type 2 targets

Cloud DNS cannot send responses from Type 2 forwarding targets over the internet or through a different VPC network. Responses must return to the same VPC network, although they can use any Cloud VPN tunnel or VLAN attachment in that same network.

  • For Cloud VPN tunnels that use static routing, manually create a route in your on-premises network whose destination is 35.199.192.0/19 and whose next hop is the Cloud VPN tunnel. For Cloud VPN tunnels that use policy-based routing, configure the Cloud VPN's local traffic selector and the on-premises VPN gateway's remote traffic selector to include 35.199.192.0/19.
  • For Cloud VPN tunnels that use dynamic routing or for Cloud Interconnect, configure a custom route advertisement for 35.199.192.0/19 on the BGP session of the Cloud Router that manages the tunnel or VLAN attachment.

Type 3 targets

When Cloud DNS uses standard routing to access an external IP address, it expects the forwarding target to be either a publicly accessible system on the internet or the external IP address of a Google Cloud resource.

For example, the external IP address of a VM in a different VPC network is a Type 3 target.

Private routing to Type 3 targets is not supported.

What's next