Configure DNS server policies
This page describes how to configure DNS server policies and use them with Virtual Private Cloud (VPC) networks. Before you use this page, review the DNS server policies overview.
Before you begin
The Cloud DNS API requires that you create a Google Cloud project and enable the Cloud DNS API.
If you are creating an application that uses the REST API, you must also create an OAuth 2.0 client ID.
- If you don't already have one, sign up for a Google Account.
- Enable the Cloud DNS API in the Google Cloud console. You can choose an existing Compute Engine or App Engine project, or you can create a new project.
- If you need to make requests to the REST API, you need to create an OAuth 2.0 ID. See Setting up OAuth 2.0.
- In the project, note the following information that you need to input in later steps:
  - The client ID (xxxxxx.apps.googleusercontent.com).
  - The project ID that you want to use. You can find the ID at the top of the Overview page in the Google Cloud console. You can also ask your user to provide the project name that they want to use in your app.
If you have not run the Google Cloud CLI previously, you must run the following command to specify the project name and authenticate with the Google Cloud console:
gcloud auth login
To choose a different project than one you have chosen previously, specify the --project option at the command line.
Permissions required for this task
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions
- dns.policies.create to create a DNS server policy
- dns.policies.delete to delete a DNS server policy
- dns.policies.get to fetch the current configuration of a DNS server policy
- dns.policies.list to list all DNS server policies associated with a project
- dns.policies.update to update a DNS server policy
- dns.managedZones.list to list managed zones
Roles
- DNS Administrator (roles/dns.admin)
Create DNS server policies
Each DNS server policy object can define any of the following server policies:
- An inbound DNS server policy, enabling inbound forwarding
- An outbound DNS server policy, specifying one or more alternative name servers
- Both an inbound and an outbound DNS server policy
- A DNS64 server policy
Each VPC network can reference no more than one DNS server policy. If you need to define both inbound and outbound forwarding for a VPC network, create one policy that defines both an inbound and an outbound policy. You can't configure DNS64 with an inbound DNS server policy.
Create an inbound DNS server policy
To create an inbound DNS server policy, follow these instructions. Cloud DNS creates a set of inbound forwarder IP addresses from the primary IPv4 address ranges of subnets in each VPC network to which the policy applies. After you create your policy, you can list the entry points that Cloud DNS creates.
Important: For important details about how inbound server entry points associate DNS queries with a VPC network and region, carefully review the Inbound server policies section of the Cloud DNS server policies page.
Console
In the Google Cloud console, open theCloud DNS server policies page.
ClickCreate policy.
In the Name field, enter the name of the inbound DNS server policy that you want to create, such as inbound-dns-server-policy.
In the Inbound query forwarding section, select On.
You can optionally enable DNS64 to enable communication between IPv6-only workloads and IPv4-only destinations. See Configure DNS64 for more information.
You can optionally enable private DNS logs in the Logs section; however, this can increase your costs in Cloud Logging.
In the Networks list, select VPC networks that you want to bind to this DNS server policy.
A network can only be bound to a single policy. If you can't select a network from the list, it's being used by another policy. To see what network is being used by a policy, view the In use by column on the DNS server policies page.
Click Create.
gcloud
To create an inbound DNS server policy, run the dns policies create command:
gcloud dns policies create NAME \
    --description="DESCRIPTION" \
    --networks="VPC_NETWORK_LIST" \
    --enable-inbound-forwarding
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks that the DNS server policy must bind to
Terraform
resource "google_dns_policy" "default" {
  name                      = "example-inbound-policy"
  enable_inbound_forwarding = true
  networks {
    network_url = google_compute_network.default.id
  }
}

resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}
Create an outbound DNS server policy
To specify a list of alternative name servers for a VPC network, you can create an outbound DNS server policy.
Important: For important details about how use of alternative name servers affects VPC network-scoped response policies, VPC network-scoped private zones, and Compute Engine internal DNS, carefully review the Outbound server policies section of the "DNS server policies overview" page. Also review Alternative name server types, routing methods, and addresses and Alternative name server network requirements.
Console
In the Google Cloud console, open theCloud DNS server policies page.
ClickCreate policy.
In the Name field, enter the name of the outbound DNS server policy that you want to create, such as outbound-dns-server-policy.
In the Inbound query forwarding section, select Off.
You can optionally enable private DNS logs in the Logs section; however, this can increase your costs in Cloud Logging.
In the Alternative DNS servers (Optional) section, click Add item, and enter the IP address of your outbound DNS servers in the IP Address field.
- Select the Private forwarding checkbox if you want to force private routing to outbound DNS servers.
In the Networks list, select VPC networks that you want to bind to this DNS server policy.
Click Create.
gcloud
To create an outbound DNS server policy, run the dns policies create command:
gcloud dns policies create NAME \
    --description="DESCRIPTION" \
    --networks="VPC_NETWORK_LIST" \
    --alternative-name-servers="ALTERNATIVE_NAMESERVER_LIST" \
    --private-alternative-name-servers="PRIVATE_ALTERNATIVE_NAMESERVER_LIST"
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks that query the alternative name servers
- ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers
- PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers, accessed by using private routing
Terraform
resource "google_dns_policy" "default" {
  name = "example-outbound-policy"
  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "172.16.1.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }
  networks {
    network_url = google_compute_network.default.id
  }
}

resource "google_compute_network" "default" {
  name                    = "network"
  auto_create_subnetworks = false
}
Create a DNS server policy for both inbound and outbound forwarding
Console
In the Google Cloud console, open the Cloud DNS server policies page.
Click Create policy.
In the Name field, enter the name of the inbound DNS server policy that you want to create, such as inbound-outbound-dns-server-policy.
In the Inbound query forwarding section, select On.
You can optionally enable private DNS logs in the Logs section; however, this can increase your costs in Cloud Logging.
In the Alternative DNS servers (Optional) section, click Add item, and enter the IP address of your outbound DNS servers in the IP Address field.
- Select Private forwarding if you want to force private routing to outbound DNS servers.
In the Networks list, select VPC networks that you want to bind to this DNS server policy.
Click Create.
gcloud
To create a DNS server policy for both inbound and outbound forwarding, run the dns policies create command:
gcloud dns policies create NAME \
    --description="DESCRIPTION" \
    --networks="VPC_NETWORK_LIST" \
    --alternative-name-servers="ALTERNATIVE_NAMESERVER_LIST" \
    --private-alternative-name-servers="PRIVATE_ALTERNATIVE_NAMESERVER_LIST" \
    --enable-inbound-forwarding
Replace the following:
- NAME: a name for the policy
- DESCRIPTION: a description for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks where inbound forwarding addresses must be created and that must query the alternative name servers
- ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers
- PRIVATE_ALTERNATIVE_NAMESERVER_LIST: a comma-delimited list of IP addresses that you can use as alternative name servers, accessed by using private routing
Terraform
resource "google_dns_policy" "example_policy" {
  name                      = "example-policy"
  enable_inbound_forwarding = true
  enable_logging            = true
  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "172.16.1.10"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address = "172.16.1.20"
    }
  }
  networks {
    network_url = google_compute_network.network_1.id
  }
  networks {
    network_url = google_compute_network.network_2.id
  }
}

resource "google_compute_network" "network_1" {
  name                    = "network-1"
  auto_create_subnetworks = false
}

resource "google_compute_network" "network_2" {
  name                    = "network-2"
  auto_create_subnetworks = false
}
List inbound forwarder entry points
When an inbound DNS server policy applies to a VPC network, Cloud DNS creates a set of regional internal IP addresses that serve as destinations to which your on-premises systems or name resolvers can send DNS queries. These addresses serve as entry points to the name resolution order of your VPC network.
Note: If you disable and then re-enable inbound forwarding, or if you delete and recreate a VPC network, the entry point IP addresses change. Google Cloud firewall rules do not apply to the regional internal addresses that act as entry points for inbound forwarders. Cloud DNS accepts TCP and UDP traffic on port 53 automatically.
Each inbound forwarder accepts and receives queries from Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) in the same region as the regional internal IP address. VM instances can access the inbound forwarder through any of the internal IP addresses in the same VPC network. To access inbound forwarding, either the network interface must have an external IP address or a subnet of the NIC must have Private Google Access enabled.
Console
View the list of inbound forwarder entry points for a policy:
In the Google Cloud console, open the Cloud DNS server policies page.
Click the name of the policy.
On the Policy details page, click the In use by tab.
Each network bound to the policy lists the Inbound query forwarding IP addresses.
gcloud
To list the set of regional internal IP addresses that serve as entry points for all inbound forwarding policies, run the compute addresses list command:
gcloud compute addresses list \
    --filter='purpose = "DNS_RESOLVER"' \
    --format='csv(address, region, subnetwork)'
Update DNS policies
The following sections provide information about changing VPC networks and enabling or disabling inbound forwarding.
Change VPC networks
The following list describes what happens when you change the list of VPC networks to which a DNS policy applies:
- If the policy specifies an inbound policy, entry points for inbound forwarders are created in VPC networks as needed.
- If the policy specifies an outbound policy, the name resolution order of each VPC network is updated to include the specified alternative name servers.
Console
In the Google Cloud console, open the Cloud DNS server policies page.
Click the name of the policy you want to change.
Click Edit policy.
In the Networks list, select or clear the checkboxes next to the VPC networks.
Click Save.
gcloud
To modify the list of networks to which a DNS server policy applies, run the dns policies update command:
gcloud dns policies update NAME \
    --networks="VPC_NETWORK_LIST"
Replace the following:
- NAME: a name for the policy
- VPC_NETWORK_LIST: a comma-delimited list of VPC networks to which the policy applies; the list of VPC networks that you specify replaces the previous list
Enable or disable inbound forwarding
You can enable inbound forwarding for a DNS server policy that defines only an outbound policy (alternative name server). You can also disable inbound forwarding for an existing DNS policy.
Console
Enable inbound forwarding for a DNS server policy:
In the Google Cloud console, open the Cloud DNS server policies page.
Click the name of the policy you want to change.
Click Edit policy.
In the Inbound query forwarding section, select On.
Click Save.
Disable inbound forwarding for a DNS server policy:
- Open the Cloud DNS server policies page.
- Click the name of the policy you want to change.
- Click Edit policy.
- In the Inbound query forwarding section, select Off.
- Click Save.
gcloud
To enable inbound forwarding for a DNS server policy, run the dns policies update command:
gcloud dns policies update NAME \
    --enable-inbound-forwarding
To disable inbound forwarding for a DNS server policy, specify the --no-enable-inbound-forwarding flag:
gcloud dns policies update NAME \
    --no-enable-inbound-forwarding
Replace NAME with the name of the policy.
List DNS policies
Console
In the Google Cloud console, open the Cloud DNS server policies page.
Any DNS server policy created in your project is listed.
gcloud
To list DNS server policies in your project, run the dns policies list command:
gcloud dns policies list
Delete a DNS policy
Console
To delete a DNS server policy, it must not be bound to any network. Update your policy to remove all networks before deleting the policy.
In the Google Cloud console, open the Cloud DNS server policies page.
Click Delete by the name of the policy you want to delete.
gcloud
To delete a DNS server policy, run the dns policies delete command:
gcloud dns policies delete NAME
Replace NAME with the name of the policy to delete.
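The one-policy-per-network rule stated under "Create DNS server policies" and the no-bound-networks prerequisite for deletion above are easy to check offline before running the gcloud commands. The following Python is an added example, not Google's code: it lints the JSON that `gcloud dns policies list --format=json` returns (field names such as enableInboundForwarding, enableLogging, alternativeNameServerConfig.targetNameServers and networks[].networkUrl are assumed from the Cloud DNS v1 Policy resource), and the input below is constructed rather than captured from a real project.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `gcloud dns policies list --format=json`;
# field names assumed from the Cloud DNS v1 Policy resource, URLs shortened.
POLICIES_JSON = """[
 {"name": "inbound-dns-server-policy", "enableInboundForwarding": true,
  "enableLogging": false,
  "networks": [{"networkUrl": "projects/p/global/networks/network-1"}]},
 {"name": "outbound-dns-server-policy", "enableInboundForwarding": false,
  "enableLogging": true,
  "alternativeNameServerConfig": {"targetNameServers": [
    {"ipv4Address": "172.16.1.10", "forwardingPath": "private"},
    {"ipv4Address": "172.16.1.20"}]},
  "networks": [{"networkUrl": "projects/p/global/networks/network-1"},
               {"networkUrl": "projects/p/global/networks/network-2"}]}
]"""


def load_policies(text=POLICIES_JSON):
    """Parse the policy list (the constructed sample by default)."""
    return json.loads(text)


def network_view(policies):
    """Map each bound VPC network to the policy settings it inherits."""
    view = defaultdict(list)
    for p in policies:
        cfg = p.get("alternativeNameServerConfig", {})
        servers = [t["ipv4Address"] for t in cfg.get("targetNameServers", [])]
        for n in p.get("networks", []):
            view[n["networkUrl"].rsplit("/", 1)[-1]].append({
                "policy": p["name"],
                "inbound": bool(p.get("enableInboundForwarding")),
                "alternative_name_servers": servers})
    return dict(view)


def lint_policies(policies):
    """Return (subject, finding) pairs for the constraints this page states."""
    findings = []
    for net, entries in network_view(policies).items():
        if len(entries) > 1:  # a VPC network may reference at most one policy
            names = ", ".join(sorted(e["policy"] for e in entries))
            findings.append((net, "bound to more than one policy: " + names))
    for p in policies:
        if not p.get("enableLogging"):  # queries through it leave no log trail
            findings.append((p["name"], "private DNS logging disabled"))
    return findings


def can_delete(policy):
    """Deletion succeeds only once no network is bound to the policy."""
    return not policy.get("networks")
```

Run `lint_policies(load_policies())` against real output by passing the captured JSON text to load_policies; a network listed under two policies or a policy with logging off shows up as a finding.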
What's next
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.