Google Cloud DNS

• Cloud DNS is a high-performance, resilient, reliable, low-latency, global Domain Name System (DNS) service that publishes the domain names to the global DNS in a cost-effective way.
• Cloud DNS helps to publish the zones and records in DNS without the burden of managing your own DNS servers and software.
• Cloud DNS offers both public zones and private managed DNS zones.
  • A public zone is visible to the public internet
  • A private zone is visible only from one or more specified VPC networks
  • Google Cloud also creates internal DNS names for VMs automatically, even if you do not use Cloud DNS
• Cloud DNS also supports zonal DNS zones (GA since Dec 2022) that are scoped to a specific Google Cloud zone, providing higher availability for zonal resources.
• With Shared VPC, Cloud DNS managed private zone, Cloud DNS peering zone, or Cloud DNS forwarding zone must be created in the host project
• Google Cloud offers inbound and outbound DNS forwarding for private zones
• Cloud DNS offers DNS forwarding zones and DNS server policies to allow lookups of DNS names between the on-premises and Google Cloud environment
• Cloud DNS supports per-resource IAM permissions (GA since Dec 2022) allowing fine-grained read, write, or administrator permissions for different managed zones under the same project.
• Cloud DNS supports Cloud Logging for both private and public zones (GA since Nov 2021) to monitor DNS queries, including query name, type, response code, and source IP address.

DNS Server Policies

• DNS Server Policies can specify inbound DNS forwarding, outbound DNS forwarding, or both.
• Inbound server policy refers to a policy that permits inbound DNS forwarding i.e. On-premises to VPC
• Outbound server policy refers to one possible method for implementing outbound DNS forwarding i.e. VPC to On-premises
• It is possible for a policy to be both an inbound server policy and an outbound server policy if it implements the features of both.
• DNS Server Policies is similar to DNS Forwarding zones, except that it applies to all the traffic and not a single specific domain
• DNS Outbound Policy disables internal DNS for the selected networks
• DNS Server Policies also support DNS64 configuration to enable IPv6-only VM instances to communicate with IPv4-only destinations (see DNS64 section below).

DNS Forwarding Zones

• Cloud DNS forwarding zones help configure target name servers for specific private zones.
• Using a forwarding zone is one way to implement outbound DNS forwarding from the VPC network.
• A Cloud DNS forwarding zone is a special type of Cloud DNS private zone. Instead of creating records within the zone, you specify a set of forwarding targets.
• Each forwarding target is an IP address of a DNS server, located in the VPC network, or in an on-premises network connected to the VPC network by Cloud VPN or Cloud Interconnect.
• Forwarding targets can also be specified as a fully qualified domain name (FQDN) (GA since June 2025), which allows outbound DNS forwarding without requiring a fixed IP address for the target name server.
• Cloud DNS caches responses for queries sent to Cloud DNS forwarding zones
• DNS forwarding does not work between two Google Cloud environments

DNS Peering

• DNS peering allows sending requests for records that come from one zone’s namespace to another VPC network for e.g., a SaaS provider can give a SaaS customer access to DNS records it manages.
• To provide DNS peering,
  • Cloud DNS peering zone must be created and configured to perform DNS lookups in a VPC network where the records for that zone’s namespace are available.
  • The VPC network where the DNS peering zone performs lookups is called the DNS producer network.
• To use DNS peering,
  • A network must be authorized to use a peering zone.
  • The VPC network authorized to use the peering zone is called the DNS consumer network.
• DNS peering and VPC Network Peering are different services. DNS peering can be used with VPC Network Peering, but VPC Network Peering is NOT required for DNS peering. VPC peering does not enable DNS peering and must be setup explicitly.

DNS Routing Policies

• Cloud DNS supports DNS routing policies (GA since Jan 2022) to steer traffic based on specific criteria for resource record sets in both private and public zones.
• Cloud DNS supports the following routing policy types:
  • Weighted Round Robin (WRR) – assign different weights to each resource record set for a DNS name to distribute traffic according to configured weights. Supports manual active-active or active-passive configurations.
  • Geolocation – map traffic originating from source geographies (Google Cloud regions) to specific DNS targets. Applies nearest match when source doesn’t exactly match a policy item.
  • Geolocation with Geofence – restricts traffic to a specific geolocation even if all endpoints in that region are unhealthy (prevents automatic failover to next closest region).
  • Failover – active/backup configurations for high availability. Returns IP addresses from the active set normally; switches to backup set when all active endpoints are unhealthy.
• DNS routing policies cannot be configured for forwarding zones, peering zones, managed reverse lookup zones, or Service Directory zones.
• Cloud DNS supports health checks with routing policies for:
  • Internal Application Load Balancers (regional and cross-region)
  • Internal passthrough Network Load Balancers
  • Internal proxy Network Load Balancers (Preview)
  • External endpoints (GA since Feb 2025) – health checks for any public IP address including global/regional external load balancers and on-premises endpoints
• Cloud DNS enables automatic failover when endpoints fail their health checks, dynamically adjusting traffic split among remaining healthy endpoints.
• For external endpoint health checks, probes originate from three user-specified Google Cloud source regions with three prober instances per region (nine total probers per endpoint).
• If all endpoints are unhealthy, Cloud DNS returns all endpoints as a result (fail-open behavior).

DNS Response Policies

• Response policies (GA since Nov 2021) let you customize DNS management within a private zone by using rules instead of records.
• If a rule in the response policy affects the incoming query, it is processed; otherwise, the lookup proceeds normally.
• Response policy rules are selectors that apply behavior to queries matching the selector (DNS names via wildcards or exact matches).
• Use cases include:
  • Setting up private connectivity to Google APIs from within a VPC Service Controls perimeter
  • Overriding DNS resolution for specific domains within a VPC network
  • Blocking access to specific domains by returning NXDOMAIN
  • Redirecting traffic to alternative endpoints for specific DNS names
• Response policies can be bound to VPC networks and GKE clusters.

Alias Records

• Alias records (GA since Sept 2025) provide CNAME-like functionality at the zone apex.
• This custom record type maps the apex domain name to a canonical target, solving the limitation that CNAME records cannot coexist with other record types (like SOA) required at the zone apex.
• Useful when you need to point a naked/apex domain (e.g., example.com) to a load balancer or CDN hostname without using a CNAME.
• Similar in concept to AWS Route 53 Alias records.

DNS64

• DNS64 (GA since Aug 2025) provides synthesized IPv6 addresses for IPv4 destinations, enabling IPv6-only VM instances to communicate with IPv4-only services.
• DNS64 is configured as part of a DNS server policy and applies to VPC networks bound to the policy.
• When an IPv6-only client queries for a domain that only has A records (IPv4), Cloud DNS synthesizes AAAA records (IPv6) using the 64:ff9b::/96 well-known prefix.
• Works together with Cloud NAT’s NAT64 to provide end-to-end IPv6-to-IPv4 connectivity.
• Useful for IPv6-only environments that need to reach legacy IPv4 applications on the internet.

DNS Armor – Advanced Threat Detection

• DNS Armor (GA since Jan 2026), powered by Infoblox, is a fully-managed DNS-layer security service for Google Cloud workloads.
• Monitors internet-bound DNS queries for malicious activity at the earliest point in the attack chain—the DNS query—without adding operational complexity or performance overhead.
• Detects threats including:
  • Requests to malicious command and control (C2) servers
  • DNS tunneling for sensitive data exfiltration
  • Malware using DNS queries for communication
• Complements existing cloud-first network security products (Cloud Armor, Cloud NGFW) by offering a foundational DNS-based security layer.
• Threat findings are reported in Cloud Logging for integration with security operations workflows.

VPC Name Resolution Order

• Each VPC network provides DNS name resolution services to the VM instances that use it.
• When VMs use their metadata server 169.254.169.254 as their name server, Google Cloud searches for DNS records in the following order:
  • If the VPC network has an outbound server policy, Google Cloud forwards all DNS queries to those alternative servers. The VPC name resolution order consists only of this step.
  • If the VPC network does not have an outbound server policy:
    • Google Cloud tries to find a private zone that matches as much of the requested record as possible (longest suffix matching).
      • Searching records that you created in private zones.
      • Querying the forwarding targets for forwarding zones.
      • Querying the name resolution order of another VPC network by using peering zones.
    • Searches the automatically created Compute Engine internal DNS records for the project.
    • Queries publicly available zones

DNSSEC

• DNSSEC is a feature of DNS that authenticates responses to domain name lookups
• DNSSEC protects the domains from spoofing and cache poisoning attacks
• DNSSEC provides strong authentication for domain lookups, but it does not provide encryption
• Both the registrar and registry must support DNSSEC for the Top Level Domain (TLD) used
• For Enabling DNSSEC
  • Enable DNSSEC on the domain. DNS zone for the domain must serve special DNSSEC records for public keys (DNSKEY), signatures (RRSIG), and non-existence (NSEC, or NSEC3 and NSEC3PARAM) to authenticate the zone’s contents.
  • DS record must be added to the TLD at the registrar
  • DNS resolver that validates signatures for DNSSEC-signed domains must be used
• Note: When DNSSEC is enabled with DNS routing policies, only a single IP address can be used within each policy item.

GCP Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

Questions on DNS Routing Policies and New Features

1. A company needs to distribute DNS traffic across multiple regions with automatic failover when a region becomes unhealthy. Which Cloud DNS routing policy should they use?
   1. Weighted Round Robin (WRR) routing policy
   2. Geolocation routing policy
   3. Failover routing policy
   4. DNS forwarding policy

   Answer: b. Geolocation routing policy – Geolocation routing with health checks automatically fails over to the next closest region when endpoints are unhealthy. Failover routing policy (c) provides active/backup, not multi-region distribution.

2. A company wants to point their apex domain (example.com) to a load balancer hostname without using an A record with a static IP. What Cloud DNS feature should they use?
   1. CNAME record at the apex
   2. DNS peering zone
   3. Alias record
   4. DNS forwarding zone

   Answer: c. Alias record – Alias records (GA Sept 2025) provide CNAME-like functionality at the zone apex. CNAME records cannot be placed at the apex because they cannot coexist with SOA records.

3. An organization has IPv6-only VM instances that need to access legacy IPv4-only services on the internet. Which combination of features should they configure?
   1. Cloud NAT with DNS forwarding
   2. DNS64 with NAT64
   3. DNS peering with Cloud VPN
   4. DNSSEC with IPv6 forwarding

   Answer: b. DNS64 with NAT64 – DNS64 synthesizes AAAA records from A records using the 64:ff9b::/96 prefix, and NAT64 handles the actual packet translation, enabling IPv6-only VMs to reach IPv4 destinations.

4. A security team wants to detect DNS-based command and control (C2) communication and data exfiltration from their Google Cloud workloads. Which service should they enable?
   1. DNSSEC
   2. Cloud Armor
   3. DNS Armor
   4. DNS Response Policies

   Answer: c. DNS Armor – DNS Armor (GA Jan 2026), powered by Infoblox, provides DNS-layer threat detection for C2 communications, DNS tunneling, and malware DNS queries.

5. Which of the following routing policy types restricts DNS traffic to a specific geolocation even when all endpoints in that region are unhealthy?
   1. Weighted Round Robin (WRR)
   2. Geolocation routing policy
   3. Geolocation routing policy with geofence
   4. Failover routing policy

   Answer: c. Geolocation routing policy with geofence – With geofencing enabled, automatic failover to the next closest region does not occur, even if all endpoints in a geolocation fail health checks.

6. An organization wants to override DNS resolution for specific Google API domains within their VPC to route to VPC Service Controls restricted endpoints. What Cloud DNS feature should they use?
   1. DNS forwarding zone
   2. DNS server policy
   3. DNS response policy
   4. DNS peering zone

   Answer: c. DNS response policy – Response policies allow custom DNS resolution within VPCs, making it easy to route specific API domains to restricted VIPs for VPC Service Controls compliance.

7. Cloud DNS health checks for external endpoints (GA Feb 2025) support which of the following? (Choose 2)
   1. Health checking endpoints behind Cloud VPN
   2. TCP, HTTP, and HTTPS protocols
   3. Health check probes from three user-specified regions
   4. gRPC protocol health checks
   5. Probes from fixed IP address ranges

   Answer: b, c – External endpoint health checks support TCP/HTTP/HTTPS protocols and originate from three user-specified source regions. gRPC, SSL, and HTTP/2 are not supported. Probe source IP ranges are not fixed.

References

• Cloud DNS Overview
• DNS Routing Policies and Health Checks
• Manage Response Policies and Rules
• Advanced Threat Detection with DNS Armor
• Configure DNS64
• Cloud DNS Records Overview (Alias Records)
• Cloud DNS Release Notes