Google Cloud DNS

Updated on 13 Feb 2024
2 Minutes to read
Contributors

Article summary

Did you find this summary helpful?

Thank you for your feedback!

If you are utilizing the Private Zone/Private DNS feature of Google Cloud, you can utilize the those name servers via private IP's through the tunnel established on the Harmony SASEimeter81 gateway. You can take full advantange of private DNS zones and still resolve external records. You can enable Private DNS after enabling the following changes in Google Cloud Platform.

Some prerequesities for this guide:

GCP project
VPC Network - This can be created or you can use Google predefined list of subnets
Site to Site VPN tunnel to the VPC from Harmony SASE (Tunnel)

This process will allow the administrator to expose Google's Cloud DNS via a private IP inside one or multiple networks that you have defined in your VPC.

via GUI/Web

Navigate to Network Services -> Cloud DNS
Navigate to DNS Server Policies
Create a DNS Server Policy

Make sure that inbound query forwarding is On and all of the desired networks are selected.

You will get an IP address from the top of the network the policy is used by:

This is the private IP that you can use for Private DNS setup in Harmony SASE.
You can add more networks here if you like but please make sure that routing is available for those so that Harmony SASE can reach them via CLI.

Install Google Cloud SDK (https://cloud.google.com/sdk/docs/install)
Authenticate/Initialize your gcloud cli environment

gcloud auth login

Create an inbound server policy for DNS

gcloud dns policies create {{NAME}} --description={{DESCRIPTION}} --networks={{VPC_NETWORK_LIST}} --enable-inbound-forwarding

{{NAME}} - name for the policy.
{{DESCRIPTION}} - Description of the policy.
{{VPC_NETWORK_LIST}} - Comma separated list of VPC networks (not subnets)

ops-vlad:~ vbekker$ gcloud dns policies create inbounddnsvlad --description=inboundDNSVlad --networks=vladvpc --enable-inbound-forwarding
Created Policy [https://dns.googleapis.com/dns/v1/projects/vladgcp/policies/inbounddnsvlad].
{
  "description": "inboundDNSVlad",
  "enableInboundForwarding": true,
  "enableLogging": false,
  "id": "8199820556025819315",
  "kind": "dns#policy",
  "name": "inbounddnsvlad",
  "networks": [
    {
      "kind": "dns#policyNetwork",
      "networkUrl": "https://compute.googleapis.com/compute/v1/projects/vladgcp/global/networks/vladvpc"
    }
  ]
}

Validation
Here is a succesfull DNS lookup from the gateway directly to the server and also to our dns forwarder

Directly querying the name server

vlad@vodFpGngx3:~$ dig www.vpcdnszone.com  @192.168.128.2

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.vpcdnszone.com @192.168.128.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51251
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.vpcdnszone.com.		IN	A

;; ANSWER SECTION:
www.vpcdnszone.com.	300	IN	A	192.168.128.50

;; Query time: 161 msec
;; SERVER: 192.168.128.2#53(192.168.128.2)
;; WHEN: Fri Mar 05 00:11:01 UTC 2021
;; MSG SIZE  rcvd: 63

Via local forwarder

vlad@vodFpGngx3:~$ dig www.vpcdnszone.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.vpcdnszone.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46053
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.vpcdnszone.com.		IN	A

;; ANSWER SECTION:
www.vpcdnszone.com.	300	IN	A	192.168.128.50

;; Query time: 156 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 05 01:38:15 UTC 2021
;; MSG SIZE  rcvd: 70

Finally, enable Private DNS on the network:

Was this article helpful?

What's Next

AWS Route 53 DNS