--- title: "Google Cloud DNS" slug: "google-cloud-private-dns" updated: 2026-04-07T09:08:35Z published: 2026-04-07T09:08:35Z canonical: "support.perimeter81.com/google-cloud-private-dns" stale: true --- > ## Documentation Index > Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt > Use this file to discover all available pages before exploring further. # Google Cloud DNS If you are utilizing the Private Zone/Private DNS feature of Google Cloud, you can utilize the those name servers via private IP's through the tunnel established on the Harmony SASEimeter81 gateway. You can take full advantange of private DNS zones and still resolve external records. You can enable [Private DNS](/v1/docs/how-to-select-a-custom-dns) after enabling the following changes in Google Cloud Platform. Some prerequesities for this guide: 1. **GCP project** 2. **VPC Network** - This can be created or you can use Google predefined list of subnets 3. **Site to Site VPN tunnel** to the VPC from Check Point SASE ([Tunnel](/v1/docs/configuring-a-site-to-site-ipsec-tunnel-to-google-cloud-platform)) This process will allow the administrator to expose Google's Cloud DNS via a private IP inside one or multiple networks that you have defined in your VPC. via **GUI/Web** 1. Navigate to **Network Services -> Cloud DNS** ![image.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image%28116%29.png) 2. Navigate to **DNS Server Policies** ![image.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image%28117%29.png) 3. Create a **DNS Server Policy** ![image.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image%28118%29.png) Make sure that **inbound query forwarding** is **On** and all of the desired networks are selected. You will get an IP address from the top of the network the policy is used by: ![image.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image%28119%29.png) This is the private IP that you can use for [Private DNS](/v1/docs/how-to-select-a-custom-dns)setup in Check Point SASE. You can add more networks here if you like but please make sure that routing is available for those so that Check Point SASE can reach them via **CLI.** 1. Install Google Cloud SDK (https://cloud.google.com/sdk/docs/install) 2. Authenticate/Initialize your gcloud cli environment ``` gcloud auth login ``` 1. Create an **inbound server policy** for DNS ``` gcloud dns policies create {{NAME}} --description={{DESCRIPTION}} --networks={{VPC_NETWORK_LIST}} --enable-inbound-forwarding ``` {{NAME}} - name for the policy. {{DESCRIPTION}} - Description of the policy. {{VPC_NETWORK_LIST}} - Comma separated list of VPC networks (not subnets) ``` ops-vlad:~ vbekker$ gcloud dns policies create inbounddnsvlad --description=inboundDNSVlad --networks=vladvpc --enable-inbound-forwarding Created Policy [https://dns.googleapis.com/dns/v1/projects/vladgcp/policies/inbounddnsvlad]. { "description": "inboundDNSVlad", "enableInboundForwarding": true, "enableLogging": false, "id": "8199820556025819315", "kind": "dns#policy", "name": "inbounddnsvlad", "networks": [ { "kind": "dns#policyNetwork", "networkUrl": "https://compute.googleapis.com/compute/v1/projects/vladgcp/global/networks/vladvpc" } ] } ``` **Validation** Here is a succesfull DNS lookup from the gateway directly to the server and also to our dns forwarder Directly querying the name server ``` vlad@vodFpGngx3:~$ dig www.vpcdnszone.com @192.168.128.2 ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.vpcdnszone.com @192.168.128.2 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51251 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.vpcdnszone.com. IN A ;; ANSWER SECTION: www.vpcdnszone.com. 300 IN A 192.168.128.50 ;; Query time: 161 msec ;; SERVER: 192.168.128.2#53(192.168.128.2) ;; WHEN: Fri Mar 05 00:11:01 UTC 2021 ;; MSG SIZE rcvd: 63 ``` Via local forwarder ``` vlad@vodFpGngx3:~$ dig www.vpcdnszone.com ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.vpcdnszone.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46053 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.vpcdnszone.com. IN A ;; ANSWER SECTION: www.vpcdnszone.com. 300 IN A 192.168.128.50 ;; Query time: 156 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Mar 05 01:38:15 UTC 2021 ;; MSG SIZE rcvd: 70 ``` Finally, enable Private DNS on the network: ![image.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image%28120%29.png)