This is a copy and paste from my article that I wrote titled "Google Cloud Private DNS Zones".
On October 23, 2018, Google introduced private DNS zones for Google Cloud DNS. This is an important announcement, as it keeps internal DNS names private. Today's article covers how to implement this new feature in Google Cloud Platform.
What are Google Cloud Private DNS Zones? A DNS server can provide a feature called split-horizon DNS. This means that the answer returned to a DNS query can change depending on where the query comes from. For Google Cloud DNS, queries can arrive from the public Internet or from a Google Cloud VPC.
Google Cloud DNS now lets you:
- Create private DNS zones to provide DNS name resolution to your private network resources (VMs, load balancers, etc.).
- Connect a private zone to a single network or multiple networks, giving you flexibility when designing your internal network architectures.
- Create split-horizon DNS architectures where identical or overlapping zones can coexist between public and private zones in Cloud DNS, or across different GCP networks.
- Utilize IAM-based, DNS-specific roles to delegate administrative or editor access to manage or view managed private zones.
Private zones for Google Cloud DNS are a beta feature. This requires creating the private zone using the gcloud CLI.
For this article, we will use the domain name "example.com". We will set up both private and public zones.
Step 1 - Create the private zone.
gcloud beta dns managed-zones create --dns-name="example.com" --description="Private Zone" --visibility=private --networks=default "private-zone"
Step 2 - Create the public zone.
Note: you can skip this step if you are not using Google Cloud DNS for your domain name.
gcloud beta dns managed-zones create --dns-name="example.com" --description="Public Zone" --visibility=public "public-zone"
Step 3 - Make the private zone visible to the default network.
gcloud beta dns managed-zones update private-zone --networks default
Step 4 - Get a VM instance's full and short hostnames.
This step requires manually finding out what the internal hostname of an instance is. Connect to the instance. These commands are run from the instance console.
hostname
This command returns the short hostname.
web-server-1
Now get the long hostname.
hostname -f
This command returns the long hostname.
web-server-1.us-east4-c.c.development-123456.internal
Step 5 - Add an instance to the private zone using its private DNS name.
This step uses the Google Cloud Console. Console -> Network Services -> Cloud DNS. Notice the two zones that we just created, "private-zone" and "public-zone". Select the private zone.
The console should display two entries for this zone: the NS (name server) record and the SOA (Start of Authority) record.
Near the top of the Google Console window is the button "ADD RECORD SET". Click this button.
For the DNS Name enter: web-server-1
For the Resource Record Type change to: CNAME
For the Canonical name enter: web-server-1.us-east4-c.c.development-123456.internal
Step 6 - Add an instance to the public zone using its public IP address.
Go back to Cloud DNS. Select the public zone. Click "ADD RECORD SET".
For the DNS Name enter: web-server-1 (or the name you want the public DNS to support).
For the Resource Record Type: A
For the IPv4 Address enter: the public IP address
Step 7 - Verify the public DNS resolution.
From your desktop or another computer connected to the Internet, open a command shell / prompt and ping web-server-1.example.com. This should resolve to the public IP address.
Step 8 - Verify the private DNS resolution.
From another VM instance in the same Google Cloud VPC, open a command shell / prompt and ping web-server-1.example.com. This should resolve, via the CNAME, to the instance's internal DNS name and its private IP address.
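The two verification steps above can be turned into a repeatable check. The Python script below is an added example, not code from the original article: it parses `dig +noall +answer web-server-1.example.com` output captured from an Internet host and from a VM in the VPC, and confirms that the public view returns only a public A record (no *.internal hostname or private address leaking out of the VPC) while the private view returns the CNAME to the instance's internal hostname and a private address. The two answer texts and the addresses 203.0.113.10 and 10.150.0.2 are constructed sample values.

```python
import ipaddress
# Instance FQDN from the article; the dig answers are constructed samples of
# `dig +noall +answer web-server-1.example.com` from the Internet vs. from a VPC VM.
INSTANCE_FQDN = "web-server-1.us-east4-c.c.development-123456.internal"
PUBLIC_ANSWER = "web-server-1.example.com. 300 IN A 203.0.113.10\n"
PRIVATE_ANSWER = (f"web-server-1.example.com. 300 IN CNAME {INSTANCE_FQDN}.\n"
                  f"{INSTANCE_FQDN}. 60 IN A 10.150.0.2\n")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def parse_answer(text):
    """Turn dig answer-section lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank line or dig comment
        owner, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return records

def is_private_ip(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)

def check_public_view(text):
    """Public view: a public A record only; nothing from the VPC may leak."""
    recs = parse_answer(text)
    problems = []
    for owner, rtype, rdata in recs:
        if rtype == "CNAME" and rdata.endswith(".internal"):
            problems.append(f"internal hostname leaked: {owner} -> {rdata}")
        if rtype == "A" and is_private_ip(rdata):
            problems.append(f"private address leaked: {owner} -> {rdata}")
    if not any(r[1] == "A" for r in recs):
        problems.append("no A record in public answer")
    return problems

def check_private_view(text, instance_fqdn=INSTANCE_FQDN):
    """Private view: CNAME to the instance's internal FQDN and a VPC address."""
    recs = parse_answer(text)
    problems = []
    cnames = [r[2] for r in recs if r[1] == "CNAME"]
    if instance_fqdn not in cnames:
        problems.append(f"expected CNAME to {instance_fqdn}, got {cnames}")
    addrs = [r[2] for r in recs if r[1] == "A"]
    if not addrs:
        problems.append("internal name did not resolve to an address")
    problems += [f"non-private address in private view: {a}"
                 for a in addrs if not is_private_ip(a)]
    return problems
```

Run check_public_view on the answer captured from the Internet and check_private_view on the answer captured inside the VPC; an empty list from both means the split-horizon setup behaves as intended, and any message names the record that leaked or is missing.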
There you have it. Google Cloud DNS now supports split-horizon DNS (often called split-brain DNS).