On October 23, 2018, Google introduced private DNS zones for Google Cloud DNS. This is an important announcement as this keeps internal DNS names private. Today’s article covers how to implement this new feature in Google Cloud Platform.

Update: May 8, 2019. At Google Next ’19, Google announced new features for Cloud DNS. This article discusses the new features. This article still applies as the features in this article transitioned from beta to production.

What is Google Cloud Private DNS Zones? A DNS server can provide a feature called split-horizon DNS. This means that the information returned to a DNS query can change based upon the location of who is asking. For Google Cloud DNS, you have queries that can arrive from the Public Internet or from Google Cloud VPC.

Google Cloud DNS can now provide:

  1. Create private DNS zones to provide DNS name resolution to your private network resources (VMs, load balancers, etc.).
  2. Connect a private zone to a single network or multiple networks, giving you flexibility when designing your internal network architectures.
  3. Create split-horizon DNS architectures where identical or overlapping zones can coexist between public and private zones in Cloud DNS, or across different GCP networks.
  4. Utilize IAM-based, DNS-specific roles to delegate administrative or editor access to manage or view managed private zones.

Above four bullets copied from “Introducing Private DNS Zones“.

Private zones for Google Cloud DNS is a beta feature. This requires creating the private zone using the gcloud CLI.

Update: May 8, 2019. Google has released these features and you can now use with the CLI or the GUI to create your zones. I have changed the CLI examples to no longer use the beta features as these are production now.

For this article, we will use the domain name “example.com” for the Cloud DNS name. We will set up both private and public zones. The public and private zones both use the same DNS name.

Step 1 – Create the private zone.

gcloud dns managed-zones create --dns-name="example.com" --description="Private Zone" --visibility=private --networks=default "private-zone"

Step 2 – Create the public zone.

Note you can skip this step if you are not using Google Cloud DNS for your domain name.

gcloud dns managed-zones create --dns-name="example.com" --description="Public Zone" --visibility=public "public-zone"

Step 3 – Make the private zone visible to the default network. The Cloud DNS Zone name is “private”.

gcloud dns managed-zones update private --networks default

Step 4 – Get a VM instance full and short hostname.

This step requires manually figuring out what the internal hostname for an instance is. Connect to the instance. These commands run from the instance console.


This command returns the short hostname.


Now get the long hostname.

hostname -f

This command returns the long hostname.


Note: You can get the private DNS name from the metadata server:

curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname"

Step 5 – Add an instance to the private zone using its private DNS name.

This step uses the Google Cloud Console. Console -> Network Services -> Cloud DNS. Notice the two zones we just created “private zone” and “public zone”. Select the private zone.

The console should display two entries for this zone. The NS (name server) record and the SOA (Start of Authority).

Near the top of the Google Console window is the button “ADD RECORD SET”. Click this button.

For the DNS Name enter: web-server-1

For the Resource Record Type change to: CNAME

For the Canonical name enter: webserver1.useast4c.c.development123456.internal

Step 6 – Add an instance to the public zone using its public IP address.

Go back to the Cloud DNS. Select the public zone. Click “ADD RECORD SET”.

For the DNS Name enter: web-server-1 (or the name you want the public DNS to support).

For the Resource Record Type: A

For the IPv4 Address enter: <the public IP address>

Note: You can get the external (public) IP address from the metadata server:

curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip"


Step 7 – Verify the public DNS resolution.

From your desktop or another computer connected to the Internet, open a command shell/prompt and “ping web-server-1.example.com”. This should resolve to the public IP address.

Step 8 – Verify the private DNS resolution.

From another VM instance in the same Google Cloud VPC, open a command shell/prompt and “ping web-server-1.example.com”. This should resolve the private DNS name and IP address.

There you have it. Google Cloud DNS now supports split-horizon DNS (often called split-brain DNS).