Google Cloud: DNS Overview


Google Cloud DNS: The Definitive Guide [2019] - SiteYaar


DNS is a hierarchical distributed database that stores IP addresses and other data and allows queries by name.

In other words, DNS is a directory of easily readable domain names that translate to numeric IP addresses used by computers to communicate with each other. For example, when you type a URL into a browser, DNS converts the URL into an IP address of a web server associated with that name.

The DNS directories are stored and distributed around the world on domain name servers that are updated regularly.

The following concepts are useful when working with DNS:

DNS server types

A DNS server stores a database of domain names, and then processes domain names based on DNS queries that come from a client in a network.

Authoritative server

An authoritative server is a server that holds the DNS name records, including A, AAAA, and CNAME.

Non-authoritative server

A non-authoritative server constructs a cache file based on previous queries for domains. It does not hold the original name records.

Recursive resolver

A recursive resolver is the server that sends a query to the authoritative or non-authoritative server for resolution. A recursive resolver is so called because it performs every query needed for a given name and returns the final result to the client.

This is in contrast to an iterative resolver, which only returns a referral to the next DNS servers that might have the answer.

Following is an example of a recursive resolver in action; if you run dig +trace, the recursive resolver performs the following action ( Public DNS is one such resolver):

 dig +trace
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +trace
;; global options: +cmd
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  NS
.           168383  IN  RRSIG   NS 8 0 518400 20190810170000 20190728160000 59944 .
    1nKZVN8SsO8s7elz6JGmdoM6D/1ByLNFQmKvU55ikaVSnXylqixLbJQI 7LyQoA==
;; Received 525 bytes from in 22 ms

com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            172800  IN  NS
com.            86400   IN  DS  30909 8 2
    E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            86400   IN  RRSIG   DS 8 1 86400 20190811170000 20190729160000 59944 .
    MvuLPXvK6Y7oSh5WknbFduw7HQdo1jH3/QR54FORswBJT8VmYD7Zii88 tAjbRQ==
;; Received 1170 bytes from in 2 ms

    172800  IN  NS
    172800  IN  NS
    172800  IN  NS
    172800  IN  NS
    86400   IN  NSEC3 1 1 0 -
    86400 20190803044434 20190727033434 17708 com.
    8HSrHcXrRoAJopFim3Ge1xdZ+uERg3cTIcN2tJxxkCeqt/EcUTqtQl8t EAc=
    86400   IN  NSEC3 1 1 0 -
    8 2 86400 20190804045723 20190728034723 17708 com.
    7gU1AL7cqTmBAo2RWu62vtUytV09+O3KGFq5O+Cwr11dSTfq1yYyw6YW cMI=
;; Received 772 bytes from in 2 ms

    300 IN  A
;; Received 55 bytes from in 13 ms

Each DNS client queries a name server. A recursive resolver queries other name servers, all the way up to a top-level name server, if necessary. The NS record for a zone on an upper-level name server directs the resolver down to another name server, eventually reaching either a name server that cached the zone or the authoritative server for the zone.


Public zone

A public zone is visible to the internet. You can create DNS records in a public zone to publish your service on the internet. For example, you might create an A record in a public zone called (note the trailing dot) for your public website.

Private zone

A private zone is any zone that cannot be queried over the public internet.

Delegated subzone

DNS allows the owner of a zone to use NS records to delegate a subdomain to a different name server. Resolvers follow these records and send queries for the subdomain to the target name server specified in the delegation.

For example, you can create separate zones for both and, each with its own authoritative name server. Because is a child domain of, the method to enable the authoritative name server for the subdomain to be located from the parent domain’s zone is called delegation.

Delegation is essentially a pointer to the authoritative name server for a subdomain. To enable delegation in Cloud DNS, you can add NS records for the subdomains in the zone of the parent domain.
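The referral chain described under "Recursive resolver" and the NS-record delegation described just above are the same mechanism, shown here in one added example (not code from the page or from Cloud DNS). All server names, zone contents and addresses are constructed; glue records are omitted.

```python
from typing import Dict, List, Optional, Tuple

Zone = Dict[Tuple[str, str], List[str]]
# Constructed data: each name server and the records it holds. Parents hold
# only NS records for their children, exactly as the root and .com servers do
# in the dig +trace output above (glue A records are omitted for brevity).
SERVERS: Dict[str, Zone] = {
    "root-server.": {("com.", "NS"): ["a.gtld-servers.net."]},
    "a.gtld-servers.net.": {("example.com.", "NS"): ["ns1.example.com."]},
    "ns1.example.com.": {
        ("www.example.com.", "A"): ["203.0.113.10"],
        # delegated subzone: NS records in the parent point at the child's server
        ("dev.example.com.", "NS"): ["ns1.dev.example.com."],
    },
    "ns1.dev.example.com.": {("app.dev.example.com.", "A"): ["198.51.100.7"]},
}
ROOT = "root-server."


def ask(server: str, name: str, rtype: str) -> Tuple[str, Optional[List[str]]]:
    """One iterative query: 'answer' with rdata if the server holds the record,
    'referral' with the delegated name server for the closest enclosing zone,
    or 'nxdomain' when the server knows nothing about the name."""
    zone = SERVERS.get(server, {})  # an unknown server behaves like a lame one
    if (name, rtype) in zone:
        return "answer", zone[(name, rtype)]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):  # longest enclosing suffix first
        suffix = ".".join(labels[i:])
        if (suffix, "NS") in zone:
            return "referral", zone[(suffix, "NS")]
    return "nxdomain", None


def resolve(name: str, rtype: str, trace: Optional[list] = None) -> Optional[List[str]]:
    """What a recursive resolver does for its client: start at the root and
    follow NS referrals down the hierarchy until an answer or a dead end."""
    server = ROOT
    for _ in range(8):  # bound the chain so a looping delegation cannot hang us
        kind, data = ask(server, name, rtype)
        if trace is not None:
            trace.append((server, kind))
        if kind == "answer":
            return data
        if kind == "nxdomain":
            return None
        server = data[0]  # follow the delegation to the child's name server
    return None  # referral loop or lame delegation: give up (SERVFAIL)
```

Passing a list as `trace` records which server answered each step, which is the same picture dig +trace prints.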

Split horizon DNS

Split horizon describes the case where two zones, one used by the internal network and the other by the external network (usually the internet), exist for the same domain. Split-horizon DNS lets you serve different answers (different resource record sets) for the same name depending on who is asking.

For example, you can provide the development/staging version of your app if the query comes from the development network, and the production/public version of your app if the query comes from the public internet.


A resource record is a mapping between a DNS resource and a domain name. Each individual DNS record has a type (name and number), an expiration time (time to live), and type-specific data.

Some of the commonly used record types are:

  • A: Address record, which maps host names to their IPv4 address.
  • AAAA: IPv6 Address record, which maps host names to their IPv6 address.
  • CNAME: Canonical name record, which specifies alias names.
  • MX: Mail exchange record, which is used in routing requests to mail servers.
  • NS: Name server record, which delegates a DNS zone to an authoritative server.
  • PTR: Pointer record, which defines a name associated with an IP address.
  • SOA: Start of authority record, which designates the primary name server and the administrator responsible for a zone. Each zone hosted on a DNS server must have an SOA record. You can modify the record as needed (for example, you can set the serial number to an arbitrary value to support date-based versioning).

Record sets

Records with the same name and of the same type but with different data values are called record sets. When you create a record, if a set with the same name and type exists, the record is added to this matching set. If there’s no matching set, a new set is created and appended to the list of record sets.

This is an example of a record set with more than one record having the same name and type:

DNS name    Type    TTL (seconds)    Data

For a list of supported record types in Cloud DNS, see Supported DNS record types.


A domain name registrar is an organization that manages the reservation of internet domain names for public zones. A registrar must be accredited by a generic top-level domain (gTLD) registry or a country code top-level domain (ccTLD) registry. This is how upper-level name servers agree on SOA and update NS records for the zone to direct requests to caching or authoritative name servers.

SOA serial number

The SOA serial number is a version number for a DNS zone. For all name servers to be current with the version of a zone, they must have the same SOA serial number. The serial numbers of SOA records created in DNS managed zones monotonically increase with each transactional change to a zone’s record sets.

However, you can change the serial number of an SOA record to an arbitrary number, including an ISO 8601-formatted date, as recommended in RFC 1912.
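Setting the serial by hand is safe only if every new value is still "greater" than the old one in the serial-number arithmetic of RFC 1982, which is how other name servers decide whether the zone has changed. The following is an added example (not code from the page or from Cloud DNS) that builds the YYYYMMDDnn serial RFC 1912 recommends from an ISO 8601 date and falls back to current + 1 whenever the date-based value would not be newer.

```python
from datetime import date

MODULUS = 1 << 32          # the SOA serial is an unsigned 32-bit field
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than serial b under RFC 1982 serial-number
    arithmetic (wrap-around aware), which is how secondaries decide whether
    a zone has changed."""
    a, b = a % MODULUS, b % MODULUS
    return a != b and ((a > b and a - b < HALF) or (a < b and b - a > HALF))


def date_serial(iso_day: str, revision: int = 0) -> int:
    """YYYYMMDDnn serial recommended by RFC 1912, built from an ISO 8601 date
    such as "2019-07-28"; nn is the nth change made on that day (00..99)."""
    if not 0 <= revision <= 99:
        raise ValueError("revision must be between 0 and 99")
    return int(date.fromisoformat(iso_day).strftime("%Y%m%d")) * 100 + revision


def next_serial(current: int, iso_today: str) -> int:
    """Pick the serial for the next zone edit: today's date-based value when
    it is newer than the current serial, otherwise current + 1. The fallback
    covers more than 100 edits in one day and a current serial that is already
    larger than any date-based value, so the sequence stays monotonic."""
    candidate = date_serial(iso_today)
    if not serial_gt(candidate, current):
        candidate = (current + 1) % MODULUS
    return candidate
```

Note the wrap-around case in the assertions: from 4294967295 a date-based serial counts as newer, but from 4000000000 it does not, so only the increment keeps secondaries in step.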


The Domain Name System Security Extension (DNSSEC) addresses vulnerabilities to DNS data. DNSSEC is a suite of IETF specifications that provides authentication of DNS data, authenticated denial of existence, and data integrity to DNS clients (resolvers). In short, DNSSEC provides a way for software to verify the origin of DNS data and validate that it has not been modified in transit.

For more details about DNSSEC, see RFC 4033.

For a list of general DNS terminology, see RFC 7719.
