Stay organized with collections
Save and categorize content based on your preferences.
This page guides you through how to configure DNS resolution for a new domain in Google Distributed Cloud (GDC) air-gapped.
In GDC through the use of DNS zones.
The intended audience for this page is platform administrators and application operators
responsible for managing DNS resolution for their organization.
You can create public or private DNS zones in your GDC environment to match the visibility and access requirements of your services:
For services that require external network visibility and access: Set up
a public DNS zone to allow users and systems outside your network access to
your service. If you have a website, a public-facing API, or any service
that needs to be reachable from outside your GDC
Cloud environment, you need a public DNS zone to map your domain name to the
appropriate IP addresses.
For services that require secure and restricted access to internal
systems: Set up a private DNS zone to hide your internal domain name and
restrict access to your internal services. If you have an internal
application, database, or microservice that needs to communicate with other
internal services using only secure protocols and private IP addresses, you
need a private DNS zone to map your domain name to the appropriate IP
addresses A private DNS zone ensures that these services
can find each other using internal domain names without exposing their
existence or IP addresses to the external network. This enhances security
and simplifies internal networking.
For more information about the difference between public and private DNS zones, see Zone types for Cloud DNS.
Before you begin
To configure DNS zones in GDC and add records, you must
have the following:
An existing project. For more information, see Create a
project.
GLOBAL_API_SERVER: the global API server's kubeconfig path. For more
information, see Global and zonal API servers.
If you have not yet generated a kubeconfig file for the API server, see
Sign in for details.
DNS_ZONE_NAME: the name of your DNS zone.
PROJECT_NAMESPACE: the namespace of your project.
DOMAIN_NAME: the domain name for your public
DNS zone, such as example.com.
DESCRIPTION: a description for your DNS zone.
For example, Public DNS zone for example.com. This field is optional.
For a public DNS zone, you must configure the DNS resolver in your network to forward
DNS requests for that DNS zone to the name servers in GDC that host that
DNS zone. The name servers are listed in the status of a ManagedDNSZone custom resource:
For this example, the DNS resolver needs to be updated to forward
requests for example.com to
ns.managed-dns-public.gdc1.staging.gpcdemolabs.com. This configuration assumes that the resolver already has the configuration needed to appropriately forward DNS requests for GDC's infrastructure DNS zone gdc1.staging.gpcdemolabs.com.
Create a private DNS zone
Use the Kubernetes API to create a private DNS zone:
Create and apply a ManagedDNSZone resource to create a DNS zone
accessible only from within the default customer VPC:
GLOBAL_API_SERVER: the global API server's kubeconfig path. For more
information, see Global and zonal API servers.
If you have not yet generated a kubeconfig file for the API server, see
Sign in for details.
DNS_ZONE_NAME: the name of your DNS zone.
PROJECT_NAMESPACE: the namespace of your project.
DOMAIN_NAME: the domain name for your private
DNS zone, such as example.com.
DESCRIPTION: a description for your DNS zone.
For example, Private DNS zone for example.com. This field is optional.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Create DNS zones\n\n| **Preview:** This is a Preview feature that is available as-is and is not recommended for production environments. Google provides no Service-Level agreements (SLA) or technical support commitments for Preview features. For more information, see GDC's [feature stages](/distributed-cloud/hosted/docs/latest/gdch/resources/feature-stages).\n\nThis page guides you through how to configure DNS resolution for a new domain in Google Distributed Cloud (GDC) air-gapped.\nIn GDC through the use of DNS zones.\n\nThe intended audience for this page is platform administrators and application operators\nresponsible for managing DNS resolution for their organization.\n\nYou can create public or private DNS zones in your GDC environment to match the visibility and access requirements of your services:\n\n- **For services that require external network visibility and access:** Set up a public DNS zone to allow users and systems outside your network access to your service. If you have a website, a public-facing API, or any service that needs to be reachable from outside your GDC Cloud environment, you need a public DNS zone to map your domain name to the appropriate IP addresses.\n- **For services that require secure and restricted access to internal\n systems:** Set up a private DNS zone to hide your internal domain name and restrict access to your internal services. If you have an internal application, database, or microservice that needs to communicate with other internal services using only secure protocols and private IP addresses, you need a private DNS zone to map your domain name to the appropriate IP addresses A private DNS zone ensures that these services can find each other using internal domain names without exposing their existence or IP addresses to the external network. This enhances security and simplifies internal networking.\n\nFor more information about the difference between public and private DNS zones, see [Zone types for Cloud DNS](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/dns/dns-overview#zone-types).\n\nBefore you begin\n----------------\n\nTo configure DNS zones in GDC and add records, you must\nhave the following:\n\n- An existing project. For more information, see [Create a\n project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/create-a-project).\n- The necessary identity and access roles. For more information, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/dns/dns-permissions).\n\nCreate a public DNS zone\n------------------------\n\nUse the Kubernetes API in GDC to create a public DNS zone:\n\n1. Create and apply a `ManagedDNSZone` resource to create a DNS zone\n accessible from outside of GDC:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e apply -f - \u003c\u003cEOF\n apiVersion: networking.global.gdc.goog/v1\n kind: ManagedDNSZone\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDNS_ZONE_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dnsName: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDOMAIN_NAME\u003c/span\u003e\u003c/var\u003e\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDESCRIPTION\u003c/span\u003e\u003c/var\u003e\n visibility: PUBLIC\n EOF\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e: the global API server's kubeconfig path. For more information, see [Global and zonal API servers](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers). If you have not yet generated a kubeconfig file for the API server, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) for details.\n - \u003cvar translate=\"no\"\u003eDNS_ZONE_NAME\u003c/var\u003e: the name of your DNS zone.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAMESPACE\u003c/var\u003e: the namespace of your project.\n - \u003cvar translate=\"no\"\u003eDOMAIN_NAME\u003c/var\u003e: the domain name for your public DNS zone, such as `example.com`.\n - \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: a description for your DNS zone. For example, `Public DNS zone for example.com`. This field is optional.\n2. For a public DNS zone, you must configure the DNS resolver in your network to forward\n DNS requests for that DNS zone to the name servers in GDC that host that\n DNS zone. The name servers are listed in the status of a `ManagedDNSZone` custom resource:\n\n apiVersion: networking.global.gdc.goog/v1\n kind: ManagedDNSZone\n metadata:\n name: public-example-com\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dnsName: example.com\n description: \"Public DNS zone for example.com\"\n visibility: PUBLIC\n status:\n ...\n nameServers:\n - ns.managed-dns-public.gdc1.staging.gpcdemolabs.com\n\n For this example, the DNS resolver needs to be updated to forward\n requests for `example.com` to\n `ns.managed-dns-public.gdc1.staging.gpcdemolabs.com`. This configuration assumes that the resolver already has the configuration needed to appropriately forward DNS requests for GDC's infrastructure DNS zone `gdc1.staging.gpcdemolabs.com`.\n\nCreate a private DNS zone\n-------------------------\n\nUse the Kubernetes API to create a private DNS zone:\n\n- Create and apply a `ManagedDNSZone` resource to create a DNS zone\n accessible only from within the default customer VPC:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e apply -f - \u003c\u003cEOF\n apiVersion: networking.global.gdc.goog/v1\n kind: ManagedDNSZone\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDNS_ZONE_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dnsName: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDOMAIN_NAME\u003c/span\u003e\u003c/var\u003e\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDESCRIPTION\u003c/span\u003e\u003c/var\u003e\n visibility: PRIVATE\n EOF\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER\u003c/var\u003e: the global API server's kubeconfig path. For more information, see [Global and zonal API servers](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers). If you have not yet generated a kubeconfig file for the API server, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) for details.\n - \u003cvar translate=\"no\"\u003eDNS_ZONE_NAME\u003c/var\u003e: the name of your DNS zone.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAMESPACE\u003c/var\u003e: the namespace of your project.\n - \u003cvar translate=\"no\"\u003eDOMAIN_NAME\u003c/var\u003e: the domain name for your private DNS zone, such as `example.com`.\n - \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: a description for your DNS zone. For example, `Private DNS zone for example.com`. This field is optional.\n\nWhat's next\n-----------\n\n- [Create a DNS record](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/dns/create-dns-records)"]]