A Response Policy Rule is a selector that applies its behavior to queries that match the selector. Selectors are DNS names, which may be wildcards or exact matches. Each DNS query subject to a Response Policy matches at most one ResponsePolicyRule, as identified by the dnsName field with the longest matching suffix.
JSON representation
{
  "ruleName": string,
  "kind": string,

  // Union field selector can be only one of the following:
  "dnsName": string
  // End of list of possible types for union field selector.

  // Union field action can be only one of the following:
  "localData": {
    object (LocalData)
  },
  "behavior": enum (Behavior)
  // End of list of possible types for union field action.
}
Fields
ruleName
string
An identifier for this rule. Must be unique within the ResponsePolicy.
kind
string
Union field selector.
selector can be only one of the following:
dnsName
string
The DNS name (wildcard or exact) to apply this rule to. Must be unique within the Response Policy Rule.
localData
object (LocalData)
Answer this query directly with DNS data. These ResourceRecordSets override any other DNS behavior for the matched name; in particular they override private zones, the public internet, and GCP internal DNS. No SOA nor NS types are allowed.
All resource record sets for this selector, one per resource record type. The name must match the dnsName.
Behavior
Enums
behaviorUnspecified
bypassResponsePolicy
Skip a less-specific Response Policy Rule and let the query logic continue. This mechanism, when used with wildcard selectors, lets you exempt specific subdomains from a broader Response Policy Rule and direct the queries to the public internet instead. For example, if the following rules exist:
A query for foo.example.com skips the wildcard rule.
This functionality also facilitates allowlisting. Response Policy Zones (RPZs) can be applied at multiple levels within the hierarchy: for example, an organization, a folder, a project, or a VPC network. If an RPZ rule is applied at a higher level, adding a passthrough rule at a lower level will override it. Queries from affected virtual machines (VMs) to that domain bypass the RPZ and proceed with normal resolution.
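The longest-matching-suffix selection and the bypass behavior described above, modelled offline as an added example (not part of the API reference and not Google's implementation). The rule set is constructed sample data; the helper names, the localDatas record layout, and the wildcard semantics (a wildcard covers names below its suffix but not the suffix itself) are assumptions.

```python
# Added example: offline model of Response Policy Rule selection.
# RULES is constructed sample data shaped like the JSON representation.
RULES = [
    {"ruleName": "block-wild", "dnsName": "*.example.com.",
     "localData": {"localDatas": [{"name": "*.example.com.", "type": "A",
                                   "ttl": 300, "rrdatas": ["192.0.2.1"]}]}},
    {"ruleName": "allow-foo", "dnsName": "foo.example.com.",
     "behavior": "bypassResponsePolicy"},
    {"ruleName": "allow-orphan", "dnsName": "ok.example.net.",
     "behavior": "bypassResponsePolicy"},
]

def _labels(name):
    return name.lower().rstrip(".").split(".")

def match_len(selector, qname):
    """Labels of suffix matched by selector, or 0 when it does not apply."""
    sel, q = _labels(selector), _labels(qname)
    if sel[0] == "*":
        suffix = sel[1:]
        # Assumption: a wildcard covers names below the suffix, not the suffix itself.
        if suffix and len(q) > len(suffix) and q[-len(suffix):] == suffix:
            return len(suffix)
        return 0
    return len(sel) if q == sel else 0

def select_rule(rules, qname):
    """At most one rule applies: the one with the longest matching suffix."""
    best, best_len = None, 0
    for rule in rules:
        n = match_len(rule["dnsName"], qname)
        if n > best_len:
            best, best_len = rule, n
    return best

def outcome(rules, qname):
    rule = select_rule(rules, qname)
    if rule is None:
        return "normal-resolution"
    kind = "bypass" if rule.get("behavior") == "bypassResponsePolicy" else "localData"
    return kind + ":" + rule["ruleName"]

def audit_bypasses(rules):
    """Pair each bypass rule with the broader rule it exempts from (None if none)."""
    findings = []
    for rule in rules:
        if rule.get("behavior") == "bypassResponsePolicy":
            probe = rule["dnsName"].replace("*", "probe", 1)
            shadowed = select_rule([r for r in rules if r is not rule], probe)
            findings.append((rule["dnsName"], shadowed and shadowed["ruleName"]))
    return findings
```

A bypass rule that `audit_bypasses` pairs with `None` exempts nothing in this rule set; it may be overriding a rule applied at a higher level of the hierarchy, or it may be a stale allowlist entry worth reviewing.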
Last updated 2025-05-19 UTC.