You can manage DNS records for the Cloud DNS API by using either of two alternative API endpoints: Changes and ResourceRecordSets. While the Changes API requires you to delete existing resource record sets to add new ones, you can use the ResourceRecordSets API to replace resource record sets.
This page describes how to make additions, deletions, and updates to a resource record set by using the Changes and ResourceRecordSets API and how to send the desired changes to the API by using the import, export, and transaction commands.
Before you begin
You must have already created a managed zone and completed the prerequisites for creating a zone.
You can add or remove DNS records in a record set by creating and executing a transaction that specifies the operations that you want to perform. A transaction is a group of one or more record changes that must be propagated together. The entire transaction either succeeds or fails, so your data is never left in an intermediate state.
For more information about DNS record types, see this list of supported DNS record types.
Add a record
When adding a record, you can add two values or strings to the record set for the same DNS name. When adding record sets, you must add a space between the first value and the second value.
Console
To create a record set, follow these steps:
- In the Google Cloud console, go to the Cloud DNS zones page.
- Click the name of the managed zone that you want to add the record to.
- On the Zone details page, click Add standard.
- On the Create record set page, in the DNS name field, enter the subdomain of the DNS zone—for example, mail. The trailing dot is automatically added at the end. To create a wildcard DNS record, enter an asterisk—for example, *.example.com.
- Select the Resource record type—for example, MX.
- In the TTL field, enter a numeric value for the resource record's time to live, which is the amount of time that it can be cached. This value must be a positive integer.
- From the TTL unit menu, select the unit of time—for example, 30 minutes.
- Depending on the resource record type that you have selected, populate the remaining fields.
- To enter additional information, click Add item.
- Click Create.
gcloud
- To start a transaction, use the gcloud dns record-sets transaction start command:

    gcloud dns record-sets transaction start \
        --zone=MANAGED_ZONE

  Replace MANAGED_ZONE with the name of the managed zone whose record sets you want to manage—for example, my-zone-name.
- To add a record set as part of a transaction, use the gcloud dns record-sets transaction add command:

    gcloud dns record-sets transaction add RR_DATA \
        --name=DNS_NAME \
        --ttl=TTL \
        --type=RECORD_TYPE \
        --zone=MANAGED_ZONE

  Replace the following:
  - RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
  - DNS_NAME: the DNS or domain name of the record set to add—for example, test.example.com
  - TTL: the time to live (TTL) for the record set in number of seconds—for example, 300
  - RECORD_TYPE: the record type—for example, A.
  - MANAGED_ZONE: the name of the managed zone whose record sets you want to manage—for example, my-zone-name
- To execute the transaction, use the gcloud dns record-sets transaction execute command:

    gcloud dns record-sets transaction execute \
        --zone=MANAGED_ZONE

- To add a wildcard transaction, use the gcloud dns record-sets transaction add command:

    gcloud dns record-sets transaction add \
        --zone=MANAGED_ZONE \
        --name=WILDCARD_DNS_NAME \
        --type=RECORD_TYPE \
        --ttl=TTL

  Replace the following:
  - MANAGED_ZONE: the name of the managed zone whose record sets you want to manage—for example, my-zone-name
  - WILDCARD_DNS_NAME: the DNS or domain name of the record set that you want to add—for example, *.example.com. (note the trailing dot)
  - RECORD_TYPE: the record type—for example, CNAME.
  - TTL: the TTL for the record set in number of seconds—for example, 300
API
To update a transaction with new resource record sets, use the changes.create method:

    POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/changes
    {
      "deletions": [],
      "additions": [
        {
          "name": DNS_NAME,
          "type": RECORD_TYPE,
          "ttl": TTL,
          "rrdatas": [RR_DATA]
        }
      ]
    }

Replace the following:
- PROJECT_ID: your project ID
- MANAGED_ZONE: your managed zone name or ID
- DNS_NAME: the DNS or domain name of the record set—for example, test.example.com. (note the trailing dot)
- RECORD_TYPE: the record type
- TTL: the time to live (TTL) for the record set in number of seconds—for example, 30
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
Remove a record
Console
To remove a record or record set, follow these steps:
- In the Google Cloud console, go to the Cloud DNS page.
- Click the zone name whose record set you want to delete. Records for the zone are listed on the Zone details page.
- Next to the record that you want to delete, select the checkbox.
- Click Delete record set.
gcloud
To remove a record set as part of a transaction, use the gcloud dns record-sets transaction remove command:

    gcloud dns record-sets transaction remove RR_DATA \
        --name=DNS_NAME \
        --ttl=TTL \
        --type=RECORD_TYPE \
        --zone=MANAGED_ZONE

Replace the following:
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
- DNS_NAME: the DNS or domain name of the record set to remove—for example, test.example.com
- TTL: the TTL for the record set in number of seconds—for example, 30
- RECORD_TYPE: the record type—for example, A.
- MANAGED_ZONE: the name of the managed zone
To replace an existing record, run the remove command followed by the add command.
API
To update a transaction with deleted resource record sets, use the changes.create method:

    POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/changes
    {
      "deletions": [
        {
          "name": DNS_NAME,
          "type": RECORD_TYPE,
          "ttl": TTL,
          "rrdatas": [RR_DATA]
        }
      ],
      "additions": []
    }

Replace the following:
- PROJECT_ID: your project ID
- MANAGED_ZONE: your managed zone name or ID
- DNS_NAME: the DNS or domain name of the record set—for example, test.example.com. (note the trailing dot)
- RECORD_TYPE: the record type.
- TTL: the TTL for the record set in number of seconds—for example, 30
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
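Because the Changes API has no replace operation, changing a record set means sending its current contents as a deletion and the new contents as an addition in one changes.create body. The following is an added example, not code from the original page: it builds that body and rejects the input mistakes the placeholder notes above warn about (missing trailing dot, non-positive TTL). The function names and the sample record are constructed for illustration.

```python
import json

API = "https://dns.googleapis.com/dns/v1"  # endpoint used in the requests above


def rrset(name, rtype, ttl, rrdatas):
    """Return one resource record set in the shape changes.create expects."""
    if not name.endswith("."):
        raise ValueError(f"DNS name {name!r} must end with a trailing dot")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("TTL must be a positive integer number of seconds")
    if not rrdatas:
        raise ValueError("rrdatas must contain at least one value")
    return {"name": name, "type": rtype, "ttl": ttl, "rrdatas": list(rrdatas)}


def replacement_change(current, new_rrdatas, new_ttl=None):
    """Build a changes.create body that swaps `current` for new data.

    The deletion repeats the existing record set exactly as it is stored
    (same ttl and rrdatas); the addition reuses its name and type. Both
    travel in one request, so the zone never holds a half-applied change.
    """
    old = rrset(current["name"], current["type"],
                current["ttl"], current["rrdatas"])
    new = rrset(old["name"], old["type"],
                old["ttl"] if new_ttl is None else new_ttl, new_rrdatas)
    if old == new:
        raise ValueError("replacement is identical to the current record set")
    return {"deletions": [old], "additions": [new]}


def changes_url(project_id, managed_zone):
    """URL of the changes collection for one managed zone."""
    return f"{API}/projects/{project_id}/managedZones/{managed_zone}/changes"


# Constructed sample record set (documentation address range).
CURRENT = {"name": "host1.example.com.", "type": "A", "ttl": 300,
           "rrdatas": ["192.0.2.91"]}

if __name__ == "__main__":
    body = replacement_change(CURRENT, ["198.51.100.5"])
    print("POST", changes_url("PROJECT_ID", "my-zone-name"))
    print(json.dumps(body, indent=2))
```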
Import and export record sets
To copy record sets into and out of a managed zone, you can use import and export. The formats that you can import from and export to are either BIND zone file format or YAML records format.
gcloud
- To import a record set, use the dns record-sets import command. The --zone-file-format flag tells import to expect a BIND zone-formatted file. If you omit this flag, import expects a YAML-formatted records file:

    gcloud dns record-sets import -z=examplezonename \
        --zone-file-format path-to-example-zone-file

  When you use the gcloud dns record-sets import command, specifying --replace-origin-ns replaces the NS records for the zone with the NS records specified in the zone file. These records must match the name servers assigned by Cloud DNS to host the zone. They must also match the NS records specified in the parent (delegating) zone. By default, Cloud DNS does not overwrite NS records. If you use this flag, you must verify that the NS records are correct. They must come from a prior export of the same zone assigned to the same name server by Cloud DNS.
- To export a record set, use the dns record-sets export command. To specify that the record sets are exported into a BIND zone-formatted file, use the --zone-file-format flag. For example:

    example.com. 21600 IN NS ns-gcp-private.googledomains.com.
    example.com. 21600 IN SOA ns-gcp-private.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
    host1.example.com. 300 IN A 192.0.2.91

  If you omit the --zone-file-format flag, export exports the record set into a YAML-formatted records file:

    gcloud dns record-sets export example.zone -z=examplezonename

  For example:

    ---
    kind: dns#resourceRecordSet
    name: example.com.
    rrdatas:
    - ns-gcp-private.googledomains.com.
    ttl: 21600
    type: NS
    ---
    kind: dns#resourceRecordSet
    name: example.com.
    rrdatas:
    - ns-gcp-private.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
    ttl: 21600
    type: SOA
    ---
    kind: dns#resourceRecordSet
    name: host1.example.com.
    rrdatas:
    - 192.0.2.91
    ttl: 300
    type: A
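Before importing with --replace-origin-ns, the NS records at the zone apex of the file can be compared with the name servers that Cloud DNS assigned to the zone. The following is an added example, not code from the original page: it performs that comparison for the one-record-per-line BIND format shown in the export output. The function names and the second sample file are constructed, and the assigned name servers are assumed to be supplied by the caller (for instance from the nameServers field of gcloud dns managed-zones describe).

```python
def fqdn(name):
    """Normalise a DNS name to lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(zone_text):
    """Yield (owner, ttl, rtype, rdata) from one-record-per-line zone text.

    Assumption: each record has the form shown in the export example,
    `owner ttl IN type rdata...`, with a fully qualified owner name.
    $ORIGIN/$TTL directives, relative names and parenthesised multi-line
    records are rejected rather than guessed at.
    """
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        fields = line.split()
        if (line.startswith("$") or "(" in line or len(fields) < 5
                or not fields[0].endswith(".") or not fields[1].isdigit()
                or fields[2].upper() != "IN"):
            raise ValueError(f"line {lineno}: unsupported syntax: {raw!r}")
        yield (fields[0].lower(), int(fields[1]),
               fields[3].upper(), " ".join(fields[4:]))


def check_origin_ns(zone_text, origin, assigned_name_servers):
    """Compare apex NS records in the file with the zone's assigned servers.

    Returns (ok, missing, unexpected). `missing` lists assigned servers that
    the file lacks; `unexpected` lists NS targets in the file that were not
    assigned. NS records below the apex (delegations) are ignored.
    """
    apex = fqdn(origin)
    in_file = {fqdn(rdata) for owner, _ttl, rtype, rdata
               in parse_records(zone_text)
               if owner == apex and rtype == "NS"}
    assigned = {fqdn(ns) for ns in assigned_name_servers}
    missing = sorted(assigned - in_file)
    unexpected = sorted(in_file - assigned)
    return (not missing and not unexpected), missing, unexpected


# The export output shown above.
EXPORTED = """\
example.com. 21600 IN NS ns-gcp-private.googledomains.com.
example.com. 21600 IN SOA ns-gcp-private.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
host1.example.com. 300 IN A 192.0.2.91
"""

# Constructed sample: a file carried over from another provider.
FOREIGN = """\
; zone file from a previous provider (constructed)
example.com. 3600 IN NS ns1.other-provider.example.
sub.example.com. 3600 IN NS ns1.delegated.example.
host1.example.com. 300 IN A 192.0.2.91
"""

ASSIGNED = ["ns-gcp-private.googledomains.com."]

if __name__ == "__main__":
    for label, text in (("exported", EXPORTED), ("foreign", FOREIGN)):
        print(label, check_origin_ns(text, "example.com.", ASSIGNED))
```

Run the check against the file you intend to import and proceed with --replace-origin-ns only when it reports no missing and no unexpected name servers.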
Display the current record set
gcloud
To display the current DNS records for your zone, use the gcloud dns record-sets list command:

    gcloud dns record-sets list \
        --zone="myzonename"

The command outputs the JSON response for the resource record set for the first 100 records. You can specify these additional parameters:
- --limit: maximum number of record sets to list
- --name: only list record sets with this exact domain name
- --type: only list records of this type; if present, the --name parameter must also be present
Create a resource record set
Console
To create a resource record set, follow these steps:
- In the Google Cloud console, go to the Cloud DNS page.
- Click the zone for which you want to create a resource record set.
- On the Zone details page, click Add standard.
- Enter the DNS name for the record set—for example, test.example.com.
- Select the resource record type.
- Enter the time to live (TTL) for the resource record set—for example, 30.
- Select the TTL unit—for example, minutes.
- Enter the details based on the record type that you have selected.
- Click Create.
gcloud
To create a resource record set, use the gcloud dns record-sets create command:

    gcloud dns record-sets create RRSET_NAME \
        --rrdatas=RR_DATA \
        --ttl=TTL \
        --type=RRSET_TYPE \
        --zone=MANAGED_ZONE

Replace the following:
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
- TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
API
To create a resource record set, use the resourceRecordSets.create method:

    POST https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets
    {
      "name": RRSET_NAME,
      "type": RRSET_TYPE,
      "ttl": TTL,
      "rrdatas": RR_DATA
    }

Replace the following:
- PROJECT_ID: the ID of the project
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RRSET_TYPE: the resource record type of this resource record set—for example, A
- TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
View details of a resource record set
This procedure assumes that you have created a resource record set within the managed zone that uses the same name and type.
Console
To view the details of an existing resource record set, follow these steps:
- In the Google Cloud console, go to the Cloud DNS zones page.
- Click the zone for which you want to view the resource record set.
- The Zone details page lists the details of all the resource record sets in that zone.
gcloud
To view the details of an existing resource record set, use the gcloud dns record-sets describe command:

    gcloud dns record-sets describe RRSET_NAME \
        --type=RRSET_TYPE \
        --zone=MANAGED_ZONE

Replace the following:
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
API
To get the details of an existing resource record set, use the resourceRecordSets.get method:

    GET https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets/RRSET_NAME/RRSET_TYPE

Replace the following:
- PROJECT_ID: the ID of the project
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
Patch a resource record set
Console
To apply a partial update to an existing resource record set, follow these steps:
- In the Google Cloud console, go to the Cloud DNS zones page.
- Click the zone for which you want to update the resource record set.
- On the Zone details page, next to the resource record set that you want to update, click Edit.
- After making the necessary updates, click Save.
gcloud
To apply a partial update to an existing resource record set, use the gcloud dns record-sets update command:

    gcloud dns record-sets update RRSET_NAME \
        --rrdatas=RR_DATA \
        --ttl=TTL \
        --type=RRSET_TYPE \
        --zone=MANAGED_ZONE

Replace the following:
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
- TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
API
To apply a partial update to an existing resource record set, use the resourceRecordSets.patch method:

    PATCH https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets/RRSET_NAME/RRSET_TYPE
    {
      "ttl": TTL,
      "rrdatas": RR_DATA,
      "update_mask": {
        "paths": ["rrset.ttl", "rrset.rrdatas"]
      }
    }

Replace the following:
- PROJECT_ID: the ID of the project
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
- TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
- RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4 ...
Delete a resource record set
Console
To delete an existing resource record set, follow these steps:
- In the Google Cloud console, go to the Cloud DNS zones page.
- Click the zone for which you want to delete the resource record set.
- On the Zone details page, next to the DNS name of the resource record set that you want to delete, select the checkbox.
- Click Delete record sets.
gcloud
To delete an existing resource record set, use the gcloud dns record-sets delete command:

    gcloud dns record-sets delete RRSET_NAME \
        --type=RRSET_TYPE \
        --zone=MANAGED_ZONE

Replace the following:
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
API
To delete an existing resource record set, use the resourceRecordSets.delete method:

    DELETE https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets/RRSET_NAME/RRSET_TYPE

Replace the following:
- PROJECT_ID: the ID of the project
- MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
- RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
- RRSET_TYPE: the resource record type of this resource record set—for example, A.
Select resource record types
A
The host's numeric address, in IPv4 dotted decimal format. The A record type maps an IPv4 address to a domain name and determines where the requests for the domain name are directed—for example, 192.0.2.91.
AAAA
The host's numeric IP address, in IPv6 hexadecimal format. The AAAA (quad A) record type maps an IPv6 address to a domain name and determines where the requests for the domain name are directed—for example, 2001:db8::8bd:1002.
ALIAS (Preview)
The canonical name to resolve for incoming address queries—for example, example.my-cdn.net. When an A/AAAA query reaches an ALIAS record, the ALIAS's canonical name is resolved to determine the returned IP addresses. You can only add an ALIAS record at the apex of a domain.
CAA
The certificate authorities that are authorized to issue certificates for this domain—for example, ca.example.net.
Create a CAA record type to ensure that unauthorized CAs don't issue certificates to your domain.
CNAME
The DNS alias for an A record—for example, ftp.example.com is a DNS alias to www.example.com. In this example, ftp.example.com is a service present in the same server as www.example.com. Links pointing to ftp.example.com receive the A record of www.example.com.
You can also use the CNAME record type to point to an entirely different domain name—for example, altostrat.com is a DNS alias to www.example.com.
Sometimes, a name server responds with the CNAME record and the A record referred to by the CNAME value; this behavior is called CNAME chasing.
DNSKEY
The DNSSEC public key that the resolvers use to verify the authenticity of records using ZSK and KSK keys—for example, 7200 IN DNSKEY 256 3 8 AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI. In this example, 7200 is the TTL, 256 is the decimal representation of DNSKEY flags, 3 is the protocol indicator for DNSSEC, and 8 is the RSA/SHA-256 cryptographic algorithm used for the key.
You can only add this record type in a public and DNSSEC-enabled zone that is in the Transfer state. For more information, see Manage DNSSEC configuration.
DS
The DNSSEC key fingerprint for a secure delegated zone—for example, 7200 IN DS 31523 5 1 c8761ba5defc26ac7b78e076d7c47fa9f86b9fba.
In this example, 7200 is the TTL, 31523 is the keytag, 5 is the algorithm, and 1 is the digest type.
You can only add this record type in a public zone. This record type does not activate DNSSEC for a delegated zone unless you enable (and activate) DNSSEC for this zone. DNSSEC is not enabled by default for zones.
HTTPS, SVCB
The service priority (SvcPriority), which is 0 for aliases and 1-65535 for service descriptions, TargetName ("." if same as the owner name), and service parameters (SvcParams), consisting of key=value pairs describing the target endpoint, separated by spaces. For more details, see the draft specification.
IPSECVPNKEY
The IPsec public VPN key. The IPSECVPNKEY record type enables opportunistic encryption through IPsec tunnels—for example, 10 1 2 192.0.2.1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt==.
You can only add this record type in a public zone.
MX
A preference number and DNS name of a mail exchange server that receives emails on behalf of your domain. SMTP servers prefer servers with lower preference numbers. 0 is the lowest preference number that you can enter.
For example: 1 mail.example.com.
Ensure that there is a space between the preference number and the DNS name. The MX record that you enter must end with a period or trailing dot (.).
You can create multiple records with different priorities to configure backup mail servers or use the same priority to distribute the load across multiple mail servers.
For example, to direct your email to your Google Workspace account, enter the following:
- 1 ASPMX.L.GOOGLE.COM.
- 5 ALT1.ASPMX.L.GOOGLE.COM.
- 5 ALT2.ASPMX.L.GOOGLE.COM.
NAPTR
The name authority pointer rules used for mapping Uniform Resource Names (URN) by Dynamic Delegation Discovery System (DDDS) applications—for example, 100 10 "u" "sip+E2U" "!^.*$!sip:information@example.com!i". For more information, see RFC 3403.
The NAPTR record type is used by DDDS applications to convert or replace one value with another to find a URN.
NS
The DNS name of the authoritative name server that provides DNS services for your domain or subdomain. Your NS records must match the name servers for your zone—for example, ns-1.example.com.
PTR
The Fully Qualified Domain Name (FQDN) or the canonical name of the domain that maps to an IP address—for example, server-1.example.com.
The PTR record type is typically used for reverse lookups.
SPF
The SPF record set type is deprecated. Use TXT records starting with v=spf1 instead. SPF type records are not used by modern email software.
SRV
The data that specifies the location, that is, the hostname and port number, of servers for a particular service—for example, 0 1 587 mail.example.com.
For more information, see RFC 2782.
SSHFP
The SSH server algorithm number, fingerprint type number, and key fingerprint—for example, 2 1 123456789abcdef67890123456789abcdef67890.
Use this record type only if you have enabled DNSSEC for this zone.
TLSA
The DNS-based Authentication of Named Entities (DANE) TLSA Certificate Association information.
A TLSA record contains information used to validate X.509 certificates (such as certificates used by HTTPS) without depending on one of a preconfigured set of certificate authorities (CAs) signing them—for example, 1 1 2 92003ba34942dc74152e2f2c408d29ec. In this example, 1 is the protocol indicator for DNSSEC, 1 is the public key, and 2 is the RSA/SHA-256 cryptographic algorithm used for the key.
Use this record type only if you have enabled DNSSEC for this zone.
TXT
Text data, which can contain arbitrary text and can also be used to define machine-readable data, such as security or abuse prevention information.
A TXT record may contain one or more text strings; the maximum length of each string is 255 characters. If your record data is more than 255 bytes, divide your record into 255-byte strings and enclose each string in quotation marks—for example, "String one 255 bytes" "String two 255 bytes".
Mail agents and other software agents concatenate multiple strings. Enclose each string in quotation marks—for example, "Hello world" "Bye world".
Each TXT record has a 1000-character limit. If you need to increase this limit, contact Google Cloud support.
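Long TXT values such as published public keys have to be divided by hand into quoted strings. The following is an added example, not code from the original page: it splits a value into quoted strings of at most 255 bytes, enforces the 1000-character limit, and reassembles the strings the way a consuming agent does. The function names and the sample value are constructed, and applying the 1000-character limit to the unquoted value is an assumption, because the page does not say how the limit is counted.

```python
import re

MAX_STRING_BYTES = 255    # per-string limit stated above
MAX_RECORD_CHARS = 1000   # per-record limit stated above (assumed to apply
                          # to the value without the added quotation marks)


def txt_rrdata(value):
    """Return `value` as space-separated quoted strings of <= 255 bytes."""
    try:
        value.encode("ascii")
    except UnicodeEncodeError:
        # Restricting to ASCII keeps one character equal to one byte, so a
        # split can never land in the middle of a multi-byte character.
        raise ValueError("only ASCII values are handled by this helper")
    if '"' in value or "\\" in value:
        raise ValueError("values needing quote or backslash escaping "
                         "are not handled by this helper")
    if len(value) > MAX_RECORD_CHARS:
        raise ValueError(f"value is {len(value)} characters; "
                         f"limit is {MAX_RECORD_CHARS}")
    chunks = [value[i:i + MAX_STRING_BYTES]
              for i in range(0, len(value), MAX_STRING_BYTES)] or [""]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def split_strings(rrdata):
    """Return the individual quoted strings of a TXT rrdata value."""
    return re.findall(r'"([^"]*)"', rrdata)


def txt_value(rrdata):
    """Concatenate the quoted strings, as mail and other agents do."""
    return "".join(split_strings(rrdata))


# Constructed sample: a key-style value of 410 characters (not a real key).
SAMPLE = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    rrdata = txt_rrdata(SAMPLE)
    print([len(s) for s in split_strings(rrdata)])
    print(txt_value(rrdata) == SAMPLE)
```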
What's next
- To get information about gcloud commands for record sets, see gcloud dns record-sets.
- To check the status of gcloud or API operations, see Monitor DNS propagation.
- To access API information, see the Changes API method.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To get an overview of Cloud DNS, see Cloud DNS overview.