Stay organized with collectionsSave and categorize content based on your preferences.
This document describes how to configure and use DNS64 server policies with
Virtual Private Cloud (VPC) networks.
Before you begin
DNS64 server policies don't apply to dual-stack virtual machine (VM)
instances, IPv4-only VM instances, serverless workloads, or
requests sent to endpoints created by
aninbound DNS server
policy.
Make sure that you have the required permissions to create a DNS64 server
policy.
Permissions required for this task
To perform this task, you must have been granted the following permissionsorthe following IAM roles.
Permissions
dns.policies.createto create a DNS64 server policy
dns.policies.deleteto delete a DNS64 server policy
dns.policies.getto fetch the current configuration of a DNS64 server policy
dns.policies.listto list all DNS server policies associated with a project
dns.policies.updateto update a DNS64 server policy
dns.managedZones.listto list managed zones
Roles
DNS Administrator (roles/dns.admin)
Create a DNS64 server policy
Create a DNS64 server policy to enable communication between IPv6-only
workloads and IPv4-only destinations.
After you create a DNS64 server policy, the following occurs when
an IPv6 (AAAA) record is queried:
If anAAAADNS record exists, the DNS server returns an IPv6
address. Your workload connects by using that IPv6 address.
If noAAAADNS record exists, Cloud DNS looks forArecords.
Cloud DNS then creates IPv6 addresses for the IPv4 addresses in theArecord, by using the64:ff9b::/96IPv6 prefix.
To create a DNS64 server policy, follow these steps.
NETWORK_URL: the fully qualified URL of the
VPC network that your DNS server policy must bind to,
formatted as follows:https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME.
Specify the network that contains the IPv6-only subnets and instances.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis document details the configuration and usage of DNS64 server policies within Virtual Private Cloud (VPC) networks, enabling communication between IPv6-only workloads and IPv4-only destinations.\u003c/p\u003e\n"],["\u003cp\u003eDNS64 server policies are used to translate IPv4 addresses to IPv6 addresses when an \u003ccode\u003eAAAA\u003c/code\u003e DNS record does not exist for the queried domain, using the \u003ccode\u003e64:ff9b::/96\u003c/code\u003e IPv6 prefix.\u003c/p\u003e\n"],["\u003cp\u003eCreating a DNS64 server policy requires specific permissions, including \u003ccode\u003edns.policies.create\u003c/code\u003e, \u003ccode\u003edns.policies.delete\u003c/code\u003e, \u003ccode\u003edns.policies.get\u003c/code\u003e, \u003ccode\u003edns.policies.list\u003c/code\u003e, and \u003ccode\u003edns.policies.update\u003c/code\u003e, or the DNS Administrator role.\u003c/p\u003e\n"],["\u003cp\u003eDNS64 server policies can be managed using the \u003ccode\u003egcloud\u003c/code\u003e command-line tool or the \u003ccode\u003epolicies.create\u003c/code\u003e API, where you can create, verify, and disable the policy as needed.\u003c/p\u003e\n"],["\u003cp\u003ePre-GA products and features, like the ones described, are available "as is," might have limited support, and are subject to the "Pre-GA Offerings Terms" in the General Service Terms.\u003c/p\u003e\n"]]],[],null,["# Configure DNS64\n\nThis document describes how to configure and use DNS64 server policies with\nVirtual Private Cloud (VPC) networks.\n\nBefore you begin\n----------------\n\n- DNS64 server policies don't apply to dual-stack virtual machine (VM) instances, IPv4-only VM instances, serverless workloads, or requests sent to endpoints created by an [inbound DNS server\n policy](/dns/docs/server-policies-overview#dns-server-policy-in).\n- Make sure that you have the required permissions to create a DNS64 server policy.\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* the following IAM roles.\n\n**Permissions**\n\n- `dns.policies.create` to create a DNS64 server policy\n- `dns.policies.delete` to delete a DNS64 server policy\n- `dns.policies.get` to fetch the current configuration of a DNS64 server policy\n- `dns.policies.list` to list all DNS server policies associated with a project\n- `dns.policies.update` to update a DNS64 server policy\n- `dns.managedZones.list` to list managed zones\n\n**Roles**\n\n- DNS Administrator (`roles/dns.admin`)\n\nCreate a DNS64 server policy\n----------------------------\n\nCreate a DNS64 server policy to enable communication between IPv6-only\nworkloads and IPv4-only destinations.\n\nAfter you create a DNS64 server policy, the following occurs when\nan IPv6 (`AAAA`) record is queried:\n\n- If an `AAAA` DNS record exists, the DNS server returns an IPv6 address. Your workload connects by using that IPv6 address.\n- If no `AAAA` DNS record exists, Cloud DNS looks for `A` records. Cloud DNS then creates IPv6 addresses for the IPv4 addresses in the `A` record, by using the `64:ff9b::/96` IPv6 prefix.\n\nTo create a DNS64 server policy, follow these steps. \n\n### gcloud\n\nTo create a DNS64 server policy, run the [`gcloud dns policies\ncreate` command](/sdk/gcloud/reference/dns/policies/create): \n\n```\ngcloud dns policies create NAME \\\n --description=DESCRIPTION \\\n --networks=VPC_NETWORK_LIST \\\n --enable-dns64-all-queries\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e: a name for the policy\n- \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: a description for the policy\n- \u003cvar translate=\"no\"\u003eVPC_NETWORK_LIST\u003c/var\u003e: a comma-delimited list of VPC networks that the DNS server policy binds to\n\n### Terraform\n\n```\nresource \"google_dns_policy\" \"default\" {\n name = \"NAME\"\n\n dns64_config {\n scope {\n all_queries = true\n }\n }\n\n alternative_name_server_config {\n target_name_servers {\n ipv4_address = \"PRIVATE_IP_ADDRESS\"\n forwarding_path = \"private\"\n }\n target_name_servers {\n ipv4_address = \"PUBLIC_IP_ADDRESS\"\n }\n }\n\n networks {\n network_url = google_compute_network.default.id\n }\n}\n\nresource \"google_compute_network\" \"default\" {\n name = \"network\"\n auto_create_subnetworks = false\n}\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e: a name for the outbound DNS64 policy\n- \u003cvar translate=\"no\"\u003ePRIVATE_IP_ADDRESS\u003c/var\u003e: the IP address of an alternative name server using a private forwarding path\n- \u003cvar translate=\"no\"\u003ePUBLIC_IP_ADDRESS\u003c/var\u003e: the IP address of a different alternative name server\n\n### API\n\nTo create a DNS64 server policy, use the\n[`policies.create` method](/dns/docs/reference/rest/v1/policies/create): \n\n```\nPOST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/policies\n{\n \"kind\": \"dns#policy\",\n \"networks\": [\n {\n \"kind\": \"dns#policyNetwork\",\n \"networkUrl\": \"NETWORK_URL\"\n }\n ],\n \"dns64Config\":\n {\n \"scope\":\n {\n allQueries: true,\n }\n }\n }\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n- \u003cvar translate=\"no\"\u003eNETWORK_URL\u003c/var\u003e: the fully qualified URL of the VPC network that your DNS server policy must bind to, formatted as follows: `https://www.googleapis.com/compute/v1/projects/`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`/global/networks/`\u003cvar translate=\"no\"\u003eVPC_NETWORK_NAME\u003c/var\u003e. Specify the network that contains the IPv6-only subnets and instances.\n\nVerify if a DNS64 server policy is enabled\n------------------------------------------\n\n### gcloud\n\nTo list all DNS server policies in your project, run the\n[`dns policies list` command](/sdk/gcloud/reference/dns/policies/list): \n\n```\ngcloud dns policies list\n```\n\nTo get detailed information about a specific DNS64 server policy, run the\n[`gcloud dns policies describe` command](/sdk/gcloud/reference/dns/policies/describe): \n\n```\ngcloud dns policies describe NAME\n```\n\nReplace \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e with the name of the DNS64 server\npolicy about which you want detailed information.\n\nDisable a DNS64 server policy\n-----------------------------\n\n### gcloud\n\nTo disable a DNS64 server policy, run the [`dns policies update` command](/sdk/gcloud/reference/dns/policies/update): \n\n```\ngcloud dns policies update NAME \\\n --no-enable-dns64-all-queries\n```\n\nReplace \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e with the name of the DNS64 server\npolicy that you want to disable.\n\nWhat's next\n-----------\n\n- To configure NAT64 for Public NAT translation from IPv6 to IPv4 addresses, follow the instructions in [Create a Cloud NAT gateway](/nat/docs/set-up-manage-network-address-translation#create-nat-gateway).\n- To get an overview of DNS server policies, see [DNS server policies](/dns/docs/server-policies-overview).\n- To find solutions for common issues that you might encounter when using Cloud DNS, see [Troubleshoot Cloud DNS](/dns/docs/troubleshooting)."]]
