This document includes the best practices and guidelines for Cloud DNS when running generative AI workloads on Google Cloud. Use Cloud DNS with Vertex AI to register, manage, and serve your domain.
Required Cloud DNS controls
The following controls are strongly recommended when using Cloud DNS.
Enable DNS Security Extensions
The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It doesn't provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.
Within Cloud DNS, enable DNSSEC in the following places:
- DNS zone: turn on DNSSEC signing for the managed zone so that Cloud DNS signs its records.
- Top-level domain (TLD): publish the zone's DS record through your registrar so that the parent zone carries a secure delegation; until the DS record is published, resolvers treat the zone as unsigned.
- DNS resolution: resolve through a validating resolver so that the signatures are actually checked.
Google Cloud service: Cloud DNS
NIST SP 800-53 controls: SC-7, SC-8
NIST CSF controls: PR.AC-5.1, PR.AC-5.2, PR.DS-2.1, PR.DS-2.2, PR.DS-5.1, PR.PT-4.1, DE.CM-1.1, DE.CM-1.2, DE.CM-1.3, DE.CM-1.4
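The three steps above as gcloud and dig commands. This is an added example, not code from the original page or from Google; the zone name, key-signing key ID (Cloud DNS-managed zones normally use 0), domain name and the use of Google Public DNS as the validating resolver are assumptions supplied through the environment. With DRY_RUN=1 the script prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: the three DNSSEC steps
# (zone signing, TLD delegation, validated resolution) as gcloud/dig commands.
# Zone name, key ID and domain name are placeholders read from the environment.
set -eu

# With DRY_RUN=1, commands are printed instead of executed, so the script can
# be read and tested without a Google Cloud project or network access.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1, DNS zone: turn on signing for a Cloud DNS managed zone. Cloud DNS
# generates the key-signing and zone-signing keys and signs the zone's records.
enable_dnssec() {
  local zone="$1"
  run gcloud dns managed-zones update "$zone" --dnssec-state on
}

# Step 2, TLD: validation only works once the DS record for the zone's
# key-signing key is published in the parent zone through the registrar.
# Find the key-signing key ID with: gcloud dns dns-keys list --zone ZONE
# (assumed to be 0 here, the usual ID for Cloud DNS-managed keys).
ds_record() {
  local zone="$1" key_id="${2:-0}"
  run gcloud dns dns-keys describe "$key_id" --zone "$zone" \
      --format 'value(ds_record())'
}

# Step 3, DNS resolution: a validating resolver sets the AD (authenticated
# data) flag in its reply only when the whole chain from the root down to the
# zone verifies. Takes dig output text; returns 0 when the flags line has "ad".
ad_flag_set() {
  printf '%s\n' "$1" | grep -E '^;; flags:( [a-z]+)* ad( |;)' >/dev/null
}

# Query a validating resolver (Google Public DNS, an assumption) and report
# whether the answer was authenticated.
check_resolution() {
  local name="$1" out
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "dig +dnssec $name @8.8.8.8"
    return 0
  fi
  out=$(dig +dnssec "$name" @8.8.8.8)
  if ad_flag_set "$out"; then
    echo "validated: $name"
  else
    echo "NOT validated: $name (is the DS record published at the registrar?)"
    return 1
  fi
}

# Constructed sample dig headers (not captured from a live query) showing the
# two outcomes that ad_flag_set distinguishes.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: ZONE=my-zone DOMAIN=example.com [DRY_RUN=1] ./dnssec-check.sh
if [ -n "${ZONE:-}" ] && [ -n "${DOMAIN:-}" ]; then
  enable_dnssec "$ZONE"
  ds_record "$ZONE"
  check_resolution "$DOMAIN"
fi
```

The resolution check is the one that catches the common failure: signing turned on in Cloud DNS but the DS record never handed to the registrar, which leaves the zone looking unsigned to every resolver and gives no protection against poisoned answers.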
Optional Cloud DNS controls
We recommend that you implement the following security controls in folders that contain generative AI workloads.
Use zonal DNS
The compute.setNewProjectDefaultToZonalDNSOnly boolean constraint sets the internal DNS setting for new projects to zonal DNS only. Use zonal DNS because it offers higher reliability than global DNS: it isolates failures in DNS registration to individual zones, so a registration problem in one zone does not affect name resolution in the others. The constraint only affects projects created after it is set; existing projects keep their current internal DNS setting.
- Organization policy: constraints/compute.setNewProjectDefaultToZonalDNSOnly = True
NIST SP 800-53 controls: AC-3, AC-17, AC-20
NIST CSF controls: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
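Applying and verifying the constraint, as an added example that is not part of the original page or Google's own tooling. The folder ID and project IDs are placeholders, and the audit of existing projects (which the constraint does not touch) reads the vmDnsSetting field of the Compute Engine project resource. With DRY_RUN=1 the script prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: enforce the
# compute.setNewProjectDefaultToZonalDNSOnly constraint on a folder, read the
# effective policy back, and audit projects that already exist, which the
# constraint does not change. Folder and project IDs are placeholders.
set -eu

# With DRY_RUN=1, commands are printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Set the boolean constraint on the folder that holds the generative AI
# workloads; new projects under it default to zonal-only internal DNS.
enforce_zonal_dns_default() {
  local folder="$1"
  run gcloud resource-manager org-policies enable-enforce \
      compute.setNewProjectDefaultToZonalDNSOnly --folder="$folder"
}

# Read the effective policy (inherited settings included) to confirm that no
# override at a higher level or on a child resource is in play.
show_effective_policy() {
  local folder="$1"
  run gcloud resource-manager org-policies describe \
      compute.setNewProjectDefaultToZonalDNSOnly --folder="$folder" --effective
}

# The constraint applies only to projects created after it is set. For an
# existing project, read the project resource's vmDnsSetting field.
project_dns_setting() {
  local project="$1"
  run gcloud compute project-info describe --project="$project" \
      --format='value(vmDnsSetting)'
}

# Classify a vmDnsSetting value: ZONAL_ONLY is the target; any other value
# (GLOBAL_DEFAULT, ZONAL_DEFAULT or unset) does not enforce zonal-only naming.
classify_dns_setting() {
  case "$1" in
    ZONAL_ONLY) echo "ok" ;;
    *)          echo "migrate" ;;
  esac
}

# Switch an existing project to zonal-only internal DNS. Global internal names
# such as VM_NAME.c.PROJECT_ID.internal are no longer registered for VMs in
# the project, so check that no workload depends on them before running this.
migrate_project_to_zonal() {
  local project="$1"
  run gcloud compute project-info update --project="$project" \
      --vm-dns-setting=ZONAL_ONLY
}

# Usage: FOLDER_ID=123456789012 PROJECTS="proj-a proj-b" [DRY_RUN=1] ./zonal-dns.sh
if [ -n "${FOLDER_ID:-}" ]; then
  enforce_zonal_dns_default "$FOLDER_ID"
  show_effective_policy "$FOLDER_ID"
  for project in ${PROJECTS:-}; do
    setting=$(project_dns_setting "$project")
    echo "$project: $setting -> $(classify_dns_setting "$setting")"
  done
fi
```

The audit loop matters because the constraint is a default for new projects only; projects that already hold generative AI workloads have to be migrated explicitly, and that migration changes which internal names resolve.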

