In a recent blog post, Google announced DNS forwarding for Cloud DNS, which lets resources in the cloud and on-premises find each other through DNS. The new capabilities give network owners the choice of using Cloud DNS, their own private authoritative servers, or a combination of the two as the DNS provider.
DNS forwarding is an extension of Google's Cloud DNS and lets the owner of a network lay out DNS resolution the way they want. One option is to handle all resolution in Cloud DNS, known as inbound forwarding: on-premises resources send their queries to Cloud DNS over Cloud VPN or Cloud Interconnect and can resolve any name the VPC's resolver can.
By default, the VPC network's name resolution services are not available outside of that network. You can make them available to systems in on-premises networks connected using Cloud VPN or Cloud Interconnect by creating a DNS policy to enable inbound DNS forwarding to the VPC network. When enabled, systems in the connected networks can query an internal IP address in your VPC network in order to make use of its name resolution services.
Alternatively, an existing DNS server such as BIND or Active Directory can remain the resolver by using outbound forwarding, in which case all DNS queries from the VPC are forwarded to that server.
You can change the VPC name resolution order by creating a DNS policy that specifies a list of alternative name servers. When you do this, the alternative name servers become the only source that GCP queries for all DNS requests submitted by VMs in the VPC using their metadata server.
A third option combines the two: forwarding zones let additional authoritative servers work alongside Cloud DNS, each answering only for the zone delegated to it.
This is similar in setup to a private zone in that it is associated with a DNS name and can be bound to multiple networks. However, the forwarding zone does not contain any records. All matching queries for a forwarding zone are forwarded to a set of destination DNS servers instead. As is the case with alternative name servers, the destination is a list of IP addresses.
Source: https://cloud.google.com/dns/images/dns-forwarding-1.svg
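The three options described above, expressed as Terraform for the Google provider. This is an added illustration, not configuration from Google or from the article; the network names, the on-premises domain and the 10.20.0.x resolver addresses are assumptions. Because a VPC network can carry at most one DNS server policy, and alternative name servers replace all resolution on the network they are attached to, that option is shown on a separate network rather than on the shared VPC that uses inbound forwarding and a forwarding zone.

```hcl
# Added illustrative Terraform (google provider). All names, CIDRs and IPs are assumptions.

# The shared VPC whose resolver is exposed to on-prem and which forwards one zone back.
data "google_compute_network" "shared" {
  name = "shared-vpc" # assumed existing host-project network
}

# A second network where on-prem servers must own all resolution.
data "google_compute_network" "isolated" {
  name = "isolated-vpc" # assumed existing network
}

# Option 1: inbound forwarding. Cloud DNS allocates an inbound forwarder IP inside the
# VPC; on-prem resolvers forward queries for cloud names to that IP over Cloud VPN or
# Cloud Interconnect. The policy itself holds no records.
resource "google_dns_policy" "shared" {
  name                      = "shared-inbound"
  enable_inbound_forwarding = true

  networks {
    network_url = data.google_compute_network.shared.id
  }
}

# Option 2: alternative name servers. Every query from VMs on this network (via the
# metadata server) goes only to the listed servers; Cloud DNS private zones and public
# resolution are bypassed for this network, which is why it is kept off the shared VPC.
resource "google_dns_policy" "isolated" {
  name = "isolated-all-to-onprem"

  alternative_name_server_config {
    target_name_servers {
      ipv4_address = "10.20.0.10" # assumed on-prem BIND / AD DNS
    }
    target_name_servers {
      ipv4_address = "10.20.0.11" # assumed secondary
    }
  }

  networks {
    network_url = data.google_compute_network.isolated.id
  }
}

# Option 3: forwarding zone. Only queries under corp.example.com. leave for the on-prem
# servers; everything else on the shared VPC still resolves through Cloud DNS. This
# coexists with the inbound policy above on the same network.
resource "google_dns_managed_zone" "corp_forward" {
  name        = "corp-forward"
  dns_name    = "corp.example.com." # assumed on-prem domain, trailing dot required
  description = "Forward corp.example.com to on-prem authoritative servers"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.shared.id
    }
  }

  forwarding_config {
    target_name_servers {
      ipv4_address = "10.20.0.10"
    }
    target_name_servers {
      ipv4_address = "10.20.0.11"
    }
  }
}
```

After `terraform apply`, the inbound entry point created by option 1 shows up as a compute address with purpose `DNS_RESOLVER` (`gcloud compute addresses list --filter='purpose=DNS_RESOLVER'`); that is the address on-premises resolvers must forward to. For options 2 and 3, Cloud DNS sends the forwarded queries from the 35.199.192.0/19 range, so on-premises firewalls and the return route over the VPN or Interconnect have to admit that range. Note that the on-premises servers named in options 2 and 3 become a trust dependency for every VM on the attached network: whoever controls them controls name resolution there, so restrict who can change those addresses and what the servers will answer.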
DNS forwarding also brings a few extra features. Cloud DNS caches answers, so repeated queries need not travel back to the original source, which improves performance. Moreover, according to Google, "DNS forwarding is a fully managed service - no need to use additional software or your own compute and support resources."
Because all of this is configured in Cloud DNS rather than on the machines that use it, concerns can be separated between the operations and infrastructure teams, as discussed by Niels Buekers, founder and head of Cloud Platform at Fourcast.
This way, the networking team can take care of the host project, while hiding away all this complexity for operational colleagues who only need to manage the VMs, not the network, in the services project. They just create an instance in the service project using the Shared VPC and BOOM, they are automatically configured to access the DNS over the VPN connection managed in the host project.
Note that DNS forwarding is currently in beta and therefore still under development, so further changes are to be expected.