Build Cloud DNS record sets for public and private managed zones.
Last verified: May 2026
The managed zone name in GCP (e.g. "my-zone", not the DNS name)
Fully qualified domain name, must end with a trailing dot
Maps a hostname to an IPv4 address, e.g. 192.0.2.1
The builder generates Cloud DNS record sets via the gcloud dns record-sets transaction model: it creates a transaction file with the appropriate add/remove operations, validates record format per RFC, and outputs the gcloud command sequence to apply changes atomically. For Terraform output, it generates google_dns_record_set resources with the same TTL and rrdatas values for cross-tool consistency.
The GCP Cloud DNS Builder helps you create DNS record set configurations for both public and private managed zones in Google Cloud DNS. It supports A, AAAA, CNAME, MX, TXT, SRV, NS, PTR, and CAA record types with proper TTL settings and record-specific validation. The tool generates gcloud CLI commands and Terraform configurations.
You're consolidating DNS for a recently-acquired company. Their DNS lives in another provider with 200+ records and you need to migrate to Cloud DNS without downtime. You export the existing zone file, paste each record type into the builder, and generate gcloud commands in a transaction. Because Cloud DNS transactions are atomic, you can apply all 200 records in a single change — clients either see the old state or the complete new state, never a partial cut-over. After applying, you change the registrar's NS records to point at Cloud DNS and migration is complete with zero observed downtime.
Cloud DNS private zones are billed per VPC network they're attached to. If you have a fleet of VPCs that all need a shared internal zone (e.g., corp.internal), use DNS peering from each VPC to a single hub VPC instead of attaching the zone N times. Same resolution, fraction of the cost.
Always set CAA records on every domain you own, even ones you're not currently using. A single '0 issue ";"' record blocks all certificate issuance — perfect for parked domains where any cert request is suspicious. Without CAA, those domains are an open door for an attacker who compromises any CA.
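As an added example (not the builder's own code or output), the shell function below applies the deny-all CAA record from the tip above through a Cloud DNS transaction, checking the zone name and trailing dot before anything is staged. The function name `caa_lockdown`, the `GCLOUD` override variable, the default TTL of 3600 and the zone and domain names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: lock down a parked domain with a deny-all CAA record.
# Zone and domain names used with it are constructed placeholders.

# GCLOUD can be overridden to preview the commands without touching the zone:
#   GCLOUD="echo gcloud" caa_lockdown parked-example example.com.
GCLOUD="${GCLOUD:-gcloud}"

# caa_lockdown ZONE FQDN [TTL]
#   ZONE is the managed zone name (not the DNS name); FQDN must end with ".".
caa_lockdown() {
  local zone="$1" fqdn="$2" ttl="${3:-3600}"

  case "$zone" in
    ""|*.*) echo "zone must be the managed zone name, not a DNS name: '$zone'" >&2; return 2 ;;
  esac
  case "$fqdn" in
    *.) ;;
    *) echo "FQDN must end with a trailing dot: '$fqdn'" >&2; return 2 ;;
  esac
  case "$ttl" in
    ""|*[!0-9]*) echo "TTL must be a non-negative integer: '$ttl'" >&2; return 2 ;;
  esac

  # Stage the change; nothing is visible to resolvers until "execute".
  $GCLOUD dns record-sets transaction start --zone="$zone" || return 1

  # The rrdata contains a space, double quotes and a semicolon, so it must be
  # passed as ONE single-quoted argument or the shell will split or end it.
  if ! $GCLOUD dns record-sets transaction add '0 issue ";"' \
        --name="$fqdn" --type=CAA --ttl="$ttl" --zone="$zone"; then
    # Discard the staged transaction file rather than leaving it half-built.
    $GCLOUD dns record-sets transaction abort --zone="$zone"
    return 1
  fi

  $GCLOUD dns record-sets transaction execute --zone="$zone"
}
```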
Cloud DNS doesn't support split-horizon natively in the same way some on-prem DNS servers do. To get split-horizon (different answers from inside vs outside the VPC), create two zones with the same name — one public managed zone and one private managed zone. The private zone takes precedence inside the VPC.
Public managed zones resolve from the internet and are used for externally facing services. Private managed zones resolve only from authorized VPC networks and are used for internal service discovery. Private zones can override public DNS for split-horizon configurations.
Cloud DNS charges per managed zone (approximately $0.20/month for the first 25 zones) and per million queries ($0.40 for the first billion). There is no per-record charge. Private zones have similar pricing with charges for each VPC network they are attached to.
Yes. Cloud DNS supports DNSSEC for public managed zones. When enabled, it automatically signs zone records and manages key rotations. You need to add the DS record to your domain registrar to complete the chain of trust. Private zones do not support DNSSEC.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.