Adding DNS as a Traffic Source

1. Enable DNS logging

Before you can start, you need to use DNS policies to enable logging for your networks.

When you enable query logging, every DNS query to a Cloud DNS private managed zone is logged; see GCP's own documentation for more on this topic.

To enable logging for a network that does not yet have a DNS policy, run the gcloud dns policies create command from the GCP Cloud Shell terminal.

  1. Click the icon in the upper right to open GCP Cloud Shell in your web browser.
  2. Copy the following command and edit it, changing netodocsdns to your own preferred policy name and netodocsnet to the name of the network you want to enable DNS logging on.

gcloud dns policies create netodocsdns \
    --networks=netodocsnet \
    --enable-logging \
    --description=netodocsdnspolicy

  3. Paste the command into Cloud Shell and hit Enter.
  4. You may see this question: "API [dns.googleapis.com] not enabled on project [netodocs]. Would you like to enable and retry (this will take a few minutes)? (y/N)?" Just hit Y here.
  5. When the command has completed successfully and DNS logging is enabled, you should see something like the following:

🚧

Troubleshooting steps

2. Create a sink

  1. Go to Log Router.
  2. Click Create sink.
  3. In step 1, give your sink any name. In step 2, Sink destination, select Cloud Pub/Sub topic as the sink service and then select Create a topic.

Taking a brief detour to create a new topic for DNS inside of the Sink destination wizard


  1. Give your new topic any name, enable message retention and set it to 1 day, leave everything else at its default, and click Create.

Add a filter to include DNS logs in the sink

Now that our new topic has been created, we're back in the Sink creation wizard.

  1. Add Cloud DNS logs to the sink by using the inclusion filter resource.type="dns_query".
  2. This is how your finalized wizard should look when you are ready to click Create Sink: it shows your newly created topic and a successfully saved inclusion filter.

3. Create a Pub/Sub Pull Subscription to the new DNS topic

  1. Go to Topics.
  2. Find the DNS topic you created in the previous step, click the ⋮ (three-dot) menu to access Actions, and click Create subscription.
  3. Give your subscription any name, and set the Delivery type to Pull.
  4. Set the Message retention duration to 1 day.
  5. Finally, for the Retry policy, enable Retry after exponential backoff delay and leave the rest set to the defaults.

4. Add Netography's GCP service account as a principal to the Pub/Sub subscription


  1. Go to the Subscriptions page in the Google Cloud console.
  2. Select the subscription you created in the previous step to bring up the subscription info panel on the right.
  3. Select Add Principal in the info panel on the far right.
  4. Add [email protected] as the New principal, assign Pub/Sub -> Pub/Sub Subscriber as the role, then click Save.
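The GCP side of steps 1 to 4 (DNS policy, topic, sink, pull subscription and the IAM binding) can also be driven from Cloud Shell with gcloud instead of the console. The script below is an added example, not Netography's or Google's own code; the topic, sink and subscription names and the Netography service account placeholder are assumptions you replace with your own values. It defaults to a dry run that only prints the commands; set DRY_RUN=0 to execute them. It also includes a check the console clicks hide: verifying that enableLogging is actually true on the policy, and granting the sink's writer identity the Pub/Sub Publisher role on the topic, which gcloud reminds you to do after creating a sink and without which no DNS logs reach the subscription.

```shell
#!/bin/sh
# Added example (not Netography's or Google's own code): the GCP side of steps 1-4
# as gcloud commands. Names below are assumptions; override them via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-netodocs}"            # your GCP project
NETWORK="${NETWORK:-netodocsnet}"               # VPC network to log DNS queries for
POLICY="${POLICY:-netodocsdns}"                 # DNS policy name
TOPIC="${TOPIC:-dns-logs}"                      # Pub/Sub topic the sink writes to (assumed name)
SINK="${SINK:-dns-to-pubsub}"                   # Log Router sink name (assumed name)
SUBSCRIPTION="${SUBSCRIPTION:-dns-logs-pull}"   # pull subscription Fusion reads from (assumed name)
# Placeholder: use the real Netography service account address from the documentation/portal.
NETOGRAPHY_SA="${NETOGRAPHY_SA:-netography-sa@EXAMPLE-PROJECT.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the commands, 0 = run them

# Helpers for the two values most often mistyped in the console wizard.
sink_destination() {   # $1=project $2=topic -> Log Router destination URI
  printf 'pubsub.googleapis.com/projects/%s/topics/%s\n' "$1" "$2"
}
dns_log_filter() {     # the inclusion filter from step 2
  printf '%s\n' 'resource.type="dns_query"'
}

run() {  # print or execute a command depending on DRY_RUN
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 1: DNS policy with query logging enabled on the network.
run gcloud dns policies create "$POLICY" --project="$PROJECT_ID" \
  --networks="$NETWORK" --enable-logging --description="${POLICY}policy"
# Check: this must print True, otherwise no dns_query entries will ever reach the sink.
run gcloud dns policies describe "$POLICY" --project="$PROJECT_ID" --format='value(enableLogging)'

# Step 2: topic with 1-day retention, then a sink routing only DNS query logs into it.
run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID" --message-retention-duration=1d
run gcloud logging sinks create "$SINK" "$(sink_destination "$PROJECT_ID" "$TOPIC")" \
  --project="$PROJECT_ID" --log-filter="$(dns_log_filter)"
# The sink's writer identity needs roles/pubsub.publisher on the topic, or logs are dropped.
if [ "$DRY_RUN" = 1 ]; then
  WRITER='serviceAccount:<sink-writer-identity>'   # placeholder shown in dry-run output
else
  WRITER=$(gcloud logging sinks describe "$SINK" --project="$PROJECT_ID" --format='value(writerIdentity)')
fi
run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
  --member="$WRITER" --role=roles/pubsub.publisher

# Step 3: pull subscription (pull is the default), 1-day retention, exponential backoff retry.
run gcloud pubsub subscriptions create "$SUBSCRIPTION" --project="$PROJECT_ID" --topic="$TOPIC" \
  --message-retention-duration=1d --min-retry-delay=10s --max-retry-delay=600s

# Step 4: least privilege for the collector: Subscriber on this one subscription only,
# not on the topic and not at project level.
run gcloud pubsub subscriptions add-iam-policy-binding "$SUBSCRIPTION" --project="$PROJECT_ID" \
  --member="serviceAccount:$NETOGRAPHY_SA" --role=roles/pubsub.subscriber

# Sanity check once some DNS traffic has flowed: pulling (without ack) should show dns_query entries.
run gcloud pubsub subscriptions pull "$SUBSCRIPTION" --project="$PROJECT_ID" --limit=3
```

Run it once as-is to review the exact commands, then with DRY_RUN=0 PROJECT_ID=your-project to apply them. The final pull does not acknowledge messages, so it will not steal events from Fusion; it only confirms that DNS query logs are arriving on the subscription before you wire it up in step 5.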

5. Add a new GCP DNS traffic source to Fusion

  1. In the Fusion portal, click the ⚙️ -> Settings -> Traffic Sources -> Add Traffic Source -> DNS GCP.
  2. Give your DNS integration any name, enter your GCP Project ID and the Subscription ID you created in the previous steps, then click Save.

👍

You're done!