Table: gcp_dns_managed_zone - Query Google Cloud DNS Managed Zones using SQL
Google Cloud DNS is a scalable, reliable, and managed authoritative Domain Name System (DNS) service running on the same infrastructure as Google. It provides a simple, cost-effective way to make your applications and services available to your users. This service translates requests for domain names like www.google.com into IP addresses like 74.125.29.101.
Table Usage Guide
The gcp_dns_managed_zone table provides insights into DNS Managed Zones within Google Cloud DNS. As a network engineer, explore zone-specific details through this table, including DNS configuration, visibility, and associated metadata. Utilize it to uncover information about zones, such as those with private visibility, DNSSEC state, and the verification of DNS configurations.
Examples
Basic info
Explore the basic information about Google Cloud Platform's DNS managed zones, such as their names, identifiers, DNS names, creation times, and visibility settings. This query can help you gain insights into the configuration and status of your DNS managed zones to ensure they are set up as expected.
select name, id, dns_name, creation_time, visibilityfrom gcp_dns_managed_zone;select name, id, dns_name, creation_time, visibilityfrom gcp_dns_managed_zone;List public zones with DNSSEC disabled
Explore which public zones have the DNSSEC feature disabled. This can be used to identify potential security vulnerabilities in your DNS configuration.
select name, id, dns_name, dnssec_config_state, visibilityfrom gcp_dns_managed_zonewhere visibility = 'public' and ( dnssec_config_state is null or dnssec_config_state = 'off' );select name, id, dns_name, dnssec_config_state, visibilityfrom gcp_dns_managed_zonewhere visibility = 'public' and ( dnssec_config_state is null or dnssec_config_state = 'off' );Control examples
- 3.3 Ensure that DNSSEC is enabled for Cloud DNS
- 3.3 Ensure that DNSSEC is enabled for Cloud DNS
- 3.3 Ensure that DNSSEC is enabled for Cloud DNS
- 3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
- 3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
- 3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
- 3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
- 3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
- 3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
- Ensure that DNSSEC is enabled for Cloud DNS
- Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
- Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
Schema for gcp_dns_managed_zone
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| creation_time | timestamp with time zone | The time that this resource was created on the server. | |
| description | text | A user-specified, human-readable description of the managed zone. | |
| dns_name | text | The DNS name of this managed zone. | |
| dnssec_config_default_key_specs | jsonb | Specifies parameters for generating initial DnsKeys for this ManagedZone. | |
| dnssec_config_non_existence | text | Specifies the mechanism for authenticated denial-of-existence responses. | |
| dnssec_config_state | text | Specifies whether DNSSEC is enabled, and what mode it is in. | |
| forwarding_config_target_name_servers | jsonb | A list of target name servers to forward to. | |
| id | bigint | The unique identifier for the resource, defined by the server. | |
| kind | text | The type of the resource. | |
| labels | jsonb | A set labels attached with the resource. | |
| location | text | The GCP multi-region, region, or zone in which the resource is located. | |
| name | text | = | An user assigned, friendly name that identifies the resource. |
| name_server_set | text | Specifies the NameServerSet for this ManagedZone. A NameServerSet is a set of DNS name servers that all host the same ManagedZones. | |
| name_servers | jsonb | Delegate your managed_zone to these virtual name servers; defined by the server. | |
| peering_config_target_network | jsonb | Specifies the configuration of the network with which to peer. | |
| private_visibility_config_networks | jsonb | A set of Virtual Private Cloud resources that the zone is visible from. | |
| project | text | The GCP Project in which the resource is located. | |
| self_link | text | Server-defined URL for the managed zone. | |
| service_directory_config_namespace_deletion_time | timestamp with time zone | The time that the namespace backing this zone was deleted. | |
| tags | jsonb | A map of tags for the resource. | |
| title | text | Title of the resource. | |
| visibility | text | Specifies the zone's visibility. public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcpYou can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_dns_managed_zone