Table: gcp_dns_policy - Query Google Cloud DNS Policies using SQL
Google Cloud DNS Policies are a resource that allows users to configure how DNS queries are handled in Google Cloud. These policies can be used to control DNS behavior in a flexible and granular way, such as by configuring DNS forwarding, alternative name servers, or enabling private DNS zones. Google Cloud DNS Policies provide a way to manage DNS settings across multiple networks, improving network security and reliability.
Table Usage Guide
The gcp_dns_policy table provides insights into DNS Policies within Google Cloud DNS. As a network engineer or a security analyst, explore policy-specific details through this table, including configurations, settings, and associated metadata. Utilize it to uncover information about policies, such as those with specific forwarding paths, the alternative name servers, and the status of private DNS zones.
Examples
Basic info
Explore the configuration settings of your Google Cloud Platform's DNS policies to understand their current setup. This can help in identifying instances where inbound forwarding or logging is enabled, which can be crucial for security and network management.
```sql
select
  name,
  id,
  kind,
  enable_inbound_forwarding,
  enable_logging,
  target_name_servers
from
  gcp_dns_policy;
```
List DNS policies with logging disabled
Discover the DNS policies that have logging disabled. This can be useful to identify potential security risks or compliance issues related to lack of logging in your GCP environment.
PostgreSQL:

```sql
select
  name,
  id,
  enable_logging
from
  gcp_dns_policy
where
  not enable_logging;
```

SQLite:

```sql
select
  name,
  id,
  enable_logging
from
  gcp_dns_policy
where
  enable_logging = 0;
```
List DNS policies not associated with any network
Discover policies in Google Cloud Platform's DNS service that aren't linked to any network. This can help identify unused resources or potential configuration issues.
```sql
select
  name,
  id,
  networks
from
  gcp_dns_policy
where
  networks = '[]';
```
Control examples
- CIS v1.2.0 > 2 Logging and Monitoring > 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks
- CIS v1.3.0 > 2 Logging and Monitoring > 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks
- CIS v2.0.0 > 2 Logging and Monitoring > 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks
- CIS v3.0.0 > 2 Logging and Monitoring > 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
- Ensure that Cloud DNS logging is enabled for all VPC networks
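The CIS 2.12 control above asks whether every VPC network is covered by a DNS policy with logging enabled, which the per-policy queries on this page do not answer on their own. The following query is an added example, not one of the plugin's own queries or controls; it assumes the gcp_compute_network table (columns name, project, self_link) and that each element of gcp_dns_policy.networks carries a networkUrl field equal to the network's self_link.

```sql
-- Added example (not from the Steampipe docs): report each VPC network with
-- 'ok' when at least one DNS policy that has logging enabled is bound to it,
-- and 'alarm' otherwise. Assumes gcp_compute_network exists and that the
-- networks elements of gcp_dns_policy expose a networkUrl field.
with logging_policies as (
  select
    p.name as policy_name,
    p.project,
    n ->> 'networkUrl' as network_url
  from
    gcp_dns_policy as p,
    jsonb_array_elements(p.networks) as n
  where
    p.enable_logging
)
select
  net.name as network,
  net.project,
  case
    when lp.policy_name is null then 'alarm'
    else 'ok'
  end as status,
  coalesce(
    'logging enabled via policy ' || lp.policy_name,
    'no DNS policy with logging enabled is bound to this network'
  ) as reason
from
  gcp_compute_network as net
  left join logging_policies as lp on lp.network_url = net.self_link
order by
  status,
  net.project,
  net.name;
```

A network bound to several logging-enabled policies appears once per policy; a policy whose networks column is '[]' contributes no rows and therefore covers nothing.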
Schema for gcp_dns_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
description | text | | A mutable string of at most 1024 characters associated with this resource for the user's convenience. Has no effect on the policy's function. |
enable_inbound_forwarding | boolean | | Allows networks bound to this policy to receive DNS queries sent by VMs or applications over VPN connections. When enabled, a virtual IP address will be allocated from each of the sub-networks that are bound to this policy. |
enable_logging | boolean | | Controls whether logging is enabled for the networks bound to this policy. Defaults to no logging if not set. |
id | bigint | | A unique identifier for the resource, defined by the server. |
kind | text | | The type of the resource. |
location | text | | The GCP multi-region, region, or zone in which the resource is located. |
name | text | = | A user-assigned name for this policy. |
networks | jsonb | | A list of network names specifying networks to which this policy is applied. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
target_name_servers | jsonb | | Sets an alternative name server for the associated networks. When specified, all DNS queries are forwarded to a name server that you choose. Names such as .internal are not available when an alternative name server is specified. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_dns_policy
```