On the https://cloud.google.com/dns/docs/monitoring documentation page there is a command to enable GCP DNS query logging that does not work:

gcloud dns managed-zones update zonename --log-dns-queries

When the command from the documentation is issued, the following error message is displayed:

ERROR: (gcloud.dns.managed-zones.update) unrecognized arguments: --enable-logging

Is it possible on GCP to turn on logging for an existing public managed zone using the dns managed-zones update command?

John Hanley
M14d3n

1 Answer

The argument that you are using does not exist (--log-dns-queries).

To enable Google Cloud DNS logging, create a policy:

gcloud dns policies create mypolicy \
--description='My Policy' \
--networks=network1 \
--enable-logging

Cloud DNS logging tracks queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.

I reviewed the documentation that shows the command that you are using. I am not sure, but first create a policy and then try the command. I think that is why the error message specifies a different argument. However, creating the policy does enable logging, so that is actually redundant.

John Hanley
  • Thank you for the fast response. The documentation claims that it is possible to enable logging for a public zone without using a policy, but the documented argument (--log-dns-queries) does not exist :-( In order to create a VPC network, the Compute Engine API must be enabled, and it will automatically provide a "default" network. Will the command `gcloud dns policies create logging --description="Logging" --networks="default" --enable-logging` start logging for all public managed zones, or is some additional configuration needed in order to connect public managed zones with the default network? – M14d3n Nov 08 '21 at 20:26
  • @M14d3n - Google Cloud DNS does not have logging options on what is logged. It is either enabled or disabled. You are enabling logging for the DNS server in a VPC and not a specific zone. I searched the **gcloud** source code and the argument **log-dns-queries** does not exist so there is an issue with the documentation. – John Hanley Nov 08 '21 at 20:43
  • The DNS managed zones are resolving public queries and were created before Compute Engine was enabled and before the default VPC was created. I wonder if enabling logging for the default VPC will start logging for public managed zones, or if GCP DNS logging for public managed zones is not possible; I will try to test that tomorrow – M14d3n Nov 08 '21 at 21:06
  • @M14d3n VPC logging and DNS logging are two different things. Think about costs before enabling VPC logging. – John Hanley Nov 08 '21 at 21:11
  • Enabling DNS logging for the default VPC should result in minimal cost. The question is whether that workaround log will contain queries for public managed zones created in Google Cloud DNS before the Compute Engine API was enabled, or whether GCP does not support public managed DNS logging at all, i.e. the command enabling logging for an existing public managed zone is not implemented and there is no workaround for public managed DNS logging. – M14d3n Nov 08 '21 at 21:26
  • If you enable VPC logging, you will see queries from the VPC to Cloud DNS and the responses. The format of the logging is different and you will not see the actual DNS request/response structure. – John Hanley Nov 08 '21 at 21:28
  • In fact a VPC is not needed for Google Cloud DNS public managed zones. All queries were coming from the Internet; there should be no queries coming from the default VPC that is created just to enable configuring `gcloud dns policies create logging --description="Logging" --networks="default" --enable-logging`. The question is whether that command will start logging DNS queries coming from the Internet to public managed zones in the Google Cloud DNS managed service, as a workaround for the unimplemented command that would not require creating a default VPC. – M14d3n Nov 08 '21 at 21:38
  • I've checked; it is not possible to enable logging for the Google Cloud DNS public zone type. The solution with a VPC works only for the Google Cloud DNS private zone type. The Google Cloud DNS public zone type generates the wrong command when you try to edit the private zone type... Will try to see if something can be done through the DNS v1beta2 API... – M14d3n Nov 08 '21 at 22:34
  • Can you share a reference that you cannot enable DNS logging for public zones? This link says you can: https://cloud.google.com/dns/docs/monitoring – John Hanley Nov 08 '21 at 22:37
  • To turn on logging for an existing public managed zone, run the dns managed-zones update command: `gcloud dns managed-zones update ZONE_NAME --log-dns-queries`. Since the argument --log-dns-queries is not recognized, it is not possible to start logging for public zones; they are not associated with a VPC, so it is not possible to use the DNS policy for private zones. I used the API https://cloud.google.com/dns/docs/reference/v1/managedZones/patch to enable logging for the public zone, but it seems there are no DNS query entries in the log after I set `"cloudLoggingConfig": { "enableLogging": true }` – M14d3n Nov 08 '21 at 23:19
  • I had the same issue; the command was unrecognized: `$ gcloud dns managed-zones update xxxxxxx --log-dns-queries ERROR: (gcloud.dns.managed-zones.update) unrecognized arguments: --log-dns-queries`. I had to update the tool (`gcloud components update`) and then it worked fine. However, even though it's enabled, it doesn't actually log anything – Gareth Hastings Nov 10 '21 at 11:03
  • Version `364.0.0 (2021-11-09)` added support for that command `Cloud DNS ▪ Added cloud logging support for gcloud dns managed-zones.` – Gareth Hastings Nov 10 '21 at 11:04
  • `$ gcloud dns managed-zones update xxxxxxx --log-dns-queries Updating managed zone [xxxxxxx]...done.` `$ gcloud dns managed-zones describe xxxxxxx cloudLoggingConfig: enableLogging: true kind: dns#managedZoneCloudLoggingConfig` – Gareth Hastings Nov 10 '21 at 11:05
  • Thank you for the update; I've opened an issue at https://issuetracker.google.com/issues/205590514 and it seems they are working on it. Hopefully DNS queries will soon start to appear in the log. – M14d3n Nov 11 '21 at 05:37
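Pulling the thread's findings together, as an added example that is not from any of the posters: a POSIX shell helper that checks the installed gcloud version against 364.0.0 (the release the comments identify as adding `--log-dns-queries`), enables query logging on a zone with `gcloud dns managed-zones update`, and confirms the flag from the `describe` output. The zone name is a placeholder; the version-compare and YAML-check helpers are assumptions of this example, not gcloud features.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes gcloud is installed and authenticated.
set -eu

MIN_GCLOUD="364.0.0"   # release that added --log-dns-queries, per the comments above

# version_ge A B: return 0 if dotted version A >= B (pure POSIX, no sort -V dependency)
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# logging_enabled_from_describe: read `gcloud dns managed-zones describe` YAML on stdin and
# print "true" only if cloudLoggingConfig.enableLogging is true (missing block counts as false)
logging_enabled_from_describe() {
  awk '
    /^cloudLoggingConfig:/ { in_cfg = 1; next }
    in_cfg && /^[^ ]/ { in_cfg = 0 }
    in_cfg && $1 == "enableLogging:" { if ($2 == "true") found = 1 }
    END { print (found ? "true" : "false") }'
}

# enable_zone_logging ZONE: refuse on an old SDK, enable logging, then verify the stored config.
# Note: a true flag only proves the zone config changed; per the thread, entries may still
# be absent from Cloud Logging (see the linked issue tracker report).
enable_zone_logging() {
  zone="$1"
  installed="$(gcloud version | awk '/^Google Cloud SDK/ { print $4 }')"
  if ! version_ge "$installed" "$MIN_GCLOUD"; then
    echo "gcloud $installed is older than $MIN_GCLOUD; run: gcloud components update" >&2
    return 2
  fi
  gcloud dns managed-zones update "$zone" --log-dns-queries
  state="$(gcloud dns managed-zones describe "$zone" | logging_enabled_from_describe)"
  [ "$state" = "true" ] || { echo "logging still disabled on zone $zone" >&2; return 1; }
  echo "cloudLoggingConfig.enableLogging=true on zone $zone"
}

# Usage: ./enable_dns_logging.sh ZONE_NAME   (ZONE_NAME is a placeholder)
if [ $# -gt 0 ]; then enable_zone_logging "$1"; fi
```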