Google Cloud DNS

Cloud DNS quotas managed zones records per zone queries per second

By Sai Kiran Pandrala · Last verified: 2026-05-31 · Source: Google Cloud docs, Google Cloud Community, community Q&A

At a glance
ServiceGoogle Cloud DNS
CloudGoogle Cloud (GCP)
Guide typeProcedure
Skill levelIntermediate to advanced
Time15 - 60 minutes depending on account size

If you hit Cloud DNS quotas managed zones records per zone queries per second on Google Cloud DNS in production, the steps below are the path most teams take in 2026. None of them require opening a support case unless your environment has a paid-tier dependency that Google Cloud owns.

What cloud dns quotas managed zones records per zone queries per second actually involves on Google Cloud DNS

Real-world context. Last time I walked through this on a real machine, the budget shook out to ~Rs 0 INR for the fix, support adds Rs 2,500 to Rs 80,000 INR per month (around $30 to $960 USD/month). Plan for ~15 to 45 minutes actually at the keyboard, and ~1 to 4 hours including IAM review and validation once you factor in the back-and-forth. Keep an Owner or relevant IAM role, gcloud CLI signed in, and a Cloud Logging filter ready within arm’s reach before you start — stopping mid-step to hunt for them is how a 30-minute job turns into an afternoon.

This task on Cloud DNS is one of the more searched operational topics on AWS in the last 12 months. The procedure below is the path that works in a current AWS account with default IAM and standard VPC config.

The rest of this page is the structured fix path. Start with diagnose, then remediation, then the automation options so you do not have to do this by hand the next time it surfaces. Verify and safety sections at the end are the discipline that keeps the fix from regressing in production.

Diagnose first, fix second

Run gcloud auth list and gcloud config list first. About one in five 'why does this not work' tickets are actually 'I am in the wrong account' or 'my session expired and the SDK is using stale credentials or ADC pointed at the wrong project'. The 5-second sanity check costs nothing and saves real time when the answer is that simple.

Diff against last known good. The last config change you made is the cause about three quarters of the time, even when the change should not have mattered. Use Asset Inventory snapshot history (or your Terraform / Deployment Manager or Terraform drift report) to see the actual delta between the resource state when it worked and when it broke. The change you remember is often not the only change that happened.

Reproduce the failure with the gcloud CLI in --debug mode. The full SigV4 request payload it emits, plus the exact endpoint URL it resolved to, is what Google Cloud Support uses to verify policy, region, or parameter issues without you having to share IAM credentials. Save the debug output to a file with gcloud ... --debug 2> debug.log and you can search it for the failed aws.request entry.

Solution-focused remediation path

If the issue points at IAM, do not start by adding * to a policy. Use IAM Policy Troubleshooter and IAM Recommender against the failed action to see the minimum scope. Adding * is the fastest way to fail your next Google Cloud Architecture Framework security review, and it usually does not even fix the issue because the explicit deny is often coming from a higher level (Org Policy, RCP, or permission boundary), not a missing allow.

If you cannot reproduce the failure consistently, the cause is probably a race condition or a session-cache issue. Run the call with --profile set to a fresh STS session, in a different region you control, with a single concurrent request. If it works there but fails in your normal setup, the difference is the bug.

If networking is suspect, use Network Intelligence Connectivity Tests. It is the only tool that simulates the full ENI-to-ENI path including firewall rules, hierarchical firewall policies, routes, and VPC Service Controls perimeters in one call. Manual trace is slower and misses transitive issues. The analyzer charges $0.10 per analysis - cheaper than a 30-minute call with your network team.

Automate this fix so you do not do it twice

Wire the fix into Eventarc for self-healing

If the failure mode is recurring, automate the remediation instead of the diagnosis. Eventarc Scheduler or rules that watch Cloud Logging events for the specific error code can invoke a Lambda that runs the same fix you would run by hand. The Lambda must be idempotent (re-running it on already-healthy resources must be a no-op) and must emit a Cloud Monitoring metric so you can track how often the auto-fix fires. A spike in auto-fix invocations is itself a signal worth alerting on.

# Eventarc rule pattern (JSON)
{ "source": ["aws.google"], "detail-type": ["Google Cloud API Call via Cloud Audit Logs"], "detail": { "errorCode": ["AccessDenied", "ThrottlingException"] }
}

Automate the fix with Python and boto3

For anything you do more than twice, write a small Python script. The boto3 pattern below uses paginators (so it does not blow up on accounts with thousands of resources), explicit region binding, and a dry-run flag that defaults to True. Keep the script under 100 lines; if it grows beyond that, you are building a tool and should put it behind a Lambda with proper logging.

import boto3, sys
DRY_RUN = '--apply' not in sys.argv
client = boto3.client('google', region_name='us-east-1')
paginator = client.get_paginator('describe_...')
for page in paginator.paginate(): for item in page.get('Items', []): if item.get('Status') == 'FAILED': if DRY_RUN: print(f'[dry-run] would fix {item["Id"]}') else: client.modify_...(ResourceId=item['Id']) print(f'fixed {item["Id"]}')

Codify the fix in Terraform or Deployment Manager

When you reach for the console to fix the same issue twice, the third occurrence should be solved in IaC, not in the console. Terraform's terraform import and Deployment Manager or Terraform's resource importer let you adopt the existing resource into state without recreating it. Lock the corrected attribute behind a variable so the next operator does not have to rediscover the value. Add a moved {} block or Deployment Manager or Terraform resource refactor to keep the diff clean.

Common pitfalls and what to watch for

The most common pitfall when fixing this on Google Cloud DNS is treating it as a one-off rather than as a recurring class of incident. The same misconfiguration tends to happen again after a deployment, a role rotation, or a region migration unless the fix is codified. Add a Org Policy or VPC Service Controls constraint, Organization Policy condition, or Org Policy or VPC Service Controls rule that prevents the same misconfig from being introduced again. Documentation alone does not survive turnover.

Another common trap: confirming the fix on a single resource and assuming the fleet is healthy. Loop your check across every account, region, and IAM principal that could exhibit the same symptom. If you cannot enumerate the affected scope without a script, you do not yet understand the scope.

Verify the fix worked

Safety, rollback, blast radius

FAQ

How long does cloud dns quotas managed zones records per zone queries per second typically take on Google Cloud?
For most Google Cloud DNS environments, 15 to 60 minutes including verification. Large multi-account setups, anything touching Org Policys at the Organizations level, or cross-region replication can stretch to half a day because Google Cloud has to wait for replication and IAM session caches.
Is there a rollback path?
Yes for most Google Cloud DNS changes. Export the existing config to JSON via gcloud google describe-... first, then commit it before you change anything. A few operations are one-way (Cloud KMS key deletion past the pending window, region migration, account closure). Check the Google Cloud doc for the specific API before you commit.
Will this affect dependent Google Cloud services?
Often yes. Google Cloud DNS resources are usually referenced by other workloads (Cloud Run services, GKE workloads, IAM-bound apps, Cloud CDN origins, downstream pipelines). Use IAM Access Analyzer + Cloud Audit Logs to enumerate consumers before changing a shared resource.
What if my Cloud Console layout does not match these steps?
Cloud Console UI moves quarterly. The Console layout in this page is current as of 2026-05-31 but the underlying CLI / SDK calls do not change as fast. If the Console version differs, fall back to aws CLI or SDK calls - those almost always still work.
Where do I get Google Cloud Support help if I am still stuck?
Open a case via the Google Cloud Support Center with: the request ID + correlation ID, the exact error string, Cloud Audit Log event, and your reproduction steps. Google Cloud Community is the no-cost public alternative - search there first; 80% of common Google Cloud DNS issues already have an answer with an Google-staff-verified flag.

References

Related guides worth a look while you sort this one out: