A company wants to resolve DNS queries for a private zone (e.g., example.internal) from multiple service projects using the same host project's Cloud DNS private zone. Which feature should they use?
Peering enables cross-project DNS resolution.
Why this answer
DNS peering allows Cloud DNS private zones from one project (the host project) to be resolved by VPCs in other projects (service projects) without requiring Shared VPC or network connectivity. By setting up a DNS peering zone in each service project that targets the host project's private zone, DNS queries for example.internal are forwarded to the host project's authoritative DNS servers. This is the correct approach because it directly enables cross-project DNS resolution for private zones while keeping the zones managed centrally.
Exam trap
The trap here is that candidates often confuse Shared VPC with DNS resolution, assuming that network connectivity automatically enables DNS resolution across projects. DNS peering is a separate configuration required for private zone resolution.
How to eliminate wrong answers
Option A is wrong because Shared VPC provides network connectivity and resource sharing across projects, but it does not inherently enable DNS resolution of private zones from one project to another; DNS peering is needed for that.
Option C is wrong because DNS forwarding is used to send queries to an external DNS server (e.g., on-premises or a custom resolver), not to resolve private zones from another Google Cloud project.
Option D is wrong because creating a public zone would expose the internal DNS records to the internet, defeating the purpose of a private zone and introducing security risks.