question

GloriaGu-MSFT asked CandyLuo-MSFT answered

Does MS DNS server allow setting up automatic denial of registration to certain IPs, ranges, or subnets?

Since most of our users are on VPN now, our DNS servers are registering both their local home network's local LAN addresses (usually 192.168 addresses, of course), which we definitely don't want in our DNS, and the Palo Alto globalprotect VPN addresses, which is what we do want.

I don't want to set a GPO that would unset the "register this connection in DNS" entry on their WiFi and LAN NICs, since I know that some of them do occasionally come into the building, use the wifi, and don't need the VPN.

I figure we have a hacky option of a frequently-running script on one of the DNS servers, which checks for RFC 1918 addresses in DNS and then deletes them, but it would be much more elegant if there was a setting in MS DNS server I could put in that would deny registrations that contained addresses, ranges, or subnets we didn't want.

Does anyone know if this is possible? Our two DNS servers are Server 2016 and 2012. I found DNS policies are a 'new' thing for server 2016, which I hadn't heard about, but that seems to be more for queries, not registration.

Does anyone have any suggestions?

Thread source link: https://social.technet.microsoft.com/Forums/zh-CN/1489e63d-722a-45d7-b4aa-48b6dbeb7b8b/does-ms-dns-server-allow-setting-up-automatic-denial-of-registration-to-certain-ips-ranges-or?forum=winserveripamdhcpdns

windows-dhcp-dns

1 Answer

CandyLuo-MSFT answered

Hi,

Welcome to our new Microsoft Q&A Platform.

>>Does anyone know if this is possible? Our two DNS servers are Server 2016 and 2012. I found DNS policies are a 'new' thing for server 2016, which I hadn't heard about, but that seems to be more for queries, not registration.

Unfortunately, there is no built-in way in MS DNS to achieve your goal. As you said, DNS policies can be used to block queries from a specific subnet, not registration.

The possible method that might achieve your goal is a script; however, writing scripts might be more complex.

Best Regards,

Candy
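The cleanup script the question sketches (a scheduled job on a DNS server that removes dynamically registered RFC 1918 addresses) could look like the following. This is an added example, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module on the Windows Server DNS host, and the zone name and the allowed-range list are placeholders. Rather than deleting every RFC 1918 address, it keeps an allow-list of the ranges you do want (the GlobalProtect pool and the office LAN/WiFi, which are usually private addresses too) and only removes dynamic A records outside them, leaving static records untouched.

```powershell
# Added example (not from the thread). Assumes the DnsServer module on a
# Windows Server 2012/2016 DNS server. Replace the placeholder values.
Import-Module DnsServer

$ZoneName     = 'corp.example.com'                    # placeholder: your AD zone
# Placeholder: ranges whose dynamic registrations must be KEPT (VPN pool,
# office LAN/WiFi). Private addresses outside these are treated as home-LAN leaks.
$AllowedCidrs = @('10.50.0.0/16', '10.10.0.0/16')
$Rfc1918Cidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function ConvertTo-UInt32 {
    # Big-endian IPv4 address bytes -> unsigned 32-bit integer
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    [BitConverter]::ToUInt32([byte[]]$b[3..0], 0)
}

function Test-IPv4InCidr {
    param([System.Net.IPAddress]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $mask = if ([int]$bits -eq 0) { 0 } else {
        [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    }
    ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 ([System.Net.IPAddress]$net)) -band $mask)
}

$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A
foreach ($r in $records) {
    # Static records have no Timestamp; only dynamic registrations are candidates.
    if (-not $r.Timestamp) { continue }
    $ip = $r.RecordData.IPv4Address
    $isPrivate = $Rfc1918Cidrs | Where-Object { Test-IPv4InCidr $ip $_ }
    $isAllowed = $AllowedCidrs | Where-Object { Test-IPv4InCidr $ip $_ }
    if ($isPrivate -and -not $isAllowed) {
        Write-Output "Removing $($r.HostName) -> $($ip.IPAddressToString) (dynamic, outside allowed ranges)"
        # -RecordData limits removal to this one address, so a host's VPN record survives.
        # -WhatIf makes this a dry run; drop it once the output looks right.
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $r.HostName `
            -RecordData $ip.IPAddressToString -Force -WhatIf
    }
}
```

Because clients re-register on each DHCP renewal or reboot, the script only helps if it runs regularly (for example as a scheduled task), and the allow-list must be kept in step with the VPN pool and office subnets or it will start deleting legitimate records.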
