question


DNS policy for single host

My goal is to have DNS queries for a certain host record return a different value for one of our offices. They will be the only area that should have a different result. All other offices and external requests should remain unchanged.

I performed the following, following the guidance at https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/primary-geo-location:

  1. Created DNS server client subnets on all DCs (our DCs are DNS servers, using AD-integrated DNS) individually:
     Add-DnsServerClientSubnet -Name "Test_Client" -IPv4Subnet "10.1.2.0/24" -Confirm -PassThru -ComputerName DC01

  2. Created zone scopes on all DCs individually:
     Add-DnsServerZoneScope -ZoneName "abc.com" -Name "abc_Test" -Verbose -PassThru -ComputerName DC01

  3. Created the record in zone scope abc_Test:
     Add-DnsServerResourceRecord -ZoneName "abc.com" -A -Name "testrecord" -IPv4Address "10.1.2.25" -ZoneScope "abc_Test" -ComputerName DC01

  4. Checked the contents of the zone scopes on all DCs. All match:
     Get-DnsServerResourceRecord -ZoneName abc.com -ZoneScope "abc_Test" -ComputerName DC01

HostName   RecordType Type Timestamp TimeToLive RecordData
--------   ---------- ---- --------- ---------- ----------
@          NS         2    0         01:00:00   DC01.abc.com.
@          NS         2    0         01:00:00   DC04.abc.com.
@          NS         2    0         01:00:00   DC03.abc.com.
@          NS         2    0         01:00:00   DC02.abc.com.
@          SOA        6    0         01:00:00   [3][DC03.abc.com.][hostmaster.abc.com.]
testrecord A          1    0         01:00:00   10.1.2.25

  5. Then I created the policy:
     Add-DnsServerQueryResolutionPolicy -Name "Test" -Action ALLOW -ClientSubnet "eq,Test_Client" -ZoneScope "abc_Test,1" -ZoneName "abc.com" -ComputerName DC01


I tested resolution with nslookup. From a client in the desired client subnet it resolved the record for testrecord properly, as did all other clients. The issue was that clients in that subnet were unable to resolve any other records. Other clients on that site, outside of the specified client subnet, had no resolution issues.

Should there be any other records in the zone scope other than the NS, SOA, and the records to resolve differently?

Thank you for any help.

Dan

windows-dhcp-dns

1 Answer

DanRothbart-6970 answered

The resolution was to add the FQDN criterion to the definition of the DNS policy. This restricts the DNS requests that use the new zone scope to the names listed; all others continue to use the main DNS zone scope.

Add-DnsServerQueryResolutionPolicy -Name "Test" -Action ALLOW -ClientSubnet "eq,Test_Client" -FQDN "eq,testrecord.abc.com" -ZoneScope "abc_Test,1" -ZoneName "abc.com" -ComputerName DC01

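The whole procedure from the question and the answer, as one added example (not the original poster's script): it builds the client subnet, zone scope, override record and policy on every DNS server in one pass, with the FQDN criterion included from the start. The reason the first policy broke resolution is worth spelling out: a policy whose only criterion is the client subnet sends every query for abc.com from 10.1.2.0/24 to the abc_Test scope, and that scope holds nothing but NS, SOA and the override record, so every other name in the zone fails for that office. Adding the FQDN criterion means only queries for testrecord.abc.com are answered from the scope; everything else falls through to the default scope. Assumptions not stated in the thread: the server names DC01-DC04, that each runs the DNS Server role, and that the script runs with the DnsServer RSAT cmdlets and DNS admin rights.

```powershell
# Added example, not the poster's own commands. Assumed environment: four DCs that are
# all DNS servers for the AD-integrated zone abc.com.
$Zone       = 'abc.com'
$Scope      = 'abc_Test'        # zone scope holding only the override record
$SubnetName = 'Test_Client'
$Subnet     = '10.1.2.0/24'     # the one office that should get a different answer
$RecordName = 'testrecord'
$ScopedIP   = '10.1.2.25'       # address returned only to $Subnet
$PolicyName = 'Test'
$DnsServers = 'DC01', 'DC02', 'DC03', 'DC04'   # assumed names

# Client subnets, zone scopes and query resolution policies are per-server objects.
# They are NOT replicated by Active Directory, so every DNS server needs its own copy.
foreach ($srv in $DnsServers) {
    # 1. Client subnet that identifies the office.
    if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ComputerName $srv -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $Subnet -ComputerName $srv
    }

    # 2. Zone scope: a separate record set for the zone, empty apart from what we add.
    if (-not (Get-DnsServerZoneScope -ZoneName $Zone -Name $Scope -ComputerName $srv -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ZoneName $Zone -Name $Scope -ComputerName $srv
    }

    # 3. Override record inside the scope. The default scope keeps the normal value.
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $Scope -Name $RecordName -RRType A `
                    -ComputerName $srv -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $Scope -A -Name $RecordName `
            -IPv4Address $ScopedIP -ComputerName $srv
    }

    # 4. Policy with BOTH criteria. With -ClientSubnet alone, every query for $Zone from
    #    $Subnet would be answered from $Scope, which lacks all the other records.
    #    The ",1" after the scope name is the weight used when several scopes are listed.
    Remove-DnsServerQueryResolutionPolicy -Name $PolicyName -ZoneName $Zone -ComputerName $srv `
        -Force -ErrorAction SilentlyContinue
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW `
        -ClientSubnet "eq,$SubnetName" `
        -Fqdn "eq,$RecordName.$Zone" `
        -ZoneScope "$Scope,1" `
        -ZoneName $Zone -ComputerName $srv
}

# Check: the policy must exist, be enabled, and be present on every server.
foreach ($srv in $DnsServers) {
    Get-DnsServerQueryResolutionPolicy -ZoneName $Zone -ComputerName $srv |
        Select-Object @{ n = 'Server'; e = { $srv } }, Name, ProcessingOrder, IsEnabled, Action
}

# Functional check, run from a host INSIDE 10.1.2.0/24 against one of the DCs directly:
#   the override name should return $ScopedIP, and an unrelated name in the zone
#   (here the first DC's own A record) must still resolve; before the FQDN criterion
#   was added, the second query is the one that failed.
Resolve-DnsName -Name "$RecordName.$Zone" -Type A -Server $DnsServers[0]
Resolve-DnsName -Name "$($DnsServers[0]).$Zone" -Type A -Server $DnsServers[0]
# Repeat both from a host outside the subnet: the first should return the normal address.
```

One caveat when testing: the client-subnet criterion is matched against the source address of the query as the DNS server receives it. If the office's clients query through an intermediate resolver or forwarder, the DC sees that resolver's address, not the client's, and the subnet must describe the resolver instead. For the same reason, test from a client that points directly at a DC, as nslookup does when given a server name.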