agfreesafety3-6849 asked:

My DNSServerQueryResolutionPolicy Problem

I am trying to establish a DNS policy. I haven't been successful in doing so. I have a forward lookup zone, named {redacted}.internal, with three subdomains/zone scopes underneath it.

[attachment: dns.png]

I'm trying to configure this so that resources in the prod zone scope (aka prod.{redacted}.internal) ignore resources in the qa zone scope (aka qa.{redacted}.internal).

...so I tried it twice, unsuccessfully, trying two slightly different ways of defining the identity of the zone scope:

[attachment: pwsh.png]


Any idea what I'm doing wrong?

Also, I noticed that when I defined the three zone scopes, the filename field (that's supposed to represent the forward lookup zone) was blank...

[attachment: zonescope.png]


So this led me to look in the sys32 --> DNS folder, and I noticed that there's no .dns folder for this zone/subdomain.

Could the lack of the .dns folder be the reason why I haven't been able to get Add-DnsServerQueryResolutionPolicy to work?


Tags: windows-server-powershell, windows-dhcp-dns

GaryReynolds answered:

Hi @agfreesafety3-6849

I have already responded to your other question but here is some more specific information about the command you have tried so far:

 Add-DNSServerQueryResolutionPolicy -name prodqablock -action ignore -clientsubnet "eq,qa" -zonescope "prod,1" -zonename "abc.internal"

The reason you are getting the error is that you have specified the -zonescope parameter: you would need to create a ZoneScope called "prod" for abc.internal first. However, ZoneScopes in the context of DNS policies exist to provide different answers to queries based on a policy, which doesn't match what you are trying to do. This command also assumes that a ClientSubnet called "qa" has already been created.

If you want to block the production machines from querying the qa.abc.internal zone, you will need to use the following commands:

 Add-DnsServerClientSubnet -name ProdMachines -ipv4subnet 192.168.1.0/24
 Add-DnsServerQueryResolutionPolicy -name prodqablock -action ignore -fqdn "EQ,qa.abc.internal" -ClientSubnet "EQ,ProdMachines"

Gary.


agfreesafety3-6849 commented:

Thank you, that worked. Now when we test (using Linux machines) the block seems to work every other try. It'll block on the first try, then on the next the policy doesn't work, but then it does again the next time.

Is there a setting in the resolv.conf file that administers this behavior or something? I don't know a whole lot about Linux.

GaryReynolds replied:

If you have multiple DNS servers, you must complete the commands on all the domain controllers.


agfreesafety3-6849 commented:

I put the policies on the secondary DNS host manually and checked both PowerShell outputs side by side to make sure they're the same, and the issue is still occurring. Any other ideas? And thanks for your time and ideas.

agfreesafety3-6849 answered:

I found the issue; there were two different A records for the same server, one of which was in a different lookup zone. After removing one of the A records, it's working as expected.
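The following PowerShell is an added example that is not part of this thread or of Gary's answer. It puts the whole procedure together: Gary's client-subnet plus IGNORE policy, applied to every DNS server as his comment recommends; a side-by-side check that the servers carry the same policy; a resolver test that exposes the "works every other query" symptom; and a check for the root cause reported in the final answer (the same host with A records in two zones). The server names dns1/dns2, the 192.168.1.0/24 and 192.168.2.0/24 production ranges, and the test records web.qa.abc.internal and dc1.abc.internal are assumptions. The wildcard FQDN form (*.qa.abc.internal) follows Microsoft's documented block-list example and matches names under the zone; Gary's "EQ,qa.abc.internal" matches the zone name itself.

```powershell
#Requires -Modules DnsServer
# Added example, not from the thread. Assumed names: DNS servers dns1/dns2,
# production ranges 192.168.1.0/24 and 192.168.2.0/24, child zone qa.abc.internal,
# test records web.qa.abc.internal and dc1.abc.internal. Run from an elevated
# session with the DnsServer module (DNS role or RSAT-DNS-Server) installed.

$DnsServers  = @('dns1.abc.internal', 'dns2.abc.internal')   # assumption
$ProdSubnets = @('192.168.1.0/24', '192.168.2.0/24')          # assumption
$BlockedZone = 'qa.abc.internal'
$PolicyName  = 'prodqablock'
$SubnetName  = 'ProdMachines'

# 1. Create the client subnet and the IGNORE policy on EVERY server. A policy that
#    exists on only one resolver is the classic cause of "blocked every other query":
#    the client alternates between servers and only one of them drops the query.
foreach ($server in $DnsServers) {
    if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ComputerName $server -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $ProdSubnets -ComputerName $server
    }
    if (-not (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ComputerName $server -ErrorAction SilentlyContinue)) {
        # Server-level policy: no -ZoneName/-ZoneScope, those are for answering
        # differently per scope, not for blocking. IGNORE drops the query silently;
        # DENY would send an error response instead.
        Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action IGNORE `
            -FQDN "EQ,*.$BlockedZone" -ClientSubnet "EQ,$SubnetName" -ComputerName $server
    }
}

# 2. Confirm the servers agree; any difference here explains intermittent results.
$summary = foreach ($server in $DnsServers) {
    Get-DnsServerQueryResolutionPolicy -ComputerName $server |
        Select-Object @{ n = 'Server'; e = { $server } }, Name, Action, IsEnabled, ProcessingOrder
}
$summary | Format-Table -AutoSize

# 3. Test from a host inside a production subnet: the blocked name should get no
#    answer from every server, a permitted name should answer from every server.
#    -DnsOnly skips the local cache so each query really reaches $server.
foreach ($server in $DnsServers) {
    foreach ($name in @("web.$BlockedZone", 'dc1.abc.internal')) {
        $answer = Resolve-DnsName -Name $name -Server $server -DnsOnly -ErrorAction SilentlyContinue
        $state  = if ($answer) { 'answered' } else { 'no answer (ignored, or record missing)' }
        '{0,-22} {1,-26} {2}' -f $server, $name, $state
    }
}

# 4. The root cause reported at the end of the thread: the same host had A records in
#    two zones, so some lookups resolved a name the policy never matched. Flag any
#    IPv4 address that appears as an A record in more than one forward zone.
$records = foreach ($zone in Get-DnsServerZone -ComputerName $DnsServers[0] |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A -ComputerName $DnsServers[0] |
        ForEach-Object {
            [pscustomobject]@{
                Zone = $zone.ZoneName
                Host = $_.HostName
                IP   = $_.RecordData.IPv4Address.IPAddressToString
            }
        }
}
$records | Group-Object IP |
    Where-Object { @($_.Group.Zone | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { "$($_.Host).$($_.Zone)" }) -join ', '
        "IP $($_.Name) has A records in more than one zone: $names"
    }
```

Step 3 is the diagnostic for the symptom in the comments: if one server reports "answered" for the blocked name while the other reports no answer, the policy is missing or disabled on that server (step 2 shows which); if both servers ignore the query but the Linux client still resolves the host, look at step 4, which lists a host that also exists under a zone the FQDN criterion does not cover.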
