question

agfreesafety3-6849 asked GaryReynolds answered

Help with DNS Server Query

I am trying to establish a DNS policy. I haven't been successful in doing so. I have a forward lookup zone, named {redacted}.internal, with three subdomains/zone scopes underneath it.


I'm trying to configure this so that resources in the prod zone scope (aka prod.{redacted}.internal) ignore resources in the qa zone scope (aka qa.{redacted}.internal).

...so I tried it twice, unsuccessfully, trying two slightly different ways of defining the identity of the zone scope.


Any idea what I'm doing wrong?

Also, I noticed that when I defined the three zone scopes, the filename field (that's supposed to represent the forward lookup zone) was blank...

So this led me to look in the sys32 --> DNS folder, and I noticed that there's no .dns file for this zone/subdomain.

Could the lack of the .dns file be the reason why I haven't been able to get Add-DnsServerQueryResolutionPolicy to work?

windows-dhcp-dns

1 Answer

GaryReynolds answered

Hi @agfreesafety3-6849

resources in the prod zone scope

Are you able to provide a bit more information on what you mean by this? The DNS policies support the following ways to identify how to apply the policy: FQDN being queried, client's IP/range, query type, transport or IP protocol used. I'm not aware of a method that will enable you to specify whether the client's FQDN is a member of a specific zone.

Typically you would create a client subnet which contains the IP addresses or range of the production machines, then create a policy to ignore or deny queries for the qa.{redacted}.internal zone based on the client subnet.

 # Define the production clients by IP, then drop (IGNORE) their queries for the blocked name
 Add-DnsServerClientSubnet -Name Prod -IPv4Subnet 192.168.1.38/32
 Add-DnsServerQueryResolutionPolicy -Name blockprod -Action IGNORE -FQDN "EQ,*.blocked.com" -ClientSubnet "EQ,Prod"

the filename field was blank

If this is related to the output of the Get-DnsServerZoneScope cmdlet, then this means that the DNS zone has been stored in Active Directory.

Please provide the details of the approaches you have tried already, as it might help understand why it's failing.

Gary.
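The client-subnet approach from the answer above, carried through for the prod/qa layout in the question, as an added example rather than Gary's own commands. It assumes a placeholder parent zone name corp.internal (the real one is redacted) and a constructed production range 10.10.0.0/24.

```powershell
# Added example: make the DNS server ignore production clients' queries for the
# QA subdomain. Assumptions (not from the thread):
#   $Domain  - placeholder for the redacted parent zone name
#   $ProdNet - constructed production client range
$Domain  = 'corp.internal'
$ProdNet = '10.10.0.0/24'
$QaFqdn  = "*.qa.$Domain"

# 1. Identify production clients by source IP. Policies can match the querying
#    IP, the queried FQDN, query type and protocol, not the client's own zone.
if (-not (Get-DnsServerClientSubnet -Name 'Prod' -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name 'Prod' -IPv4Subnet $ProdNet
}

# 2. Server-level policy: queries from the Prod subnet for any name under
#    qa.<domain> are silently dropped (IGNORE). Use -Action DENY instead if
#    clients should get an immediate failure rather than a timeout.
Add-DnsServerQueryResolutionPolicy -Name 'ProdIgnoresQa' `
    -Action IGNORE `
    -ClientSubnet 'EQ,Prod' `
    -FQDN "EQ,$QaFqdn" `
    -Condition AND `
    -ProcessingOrder 1

# 3. Verify what the server will evaluate before testing from a client.
Get-DnsServerClientSubnet -Name 'Prod' | Format-List Name, IPv4Subnet
Get-DnsServerQueryResolutionPolicy -Name 'ProdIgnoresQa' |
    Format-List Name, Action, Condition, IsEnabled, ProcessingOrder, Criteria

# 4. From a host inside $ProdNet this times out (IGNORE sends no reply); from
#    any other host it resolves normally. -DnsOnly bypasses the local cache so
#    the query actually reaches the server.
# Resolve-DnsName -Name "web01.qa.$Domain" -Server <dns-server> -DnsOnly
```

DNS policies are stored per server and are not replicated through Active Directory, so repeat this on every DNS server the production clients use.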
