I have some DCs separated by firewalls. So I need LDAP queries (not just AD queries) from clients in certain subnets to only use DCs in certain subnets. So I want DNS queries from those subnets for the domain name 'domain.com' to only return the IPs of the domain controllers I want.
On a DNS server, I do the following.
Add-DnsServerClientSubnet -Name "mySubnet" -IPv4Subnet "10.160.8.0/21"
Add-DnsServerZoneScope -ZoneName "domain.com" -Name "myZonescope"
Add-DnsServerResourceRecord -ZoneName "domain.com" -A -Name "@" -IPv4Address 10.160.12.8 -ZoneScope "myZonescope"
Add-DnsServerResourceRecord -ZoneName "domain.com" -A -Name "@" -IPv4Address 10.160.12.9 -ZoneScope "myZonescope"
Add-DnsServerQueryResolutionPolicy -ZoneName "domain.com" -Name "myPolicy" -Action ALLOW -ClientSubnet "eq,mySubnet" -ZoneScope "myZonescope,1;domain.com,2"
I included the second 'domain.com' zone in the policy's allow list because, in earlier tests, if a record did not exist in myZonescope, it just failed to resolve instead of falling back to the original zone.
So if I now go to a client that lives in mySubnet and uses the DNS server where I applied these settings, and do an nslookup for 'domain.com', I only get the two IPs in myZonescope. Awesome! But if I press the up arrow and do another nslookup, I get every DC in domain.com again. Next time? Just the myZonescope records. Next time? All DCs in domain.com.
Also, if I ping domain.com, I get a round-robin response of every DC in domain.com.
Looking in myZonescope, I also saw NS records for every DC in domain.com, in addition to the two A records I specified above. I deleted all those NS records to test, but the behavior persists: on every other nslookup from the same client I get the policy-based responses, and on every other one I get every DC in domain.com.
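The following script is an added example and is not part of the original post. It reuses the names from the post (subnet mySubnet = 10.160.8.0/21, zone domain.com, scope myZonescope, the two DC addresses 10.160.12.8 and 10.160.12.9) and assumes the DnsServer module is available on the server. It shows the policy as posted next to a variant that matches only the zone apex name and answers from a single scope, and it ends with a small verification function that queries the server repeatedly and tallies the distinct answer sets, which is the quickest way to see whether a policy answers consistently or is alternating between scopes. The DNS server address passed to the verification function is an assumption.

```powershell
# Added example, not from the original post. Assumes the names used above:
# subnet "mySubnet" = 10.160.8.0/21, zone "domain.com", scope "myZonescope",
# and the two scoped DC addresses 10.160.12.8 / 10.160.12.9. Run on the DNS server.
# Requires the DnsServer module (DNS Server role or RSAT).

$Zone      = 'domain.com'
$Scope     = 'myZonescope'
$SubnetId  = 'mySubnet'
$ScopedDCs = @('10.160.12.8', '10.160.12.9')

# 1. Client subnet and zone scope (idempotent: skip if already present).
if (-not (Get-DnsServerClientSubnet -Name $SubnetId -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SubnetId -IPv4Subnet '10.160.8.0/21'
}
if (-not (Get-DnsServerZoneScope -ZoneName $Zone -Name $Scope -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $Zone -Name $Scope
}

# 2. Apex A records inside the scope only.
foreach ($ip in $ScopedDCs) {
    Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $Scope -A -Name '@' -IPv4Address $ip
}

# 3a. The policy as posted. The numbers after each scope name are
#     load-balancing weights: roughly 1 in 3 matching queries is answered
#     from myZonescope and 2 in 3 from the default scope. They are not a
#     fallback order.
# Add-DnsServerQueryResolutionPolicy -ZoneName $Zone -Name 'myPolicy' -Action ALLOW `
#     -ClientSubnet "eq,$SubnetId" -ZoneScope "$Scope,1;$Zone,2"

# 3b. Alternative: match only the zone apex name and answer from one scope.
#     Queries for other names in the zone do not match the policy, so they
#     are answered from the default scope without a second weighted entry.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone -ErrorAction SilentlyContinue |
    Where-Object Name -eq 'myPolicy' |
    ForEach-Object { Remove-DnsServerQueryResolutionPolicy -ZoneName $Zone -Name $_.Name -Force }

Add-DnsServerQueryResolutionPolicy -ZoneName $Zone -Name 'myPolicy' -Action ALLOW `
    -ClientSubnet "eq,$SubnetId" -Fqdn "eq,$Zone" -ZoneScope "$Scope,1"

# 4. Verify from a client in mySubnet: query the server repeatedly and count
#    the distinct answer sets. A single distinct set means the policy answers
#    consistently; two sets means queries are being split between scopes.
function Test-ApexAnswers {
    param([string]$DnsServer, [string]$Name, [int]$Count = 10)
    $sets = 1..$Count | ForEach-Object {
        (Resolve-DnsName -Name $Name -Type A -Server $DnsServer -DnsOnly |
            Where-Object QueryType -eq 'A' |
            Select-Object -ExpandProperty IPAddress | Sort-Object) -join ','
    }
    $sets | Group-Object | Select-Object Name, Count
}

# Usage from a client in 10.160.8.0/21 (the server address is an assumption):
# Test-ApexAnswers -DnsServer 10.160.12.8 -Name 'domain.com' -Count 20
```

Two caveats worth keeping in mind when testing. The policy exists only on the DNS server where it was created, so every server the clients in that subnet use must carry it, or their answers will depend on which server they hit. And scoping the apex A record steers only applications that look up 'domain.com' directly; the AD DC locator finds domain controllers through the SRV records under _msdcs and _tcp, which this policy does not touch.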