Use DNS Policy for Applying Filters on DNS Queries

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to configure DNS policy in Windows Server 2016 to create query filters based on criteria that you supply.

Query filters in DNS policy let you configure the DNS server to respond in a custom manner, based on the content of the DNS query and on the DNS client that sends it.

For example, you can configure DNS policy with a query filter Block List that drops DNS queries for known malicious domains, so that the DNS server never answers a client that tries to resolve those names. Because no response is sent from the DNS server, the client's query for the malicious name times out.

Another example is to create a query filter Allow List that allows only a specific set of clients to resolve certain names.

Query filter criteria

You can create query filters from any logical combination (AND/OR/NOT) of the following criteria. Whether the criteria of one policy are combined with AND (the default) or with OR is selected with the Condition parameter of Add-DnsServerQueryResolutionPolicy, and NOT is expressed inside a criterion with the NE (not equal) operator instead of EQ, as the allow-list examples later in this topic show.

Name: Description

Client Subnet: Name of a predefined client subnet (created with Add-DnsServerClientSubnet). Used to verify the subnet from which the query was sent.

Transport Protocol: Transport protocol used in the query. Possible values are UDP and TCP.

Internet Protocol: Network protocol used in the query. Possible values are IPv4 and IPv6.

Server Interface IP address: IP address of the network interface of the DNS server that received the DNS request.

FQDN: Fully qualified domain name of the record in the query, with the possibility of using a wildcard. This criterion matches the name being queried, not the domain that the querying client belongs to.

Query Type: Type of record being queried (A, SRV, TXT, and so on).

Time of Day: Time of day at which the query is received.
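The following PowerShell is an added example, not part of the original topic, showing how several criteria are combined in one server-level policy with the Condition parameter. The client subnet name CorpNet, its range 10.20.0.0/16 and the policy names are illustrative assumptions.

```powershell
# Added example: combining query-filter criteria in one server-level policy.
# Assumptions (not from the original topic): the client subnet name CorpNet,
# the range 10.20.0.0/16 and the policy names below are illustrative.

# Define the trusted client subnet once; policies refer to it by name.
Add-DnsServerClientSubnet -Name "CorpNet" -IPv4Subnet 10.20.0.0/16 -PassThru

# AND (the default Condition): drop UDP ANY queries that do NOT come from CorpNet.
# All three criteria must match: QType EQ ANY, transport EQ UDP, ClientSubnet NE CorpNet.
# ProcessingOrder 1 makes this the first server-level policy evaluated.
Add-DnsServerQueryResolutionPolicy -Name "DropExternalUdpAny" `
    -Action IGNORE `
    -QType "EQ,ANY" `
    -TransportProtocol "EQ,UDP" `
    -ClientSubnet "NE,CorpNet" `
    -Condition "AND" `
    -ProcessingOrder 1 `
    -PassThru

# OR: one policy that matches if EITHER criterion holds.
# Here a query is ignored if it is for a name under contosomalicious.com
# OR if its record type is ANY, regardless of where it comes from.
Add-DnsServerQueryResolutionPolicy -Name "DropMaliciousOrAny" `
    -Action IGNORE `
    -FQDN "EQ,*.contosomalicious.com" `
    -QType "EQ,ANY" `
    -Condition "OR" `
    -PassThru

# Review the resulting server-level policies and the order they are evaluated in.
Get-DnsServerQueryResolutionPolicy |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Action, Condition, IsEnabled -AutoSize
```

Note that every value after the operator is comma separated, so a single criterion such as `-QType "EQ,A,AAAA"` matches either type, and `"NE,A,AAAA"` matches every type except those two.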

The following examples show how to create filters for DNS policy that either block or allow DNS name resolution queries.

Note

The example commands in this topic use the Windows PowerShell cmdlet Add-DnsServerQueryResolutionPolicy. For more information, see Add-DnsServerQueryResolutionPolicy.

Block queries for a domain

In some circumstances you might want to block DNS name resolution for domains that you have identified as malicious, or for domains that do not comply with the usage guidelines of your organization. You can block queries for such domains by using DNS policy.

The policy that you configure in this example is not created on any particular zone. Instead, you create a Server Level Policy that applies to all zones configured on the DNS server. Server Level Policies are evaluated first, and are therefore the first to be matched when the DNS server receives a query.

The following example command configures a Server Level Policy that drops any query for a name with the domain suffix contosomalicious.com.

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicy" -Action IGNORE -FQDN "EQ,*.contosomalicious.com" -PassThru

Note

When you set the Action parameter to IGNORE, the DNS server drops matching queries without sending any response at all. The client that asked for the malicious name therefore waits until its query times out, instead of receiving an error response. If you would rather return an explicit failure response to the client, use the Action value DENY instead.

Block queries from a subnet

In this example, you block queries from a subnet that has been found to be infected by malware and is trying to contact malicious sites through your DNS server. The subnet is first defined as a named client subnet, and the policy then refers to it by name.

Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -PassThru

The following example demonstrates how you can combine the subnet criterion with the FQDN criterion to block queries for certain malicious domains only when they come from the infected subnet. The criteria of one policy are combined with AND unless you pass -Condition "OR". Policy names must be unique on the server, so if you already created BlockListPolicyMalicious06 in the previous step, remove it first (Remove-DnsServerQueryResolutionPolicy) or choose another name.

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -FQDN "EQ,*.contosomalicious.com" -PassThru

Block a type of query

You might need to block name resolution for certain types of queries on your servers. For example, you can block the ANY query, which attackers use to build amplification attacks because a small query elicits a large response.

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyQType" -Action IGNORE -QType "EQ,ANY" -PassThru

Allow queries only for a domain

You can use DNS policy not only to block queries but also to allow only a specific set of queries, selected by the name requested or by the subnet of the client. When you configure an Allow List, the DNS server processes only the queries that match the allowed criteria and ignores all others.

The following example command allows the DNS server to answer only queries for names in contoso.com and its child domains; queries for any other name are dropped. Because the FQDN criterion matches the name being queried rather than the domain the client belongs to, use a client subnet (next example) when you want to restrict by where the query comes from.

Add-DnsServerQueryResolutionPolicy -Name "AllowListPolicyDomain" -Action IGNORE -FQDN "NE,*.contoso.com" -PassThru

Allow queries only from a subnet

You can also create Allow Lists for IP subnets, so that all queries that do not originate from those subnets are ignored.

Add-DnsServerClientSubnet -Name "AllowedSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru

Add-DnsServerQueryResolutionPolicy -Name "AllowListPolicySubnet" -Action IGNORE -ClientSubnet "NE,AllowedSubnet06" -PassThru

Allow only certain QTypes

You can apply Allow Lists to QTYPEs.

For example, suppose that external customers query the DNS server on the interface with IP address 164.8.1.1. On that interface you want to answer only a few record types, while other QTYPEs such as SRV or TXT, which internal servers use for name resolution or for monitoring, are not answered there. The parameter is named ServerInterfaceIP; the shorter form ServerInterface also works because PowerShell accepts any unambiguous parameter prefix.

Add-DnsServerQueryResolutionPolicy -Name "AllowListQType" -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" -ServerInterfaceIP "EQ,164.8.1.1" -PassThru

You can create thousands of DNS policies according to your traffic management requirements, and new policies take effect dynamically on incoming queries, without restarting the DNS server.
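As an added example that is not part of the original topic, the following PowerShell verifies from a client that a block-list policy really drops queries (the symptom is a timeout, not an NXDOMAIN answer) and then removes the policy again. The DNS server address 10.20.0.10, the test name www.contosomalicious.com and the reuse of the policy name BlockListPolicy from this topic are assumptions for illustration.

```powershell
# Added example: verify that an IGNORE block-list policy drops queries, then roll it back.
# Assumptions (not from the original topic): the DNS server address 10.20.0.10 and the
# test names below are illustrative; the policy is the BlockListPolicy from this topic.
$DnsServer = "10.20.0.10"

function Test-DnsQuery {
    param([string]$Name, [string]$Type = "A", [string]$Server)
    # With Action IGNORE the server sends nothing, so Resolve-DnsName waits for its own
    # timeout and then throws. An NXDOMAIN also throws, but returns within a fraction of
    # a second, so the elapsed time tells the two cases apart.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Result = "answered"; Records = @($r).Count; Seconds = [int]$sw.Elapsed.TotalSeconds }
    } catch {
        [pscustomobject]@{ Name = $Name; Result = "no answer: $($_.Exception.Message)"; Records = 0; Seconds = [int]$sw.Elapsed.TotalSeconds }
    }
}

# 1. Baseline, before the policy exists: the name is either answered or fails fast with NXDOMAIN.
Test-DnsQuery -Name "www.contosomalicious.com" -Server $DnsServer

# 2. Create the server-level block-list policy from this topic on the remote server.
Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name "BlockListPolicy" `
    -Action IGNORE -FQDN "EQ,*.contosomalicious.com" -PassThru

# 3. Confirm that the policy is present and enabled.
Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name "BlockListPolicy" |
    Format-List Name, ProcessingOrder, IsEnabled, Action, Condition, Criteria

# 4. The blocked name now times out (several seconds, zero records),
#    while an unrelated name is still answered by the same server.
Test-DnsQuery -Name "www.contosomalicious.com" -Server $DnsServer
Test-DnsQuery -Name "www.contoso.com" -Server $DnsServer

# 5. Roll back: remove the policy. The change applies immediately; no DNS service restart is needed.
Remove-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name "BlockListPolicy" -Force
```

Run the same check against each policy you add: an Allow List built with a NE criterion silently drops everything that does not match, so confirming that a known-good name from a known-good subnet is still answered is as important as confirming that the unwanted query times out.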