DNS Policies Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn about DNS Policy, which is new in Windows Server 2016. You can use DNS Policy for geo-location based traffic management, intelligent DNS responses based on the time of day, to manage a single DNS server configured for split-brain deployment, to apply filters on DNS queries, and more. The following items provide more detail about these capabilities.

  • Application Load Balancing. When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application.

  • Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

  • Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether they are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.

  • Filtering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and on the DNS client that sends the query.

  • Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach.

  • Time of day based redirection. You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day.
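The Forensics item above describes answering a suspicious client population from a zone scope that holds a sinkhole address rather than silently dropping its queries. The following script is an added example and is not part of the original page; the subnet name QuarantineSubnet, the scope name SinkholeScope, the 10.99.0.0/16 prefix and the 192.0.2.1 sinkhole address are all assumptions chosen for the illustration (192.0.2.0/24 is a documentation prefix that is never routed).

```powershell
# Added example (not from the original page): sinkhole answers for one client subnet.
# Assumed names: "QuarantineSubnet", "SinkholeScope", zone contoso.com.
# 192.0.2.1 is a constructed, non-routable sinkhole address.

# 1. Describe the clients whose answers should be redirected.
Add-DnsServerClientSubnet -Name "QuarantineSubnet" -IPv4Subnet "10.99.0.0/16"

# 2. Create a zone scope whose copy of "www" points at the sinkhole address.
#    The default scope of contoso.com keeps the real record for everyone else.
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "SinkholeScope"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -ZoneScope "SinkholeScope" -A -Name "www" -IPv4Address "192.0.2.1"

# 3. Zone-level policy: queries from the quarantined subnet are answered only
#    from the sinkhole scope (weight 1, since there is a single scope).
Add-DnsServerQueryResolutionPolicy -Name "QuarantinePolicy" -Action ALLOW -ClientSubnet "EQ,QuarantineSubnet" -ZoneScope "SinkholeScope,1" -ZoneName "contoso.com"

# Check: the policy is attached to the zone and the scope holds the sinkhole record.
Get-DnsServerQueryResolutionPolicy -ZoneName "contoso.com" | Format-Table Name, Action, ProcessingOrder
Get-DnsServerResourceRecord -ZoneName "contoso.com" -ZoneScope "SinkholeScope" -Name "www"
```

Unlike an IGNORE policy, which returns nothing, a sinkhole answer is still a normal DNS response, so the redirected clients keep behaving normally from their point of view while any connection attempt to 192.0.2.1 becomes an easy thing to alert on at the network edge. The policy is scoped to contoso.com only; names in other zones are answered as usual unless a similar policy is attached to each of them.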

New Concepts

In order to create policies to support the scenarios listed above, it is necessary to be able to identify groups of records in a zone, groups of clients on a network, and other elements. These elements are represented by the following new DNS objects:

  • Client subnet: a client subnet object represents an IPv4 or IPv6 subnet from which queries are submitted to a DNS server. You can create subnets to later define policies to be applied based on what subnet the requests come from. For instance, in a split brain DNS scenario, the request for resolution for a name such as www.microsoft.com can be answered with an internal IP address to clients from internal subnets, and with a different IP address to clients in external subnets.

  • Recursion scope: recursion scopes are unique instances of a group of settings that control recursion on a DNS server. A recursion scope contains a list of forwarders and specifies whether recursion is enabled. A DNS server can have many recursion scopes. DNS server recursion policies allow you to choose a recursion scope for a set of queries. If the DNS server is not authoritative for certain queries, DNS server recursion policies allow you to control how to resolve those queries. You can specify which forwarders to use and whether to use recursion.

  • Zone scopes: a DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses. Also, zone transfers are done at the zone scope level. That means that records from a zone scope in a primary zone will be transferred to the same zone scope in a secondary zone.

Types of Policy

DNS Policies are divided by level and type. You can use Query Resolution Policies to define how queries are processed, and Zone Transfer Policies to define how zone transfers occur. You can apply each policy type at the server level or the zone level.

Query Resolution Policies

You can use DNS Query Resolution Policies to specify how incoming resolution queries are handled by a DNS server. Every DNS Query Resolution Policy contains the following elements:

| Field | Description | Possible values |
|---|---|---|
| Name | Policy name | Up to 256 characters; can contain any character valid for a file name |
| State | Policy state | Enable (default); Disabled |
| Level | Policy level | Server; Zone |
| Processing order | Once a query is classified by level and "applies on", the server finds the first policy whose criteria the query matches and applies it to the query | Numeric value; unique per policy with the same level and "applies on" value |
| Action | Action to be performed by the DNS server | Allow (default for zone level); Deny (default for server level); Ignore |
| Criteria | Policy condition (AND/OR) and the list of criteria to be met for the policy to be applied | Condition operator (AND/OR); list of criteria (see the criterion table below) |
| Scope | List of zone scopes and a weighted value per scope. Weighted values are used for load balancing distribution. For instance, if this list includes datacenter1 with a weight of 3 and datacenter2 with a weight of 5, the server will respond with a record from datacenter1 three times out of eight requests | List of zone scopes (by name) and weights |

Note

Server level policies can only have the values Deny or Ignore as an action.
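The Scope row of the table above describes weighted distribution across zone scopes. The script below is an added example, not code from the original page; it builds the datacenter1 / datacenter2 case from the table, with the zone name contoso.com, the record name app, and the addresses 192.0.2.10 and 198.51.100.10 being assumptions made for the illustration.

```powershell
# Added example (not from the original page): weighted answers from two zone scopes.
# Assumed: zone contoso.com, scopes "datacenter1" and "datacenter2", name "app";
# the two IPv4 addresses are constructed documentation-range values.

Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "datacenter1"
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "datacenter2"

# Each scope holds its own copy of the same name with a different address.
Add-DnsServerResourceRecord -ZoneName "contoso.com" -ZoneScope "datacenter1" -A -Name "app" -IPv4Address "192.0.2.10"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -ZoneScope "datacenter2" -A -Name "app" -IPv4Address "198.51.100.10"

# Scope list syntax: "<scope>,<weight>;<scope>,<weight>".
# Weights 3 and 5 give datacenter1 about three answers out of every eight.
Add-DnsServerQueryResolutionPolicy -Name "AppLoadBalance" -Action ALLOW -Fqdn "EQ,app.contoso.com" -ZoneScope "datacenter1,3;datacenter2,5" -ZoneName "contoso.com"

# Verify the scope names and weights stored on the policy.
(Get-DnsServerQueryResolutionPolicy -Name "AppLoadBalance" -ZoneName "contoso.com").Content
```

The ratio is statistical rather than strict round-robin, so a handful of repeated Resolve-DnsName calls against the server will not show an exact 3:5 split; it converges over many queries. Because no client subnet criterion is set, every client that asks for app.contoso.com participates in the distribution.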

The DNS policy criteria field is composed of two elements:

| Name | Description | Sample values |
|---|---|---|
| Client Subnet | Name of a client subnet object, used to test the subnet from which the query was sent | EQ,Spain,France: resolves to true if the subnet is identified as either Spain or France; NE,Canada,Mexico: resolves to true if the client subnet is any subnet other than Canada and Mexico |
| Transport Protocol | Transport protocol used in the query. Possible entries are UDP and TCP | EQ,TCP; EQ,UDP |
| Internet Protocol | Network protocol used in the query. Possible entries are IPv4 and IPv6 | EQ,IPv4; EQ,IPv6 |
| Server Interface IP address | IP address of the DNS server network interface on which the query arrived | EQ,10.0.0.1; EQ,192.168.1.1 |
| FQDN | FQDN of the record in the query, with the possibility of using a wildcard | EQ,www.contoso.com: resolves to true only if the query is trying to resolve the www.contoso.com FQDN; EQ,*.contoso.com,*.woodgrove.com: resolves to true if the query is for any record ending in contoso.com OR woodgrove.com |
| Query Type | Type of record being queried (A, SRV, TXT) | EQ,TXT,SRV: resolves to true if the query is requesting a TXT OR SRV record; EQ,MX: resolves to true if the query is requesting an MX record |
| Time of Day | Time of day the query is received | EQ,10:00-12:00,22:00-23:00: resolves to true if the query is received between 10 AM and noon, OR between 10 PM and 11 PM |

Using the table above as a starting point, the table below could be used to define a criterion that matches queries for any type of record except SRV records in the contoso.com domain, coming from a client in the 10.0.0.0/24 subnet via TCP, between 8 and 10 PM, through interface 10.0.0.3:

| Name | Value |
|---|---|
| Client Subnet | EQ,10.0.0.0/24 |
| Transport Protocol | EQ,TCP |
| Server Interface IP address | EQ,10.0.0.3 |
| FQDN | EQ,*.contoso.com |
| Query Type | NE,SRV |
| Time of Day | EQ,20:00-22:00 |
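The criterion table above lists the values but not how they are combined into a policy. The script below is an added example and not from the original page: it turns that exact criterion set into a zone-level policy with all six tests joined by AND. The subnet object name Subnet10, the policy name EveningTcpPolicy and the zone scope name EveningScope are assumptions; the criterion values are the ones from the table.

```powershell
# Added example (not from the original page): the criterion from the table above
# as one zone-level query resolution policy. Assumed names: "Subnet10",
# "EveningTcpPolicy", "EveningScope"; zone contoso.com.

# Client subnet criteria refer to subnet objects by name, so create it first.
Add-DnsServerClientSubnet -Name "Subnet10" -IPv4Subnet "10.0.0.0/24"

# Scope that will answer the matching queries (assumed to be populated separately).
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "EveningScope"

# -Condition AND requires every criterion to match; OR would accept any one of them.
Add-DnsServerQueryResolutionPolicy -Name "EveningTcpPolicy" -ZoneName "contoso.com" `
    -Action ALLOW `
    -Condition AND `
    -ClientSubnet "EQ,Subnet10" `
    -TransportProtocol "EQ,TCP" `
    -ServerInterfaceIP "EQ,10.0.0.3" `
    -Fqdn "EQ,*.contoso.com" `
    -QType "NE,SRV" `
    -TimeOfDay "EQ,20:00-22:00" `
    -ZoneScope "EveningScope,1"

# Read back the criteria the server stored (one entry per criterion).
(Get-DnsServerQueryResolutionPolicy -Name "EveningTcpPolicy" -ZoneName "contoso.com").Criteria
```

Omitting -ZoneName would make this a server-level policy, and server-level policies accept only DENY or IGNORE as the action, so the ALLOW plus zone scope combination is only valid at the zone level. The time window is evaluated in the DNS server's local time.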

You can create multiple query resolution policies at the same level, as long as they have different values for the processing order. When multiple policies are available, the DNS server processes incoming queries in the following manner:

(Figure: DNS policy processing)

Recursion Policies

Recursion policies are a special type of server level policy. Recursion policies control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path. You can choose a value of DENY or IGNORE for recursion for a set of queries. Alternatively, you can choose a set of forwarders for a set of queries.

You can use recursion policies to implement a split-brain DNS configuration. In this configuration, the DNS server performs recursion for a set of clients for a query, while it does not perform recursion for other clients for that query.

Recursion policies contain the same elements a regular DNS query resolution policy contains, along with the elements in the table below:

| Name | Description |
|---|---|
| Apply on recursion | Specifies that this policy should only be used for recursion. |
| Recursion Scope | Name of the recursion scope. |

Note

Recursion policies can only be created at the server level.

Zone Transfer Policies

Zone transfer policies control whether a zone transfer is allowed or not by your DNS server. You can create policies for zone transfer at either the server level or the zone level. Server level policies apply to every zone transfer query that occurs on the DNS server. Zone level policies apply only to the queries for a zone hosted on the DNS server. The most common use for zone level policies is to implement blocked or safe lists.

Note

Zone transfer policies can only use DENY or IGNORE as actions.

You can use the server level zone transfer policy below to deny a zone transfer for the contoso.com domain from a given subnet:

Add-DnsServerZoneTransferPolicy -Name DenyTransferOfCOnsotostoFabrikam -Zone contoso.com -Action DENY -ClientSubnet "EQ,192.168.1.0/24"  

You can create multiple zone transfer policies at the same level, as long as they have different values for the processing order. When multiple policies are available, the DNS server processes incoming queries in the following manner:

(Figure: DNS processing of multiple zone transfer policies)

Managing DNS Policies

You can create and manage DNS Policies by using PowerShell. The examples below go through different sample scenarios that you can configure through DNS Policies:

Traffic Management

You can direct traffic based on an FQDN to different servers depending on the location of the DNS client. The example below shows how to create traffic management policies that direct the customers from a certain subnet to a North American datacenter and those from another subnet to a European datacenter.

Add-DnsServerClientSubnet -Name "NorthAmericaSubnet" -IPv4Subnet "172.21.33.0/24"  
Add-DnsServerClientSubnet -Name "EuropeSubnet" -IPv4Subnet "172.17.44.0/24"  
Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "NorthAmericaZoneScope"  
Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "EuropeZoneScope"  
Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "www" -IPv4Address "172.17.97.97" -ZoneScope "EuropeZoneScope"  
Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "www" -IPv4Address "172.21.21.21" -ZoneScope "NorthAmericaZoneScope"  
Add-DnsServerQueryResolutionPolicy -Name "NorthAmericaPolicy" -Action ALLOW -ClientSubnet "eq,NorthAmericaSubnet" -ZoneScope "NorthAmericaZoneScope,1" -ZoneName "Contoso.com"  
Add-DnsServerQueryResolutionPolicy -Name "EuropePolicy" -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1" -ZoneName contoso.com  

The first two lines of the script create client subnet objects for North America and Europe. The two lines after that create a zone scope within the contoso.com domain, one for each region. The two lines after that create a record in each zone scope that associates www.contoso.com with a different IP address, one for Europe, another one for North America. Finally, the last two lines of the script create two DNS Query Resolution Policies, one to be applied to the North America subnet, another to the Europe subnet.
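After running the script above, an administrator will want to confirm what was created and in which order the policies are evaluated. The commands below are an added example, not part of the original page; they use the policy, zone and scope names from the page's own script and no other assumptions.

```powershell
# Added example (not from the original page): inspecting the traffic management
# policies and scopes created by the script above. Names are the page's own.

# Zone-level policies on contoso.com, with evaluation order, action and state.
# Lower ProcessingOrder values are evaluated first; the first match wins.
Get-DnsServerQueryResolutionPolicy -ZoneName "contoso.com" |
    Format-Table Name, ProcessingOrder, Action, IsEnabled

# Which address each scope hands out for www.
foreach ($scope in "NorthAmericaZoneScope", "EuropeZoneScope") {
    Get-DnsServerResourceRecord -ZoneName "contoso.com" -ZoneScope $scope -Name "www" -RRType A |
        ForEach-Object { "{0}: {1}" -f $scope, $_.RecordData.IPv4Address }
}

# The subnet objects the policies refer to by name.
Get-DnsServerClientSubnet | Format-Table Name, IPv4Subnet

# Take a policy out of evaluation without deleting it while troubleshooting,
# then put it back.
Disable-DnsServerPolicy -Name "NorthAmericaPolicy" -ZoneName "contoso.com"
Enable-DnsServerPolicy  -Name "NorthAmericaPolicy" -ZoneName "contoso.com"
```

To observe the policy from the client side, run Resolve-DnsName www.contoso.com -Server <DNS server address> from a host in each of the two subnets and compare the returned addresses; a client that matches neither subnet receives the record from the zone's default scope.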

Block queries for a domain

You can use a DNS Query Resolution Policy to block queries to a domain. The example below blocks all queries to treyresearch.net:

Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicy" -Action IGNORE -FQDN "EQ,*.treyresearch.net"  

Block queries from a subnet

You can also block queries coming from a specific subnet. The script below creates a subnet object for 172.0.33.0/24 and then creates a policy that ignores all queries coming from that subnet:

Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.33.0/24  
Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyMalicious06" -Action IGNORE -ClientSubnet  "EQ,MaliciousSubnet06"  

Allow recursion for internal clients

You can control recursion by using a DNS Query Resolution Policy. The sample below can be used to enable recursion for internal clients while disabling it for external clients in a split brain scenario.

Set-DnsServerRecursionScope -Name . -EnableRecursion $False   
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True  
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP  "EQ,10.0.0.34"  

The first line in the script changes the default recursion scope, simply named "." (dot), to disable recursion. The second line creates a recursion scope named InternalClients with recursion enabled. The third line creates a policy that applies the newly created recursion scope to any queries coming in through a server interface that has 10.0.0.34 as its IP address.
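The Recursion Policies section notes that a recursion scope can also carry its own forwarder list, and that a policy can select clients by subnet rather than by server interface. The script below is an added example, not part of the original page, showing both; the subnet name BranchSubnet, the 10.20.0.0/16 prefix, the scope name BranchResolvers and the forwarder addresses 10.20.0.53 and 10.20.0.54 are assumptions.

```powershell
# Added example (not from the original page): a recursion scope with forwarders,
# selected by client subnet. Assumed names: "BranchSubnet", "BranchResolvers";
# the prefix and forwarder addresses are constructed.

# Keep the default scope "." non-recursive, as in the page's script, so that
# clients matched by no recursion policy get no recursion at all.
Set-DnsServerRecursionScope -Name . -EnableRecursion $False

# A scope that recurses only through two designated forwarders.
Add-DnsServerRecursionScope -Name "BranchResolvers" -EnableRecursion $True -Forwarder 10.20.0.53, 10.20.0.54

# Select the scope by the querying client's subnet instead of by server interface.
Add-DnsServerClientSubnet -Name "BranchSubnet" -IPv4Subnet "10.20.0.0/16"
Add-DnsServerQueryResolutionPolicy -Name "BranchRecursionPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "BranchResolvers" -ClientSubnet "EQ,BranchSubnet"

# Check: every recursion scope, whether it recurses, and through which forwarders.
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion, Forwarder

# Check: the recursion policies now defined at the server level.
Get-DnsServerQueryResolutionPolicy | Where-Object { $_.AppliesOn -eq "Recursion" } | Format-Table Name, ProcessingOrder, Action
```

Because recursion policies are server-level, the -ZoneName parameter is not used. The default scope remains the fallback for any query that reaches the recursion path without matching a policy, which is why it is kept disabled here: the safe outcome for an unclassified (for example, external) client is no recursion rather than open recursion.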

Create a server level zone transfer policy

You can control zone transfer in a more granular form by using DNS Zone Transfer policies. The sample script below can be used to allow zone transfers only for servers on a given subnet:

Add-DnsServerClientSubnet -Name "AllowedSubnet" -IPv4Subnet 172.21.33.0/24  
Add-DnsServerZoneTransferPolicy -Name "NorthAmericaPolicy" -Action IGNORE -ClientSubnet "ne,AllowedSubnet"  

The first line in the script creates a subnet object named AllowedSubnet with the IP block 172.21.33.0/24. The second line creates a zone transfer policy that ignores zone transfer requests from any client outside that subnet (the NE operator), which allows zone transfers only to DNS servers on the subnet previously created.

Create a zone level zone transfer policy

You can also create zone level zone transfer policies. The example below ignores any request for a zone transfer for contoso.com coming in from a server interface that has an IP address of 10.0.0.33:

Add-DnsServerZoneTransferPolicy -Name "InternalTransfers" -Action IGNORE -ServerInterfaceIP "ne,10.0.0.33" -PassThru -ZoneName "contoso.com"  
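Once server-level and zone-level zone transfer policies coexist, it is worth reviewing both sets together. The commands below are an added example and not part of the original page; they use only the policy and zone names from the two scripts above.

```powershell
# Added example (not from the original page): reviewing zone transfer policies at
# both levels after the scripts above, and removing one. Names are the page's own.

# Server-level zone transfer policies (apply to every zone on the server).
Get-DnsServerZoneTransferPolicy | Format-Table Name, ProcessingOrder, Action, IsEnabled

# Zone-level zone transfer policies attached to contoso.com only.
Get-DnsServerZoneTransferPolicy -ZoneName "contoso.com" | Format-Table Name, ProcessingOrder, Action, IsEnabled

# The criteria stored on a policy, e.g. the client subnet test from the server-level example.
(Get-DnsServerZoneTransferPolicy -Name "NorthAmericaPolicy").Criteria

# Remove the zone-level policy when it is no longer needed (-Force skips the prompt).
Remove-DnsServerZoneTransferPolicy -Name "InternalTransfers" -ZoneName "contoso.com" -Force
```

Zone transfer policies are an additional gate on top of the zone's own transfer settings (the secondary-server list configured on the zone), not a replacement for them, so both should be reviewed when auditing who can pull a copy of a zone.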

DNS Policy Scenarios

For information on how to use DNS policy for specific scenarios, see the following topics in this guide.