Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to configure DNS Policy so that primary DNS servers respond to DNS client queries based on the geographical location of both the client and the resource the client is attempting to connect to, providing the client with the IP address of the closest resource.

Important

This scenario illustrates how to deploy DNS policy for geo-location based traffic management when you are using only primary DNS servers. You can also accomplish geo-location based traffic management when you have both primary and secondary DNS servers. If you have a primary-secondary deployment, first complete the steps in this topic, and then complete the steps provided in the topic Use DNS Policy for Geo-Location Based Traffic Management with Primary-Secondary Deployments.

With the new DNS policies, you can create a DNS policy that controls how the DNS server responds to a client query asking for the IP address of a Web server. Instances of the Web server might be located in different datacenters at different physical locations. DNS can assess the client and Web server locations, then respond to the client request with the IP address of the Web server instance that is physically closest to the client.

You can use the following DNS policy parameters to control the DNS server responses to queries from DNS clients.

  • Client Subnet. Name of a predefined client subnet. Used to verify the subnet from which the query was sent.
  • Transport Protocol. Transport protocol used in the query. Possible entries are UDP and TCP.
  • Internet Protocol. Network protocol used in the query. Possible entries are IPv4 and IPv6.
  • Server Interface IP address. IP address of the network interface of the DNS server that received the DNS request.
  • FQDN. The Fully Qualified Domain Name (FQDN) of the record in the query, with the possibility of using a wildcard.
  • Query Type. Type of record being queried (A, SRV, TXT, etc.).
  • Time of Day. Time of day the query is received.

You can combine these criteria with a logical operator (AND/OR) to formulate policy expressions. When an expression matches, the policy performs one of the following actions.

  • Ignore. The DNS server silently drops the query.
  • Deny. The DNS server responds to the query with a failure response.
  • Allow. The DNS server responds with a traffic-managed response.

Geo-Location Based Traffic Management Example

The following is an example of how you can use DNS policy to redirect traffic on the basis of the physical location of the client that performs a DNS query.

This example uses two fictional companies: Contoso Cloud Services, which provides web and domain hosting solutions, and Woodgrove Food Services, which provides food delivery services in multiple cities across the globe and has a Web site named woodgrove.com.

Contoso Cloud Services has two datacenters, one in the U.S. and another in Europe. The European datacenter hosts a food ordering portal for woodgrove.com.

To ensure that woodgrove.com customers get a responsive experience from the website, Woodgrove wants European clients directed to the European datacenter and American clients directed to the U.S. datacenter. Customers located elsewhere in the world can be directed to either of the datacenters.

The following illustration depicts this scenario.

[Illustration: Geo-Location Based Traffic Management Example]

How the DNS name resolution process works

During the name resolution process, the user tries to connect to www.woodgrove.com. This results in a DNS name resolution request being sent to the DNS server that is configured in the Network Connection properties on the user's computer. Typically, this is the DNS server provided by the local ISP acting as a caching resolver, and it is referred to as the LDNS.

If the DNS name is not present in the local cache of the LDNS, the LDNS server forwards the query to the DNS server that is authoritative for woodgrove.com. The authoritative DNS server responds with the requested record (www.woodgrove.com) to the LDNS server, which in turn caches the record locally before sending it to the user's computer.

Because Contoso Cloud Services uses DNS Server policies, the authoritative DNS server that hosts contoso.com is configured to return geo-location based traffic-managed responses. This results in European clients being directed to the European datacenter and American clients being directed to the U.S. datacenter, as depicted in the illustration.

In this scenario, the authoritative DNS server usually sees the name resolution request coming from the LDNS server and, very rarely, from the user's computer. Because of this, the source IP address in the name resolution request as seen by the authoritative DNS server is that of the LDNS server and not that of the user's computer. However, using the IP address of the LDNS server when you configure geo-location based query responses still provides a fair estimate of the geo-location of the user, because the user is querying the DNS server of their local ISP.

Note

DNS policies use the sender IP address in the UDP/TCP packet that contains the DNS query. If the query reaches the primary server through multiple resolver/LDNS hops, the policy considers only the IP address of the last resolver from which the DNS server receives the query.

How to configure DNS Policy for Geo-Location Based Query Responses

To configure DNS policy for geo-location based query responses, you must perform the following steps.

  1. Create the DNS Client Subnets
  2. Create the Scopes of the Zone
  3. Add Records to the Zone Scopes
  4. Create the Policies

Note

You must perform these steps on the DNS server that is authoritative for the zone you want to configure. Membership in DnsAdmins, or equivalent, is required to perform the following procedures.

The following sections provide detailed configuration instructions.

Important

The following sections include example Windows PowerShell commands that contain example values for many parameters. Ensure that you replace the example values in these commands with values that are appropriate for your deployment before you run them.

Create the DNS Client Subnets

The first step is to identify the subnets or IP address space of the regions for which you want to redirect traffic. For example, if you want to redirect traffic for the U.S. and Europe, you need to identify the subnets or IP address spaces of these regions.

You can obtain this information from Geo-IP maps. Based on these Geo-IP distributions, you must create the "DNS Client Subnets." A DNS Client Subnet is a logical grouping of IPv4 or IPv6 subnets from which queries are sent to a DNS server.

You can use the following Windows PowerShell commands to create DNS Client Subnets.

Add-DnsServerClientSubnet -Name "USSubnet" -IPv4Subnet "192.0.0.0/24"

Add-DnsServerClientSubnet -Name "EuropeSubnet" -IPv4Subnet "141.1.0.0/24"

For more information, see Add-DnsServerClientSubnet.

Create Zone Scopes

After the client subnets are configured, you must partition the zone whose traffic you want to redirect into two different zone scopes, one scope for each of the DNS Client Subnets that you have configured.

For example, if you want to redirect traffic for the DNS name www.woodgrove.com, you must create two different zone scopes in the woodgrove.com zone, one for the U.S. and one for Europe.

A zone scope is a unique instance of the zone. A DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses or the same IP addresses.

Note

By default, a zone scope exists on every DNS zone. This zone scope has the same name as the zone, and legacy DNS operations work on this scope.

You can use the following Windows PowerShell commands to create zone scopes.

Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "USZoneScope"

Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "EuropeZoneScope"

For more information, see Add-DnsServerZoneScope.

Add Records to the Zone Scopes

Now you must add the records representing the web server host into the two zone scopes, for example USZoneScope and EuropeZoneScope. In USZoneScope, you can add the record www.woodgrove.com with the IP address 192.0.0.1, which is located in the U.S. datacenter; in EuropeZoneScope you can add the same record (www.woodgrove.com) with the IP address 141.1.0.1, which is located in the European datacenter.

You can use the following Windows PowerShell commands to add records to the zone scopes.

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "192.0.0.1" -ZoneScope "USZoneScope"

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "141.1.0.1" -ZoneScope "EuropeZoneScope"

In this example, you must also use the following Windows PowerShell commands to add records into the default zone scope, to ensure that the rest of the world can still access the woodgrove.com web server from either of the two datacenters.

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "192.0.0.1"

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "141.1.0.1"

The ZoneScope parameter is not included when you add a record to the default scope. This is the same as adding records to a standard DNS zone.

For more information, see Add-DnsServerResourceRecord.

Create the Policies

After you have created the subnets and the partitions (zone scopes) and have added the records, you must create policies that connect the subnets to the partitions, so that when a query comes from a source in one of the DNS client subnets, the response is returned from the correct scope of the zone. No policy is required for the default zone scope.

You can use the following Windows PowerShell commands to create DNS policies that link the DNS Client Subnets to the zone scopes.

Add-DnsServerQueryResolutionPolicy -Name "USPolicy" -Action ALLOW -ClientSubnet "eq,USSubnet" -ZoneScope "USZoneScope,1" -ZoneName "woodgrove.com"

Add-DnsServerQueryResolutionPolicy -Name "EuropePolicy" -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1" -ZoneName "woodgrove.com"

For more information, see Add-DnsServerQueryResolutionPolicy.

The DNS server is now configured with the DNS policies required to redirect traffic based on geo-location.
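The four steps above combined into one re-runnable script, as an added example that is not part of the original topic. It assumes the woodgrove.com zone already exists and that you run it in an elevated session as a DnsAdmins member; the IPv6 client subnets and the RecordData.IPv4Address property path are assumptions, and the subnet and address values are constructed placeholders to replace with your own.

```powershell
# Added example, not from the original topic: steps 1-4 as one re-runnable script.
# Assumed: zone woodgrove.com already exists; elevated session as a DnsAdmins member;
# the IPv6 subnets below are constructed placeholders (the topic only shows IPv4).
#Requires -Modules DnsServer
$ZoneName = "woodgrove.com"
$HostName = "www"

# One entry per region: client subnets to steer, and the datacenter address to return.
$Regions = @(
    @{ Name = "US";     IPv4 = "192.0.0.0/24"; IPv6 = "2001:db8:1::/48"; Address = "192.0.0.1" },
    @{ Name = "Europe"; IPv4 = "141.1.0.0/24"; IPv6 = "2001:db8:2::/48"; Address = "141.1.0.1" }
)

$order = 1
foreach ($r in $Regions) {
    $subnet = "$($r.Name)Subnet"
    $scope  = "$($r.Name)ZoneScope"
    $policy = "$($r.Name)Policy"

    # Step 1: DNS client subnet (Get-* returns nothing if absent, so re-runs are safe)
    if (-not (Get-DnsServerClientSubnet -Name $subnet -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $subnet -IPv4Subnet $r.IPv4 -IPv6Subnet $r.IPv6
    }
    # Step 2: zone scope that holds this region's copy of the records
    if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $scope -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ZoneName $ZoneName -Name $scope
    }
    # Step 3: the regional A record inside that scope
    if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $scope -Name $HostName -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $scope -A -Name $HostName -IPv4Address $r.Address
    }
    # Step 4: policy mapping subnet -> scope; an explicit ProcessingOrder keeps evaluation order predictable
    if (-not (Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -Name $policy -ErrorAction SilentlyContinue)) {
        Add-DnsServerQueryResolutionPolicy -Name $policy -Action ALLOW -ClientSubnet "eq,$subnet" `
            -ZoneScope "$scope,1" -ZoneName $ZoneName -ProcessingOrder $order
    }
    $order++
}

# Default scope: both datacenter addresses, so clients outside every client subnet still resolve.
# The RecordData.IPv4Address property path is assumed from the DnsServer module's A-record objects.
$current = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A -ErrorAction SilentlyContinue |
    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
foreach ($r in $Regions) {
    if ($current -notcontains $r.Address) {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name $HostName -IPv4Address $r.Address
    }
}
```

Run the script again after a change to the region table and only the missing objects are created; existing subnets, scopes, records and policies are left untouched.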

When the DNS server receives name resolution queries, it evaluates the fields in the DNS request against the configured DNS policies. If the source IP address in the name resolution request matches any of the policies, the associated zone scope is used to respond to the query, and the user is directed to the resource that is geographically closest to them.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically to incoming queries, without restarting the DNS server.