Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to configure DNS Policy to allow primary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

Important

This scenario illustrates how to deploy DNS policy for geo-location based traffic management when you are using only primary DNS servers. You can also accomplish geo-location based traffic management when you have both primary and secondary DNS servers. If you have a primary-secondary deployment, first complete the steps in this topic, and then complete the steps that are provided in the topic Use DNS Policy for Geo-Location Based Traffic Management with Primary-Secondary Deployments.

With new DNS policies, you can create a DNS policy that allows the DNS server to respond to a client query asking for the IP address of a Web server. Instances of the Web server might be located in different datacenters at different physical locations. DNS can assess the client and Web server locations, then respond to the client request by providing the client with the IP address of a Web server that is physically located closer to the client.

You can use the following DNS policy parameters to control the DNS server responses to queries from DNS clients.

  • Client Subnet. Name of a predefined client subnet. Used to verify the subnet from which the query was sent.
  • Transport Protocol. Transport protocol used in the query. Possible entries are UDP and TCP.
  • Internet Protocol. Network protocol used in the query. Possible entries are IPv4 and IPv6.
  • Server Interface IP address. IP address of the network interface of the DNS server that received the DNS request.
  • FQDN. The Fully Qualified Domain Name (FQDN) of the record in the query, with the possibility of using a wildcard.
  • Query Type. Type of record being queried (A, SRV, TXT, etc.).
  • Time of Day. Time of day the query is received.

You can combine the preceding criteria with a logical operator (AND/OR) to formulate policy expressions. When these expressions match, the policies are expected to perform one of the following actions.

  • Ignore. The DNS server silently drops the query.
  • Deny. The DNS server responds to the query with a failure response.
  • Allow. The DNS server responds with a traffic-managed response.

Geo-Location Based Traffic Management Example

The following is an example of how you can use DNS policy to achieve traffic redirection on the basis of the physical location of the client that performs a DNS query.

This example uses two fictional companies: Contoso Cloud Services, which provides web and domain hosting solutions; and Woodgrove Food Services, which provides food delivery services in multiple cities across the globe, and which has a Web site named woodgrove.com.

Contoso Cloud Services has two datacenters, one in the U.S. and another in Europe. The European datacenter hosts a food ordering portal for woodgrove.com.

To ensure that woodgrove.com customers get a responsive experience from their website, Woodgrove wants European clients directed to the European datacenter and American clients directed to the U.S. datacenter. Customers located elsewhere in the world can be directed to either of the datacenters.

The following illustration depicts this scenario.

[Illustration: Geo-Location Based Traffic Management Example]

How the DNS name resolution process works

During the name resolution process, the user tries to connect to www.woodgrove.com. This results in a DNS name resolution request that is sent to the DNS server that is configured in the Network Connection properties on the user's computer. Typically, this is the DNS server provided by the local ISP acting as a caching resolver, and it is referred to as the LDNS.

If the DNS name is not present in the local cache of the LDNS, the LDNS server forwards the query to the DNS server that is authoritative for woodgrove.com. The authoritative DNS server responds with the requested record (www.woodgrove.com) to the LDNS server, which in turn caches the record locally before sending it to the user's computer.

Because Contoso Cloud Services uses DNS Server policies, the authoritative DNS server that hosts contoso.com is configured to return geo-location based traffic-managed responses. This results in European clients being directed to the European datacenter and American clients being directed to the U.S. datacenter, as depicted in the illustration.

In this scenario, the authoritative DNS server usually sees the name resolution request coming from the LDNS server and, very rarely, from the user's computer. Because of this, the source IP address in the name resolution request as seen by the authoritative DNS server is that of the LDNS server and not that of the user's computer. However, using the IP address of the LDNS server when you configure geo-location based query responses provides a fair estimate of the geo-location of the user, because the user is querying the DNS server of their local ISP.

Note

DNS policies utilize the sender IP in the UDP/TCP packet that contains the DNS query. If the query reaches the primary server through multiple resolver/LDNS hops, the policy will consider only the IP of the last resolver from which the DNS server receives the query.

How to configure DNS Policy for Geo-Location Based Query Responses

To configure DNS policy for geo-location based query responses, you must perform the following steps.

  1. Create the DNS Client Subnets
  2. Create the Scopes of the Zone
  3. Add Records to the Zone Scopes
  4. Create the Policies

Note

You must perform these steps on the DNS server that is authoritative for the zone you want to configure. Membership in DnsAdmins, or equivalent, is required to perform the following procedures.

The following sections provide detailed configuration instructions.

Important

The following sections include example Windows PowerShell commands that contain example values for many parameters. Ensure that you replace the example values in these commands with values that are appropriate for your deployment before you run these commands.

Create the DNS Client Subnets

The first step is to identify the subnets or IP address space of the regions for which you want to redirect traffic. For example, if you want to redirect traffic for the U.S. and Europe, you need to identify the subnets or IP address spaces of these regions.

You can obtain this information from Geo-IP maps. Based on these Geo-IP distributions, you must create the "DNS Client Subnets." A DNS Client Subnet is a logical grouping of IPv4 or IPv6 subnets from which queries are sent to a DNS server.

You can use the following Windows PowerShell commands to create DNS Client Subnets.

Add-DnsServerClientSubnet -Name "USSubnet" -IPv4Subnet "192.0.0.0/24"  

Add-DnsServerClientSubnet -Name "EuropeSubnet" -IPv4Subnet "141.1.0.0/24"  

For more information, see Add-DnsServerClientSubnet.

Create Zone Scopes

After the client subnets are configured, you must partition the zone whose traffic you want to redirect into two different zone scopes, one scope for each of the DNS Client Subnets that you have configured.

For example, if you want to redirect traffic for the DNS name www.woodgrove.com, you must create two different zone scopes in the woodgrove.com zone, one for the U.S. and one for Europe.

A zone scope is a unique instance of the zone. A DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses or the same IP addresses.

Note

By default, a zone scope exists on every DNS zone. This zone scope has the same name as the zone, and legacy DNS operations work on this scope.

You can use the following Windows PowerShell commands to create zone scopes.

Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "USZoneScope"  

Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "EuropeZoneScope"  

For more information, see Add-DnsServerZoneScope.

Add Records to the Zone Scopes

Now you must add the records representing the web server host into the two zone scopes.

For example, USZoneScope and EuropeZoneScope. In USZoneScope, you can add the record www.woodgrove.com with the IP address 192.0.0.1, which is located in the U.S. datacenter; and in EuropeZoneScope you can add the same record (www.woodgrove.com) with the IP address 141.1.0.1 in the European datacenter.

You can use the following Windows PowerShell commands to add records to the zone scopes.

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "192.0.0.1" -ZoneScope "USZoneScope"

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "141.1.0.1" -ZoneScope "EuropeZoneScope"  

In this example, you must also use the following Windows PowerShell commands to add records into the default zone scope to ensure that the rest of the world can still access the woodgrove.com web server from either of the two datacenters.

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "192.0.0.1"   

Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -A -Name "www" -IPv4Address "141.1.0.1"

The ZoneScope parameter is not included when you add a record in the default scope. This is the same as adding records to a standard DNS zone.

For more information, see Add-DnsServerResourceRecord.

Create the Policies

After you have created the subnets and the partitions (zone scopes), and you have added records, you must create policies that connect the subnets and partitions, so that when a query comes from a source in one of the DNS client subnets, the query response is returned from the correct scope of the zone. No policies are required for mapping the default zone scope.

You can use the following Windows PowerShell commands to create the DNS policies that link the DNS Client Subnets and the zone scopes.

Add-DnsServerQueryResolutionPolicy -Name "USPolicy" -Action ALLOW -ClientSubnet "eq,USSubnet" -ZoneScope "USZoneScope,1" -ZoneName "woodgrove.com"  

Add-DnsServerQueryResolutionPolicy -Name "EuropePolicy" -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1" -ZoneName "woodgrove.com"  

For more information, see Add-DnsServerQueryResolutionPolicy.
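The four steps above, carried out for both regions from a single table and followed by the checks a practitioner would want before relying on the policies, as an added example (not code from the original topic). It assumes it runs on the authoritative server as a DnsAdmins member, that the woodgrove.com zone already exists with no www records, that the subnets and addresses are the topic's sample values, and that $DnsServer is a hypothetical address of the DNS server.

```powershell
# Added example, not from the original topic: runs steps 1-4 for each region,
# then shows what the server will evaluate and how to check an answer from a client.
# Assumed: authoritative server, DnsAdmins rights, zone exists, sample values below.
Import-Module DnsServer

$Zone      = 'woodgrove.com'
$DnsServer = '203.0.113.53'   # hypothetical; replace with your server's address
# Client subnet -> zone scope -> address of the web server in that region
$Regions = @(
    @{ Name = 'US';     Subnet = '192.0.0.0/24'; Address = '192.0.0.1' },
    @{ Name = 'Europe'; Subnet = '141.1.0.0/24'; Address = '141.1.0.1' }
)

foreach ($r in $Regions) {
    $subnetName = "$($r.Name)Subnet"
    $scopeName  = "$($r.Name)ZoneScope"

    # Step 1: DNS client subnet built from the Geo-IP ranges for the region
    Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet $r.Subnet
    # Step 2: a zone scope holding this region's copy of the records
    Add-DnsServerZoneScope -ZoneName $Zone -Name $scopeName
    # Step 3: region-specific answer in the scope ...
    Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address $r.Address -ZoneScope $scopeName
    # ... and the same address in the default scope for clients outside both regions
    Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address $r.Address
    # Step 4: policy that answers queries from the subnet out of the matching scope
    Add-DnsServerQueryResolutionPolicy -Name "$($r.Name)Policy" -Action ALLOW `
        -ClientSubnet "eq,$subnetName" -ZoneScope "$scopeName,1" -ZoneName $Zone
}

# Server-side check: policies in processing order (order decides which one wins
# when more than one matches), and the records each scope will hand out.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, IsEnabled, Action -AutoSize
foreach ($r in $Regions) {
    Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType A -ZoneScope "$($r.Name)ZoneScope"
}

# Client-side check: the policy matches the source IP of the packet (the LDNS or
# last resolver hop, see the note above), so run this from a host whose resolver
# sits inside each region's subnet and confirm only that region's address comes back.
function Test-GeoAnswer {
    param([string]$Server = $DnsServer)
    (Resolve-DnsName -Name "www.$Zone" -Type A -Server $Server -DnsOnly -NoHostsFile).IPAddress
}
Test-GeoAnswer
```

A query from a host outside both subnets should return both addresses, because no policy matches and the default scope answers.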

Now the DNS server is configured with the required DNS policies to redirect traffic based on geo-location.

When the DNS server receives name resolution queries, it evaluates the fields in the DNS request against the configured DNS policies. If the source IP address in the name resolution request matches any of the policies, the associated zone scope is used to respond to the query, and the user is directed to the resource that is geographically closest to them.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically, without restarting the DNS server, on incoming queries.