Use DNS Policy for Split-Brain DNS Deployment

Applies To: Windows Server 2016

You can use this topic to learn how to configure DNS policy in Windows Server® 2016 for split-brain DNS deployments, where there are two versions of a single zone: one for the internal users on your organization's intranet, and one for the external users, who are typically users on the Internet.

Note

For information on how to use DNS Policy for split-brain DNS deployment with Active Directory integrated DNS zones, see Use DNS Policy for Split-Brain DNS in Active Directory.

Previously, this scenario required that DNS administrators maintain two different DNS servers, each providing service to one set of users, internal or external. If only a few records inside the zone were split-brained, or both instances of the zone (internal and external) were delegated to the same parent domain, this became a management conundrum.

Another configuration scenario for split-brain deployment is selective recursion control for DNS name resolution. In some circumstances, the enterprise DNS servers are expected to perform recursive resolution over the Internet for the internal users, while they also must act as authoritative name servers for external users and block recursion for them.

This topic contains the following sections.

Example of DNS Split-Brain Deployment

Following is an example of how you can use DNS policy to accomplish the previously described scenario of split-brain DNS.

This section contains the following topics.

This example uses a fictional company, Contoso, which maintains a career Web site at www.career.contoso.com.

The site has two versions. One is for internal users, where internal job postings are available; this internal site is available at the local IP address 10.0.0.39.

The second version is the public version of the same site, which is available at the public IP address 65.55.39.10.

In the absence of DNS policy, the administrator is required to host these two zones on separate Windows Server DNS servers and manage them separately.

Using DNS policies, these zones can now be hosted on the same DNS server.

The following illustration depicts this scenario.

Illustration: Split-Brain DNS Deployment

How DNS Split-Brain Deployment Works

When the DNS server is configured with the required DNS policies, each name resolution request is evaluated against the policies on the DNS server.

The server interface is used in this example as the criterion to differentiate between the internal and external clients.

If the server interface on which the query is received matches any of the policies, the associated zone scope is used to respond to the query.

So, in our example, DNS queries for www.career.contoso.com that are received on the private IP address (10.0.0.56) receive a DNS response that contains the internal IP address, and DNS queries that are received on the public network interface receive a DNS response that contains the public IP address from the default zone scope (this is the same as normal query resolution).

How to Configure DNS Split-Brain Deployment

To configure DNS split-brain deployment by using DNS policy, you must use the following steps.

The following sections provide detailed configuration instructions.

Important

The following sections include example Windows PowerShell commands that contain example values for many parameters. Ensure that you replace the example values in these commands with values that are appropriate for your deployment before you run the commands.

Create the Zone Scopes

A zone scope is a unique instance of the zone. A DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses or the same IP addresses.

Note

By default, one zone scope exists on every DNS zone. This zone scope has the same name as the zone, and legacy DNS operations work on this scope. This default zone scope will host the external version of www.career.contoso.com.

You can use the following example command to partition the zone contoso.com and create an internal zone scope. The internal zone scope will be used to keep the internal version of www.career.contoso.com.

Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "internal"

For more information, see Add-DnsServerZoneScope.

Add Records to the Zone Scopes

The next step is to add the records representing the Web server host into the two zone scopes: internal and default (for external clients).

In the internal zone scope, the record www.career.contoso.com is added with the IP address 10.0.0.39, which is a private IP address; in the default zone scope, the same record, www.career.contoso.com, is added with the IP address 65.55.39.10.

No -ZoneScope parameter is provided in the following example commands when the record is being added to the default zone scope. This is the same as adding records to an ordinary zone.

Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "65.55.39.10"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "10.0.0.39" -ZoneScope "internal"

For more information, see Add-DnsServerResourceRecord.

建立 DNS 原則Create the DNS Policies

伺服器介面外部網路和連絡找出您所建立的時區範圍之後,您必須建立連接內外區域領域 DNS 原則。After you have identified the server interfaces for the external network and internal network and you have created the zone scopes, you must create DNS policies that connect the internal and external zone scopes.

注意

此範例中為準則使用伺服器介面,來區分內外戶端。This example uses the server interface as the criteria to differentiate between the internal and external clients. 區分外部和內部另一個方法是使用 client 子網路為條件。Another method to differentiate between external and internal clients is by using client subnets as a criteria. 如果您找出內部戶端所屬的子網路,您可以設定來區分根據 client 子網路的 DNS 原則。If you can identify the subnets to which the internal clients belong, you can configure DNS policy to differentiate based on client subnet. 如何設定流量管理使用 client 子網路條件資訊,請查看使用 DNS 原則主要伺服器的地理位置型流量管理的For information on how to configure traffic management using client subnet criteria, see Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers.

當 DNS 伺服器接收私人介面在查詢時,從內部區域範圍傳回 DNS 查詢回應。When the DNS server receives a query on the private interface, the DNS query response is returned from the internal zone scope.

注意

不原則所需的對應區域預設範圍。No policies are required for mapping the default zone scope.

在下列範例命令中,10.0.0.56 是 IP 位址的私人網路介面上,在上圖中所示。In the following example command, 10.0.0.56 is the IP address on the private network interface, as shown in the previous illustration.

Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterface "eq,10.0.0.56" -ZoneScope "internal,1" -ZoneName contoso.com

如需詳細資訊,請查看新增-DnsServerQueryResolutionPolicyFor more information, see Add-DnsServerQueryResolutionPolicy.
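The three steps above (create the zone scope, add the records, create the policy) combined into one script, followed by a check that each server interface returns only the address intended for its audience. This is an added example and not part of the original topic or the Windows Server documentation. The values taken from the topic are contoso.com, www.career, 10.0.0.39, 65.55.39.10 and the private interface 10.0.0.56; the public interface address ($PublicIf), the 10.0.0.0/24 range in the commented client-subnet variant, and the assumption that the script runs on the DNS server itself with the DnsServer module installed are mine.

```powershell
# Added example: the three configuration steps in one script, followed by verification.
# Values taken from the topic: zone contoso.com, record www.career, internal address 10.0.0.39,
# public address 65.55.39.10, private DNS server interface 10.0.0.56.
# ASSUMPTIONS: $PublicIf (the topic does not give the server's public interface address),
# the 10.0.0.0/24 range in the optional client-subnet variant, and that this runs on the
# Windows Server 2016 DNS server with the DnsServer module installed.
Import-Module DnsServer

$ZoneName   = "contoso.com"
$RecordName = "www.career"
$Fqdn       = "$RecordName.$ZoneName"
$InternalIP = "10.0.0.39"     # internal Web server (from the topic)
$ExternalIP = "65.55.39.10"   # public Web server (from the topic)
$PrivateIf  = "10.0.0.56"     # DNS server's private interface (from the topic)
$PublicIf   = "203.0.113.10"  # ASSUMPTION: DNS server's public interface (documentation-range placeholder)

# Step 1: create the "internal" zone scope. The default scope already exists and keeps the public data.
if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name "internal" -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name "internal"
}

# Step 2: the same name with a different address in each scope. Omitting -ZoneScope targets the default scope.
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name $RecordName -IPv4Address $ExternalIP
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name $RecordName -IPv4Address $InternalIP -ZoneScope "internal"

# Step 3: queries that arrive on the private interface are answered from the internal scope.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW `
    -ServerInterfaceIP "eq,$PrivateIf" -ZoneScope "internal,1" -ZoneName $ZoneName

# Alternative criterion mentioned in the note above: match on the client's subnet instead of the
# server interface. Left commented out; use it if internal clients can be identified by subnet.
# Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/24"   # ASSUMPTION: internal range
# Add-DnsServerQueryResolutionPolicy -Name "SplitBrainSubnetPolicy" -Action ALLOW `
#     -ClientSubnet "eq,InternalSubnet" -ZoneScope "internal,1" -ZoneName $ZoneName

# Review what is now configured.
Get-DnsServerZoneScope -ZoneName $ZoneName
Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName
Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -ZoneScope "internal"
Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName

# Verify against each of the server's interfaces: each must return only the address meant for its audience.
# The check that matters most is the last one: the internal address must never be visible externally.
function Get-AnswerFrom($Server) {
    Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object QueryType -eq "A" | Select-Object -First 1 -ExpandProperty IPAddress
}
$privateAnswer = Get-AnswerFrom $PrivateIf
$publicAnswer  = Get-AnswerFrom $PublicIf
if ($privateAnswer -ne $InternalIP) { Write-Warning "$PrivateIf answered $privateAnswer, expected $InternalIP" }
if ($publicAnswer  -ne $ExternalIP) { Write-Warning "$PublicIf answered $publicAnswer, expected $ExternalIP" }
if ($publicAnswer  -eq $InternalIP) { Write-Warning "Internal address leaks through the public interface; check the policy" }
```

Run the script once on the DNS server after replacing the placeholder public address. If the last warning fires, the policy is not matching the interface the external queries arrive on; compare the address in -ServerInterfaceIP with the server's listening addresses before changing anything else.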

Example of DNS Selective Recursion Control

Following is an example of how you can use DNS policy to accomplish the previously described scenario of DNS selective recursion control.

This section contains the following topics.

This example uses the same fictional company as the previous example, Contoso, which maintains a career Web site at www.career.contoso.com.

In the DNS split-brain deployment example, the same DNS server responds to both external and internal clients and provides them with different answers.

Some DNS deployments might require the same DNS server to perform recursive name resolution for internal clients in addition to acting as the authoritative name server for external clients. This circumstance is called DNS selective recursion control.

In previous versions of Windows Server, enabling recursion meant that it was enabled on the whole DNS server for all zones. Because the DNS server is also listening for external queries, recursion is enabled for both internal and external clients, making the DNS server an open resolver.

A DNS server that is configured as an open resolver might be vulnerable to resource exhaustion and can be abused by malicious clients to create reflection attacks.

Because of this, Contoso DNS administrators do not want the DNS server for contoso.com to perform recursive name resolution for external clients. Recursion is needed only for internal clients, and it can be blocked for external clients.

The following illustration depicts this scenario.

Illustration: Selective Recursion Control

How DNS Selective Recursion Control Works

If a query for which the Contoso DNS server is not authoritative is received, such as a query for www.microsoft.com, the name resolution request is evaluated against the policies on the DNS server.

Because these queries do not fall under any zone, the zone-level policies (as defined in the split-brain example) are not evaluated.

The DNS server evaluates the recursion policies, and the queries that are received on the private interface match the SplitBrainRecursionPolicy. This policy points to a recursion scope where recursion is enabled.

The DNS server then performs recursion to get the answer for www.microsoft.com from the Internet, and caches the response locally.

If the query is received on the external interface, no DNS policies match, and the default recursion setting, which in this case is Disabled, is applied.

This prevents the server from acting as an open resolver for external clients while it acts as a caching resolver for internal clients.

How to Configure DNS Selective Recursion Control

To configure DNS selective recursion control by using DNS policy, you must use the following steps.

Create DNS Recursion Scopes

Recursion scopes are unique instances of a group of settings that control recursion on a DNS server. A recursion scope contains a list of forwarders and specifies whether recursion is enabled. A DNS server can have many recursion scopes.

The legacy recursion setting and list of forwarders are referred to as the default recursion scope. You cannot add or remove the default recursion scope, which is identified by the name dot (".").

In this example, the default recursion setting is disabled, while a new recursion scope for internal clients is created in which recursion is enabled.

Set-DnsServerRecursionScope -Name "." -EnableRecursion $False
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True

For more information, see Add-DnsServerRecursionScope.

Create DNS Recursion Policies

You can create DNS server recursion policies to choose a recursion scope for a set of queries that match specific criteria.

If the DNS server is not authoritative for some queries, DNS server recursion policies allow you to control how those queries are resolved.

In this example, the internal recursion scope, in which recursion is enabled, is associated with the private network interface.

You can use the following example command to configure DNS recursion policies.

# 10.0.0.56 is the DNS server's private network interface shown in the illustration (not 10.0.0.39, which is the internal Web server).
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,10.0.0.56"

For more information, see Add-DnsServerQueryResolutionPolicy.
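The recursion scope and recursion policy steps above combined into one script, followed by an open-resolver check: a name the server is not authoritative for is resolved once through the private interface (recursion expected) and once through the public interface (recursion expected to be refused). This is an added example and not part of the original topic or the Windows Server documentation. The private interface 10.0.0.56, the scope name InternalClients and the probe name www.microsoft.com come from the topic; the public interface address ($PublicIf) and the assumption that the script runs on the DNS server itself with the DnsServer module installed are mine.

```powershell
# Added example: the two selective-recursion steps in one script, then an open-resolver check.
# Values from the topic: private DNS server interface 10.0.0.56, recursion scope InternalClients,
# probe name www.microsoft.com. ASSUMPTIONS: $PublicIf (not given in the topic) and that this runs
# on the Windows Server 2016 DNS server with the DnsServer module installed.
Import-Module DnsServer

$PrivateIf = "10.0.0.56"         # DNS server's private interface (from the topic)
$PublicIf  = "203.0.113.10"      # ASSUMPTION: DNS server's public interface (documentation-range placeholder)
$ProbeName = "www.microsoft.com" # a name outside contoso.com, as used in the topic

# Step 1: recursion off in the default scope ("."), on in a new scope reserved for internal clients.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $False
if (-not (Get-DnsServerRecursionScope -Name "InternalClients" -ErrorAction SilentlyContinue)) {
    Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True
}

# Step 2: a recursion policy (-ApplyOnRecursion) that selects the internal scope for queries
# arriving on the private interface. Queries on any other interface fall back to ".", where recursion is disabled.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" -Action ALLOW -ApplyOnRecursion `
    -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,$PrivateIf"

# Review: "." must show EnableRecursion False and InternalClients must show True.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy"

# Verify. A server that recurses for a query received on the public interface is an open resolver.
# When recursion is refused, Resolve-DnsName returns no A record (it usually raises an error instead),
# which this function reports as $false.
function Test-RecursionVia($Server) {
    try {
        $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return [bool]($answer | Where-Object QueryType -eq "A")
    } catch {
        return $false
    }
}
if (-not (Test-RecursionVia $PrivateIf)) { Write-Warning "Internal clients cannot recurse through $PrivateIf; check the policy and the scope" }
if (Test-RecursionVia $PublicIf)         { Write-Warning "$PublicIf recurses for external clients: the server is still an open resolver" }
```

The second warning is the one to watch after any later change to recursion settings or forwarders: because Set-DnsServerRecursionScope on "." changes the legacy server-wide setting, re-enabling recursion there silently reopens the server to external clients.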

Now the DNS server is configured with the required DNS policies for either a split-brain name server or a DNS server with selective recursion control enabled for internal clients.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically, without restarting the DNS server, to incoming queries.

For more information, see DNS Policy Scenario Guide.