What's New in DNS Server in Windows Server

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the Domain Name System (DNS) server functionality that is new or changed in Windows Server 2016.

In Windows Server 2016, DNS Server offers enhanced support in the following areas.

Functionality | New or Improved | Description
DNS Policies | New | You can configure DNS policies to specify how a DNS server responds to DNS queries. DNS responses can be based on client IP address (location), time of the day, and several other parameters. DNS policies enable location-aware DNS, traffic management, load balancing, split-brain DNS, and other scenarios.
Response Rate Limiting (RRL) | New | You can enable response rate limiting on your DNS servers. By doing this, you avoid the possibility of malicious systems using your DNS servers to initiate a denial of service attack on a DNS client.
DNS-based Authentication of Named Entities (DANE) | New | You can use TLSA (Transport Layer Security Authentication) records to provide information to DNS clients that state what CA they should expect a certificate from for your domain name. This prevents man-in-the-middle attacks where someone might corrupt the DNS cache to point to their own website, and provide a certificate they issued from a different CA.
Unknown record support | New | You can add records which are not explicitly supported by the Windows DNS server using the unknown record functionality.
IPv6 root hints | New | You can use the native IPv6 root hints support to perform internet name resolution using the IPv6 root servers.
Windows PowerShell Support | Improved | New Windows PowerShell cmdlets are available for DNS Server.

DNS Policies

You can use DNS Policy for geo-location based traffic management, intelligent DNS responses based on the time of day, managing a single DNS server configured for split-brain deployment, applying filters on DNS queries, and more. The following items provide more detail about these capabilities.

  • Application Load Balancing. When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application.

  • Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

  • Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.

  • Filtering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and the DNS client that sends the DNS query.

  • Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach.

  • Time of day based redirection. You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day.

You can also use DNS policies for Active Directory integrated DNS zones.

For more information, see the DNS Policy Scenario Guide.
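The following script is an added example, not code from the Microsoft page, that configures one Windows Server 2016 DNS server for each of the scenarios listed above (geo-location, split-brain, filtering, forensics sinkhole, time of day and weighted load balancing). The zone contoso.com, the subnets, the interface addresses and the record data are constructed placeholders; the cmdlet and parameter names are those of the DnsServer module, so confirm them with Get-Help on the target server before use.

```powershell
# Added example, not from the Microsoft page: one DNS server configured for the
# policy scenarios above. contoso.com, the subnets, interface addresses and
# record data are constructed placeholders; confirm cmdlet and parameter names
# with Get-Help <cmdlet> -Full on the target server.

# --- Client subnets: where a query comes from ---------------------------------
Add-DnsServerClientSubnet -Name "NorthAmericaSubnet" -IPv4Subnet "172.21.33.0/24"
Add-DnsServerClientSubnet -Name "EuropeSubnet"       -IPv4Subnet "172.21.34.0/24"
Add-DnsServerClientSubnet -Name "MaliciousSubnet"    -IPv4Subnet "198.51.100.0/24"

# --- Zone scopes: alternative record sets inside the same zone ----------------
"NorthAmericaScope", "EuropeScope", "External", "Sinkhole" | ForEach-Object {
    Add-DnsServerZoneScope -ZoneName "contoso.com" -Name $_
}
# The same name resolves differently depending on which scope answers.
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www" -IPv4Address "10.0.0.10"      # default scope: internal answer
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www" -IPv4Address "172.21.33.2"  -ZoneScope "NorthAmericaScope"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www" -IPv4Address "172.21.34.2"  -ZoneScope "EuropeScope"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www" -IPv4Address "203.0.113.10" -ZoneScope "External"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www" -IPv4Address "192.0.2.1"    -ZoneScope "Sinkhole"   # unused TEST-NET address

# Policies are evaluated in processing order (here, creation order) and the
# first match wins, so the most specific policies are created first.

# --- Filtering / forensics -----------------------------------------------------
# Clients in the malicious range get the sinkhole answer instead of the real host.
Add-DnsServerQueryResolutionPolicy -Name "SinkholeMalicious" -Action ALLOW `
    -ClientSubnet "EQ,MaliciousSubnet" -ZoneScope "Sinkhole,1" -ZoneName "contoso.com"
# Queries for a name that should never be answered are dropped with no response
# at all (server-level policy, no -ZoneName).
Add-DnsServerQueryResolutionPolicy -Name "DropBadName" -Action IGNORE -FQDN "EQ,*.bad.example"

# --- Split-brain: queries on the external interface get the External scope ----
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainExternal" -Action ALLOW `
    -ServerInterfaceIP "EQ,203.0.113.1" -ZoneScope "External,1" -ZoneName "contoso.com"

# --- Geo-location based traffic management ------------------------------------
Add-DnsServerQueryResolutionPolicy -Name "NorthAmericaClients" -Action ALLOW `
    -ClientSubnet "EQ,NorthAmericaSubnet" -ZoneScope "NorthAmericaScope,1" -ZoneName "contoso.com"
Add-DnsServerQueryResolutionPolicy -Name "EuropeClients" -Action ALLOW `
    -ClientSubnet "EQ,EuropeSubnet" -ZoneScope "EuropeScope,1" -ZoneName "contoso.com"

# --- Time of day, then weighted load balancing, for everyone else -------------
# Between 00:00 and 06:00 the remaining traffic goes to the Europe instance only.
Add-DnsServerQueryResolutionPolicy -Name "NightToEurope" -Action ALLOW `
    -TimeOfDay "EQ,00:00-06:00" -ZoneScope "EuropeScope,1" -ZoneName "contoso.com"
# Otherwise weighted round robin: two answers from North America for each one from Europe.
Add-DnsServerQueryResolutionPolicy -Name "DayLoadBalance" -Action ALLOW `
    -FQDN "EQ,www.contoso.com" -ZoneScope "NorthAmericaScope,2;EuropeScope,1" -ZoneName "contoso.com"

# Review the resulting order before trusting it.
Get-DnsServerQueryResolutionPolicy -ZoneName "contoso.com" | Format-Table Name, ProcessingOrder, Action
```

Because the first matching policy wins, the order in which policies are created matters as much as their conditions: the sinkhole and drop policies are created first so that a client in the malicious range never falls through to the geo-location or load-balancing answers.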

Response Rate Limiting

You can configure RRL settings to control how to respond to requests to a DNS client when your server receives several requests targeting the same client. By doing this, you can prevent someone from sending a Denial of Service (DoS) attack using your DNS servers. For instance, a botnet can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer. When you use RRL, you can configure the following settings:

  • Responses per second. This is the maximum number of times the same response will be given to a client within one second.

  • Errors per second. This is the maximum number of times an error response will be sent to the same client within one second.

  • Window. This is the number of seconds for which responses to a client will be suspended if too many requests are made.

  • Leak rate. This is how frequently the DNS server will respond to a query during the time responses are suspended. For instance, if the server suspends responses to a client for 10 seconds, and the leak rate is 5, the server will still respond to one query for every 5 queries sent. This allows legitimate clients to get responses even when the DNS server is applying response rate limiting on their subnet or FQDN.

  • TC rate. This is used to tell the client to try connecting with TCP when responses to the client are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server will issue a request for a TCP connection for every 3 queries received. Make sure the value for TC rate is lower than the leak rate, to give the client the option to connect via TCP before leaking responses.

  • Maximum responses. This is the maximum number of responses the server will issue to a client while responses are suspended.

  • White list domains. This is a list of domains to be excluded from RRL settings.

  • White list subnets. This is a list of subnets to be excluded from RRL settings.

  • White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.
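As an added example (not code from the page), the script below enables RRL with each of the settings just listed, checks the TC rate against the leak rate before applying them, and then exempts internal clients through an exception list. The numeric values, the subnet, the FQDN and the interface address are constructed for illustration; the parameter names are those I know from the DnsServer module's Set-DnsServerResponseRateLimiting and Add-DnsServerResponseRateLimitingExceptionlist cmdlets, so verify them with Get-Help on your server.

```powershell
# Added example, not from the Microsoft page. Values are constructed; parameter
# names are those of the DnsServer module (verify with Get-Help).

# Each hashtable key maps to one of the settings described above.
$rrl = @{
    Mode                      = 'Enable'   # use 'LogOnly' first to observe what would be limited
    ResponsesPerSec           = 5          # Responses per second
    ErrorsPerSec              = 5          # Errors per second
    WindowInSec               = 5          # Window
    LeakRate                  = 3          # Leak rate: answer 1 of every 3 queries while suspended
    TruncateRate              = 2          # TC rate: ask for TCP on 1 of every 2 queries
    MaximumResponsesPerWindow = 1024       # Maximum responses
}

# The text above requires TC rate < leak rate; fail early instead of
# configuring a server that leaks answers before offering TCP.
if ($rrl.TruncateRate -ge $rrl.LeakRate) {
    throw "TC rate ($($rrl.TruncateRate)) must be lower than the leak rate ($($rrl.LeakRate))"
}
Set-DnsServerResponseRateLimiting @rrl

# White list: the corporate subnet, an internal namespace and the internal
# listener are excluded from RRL so legitimate bursts are never throttled.
Add-DnsServerClientSubnet -Name "CorpSubnet" -IPv4Subnet "10.0.0.0/8"
Add-DnsServerResponseRateLimitingExceptionlist -Name "InternalExceptions" `
    -ClientSubnet "EQ,CorpSubnet" `
    -Fqdn "EQ,*.corp.contoso.com" `
    -ServerInterfaceIP "EQ,10.0.0.5"

# Confirm what is now in effect.
Get-DnsServerResponseRateLimiting
Get-DnsServerResponseRateLimitingExceptionlist
```

Starting in LogOnly mode and reading the resulting events before switching to Enable shows which clients and names would have been suspended, which is the safest way to pick values for the window and the two per-second limits on a server whose query mix you do not yet know.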

DANE support

You can use DANE support (RFC 6394 and 6698) to specify to your DNS clients what CA they should expect certificates to be issued from for domain names hosted in your DNS server. This prevents a form of man-in-the-middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address.

For instance, imagine you host a secure website that uses SSL at www.contoso.com by using a certificate from a well-known authority named CA1. Someone might still be able to get a certificate for www.contoso.com from a different, not-so-well-known, certificate authority named CA2. Then, the entity hosting the fake www.contoso.com website might be able to corrupt the DNS cache of a client or server to point www.contoso.com to their fake site. The end user will be presented a certificate from CA2, and may simply acknowledge it and connect to the fake site. With DANE, the client would make a request to the DNS server for contoso.com asking for the TLSA record and learn that the certificate for www.contoso.com was issued by CA1. If presented with a certificate from another CA, the connection is aborted.
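The scenario above, as an added example that is not part of the original page: the script hashes the CA1 certificate and publishes a TLSA record for www.contoso.com that constrains the served chain to that CA. The certificate path, zone and server name are constructed; the TLSA parameters of Add-DnsServerResourceRecord (-TLSA, -CertificateUsage, -Selector, -MatchingType, -CertificateAssociationData) are as I know them from the Windows Server 2016 DnsServer module and should be confirmed with Get-Help.

```powershell
# Added example, not from the Microsoft page. The certificate path and zone are
# constructed placeholders; the TLSA parameters are as recalled from the
# DnsServer module on Windows Server 2016 (confirm with Get-Help).

# Load CA1's certificate and compute SHA-256 over its DER encoding ($caCert.RawData).
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\pki\CA1.cer'
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash   = ($sha256.ComputeHash($caCert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''

# TLSA record for port 443/TCP on www.contoso.com:
#   usage 0 (CAConstraint)     - a CA matching this record must appear in the chain
#   selector 0 (FullCertificate) - the whole certificate is hashed
#   matching type 1 (Sha256Hash)
# A client that validates DANE will refuse a chain that does not include CA1,
# even if the presented certificate for www.contoso.com came from CA2.
Add-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '_443._tcp.www' -TLSA `
    -CertificateUsage CAConstraint `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $hash

# Check what the zone now holds at that name.
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '_443._tcp.www'
```

A TLSA record only protects a client that can trust it. RFC 6698 requires the TLSA data to be DNSSEC-validated, so the zone holding the record should be signed; otherwise the same cache corruption the text describes could substitute a TLSA record for CA2 along with the forged address.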

Unknown record support

An "Unknown Record" is an RR whose RDATA format is not known to the DNS server. The newly added support for unknown record (RFC 3597) types means that you can add the unsupported record types into the Windows DNS server zones in the binary on-wire format. The Windows caching resolver already has the ability to process unknown record types. Windows DNS server will not do any record-specific processing for unknown records, but will return them in responses when queries are received for them.

IPv6 root hints

The IPv6 root hints, as published by IANA, have been added to the Windows DNS server. Internet name queries can now use IPv6 root servers for performing name resolution.

Windows PowerShell support

The following new Windows PowerShell cmdlets and parameters are introduced in Windows Server 2016.

  • Add-DnsServerRecursionScope. This cmdlet creates a new recursion scope on the DNS server. Recursion scopes are used by DNS policies to specify a list of forwarders to be used in a DNS query.

  • Remove-DnsServerRecursionScope. This cmdlet removes existing recursion scopes.

  • Set-DnsServerRecursionScope. This cmdlet changes the settings of an existing recursion scope.

  • Get-DnsServerRecursionScope. This cmdlet retrieves information about existing recursion scopes.

  • Add-DnsServerClientSubnet. This cmdlet creates a new DNS client subnet. Subnets are used by DNS policies to identify where a DNS client is located.

  • Remove-DnsServerClientSubnet. This cmdlet removes existing DNS client subnets.

  • Set-DnsServerClientSubnet. This cmdlet changes the settings of an existing DNS client subnet.

  • Get-DnsServerClientSubnet. This cmdlet retrieves information about existing DNS client subnets.

  • Add-DnsServerQueryResolutionPolicy. This cmdlet creates a new DNS query resolution policy. DNS query resolution policies are used to specify how, or if, a query is responded to, based on different criteria.

  • Remove-DnsServerQueryResolutionPolicy. This cmdlet removes existing DNS policies.

  • Set-DnsServerQueryResolutionPolicy. This cmdlet changes the settings of an existing DNS policy.

  • Get-DnsServerQueryResolutionPolicy. This cmdlet retrieves information about existing DNS policies.

  • Enable-DnsServerPolicy. This cmdlet enables existing DNS policies.

  • Disable-DnsServerPolicy. This cmdlet disables existing DNS policies.

  • Add-DnsServerZoneTransferPolicy. This cmdlet creates a new DNS server zone transfer policy. DNS zone transfer policies specify whether to deny or ignore a zone transfer based on different criteria.

  • Remove-DnsServerZoneTransferPolicy. This cmdlet removes existing DNS server zone transfer policies.

  • Set-DnsServerZoneTransferPolicy. This cmdlet changes settings of an existing DNS server zone transfer policy.

  • Get-DnsServerResponseRateLimiting. This cmdlet retrieves RRL settings.

  • Set-DnsServerResponseRateLimiting. This cmdlet changes RRL settings.

  • Add-DnsServerResponseRateLimitingExceptionlist. This cmdlet creates an RRL exception list on the DNS server.

  • Get-DnsServerResponseRateLimitingExceptionlist. This cmdlet retrieves RRL exception lists.

  • Remove-DnsServerResponseRateLimitingExceptionlist. This cmdlet removes an existing RRL exception list.

  • Set-DnsServerResponseRateLimitingExceptionlist. This cmdlet changes RRL exception lists.

  • Add-DnsServerResourceRecord. This cmdlet was updated to support unknown record types.

  • Get-DnsServerResourceRecord. This cmdlet was updated to support unknown record types.

  • Remove-DnsServerResourceRecord. This cmdlet was updated to support unknown record types.

  • Set-DnsServerResourceRecord. This cmdlet was updated to support unknown record types.
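The recursion-scope, policy and zone-transfer cmdlets listed above, combined in one added example that is not from the page: recursion is switched off in the default scope so the public interface is not an open resolver, an internal recursion scope with its own forwarder is bound to the internal interface through a policy, and zone transfers are restricted to the named secondaries. The forwarder, the interface address, the secondary addresses and the zone name are constructed placeholders.

```powershell
# Added example, not from the Microsoft page. Addresses, names and the
# forwarder are constructed placeholders.

# The default recursion scope is named "." and recurses for anyone who can
# reach the server. Turn that off so the external interface answers only
# for the zones this server is authoritative for.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false

# Internal scope: recursion allowed, resolved through the internal forwarder.
Add-DnsServerRecursionScope -Name "InternalRecursion" -EnableRecursion $true -Forwarder "10.0.0.1"

# Bind the internal scope to queries arriving on the internal interface.
# -ApplyOnRecursion makes this a recursion policy rather than a zone policy.
Add-DnsServerQueryResolutionPolicy -Name "InternalRecursionPolicy" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalRecursion" -ServerInterfaceIP "EQ,10.0.0.5"

# Zone transfers: anything not from the listed secondaries is ignored
# (no response at all), so the zone contents cannot be enumerated by AXFR.
Add-DnsServerClientSubnet -Name "SecondaryServers" -IPv4Subnet "10.0.0.20/32", "10.0.0.21/32"
Add-DnsServerZoneTransferPolicy -Name "AllowedSecondariesOnly" -Action IGNORE `
    -ClientSubnet "NE,SecondaryServers" -ZoneName "contoso.com"

# A policy can be switched off without deleting it, for example during an
# incident review, and switched back on afterwards.
Disable-DnsServerPolicy -Name "InternalRecursionPolicy"
Enable-DnsServerPolicy  -Name "InternalRecursionPolicy"

# Verify the end state.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
Get-DnsServerZoneTransferPolicy -ZoneName "contoso.com"
```

The two halves work together: disabling recursion in the "." scope is what makes the server safe to expose, and the recursion policy is what restores resolver service for the clients that should have it. Applying only the first half breaks internal resolution; applying only the second leaves the server open.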

For more information, see the following Windows Server 2016 Windows PowerShell command reference topics.

See also