DNS Server Recursion Query Policy to Restrict to IPv4

Peter Loveall 96 Reputation points
2020-12-18T12:53:34.85+00:00

I am going to answer my own question but a common issue I have run into is "My ISP is only IPv4 yet my Windows domain is both IPv4 and IPv6." The question is "how do I limit DNS to IPv4 only for recursive lookups while keeping IPv6 internally?"


Accepted answer
  1. Peter Loveall 96 Reputation points
    2020-12-18T13:02:14.44+00:00

    Starting with Windows 2016, a new capability was added to PowerShell for DNS server. The following query policy will restrict answers to IPv4 only for external addresses while leaving full IPv6 support for internal (domain) addresses:

    Add-DnsServerQueryResolutionPolicy -Name "IPv4RecursionPolicy" -Action DENY -ApplyOnRecursion -InternetProtocol "EQ,IPv6"

    It is important to note this is only available on Windows Server 2016 and later. This DNS query policy basically says "if using recursion (external to domain), do not answer with IPv6". If you look at the DNS server's cache, it has IPv6 addresses but it will only respond with IPv4 addresses because IPv6 addresses are blocked. This is great for feeding IPv4 restricted Exchange edge transport servers and for locations that do not have IPv6 from their ISP.

    On the DC, you will need to repoint your IPv6 DNS to Auto so one does not get allocated. I also set the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents to 32 so IPv4 is preferred. IPv6 is not disabled, just there to support domain operations onsite.


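As an added example, not part of Peter Loveall's answer or of Microsoft's documentation: the script below applies the policy from the answer in a repeatable way (it skips creation if the policy already exists), lists the server's query policies so the new rule can be reviewed alongside any others, and then sends an internal and an external AAAA lookup to the server so the administrator can confirm in their own environment that IPv6 answers for the domain's own zones still come back while recursive lookups behave as the answer describes. It also reports the Tcpip6 DisabledComponents value the answer mentions. The two host names are placeholders, and the script assumes it is run elevated on the Windows Server 2016 or later DNS server itself.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules DnsServer

# Added example: apply and verify the IPv4-only recursion policy from the answer.
param(
    [string]$PolicyName   = "IPv4RecursionPolicy",
    # Placeholder: a host with an AAAA record in a zone this server is authoritative for.
    [string]$InternalName = "dc01.corp.example",
    # Placeholder: an Internet host that publishes AAAA records.
    [string]$ExternalName = "www.example.com",
    # Set the Tcpip6 DisabledComponents value (0x20 = prefer IPv4 over IPv6) when specified.
    [switch]$PreferIPv4
)

# 1. Create the policy only if it is not already present, so re-running is harmless.
$existing = Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName `
        -Action DENY `
        -ApplyOnRecursion `
        -InternetProtocol "EQ,IPv6"
    Write-Host "Created query policy '$PolicyName'."
} else {
    Write-Host "Query policy '$PolicyName' already exists (Action=$($existing.Action), Enabled=$($existing.IsEnabled))."
}

# 2. Review every server-level query policy in processing order; an earlier policy
#    can shadow this one, so the order matters when auditing the configuration.
Get-DnsServerQueryResolutionPolicy |
    Sort-Object ProcessingOrder |
    Format-Table Name, Level, ProcessingOrder, IsEnabled, Action -AutoSize

# 3. Ask this server directly (bypassing the client cache) for AAAA records.
#    The internal name is answered from authoritative data, so no recursion is involved;
#    the external name requires recursion and is therefore subject to the policy.
$lookup = @{ Server = "127.0.0.1"; DnsOnly = $true; ErrorAction = "SilentlyContinue" }
$internalAAAA = Resolve-DnsName -Name $InternalName -Type AAAA @lookup
$externalAAAA = Resolve-DnsName -Name $ExternalName -Type AAAA @lookup
$externalA    = Resolve-DnsName -Name $ExternalName -Type A    @lookup

# 4. Report the Tcpip6 preference value (0x20 makes IPv4 win prefix-policy selection;
#    a change takes effect after a reboot and does not disable IPv6).
$tcpip6 = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
if ($PreferIPv4) {
    Set-ItemProperty -Path $tcpip6 -Name DisabledComponents -Value 0x20 -Type DWord
}
$disabled = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents

# 5. Summarise what the server actually answered so the policy's effect can be confirmed.
[pscustomobject]@{
    InternalAAAAAnswered = @($internalAAAA | Where-Object Type -eq 'AAAA').Count -gt 0
    ExternalAAAAAnswered = @($externalAAAA | Where-Object Type -eq 'AAAA').Count -gt 0
    ExternalAAnswered    = @($externalA    | Where-Object Type -eq 'A').Count    -gt 0
    DisabledComponents   = if ($null -eq $disabled) { "not set" } else { "0x{0:X}" -f $disabled }
}
```

Run it once without switches to apply the policy and see the resulting answers; InternalAAAAAnswered should remain true because authoritative answers never pass through recursion, and the two external fields show whether clients of this server will still receive A records while the recursive IPv6 path is denied. Re-run with `-PreferIPv4` only after deciding that the reboot-requiring registry change from the answer is wanted on that machine.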