question

StuartD avatar image
0 Votes"
StuartD asked StuartD answered

DNS Server Policys

Hi,

I am looking for a bit of help, I currently have an internal DNS server that I am trying to setup to respond to local Zones requests only and not forward requests on (for a particular vlan). I thought I might be able to get this done with the Policies but I can not seem to nail down the correct combo to get it work as I would like.

Anyone here know how to do it / If it can be done ?

Thanks


windows-server-2016windows-dhcp-dns
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

Something here may help.
https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries

--please don't forget to Accept as answer if the reply is helpful--





5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SunnyQi-MSFT avatar image
0 Votes"
SunnyQi-MSFT answered SunnyQi-MSFT edited

Hi,

Thanks for posting in Q&A platform.

Based on provided information, my understanding is you need the DNS server only respond the domain name which belong the zone hosted by itself.

You could try the method in the link which was provided by DSPatrick. You could refer to allow queries only from a domain.

you can use DNS policy to automatically approve queries from specific domains or subnets. When you configure Allow Lists, the DNS server only processes queries from allowed domains, while blocking all other queries from other domains.

The following example command allows only computers and devices in the contoso.com and child domains to query the DNS server.

**Add-DnsServerQueryResolutionPolicy -Name "AllowListPolicyDomain" -Action IGNORE -FQDN "NE,.contoso.com" -PassThru*

And here is a similar thread for your reference:

Server 2016: Use DNS Policies to Allow Queries to Specific Domain from Specific Subnet
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

Any progress or updates?

--please don't forget to Accept as answer if the reply is helpful--




5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

StuartD avatar image
0 Votes"
StuartD answered

Sorry for the Radio silence and thank you both for your replies! @DSPatrick I looked at that page before asking here, the issue I was having is that I could not work out how to create the rules to achieve what I was trying to do.

I have mutable VLANS but only wanted the DNS server to respond to Local zone requests for this one particular VLAN.

@SunnyQi-MSFT I also tried that approach the problem I got doing that was when the server responded to the client the client would not fail back to its secondary DNS server and try the look up again.

However for a short term fix I ran up a secondary and pointed that particular VLAN directly to it. From here I was able to set up forwarding so that particular VLAN's upstream DNS server was used since it is the only VLAN pointing to that server. ( Before I was getting around this by using its upstream DNS server as another DNS entry on the local systems in the VLAN )

Doing this has now changed what I need I believe, I have not tried putting this in place yet but if I can add a policy that forces that particular VLAN to use a certain forwarder this would be a better arrangement.

This is currently where things stand so I need to look into creating this new policy to do that if I can.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.