Share via

DNS policy for single host

drothbart 96 Reputation points
2021-09-08T21:30:17.843+00:00

My goal is to have DNS queries for a certain host record return a different value for one of our offices. They will be the only area that should have a different result. All other offices and external requests should remain unchanged.

I performed the following, following the guidance of https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/primary-geo-location :

  1. Created DNS server client subnets on all DC's (our DC's are DNS servers, using AD integrated DNS) individually: Add-DnsServerClientSubnet -Name "Test_Client" -IPv4Subnet "10.1.2.0/24" -confirm -passthru -computername DC01
  2. Created zone scopes on all DC's individually: Add-DnsServerZoneScope -ZoneName "abc.com" -Name "abc_Test" -Verbose -PassThru -ComputerName DC01
  3. Created record for zone scope abc_test: Add-DnsServerResourceRecord -ZoneName "abc.com" -A -Name "mailtest" -IPv4Address "10.1.2.25" -ZoneScope "abc.test" -computername DC01
  4. Checked contents of the zone scopes on all DC's. All match: get-DnsServerResourceRecord -ZoneName abc.com -zonescope "abc_test" -computername DC01

HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
@ NS 2 0 01:00:00 DC01.abc.com.
@ NS 2 0 01:00:00 DC04.abc.com.
@ NS 2 0 01:00:00 DC03.abc.com.
@ NS 2 0 01:00:00 DC02.abc.com.
@ SOA 6 0 01:00:00 [3][DC03.abc.com.][hostmaster.abc.com.]
testrecord A 1 0 01:00:00 10.1.2.25

6 . Then I created policy: Add-DnsServerQueryResolutionPolicy -Name "Test" -Action ALLOW -ClientSubnet "eq,Test_Client" -ZoneScope "abc_test,1" -ZoneName "abc.com" -computername DC01

I tested resolution with NSLookup. From a client in the desired client subnet it resolved the record for testrecord properly, as did all other clients. The issue was that for clients in that subnet, they were unable to resolve any other records. Other clients on that site, outside of the client subnet specified, had no resolution issues.

Should there be any other records in the ZoneScope other than the NS, SOA , and records to resolve differently?

Thank you for any help.

Dan

Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,035 questions
0 comments
Accepted answer
  1. drothbart 96 Reputation points
    2021-09-15T10:27:27.263+00:00

    The resolution was to add the FQDN criteria to the definition of the DNS policy. This restricted the DNS requests which would use the new Zone Scope to the ones listed; all others will continue to use the mail DNS zone scope.

    Add-DnsServerQueryResolutionPolicy -Name "Test" -Action ALLOW -ClientSubnet "eq,Test_Client" -FQDN "eq,testrecord.abc.com" -ZoneScope "abc_test,1" -ZoneName "abc.com" -computername DC01

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest