Help with DNS Server Query

agfreesafety3 41 Reputation points
2022-03-22T15:42:38.723+00:00

I am trying to establish a DNS policy. I haven't been successful in doing so. I have a forward lookup zone, named {redacted}.internal, with three subdomains/zone scopes underneath it.

I'm trying to configure this so that resources in the prod zone scope (aka prod.{redacted}.internal) ignore resources in the qa zone scope (aka qa.{redacted}.internal).

...so I tried it twice, unsuccessfully, trying two slightly different ways of defining the identity of the zone scope.

Any idea what I'm doing wrong?

Also, I noticed that when I defined the three zone scopes, the filename field (that's supposed to represent the forward lookup zone) was blank...

So this led me to look in the sys32 --> DNS folder, and I noticed that there's no .dns file for this zone/subdomain.

Could the lack of the .dns file be the reason why I haven't been able to get Add-DnsServerQueryResolutionPolicy to work?


1 answer

  1. Gary Reynolds 9,396 Reputation points
    2022-03-23T06:09:40.057+00:00

    Hi @agfreesafety3

    resources in the prod zone scope

    Are you able to provide a bit more information on what you mean by this? The DNS policies support the following ways to identify how to apply the policy: the FQDN being queried, the client's IP/range, the query type, and the transport or IP protocol used. I'm not aware of a method that will enable you to specify whether the client's FQDN is a member of a specific zone.

    Typically you would create a client subnet which contains the IP addresses or range of the production machines, then create a policy to ignore or deny queries for the qa.{redacted}.internal zone based on the client subnet.

    # Define the set of client addresses the policy applies to (here a single host)
    Add-DnsServerClientSubnet -Name Prod -IPv4Subnet 192.168.1.38/32
    # Ignore queries from that subnet for names matching the FQDN pattern
    # (*.blocked.com is the answer's placeholder; substitute the zone to hide)
    Add-DnsServerQueryResolutionPolicy -Name blockprod -Action IGNORE -FQDN "EQ,*.blocked.com" -ClientSubnet "EQ,Prod"

    the filename field was blank

    If this is related to the output of the Get-DnsServerZoneScope cmdlet, then this means that the DNS zone has been stored in Active Directory.

    Please provide the details of the approaches you have tried already, as it might help understand why it's failing.

    Gary.

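A worked version of the client-subnet approach applied to the asker's prod/qa scopes, added here as an example that is not code from the original thread. The production subnet 10.0.10.0/24 and the policy name ProdIgnoresQa are constructed values, and the zone name keeps the page's {redacted} placeholder.

```powershell
# Added example: zone-level DNS policy so clients in the production subnet
# get no answer for names under the qa sub-zone. Assumptions: the zone is the
# page's '{redacted}.internal' placeholder; 10.0.10.0/24 is a constructed
# production range; 'ProdIgnoresQa' is a constructed policy name.
$zone       = '{redacted}.internal'
$prodSubnet = '10.0.10.0/24'          # constructed; replace with the real prod range(s)
$qaPattern  = "*.qa.$zone"            # names in the qa scope to hide from prod

# 1. Name the set of production client addresses (idempotent).
if (-not (Get-DnsServerClientSubnet -Name 'Prod' -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name 'Prod' -IPv4Subnet $prodSubnet
}

# 2. Zone-level policy: when the client is in Prod AND the queried name
#    matches the qa pattern, drop the query. IGNORE sends no response at all;
#    use -Action DENY instead if the client should receive an error reply.
Add-DnsServerQueryResolutionPolicy -Name 'ProdIgnoresQa' `
    -ZoneName $zone `
    -Action IGNORE `
    -Condition AND `
    -ClientSubnet 'EQ,Prod' `
    -FQDN "EQ,$qaPattern" `
    -ProcessingOrder 1

# 3. Confirm the policy is stored against the zone (not at server level).
Get-DnsServerQueryResolutionPolicy -ZoneName $zone |
    Format-Table Name, Action, Condition, IsEnabled, ProcessingOrder

# 4. The blank file name from the question: an AD-integrated zone has no .dns
#    file under %SystemRoot%\System32\dns, so an empty ZoneFile is expected.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsDsIntegrated, ZoneFile

# 5. Functional check, run from a host inside and one outside the prod subnet:
#    the inside host should time out (query ignored), the outside host resolves.
#    Resolve-DnsName -Name "app.qa.$zone" -Server <dns-server-ip> -DnsOnly
```

Policies are evaluated in ProcessingOrder, so keep the IGNORE rule ahead of any broader ALLOW rule on the same zone.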