DNSServerQueryResolutionPolicy Not Blocking

agfreesafety3 41 Reputation points
2022-03-29T16:29:46.643+00:00

This is somewhat related to a similar issue I posted about a few days ago here.

I have DENY policies in place for two subdomains and I'm able to get them to ping successfully with no issues.

I had these set to IGNORE before, but due to me still being able to ping between resources in both prod and qa, I removed those two policies and recreated them using DENY instead.

I looked in the dns debug log and as expected, there are no "refused" messages anywhere in it.

How do I go about troubleshooting this, when, from what I see, the subnets were defined correctly, and the syntax of the commands is correct (at least I think it is)?


Accepted answer
  1. Gary Reynolds 9,621 Reputation points
    2022-03-31T21:26:28.807+00:00

    Ok, now I understand why it's not working.

    The Add-DnsServerQueryPolicy command is used to configure a set of matching rules or criteria. These criteria are then checked against the incoming DNS queries; if all the criteria match, then the action is applied.

    For your policy, I think you are looking for this, please correct if this is wrong:

    • Machines are in the newdev ip address range, that try to resolve *.dev.abc.internal block the query

    These are the commands that you need to enter:

     Add-DnsServerClientSubnet -Name NewDev -IPv4Subnet 192.168.1.0/24

    This defines the IP address range of the machines that you want to block from accessing the dev.abc.internal domain. As I mentioned in your other post, there is no method to check if a machine is registered to a specific DNS domain, IP address is the only option to filter at a machine level.

     Add-DnsServerQueryResolutionPolicy -Name prodblock -Action Deny -Fqdn "EQ,*.dev.*abc*.internal" -ClientSubnet "EQ,NewDev"

    This policy will check any incoming queries that are for the dev.abc.internal domain, including any entry or subdomains; if the client machine has an IP address in the NewDev IP address range, then the query will be blocked. If the FQDN parameter doesn't include a wildcard, only the specified FQDN will be blocked. So to block all entries in a domain, the FQDN parameter would be *.dev.abc.internal.

    The configuration of the DNS policies is very clunky and some sort of verification cmdlet would be useful. I have thought about creating a tool to do this, as my limited playing with the DNS policy has highlighted how painful this is.

    Gary.


1 additional answer

  1. Gary Reynolds 9,621 Reputation points
    2022-03-29T23:24:22.153+00:00

    Hi @agfreesafety3

    Based on the commands you have entered the policy will only apply to queries for dns zones called 'prodxxxx' or 'qa'. This parameter should be the full domain name, not just the subdomain. It should be prod.abc.internal or qa.abc.internal based on previously provided information.

    When using the ping command it can use either dns or local name resolution. When you run the ping make sure the name returned shows a fqdn, otherwise it's using local name resolution and not the dns server. It's better to use nslookup to check that the policies are working correctly.

    Gary.
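As an added example (not Gary's code and not a Microsoft-provided verification cmdlet), the following PowerShell script ties both answers together: it defines the client subnet, adds the server-level Deny policy with a wildcard FQDN, prints what is actually configured, and then tests with Resolve-DnsName -DnsOnly so that local name resolution cannot mask the result, which is the pitfall the second answer describes for ping. The subnet 192.168.1.0/24, the domain dev.abc.internal, the server name dns01.abc.internal and the test host names are assumptions; step 4 must run from a machine whose address falls inside the subnet, since that is the criterion the policy matches on.

```powershell
# Added example, not from the original answers. Assumes the DNS Server role and
# the DnsServer PowerShell module; adjust the subnet, domain and names below.
$SubnetName  = 'NewDev'
$Subnet      = '192.168.1.0/24'           # assumed client range to block
$PolicyName  = 'prodblock'
$BlockedZone = 'dev.abc.internal'         # assumed domain to deny for that range
$DnsServer   = 'dns01.abc.internal'       # hypothetical DNS server to query

# 1. Client subnet: the only machine-level criterion DNS policy can match on.
if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $Subnet
}

# 2. Server-level policy: deny queries for anything under the domain (the
#    leading *. wildcard matters; a bare FQDN matches only that exact name)
#    when the client is in the subnet. Both criteria must match (default AND).
if (-not (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action Deny `
        -Fqdn "EQ,*.$BlockedZone" -ClientSubnet "EQ,$SubnetName"
}

# 3. Show what is actually configured, as a manual cross-check of the criteria.
Get-DnsServerClientSubnet -Name $SubnetName | Format-List Name, IPv4Subnet
Get-DnsServerQueryResolutionPolicy -Name $PolicyName |
    Select-Object Name, Action, ProcessingOrder, IsEnabled, Condition, Criteria

# 4. Verify from a host inside the blocked range. -DnsOnly forces a real DNS
#    query, so a cached, NetBIOS or LLMNR answer cannot hide a working policy.
#    The first name should be refused; the second (outside the domain) should
#    still resolve, which confirms the policy is scoped and not breaking all DNS.
foreach ($name in "host1.$BlockedZone", 'host1.qa.abc.internal') {
    try {
        $r = Resolve-DnsName -Name $name -Server $DnsServer -DnsOnly -ErrorAction Stop
        "{0,-30} ANSWERED {1}" -f $name, ($r.IPAddress -join ', ')
    } catch {
        "{0,-30} BLOCKED/FAILED: {1}" -f $name, $_.Exception.Message
    }
}
```

Run step 4 again from a host outside the subnet: both names should resolve there, which separates a policy problem from a general resolution problem.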

