policy-based dns works half the time

John Curtiss 66 Reputation points

I have some DCs separated by firewalls. So I need LDAP queries (not just AD queries) from clients in certain subnets to only use DCs in certain subnets. So I want DNS queries from those subnets for the domain name 'domain.com' to only return the IPs of the domain controllers I want.

On a DNS server, I do the following.

add-dnsserverclientsubnet -Name "mySubnet" -IPv4Subnet ""

add-dnsserverzonescope "domain.com" -name "myZonescope"
Add-DnsServerResourceRecord -ZoneName "domain.com" -A -name "@" -IPv4Address -ZoneScope "myZonescope"
Add-DnsServerResourceRecord -ZoneName "domain.com" -A -name "@" -IPv4Address -ZoneScope "myZonescope"
Add-DnsServerQueryResolutionPolicy -ZoneName "domain.com" -name "myPolicy" -Action ALLOW -ClientSubnet "eq,mySubnet" -ZoneScope "myZonescope,1;domain.com,2"

*I included the second 'domain.com' zone in the policy allow list because, in earlier tests, if a record did not exist in myZonescope it just failed to resolve instead of falling back to the original zone.

So if I now go to a client that lives in mySubnet and uses the DNS server where I applied these settings, and do an nslookup for 'domain.com', I only get the two IPs in myZonescope. Awesome! But if I press the up arrow and do another nslookup, I get every DC in domain.com again. Next time? Just the myZonescope records. Next time? All DCs in domain.com.

Also, if I ping domain.com, I get a round-robin response of every DC in domain.com.

Looking in myZonescope, I also saw NS records for every DC in domain.com, in addition to the two A records I specified above. I deleted all those NS records to test, but the behavior persists: every other nslookup from the same client gets the policy-based responses, and every other one gets every DC in domain.com.


3 answers

  1. John Curtiss 66 Reputation points

    After further review, the 1 and 2 in this:

    -ZoneScope "myZonescope,1;domain.com,2"

    are not a 'preference order' but a 'weight.' The way to get myZonescope to answer queries for only the records it contains, but let the default zone scope answer other queries, is to add the -fqdn switch, a la

    Add-DnsServerQueryResolutionPolicy -ZoneName "domain.com" -name "myPolicy" -Action ALLOW -ClientSubnet "eq,mySubnet" -fqdn "eq,domain.com" -ZoneScope "myZonescope,1;domain.com,2"

    This way only queries specifically for that FQDN will match the policy, and anythingelse.domain.com will continue to be resolved by the original zone.

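The following is an added example, not the poster's own commands, showing the corrected setup end to end: a client subnet, a zone scope holding only the scoped apex A records, and a query resolution policy that matches on both the client subnet and the exact apex FQDN. Because the FQDN condition means only the apex name matches, every other name in the zone is answered from the default scope without the policy listing domain.com as a weighted fallback; the example therefore points the policy at a single zone scope so that no weighted distribution between scopes can occur. All addresses, the subnet and the attempt count are constructed placeholders; the helper function names (Set-ScopedApexPolicy, Show-ScopeState, Test-ApexAnswers) are this example's own.

```powershell
#Requires -Modules DnsServer
# Added example: scope the zone apex answer for one client subnet.
# All values below are constructed placeholders; replace them with your own.

$ZoneName    = 'domain.com'                 # zone whose apex record is scoped
$SubnetName  = 'mySubnet'                   # name of the client subnet object
$SubnetCidr  = '10.1.0.0/24'                # constructed: clients that must use the local DCs
$ScopeName   = 'myZonescope'                # zone scope holding the subnet-specific records
$ScopedDcIps = @('10.1.0.10', '10.1.0.11')  # constructed: the DCs reachable from that subnet
$PolicyName  = 'myPolicy'

function Set-ScopedApexPolicy {
    # Run on the DNS server. DNS policies are per server, not replicated through AD,
    # so repeat this on every DNS server the clients in the subnet use.
    if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $SubnetCidr
    }
    if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName
    }
    # Apex A records that exist only inside the scope.
    foreach ($ip in $ScopedDcIps) {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -A -Name '@' -IPv4Address $ip
    }
    # Both conditions must hold (AND): the query comes from the subnet AND asks for
    # exactly the apex name. Anything else in the zone never matches this policy and
    # is answered from the default scope. A single zone scope means no weighting.
    Add-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -Name $PolicyName -Action ALLOW `
        -Condition AND -ClientSubnet "EQ,$SubnetName" -Fqdn "EQ,$ZoneName" `
        -ZoneScope "$ScopeName,1"
}

function Show-ScopeState {
    # Run on the DNS server: list the policy and what the scope actually contains.
    # NS records that have been copied into the scope show up here too.
    Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName |
        Select-Object Name, ProcessingOrder, IsEnabled, Action, Condition, Content
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName |
        Select-Object HostName, RecordType, @{n='Data'; e={ $_.RecordData.IPv4Address, $_.RecordData.NameServer }}
}

function Test-ApexAnswers {
    # Run on a client inside the subnet. Queries the server repeatedly with the client
    # cache cleared each time, so an answer set that alternates between runs is visible.
    # Returns $true only if every attempt returned exactly the expected address set.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string[]]$Expected = $ScopedDcIps,
        [int]$Attempts = 10
    )
    $want = ($Expected | Sort-Object) -join ','
    $results = foreach ($i in 1..$Attempts) {
        Clear-DnsClientCache
        $got = (Resolve-DnsName -Name $ZoneName -Type A -Server $Server -DnsOnly |
                Where-Object { $_.QueryType -eq 'A' } |
                Select-Object -ExpandProperty IPAddress | Sort-Object) -join ','
        [pscustomobject]@{ Attempt = $i; Answer = $got; Matches = ($got -eq $want) }
    }
    $results | Format-Table -AutoSize
    return ($results.Matches -notcontains $false)
}

# Usage (server):  Set-ScopedApexPolicy; Show-ScopeState
# Usage (client):  Test-ApexAnswers -Server 10.1.0.10
```

Test-ApexAnswers is the check to keep around after the change: a client in the subnet should see only the scoped addresses on every attempt, and a client outside the subnet (or a query for any other name in the zone) should still see the default-scope answer.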

  2. Limitless Technology 39,501 Reputation points

    Hi there,

    I suggest you try editing your command as per the below thread and see if that helps you in getting the expected result when you perform the NSlookup.

    DNS policies not working for split DNS https://learn.microsoft.com/en-us/answers/questions/132492/dns-policies-not-working-for-split-dns.html

    The DNS server will respond to the query in a round-robin fashion if the DC has multiple NICs registered in DNS. The DNS will serve the client with all the records available for that DC.

    Steps to avoid registering unwanted NICs in DNS on a multihomed domain controller https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/unwanted-nic-registered-dns-mulithomed-dc

    How domain controllers are located in Windows https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/how-domain-controllers-are-located


    --If the reply is helpful, please Upvote and Accept it as an answer--


  3. John Curtiss 66 Reputation points

    Thank you, but there aren't two NICs. The -fqdn switch in my second post was the fix.
