Policy Based DNS - Name resolution

Mahesh Mahi 46 Reputation points
2020-09-06T18:22:13.397+00:00

Hi there,

We are planning to implement policy-based DNS, which was introduced in Windows Server 2016, to achieve the following scenario:

We have several web applications that are accessed internally, and externally over the internet. These applications are published to the internet using proxy services. We provide a VPN service for users to connect to the internal network when they are working from home. We want VPN clients to resolve the internal IP address of the application when they are on the internal network, and to use the applications' public IP address (internet route) when they are on VPN or outside the corporate network. The applications have the same DNS name (URL) internally as well as externally.

Since VPN clients use a dedicated address pool belonging to the internal network, we are planning to use "DNS Policy for Geo-Location Based Traffic Management with Primary Servers" to address this situation. In this case the DNS default zone has all resource records with internal IP addresses, and the zone scope created as part of the DNS policy will have resource records, with public IP addresses, for the applications that are published over the internet.

The question is: if I have an application whose resource record (A) is available only in the default zone (only A records with the internal IP address), can VPN clients still resolve the name from the default zone if the resource record for that application is not found in the zone scope (public IP address)?

Windows Server 2016
Windows DHCP
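The layout described in the question (internal addresses in the default zone, public addresses in a zone scope that is selected by the VPN client subnet) can be built with the DnsServer module cmdlets. The script below is an added example, not code from the original post; the zone name, scope name, VPN pool and IP addresses are assumptions chosen for illustration (RFC 1918 and RFC 5737 ranges), and `dns01.corp.example.com` is a placeholder for the policy-enabled DNS server.

```powershell
# Added example (not from the original post): builds the "Geo-Location Based
# Traffic Management with Primary Servers" layout described in the question.
# Zone, scope, subnet and address values below are assumptions for illustration.
# Run on the Windows Server 2016 DNS server in an elevated PowerShell session.

$ZoneName  = 'corp.example.com'   # assumed zone; same name is used internally and externally
$ScopeName = 'VPNScope'           # zone scope that holds the public (internet-routed) records
$VpnSubnet = 'VPNClients'         # client-subnet object matching the dedicated VPN pool
$VpnPool   = '10.250.0.0/16'      # assumed VPN address pool (RFC 1918)

# 1. Describe the VPN address pool as a client subnet that a policy can match on.
Add-DnsServerClientSubnet -Name $VpnSubnet -IPv4Subnet $VpnPool

# 2. Create the zone scope from which VPN clients will be answered.
Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName

# 3. Internal address in the default scope, public address in the VPN scope.
#    Both records carry the same name; only the scope differs.
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name 'app1' -IPv4Address '10.10.1.20'
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name 'app1' -IPv4Address '203.0.113.20' `
    -ZoneScope $ScopeName

# 4. Query resolution policy: queries whose source address is in the VPN pool are
#    answered from the VPN scope (weight 1). Queries from anywhere else do not match
#    the policy and are answered from the default scope, i.e. with internal addresses.
Add-DnsServerQueryResolutionPolicy -Name 'VPNClientsUsePublicRecords' `
    -Action ALLOW `
    -ClientSubnet "EQ,$VpnSubnet" `
    -ZoneScope "$ScopeName,1" `
    -ZoneName $ZoneName

# 5. Verification: run this on an internal host and again on a VPN client. The same
#    name should return 10.10.1.20 internally and 203.0.113.20 from the VPN pool.
#    dns01.corp.example.com is a placeholder for the policy-enabled DNS server.
Resolve-DnsName -Name "app1.$ZoneName" -Type A -Server 'dns01.corp.example.com' |
    Select-Object Name, IPAddress
```

Step 5 is the same check as running `ipconfig /all` on the VPN client: if the client is not handed this DNS server, or its source address is outside `$VpnPool`, the policy never matches and the client gets the internal address.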

Accepted answer
  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-09-08T07:56:52.747+00:00

    Hi @Mahesh Mahi ,

I did a test in my lab and configured the following DNS policy:

[screenshot: 23186-image.png]

VPN clients can only resolve records in the DNS zone scope. They cannot resolve any records in the default zone, including A records. See the pictures below:

[screenshot: 23271-8.png]
[screenshot: 23232-9.png]

    Best Regards,

    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

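Given the behaviour reported in the accepted answer (a client matched to the zone scope is answered only from that scope, with no fallback to the default zone), every name that exists only in the default zone is unresolvable for VPN clients. The following script is an added example, not code from the answer: it lists those names and, when asked, copies the internal A record into the scope, which is the intended result for an application that is not published externally. The zone and scope names are assumptions for illustration.

```powershell
# Added example (not from the original answer): find A records that exist only in the
# default zone and would therefore fail to resolve for clients served from the VPN scope.
# With -CopyMissing, copy the internal record into the scope so the name resolves again.
# Zone and scope names are assumptions for illustration.
param(
    [string]$ZoneName  = 'corp.example.com',
    [string]$ScopeName = 'VPNScope',
    [switch]$CopyMissing
)

# A records in the default scope (internal addresses).
$default = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A

# Host names that already have an A record in the VPN zone scope (public addresses).
$inScope = Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -RRType A |
    Select-Object -ExpandProperty HostName -Unique

# Names present in the default zone but absent from the scope: NXDOMAIN for VPN clients.
$missing = $default | Where-Object { $inScope -notcontains $_.HostName }

foreach ($rr in $missing) {
    $ip = $rr.RecordData.IPv4Address.IPAddressToString
    Write-Output ("Only in default zone, unresolvable over VPN: {0}.{1} -> {2}" -f
        $rr.HostName, $ZoneName, $ip)

    if ($CopyMissing) {
        # Internal-only application: VPN clients are on the internal network, so
        # serving the internal address from the scope gives the correct route.
        Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -A `
            -Name $rr.HostName -IPv4Address $ip -TimeToLive $rr.TimeToLive
    }
}
```

Run it read-only first to see what VPN users would lose, then re-run with `-CopyMissing` after confirming that none of the listed names should have been given a public address instead. Names that do get published later need their public record added to the scope as well; the default-zone record is never consulted for scope-matched clients.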

5 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-09-06T18:30:27.177+00:00

Sounds like you may need a split-brain configuration.
    https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment

    --please don't forget to Accept as answer if the reply is helpful--


  2. Dave Patrick 426.1K Reputation points MVP
    2020-09-06T22:46:08.557+00:00

You may be able to add a record for the public address to the PC's hosts file.
    https://support.microsoft.com/en-us/help/172218/microsoft-tcp-ip-host-name-resolution-order


  3. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-09-07T07:57:33.097+00:00

    Hi ,

> The question is: if I have an application whose resource record (A) is available only in the default zone (only A records with the internal IP address), can VPN clients still resolve the name from the default zone if the resource record for that application is not found in the zone scope (public IP address)?

As far as I know, DNS policy is used to allow eligible clients to get the corresponding records. So if they do not find the resource record in the zone scope, they will always get an unresolvable DNS reply instead of a lookup in the default zone.

    Best Regards,

    Candy



  4. Dave Patrick 426.1K Reputation points MVP
    2020-09-07T18:34:24.797+00:00

I'd check `ipconfig /all` to see that VPN clients are getting the correct gateway and DNS info.
