Policy Based DNS - Name resolution

Mahesh Mahi 46 Reputation points
2020-09-06T18:22:13.397+00:00

Hi there,

We are planning to implement Policy-based DNS, which was introduced in Windows 2016, to achieve the following scenario:

We have several web applications that are accessed internally, and externally over the internet. These applications are published to the internet using proxy services. We provide a VPN service for users to connect to the internal network when they are working from home. We want VPN clients to resolve the internal IP address of an application when they are on the internal network, and to use the application's public IP address (internet route) when they are on VPN or outside the corporate network. The applications have the same DNS name (URL) internally and externally.

Since VPN clients use a dedicated address pool belonging to the internal network, we are planning to use "DNS Policy for Geo-Location Based Traffic Management with Primary Servers" to address this situation. In this case the default DNS zone has all resource records with internal IP addresses, and the zone scope created as part of the DNS policy will have resource records with public IP addresses for the applications that are published over the internet.

The question is: if I have an application whose resource record (A) is available only in the default zone (only an A record with the internal IP address), can VPN clients still resolve the name from the default zone if they do not find that resource record in the zone scope (public IP address) for that application?


Accepted answer
Candy Luo 12,661 Reputation points, Microsoft Vendor
    2020-09-08T07:56:52.747+00:00

    Hi @Mahesh Mahi ,

    I did a test in my lab and configured the following DNS policy:

    [image: 23186-image.png]

    VPN clients can only resolve records in the DNS zone scope. They cannot resolve any records in the default zone, including A records. See the pictures below:

    [image: 23271-8.png]
    [image: 23232-9.png]

    Best Regards,

    Candy

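The configuration the question describes and the behaviour the accepted answer observed (queries from the VPN pool are answered only from the zone scope, never from the default zone), as an added PowerShell example that is not part of the thread. The zone name contoso.com, the VPN pool 10.10.20.0/24, the scope name VpnScope, the host names portal and intranet, the server name dns1 and all IP addresses are assumed values; the cmdlets are the standard DnsServer module cmdlets that the Windows Server 2016 DNS policy documentation uses. The last block applies the consequence of the accepted answer: an application that must stay resolvable for VPN clients needs its record in the scope as well, so internal-only A records are copied there.

```powershell
# Added example, not from the thread. Assumed values: zone, VPN pool, scope and host names.
$zone    = "contoso.com"
$vpnPool = "10.10.20.0/24"     # dedicated VPN client address pool
$scope   = "VpnScope"          # zone scope holding the public (internet-route) answers

# 1. Describe the VPN address pool as a DNS client subnet so a policy can match on it.
Add-DnsServerClientSubnet -Name "VpnClients" -IPv4Subnet $vpnPool

# 2. Create the zone scope that will hold the public records.
Add-DnsServerZoneScope -ZoneName $zone -Name $scope

# 3. Default zone: internal addresses for every application.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name "portal"   -IPv4Address "10.0.1.10"
Add-DnsServerResourceRecord -ZoneName $zone -A -Name "intranet" -IPv4Address "10.0.1.20"

# 4. Zone scope: public address for the application that is published to the internet.
#    'intranet' is deliberately NOT added here, mirroring the question.
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope $scope -A -Name "portal" -IPv4Address "203.0.113.10"

# 5. Policy: queries whose source is in the VPN pool are answered from the scope.
Add-DnsServerQueryResolutionPolicy -Name "VpnPublicAnswers" -Action ALLOW `
    -ClientSubnet "eq,VpnClients" -ZoneScope "$scope,1" -ZoneName $zone

# Check, run from a VPN-connected client (its source address must be in the pool):
# 'portal' resolves to the public address; 'intranet' exists only in the default zone and,
# as the accepted answer shows, gets no answer from the scope.
Resolve-DnsName -Name "portal.$zone"   -Server "dns1.$zone" -Type A
Resolve-DnsName -Name "intranet.$zone" -Server "dns1.$zone" -Type A

# Mitigation that follows from that result: copy every internal-only A record into the scope
# so VPN clients can still reach applications that have no public address.
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -ne "portal" -and $_.HostName -ne "@" } |
    ForEach-Object {
        Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope $scope -A `
            -Name $_.HostName -IPv4Address $_.RecordData.IPv4Address.IPAddressToString
    }

# Verify what the scope now contains.
Get-DnsServerResourceRecord -ZoneName $zone -ZoneScope $scope -RRType A
```

The copy step has to be repeated (or scripted) whenever internal-only records change, since the scope is an independent record store; a record missing from the scope is simply unanswered for the matched subnet rather than falling back to the default zone.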

5 additional answers

Mahesh Mahi 46 Reputation points
    2020-09-09T10:23:31.073+00:00

    You are right!! Thanks for the update.