DNS Server query policies not surviving DNS server reboots - returns 'Query refused'

  • Question

  • I have set up a subnet based query policy in Server 2016. Immediately after creation it works great and all of my devices in the subnet are receiving the IPs the way I want them to. If I restart the DNS server, however, it will start returning 'query refused' to the scoped DNS queries.

    This is very strange behavior. Is there a bug in DNS policies?

    Monday, June 25, 2018 7:24 PM

All replies

  • Hi,

    Thanks for your question.

    Please try the following suggestions to see if it could be of help.

    • Check your query policy settings after the DNS restart. It may be that the query policy has changed. Please refer to the link below:

    https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries#bkmk_block2

    • Clear the DNS cache with the command ipconfig /flushdns. Then resolve the DNS server address with the nslookup command.
    • Turn off the firewall before testing.
    • Check if DNSSEC is set. Please refer to the link below:

    https://www.rootusers.com/secure-dns-traffic-using-dnssec-dns-policies/

    Hope you have a nice day!

    Best regards,

    Travis



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, June 26, 2018 6:35 AM
    Moderator
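One way to carry out the first suggestion above (compare the policy state before and after a DNS service restart) is the following PowerShell, added here as an example and not taken from the thread or from Microsoft's documentation; the zone name, subnet name and server address are assumptions.

```powershell
# Added example (not from this thread): snapshot DNS query-resolution policy
# state, restart the DNS service, snapshot again and diff the two.
# Zone, subnet and server values are assumptions for illustration only.
$ZoneName  = 'corp.example.com'
$DnsServer = '192.0.2.10'          # placeholder DNS server address

function Get-DnsPolicySnapshot {
    param([string]$Zone)
    [pscustomobject]@{
        # Client subnets referenced by the policy conditions.
        Subnets = Get-DnsServerClientSubnet |
                  Select-Object Name, IPV4Subnet, IPV6Subnet
        # Zone-level and server-level policies; policies are evaluated in
        # ProcessingOrder, so a reordered or disabled entry matters.
        ZonePolicies   = Get-DnsServerQueryResolutionPolicy -ZoneName $Zone |
                         Select-Object Name, Action, IsEnabled, ProcessingOrder
        ServerPolicies = Get-DnsServerQueryResolutionPolicy |
                         Select-Object Name, Action, IsEnabled, ProcessingOrder
        # Zone scopes the policy may point at for scoped answers.
        Scopes = Get-DnsServerZoneScope -ZoneName $Zone | Select-Object ZoneScope
    }
}

# Snapshot while scoped answers are known to work.
$before = Get-DnsPolicySnapshot -Zone $ZoneName
$before | Export-Clixml -Path "$env:TEMP\dnspolicy-before.xml"

Restart-Service -Name DNS

$after = Get-DnsPolicySnapshot -Zone $ZoneName
$after | Export-Clixml -Path "$env:TEMP\dnspolicy-after.xml"

# Anything listed here changed across the restart: a missing subnet,
# a policy that is now disabled, or a different processing order.
$props = 'Name', 'Action', 'IsEnabled', 'ProcessingOrder'
Compare-Object $before.ZonePolicies   $after.ZonePolicies   -Property $props
Compare-Object $before.ServerPolicies $after.ServerPolicies -Property $props
Compare-Object $before.Subnets $after.Subnets -Property Name, IPV4Subnet
Compare-Object $before.Scopes  $after.Scopes  -Property ZoneScope

# Re-test the scoped lookup from a client inside the subnet; a REFUSED
# response here, with no diff above, points at policy evaluation rather
# than at the stored configuration.
Resolve-DnsName -Name "www.$ZoneName" -Server $DnsServer -DnsOnly
```

Run the script in an elevated PowerShell session on the DNS server (the DnsServer module ships with the DNS Server role); the two Clixml files keep the snapshots for later comparison.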
  • I had DNSSEC and have unsigned and removed it on the zones.

    I wouldn't understand why the query policy would spontaneously change on service restart. Let me clarify here. I am the only one creating the policies on the DNS server and I am talking about restarting the DNS service on the DNS server. I even ran debug logging and all it popped up with was that the query was being denied even though the policy specifically had an ALLOW on this query.

    It is very strange behavior.

    Tuesday, June 26, 2018 4:09 PM
  • Hi,

    Thanks for your reply.

    I suggest you delete the policy and then test the DNS query. If the DNS works after deleting the policy, there is a problem with your policy configuration.

    Please refer to the following link: Windows Server 2016 DNS Policy Deny Subnet Access to Zone

    https://www.virtualizationhowto.com/2017/01/windows-server-2016-dns-policy-deny-subnet-access-to-zone/

    Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Travis


    Wednesday, June 27, 2018 9:35 AM
    Moderator