2016 DNS Policy Query

  • Question

  • Hi,

    We have 5 sites with one 2016 DNS Server (integrated via Active Directory) in each site (so 5 DNS servers in total). We have a main primary zone "xyz.com" and there are approx 50 A records in it. I would like the A record "service.xyz.com" to resolve to a different IP address for each site. I have implemented a DNS policy at site 1 to test. The policy looks like this:

    Add-DnsServerClientSubnet -Name "Site1_Subnet" -IPv4Subnet "192.168.1.0/24"
    Add-DnsServerZoneScope -ZoneName "xyz.com" -Name "Site1_Zone_Scope"
    Add-DnsServerResourceRecord -ZoneName "xyz.com" -A -Name "service" -IPv4Address "192.168.1.10" -ZoneScope "Site1_Zone_Scope"
    Add-DnsServerQueryResolutionPolicy -Name "Site1_Policy" -Action ALLOW -ClientSubnet "eq,Site1_Subnet" -ZoneScope "Site1_Zone_Scope,1" -ZoneName "xyz.com"

    From a client PC on the 192.168.1.0/24 subnet pointing to the DNS server with the policy, "service.xyz.com" resolves to the local address 192.168.1.10, which is what I want.

    BUT

    The issue I have is that the other 50 A records for the xyz.com zone do not resolve from that client PC. I know why, because the zone scope only has the one A record which I created... but is there a way I can get the client to resolve the other xyz.com A records from the main zone, which is AD integrated as well? I don't want to have to maintain 5 x local zone scopes for all A records in the original xyz.com.au domain.

    Cheers

    Craig
    Monday, April 23, 2018 1:32 AM

Answers

  • You did everything right except that you forgot to restrict the Query Resolution Policy to the specific records that are in the Zone Scope. You do this by way of the -FQDN parameter as shown below.

    Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -FQDN "eq,service.xyz.com" -ClientSubnet "eq,Site1_Subnet" -ZoneScope "Site1_Zone_Scope,1" -ZoneName "xyz.com"


    • Proposed as answer by aldsasha Tuesday, April 24, 2018 8:38 AM
    • Marked as answer by Craig_Han Wednesday, April 25, 2018 2:15 AM
    Tuesday, April 24, 2018 6:46 AM

All replies

  • Hi,

    From what I understand of DNS policy I don't think it will be possible to achieve what you are trying to do.

    Best Regards,

    Monday, April 23, 2018 8:39 AM
  • Thanks so much aldsasha.... you were bang on the money!!!

    For others out there, my working policy looked like this:

    Add-DnsServerClientSubnet -Name "Site1_Subnet" -IPv4Subnet "192.168.1.0/24"
    Add-DnsServerZoneScope -ZoneName "xyz.com" -Name "Site1_Zone_Scope"
    Add-DnsServerResourceRecord -ZoneName "xyz.com" -A -Name "service" -IPv4Address "192.168.1.10" -ZoneScope "Site1_Zone_Scope"
    Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -FQDN "eq,service.xyz.com" -ClientSubnet "eq,Site1_Subnet" -ZoneScope "Site1_Zone_Scope,1" -ZoneName "xyz.com"


    Wednesday, April 25, 2018 2:20 AM
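As an added example (not Craig's or aldsasha's code), the working policy above generalised to all five sites in one script, always with the -FQDN restriction that fixed the problem, plus a check that flags any policy in the zone still missing it. Site names, subnets and addresses are constructed, and the script assumes it is run on each of the five DNS servers, since DNS policies are server-local and not replicated through AD.

```powershell
# Added example: per-site split answers for service.xyz.com on all five sites.
# Site names, subnets and addresses below are constructed for illustration.
$ZoneName = 'xyz.com'
$Service  = 'service'
$Fqdn     = "$Service.$ZoneName"
$Sites = @(
    @{ Name = 'Site1'; Subnet = '192.168.1.0/24'; Address = '192.168.1.10' },
    @{ Name = 'Site2'; Subnet = '192.168.2.0/24'; Address = '192.168.2.10' },
    @{ Name = 'Site3'; Subnet = '192.168.3.0/24'; Address = '192.168.3.10' },
    @{ Name = 'Site4'; Subnet = '192.168.4.0/24'; Address = '192.168.4.10' },
    @{ Name = 'Site5'; Subnet = '192.168.5.0/24'; Address = '192.168.5.10' }
)

# DNS policies are stored per server and are not replicated by AD, so this is
# meant to run on every DNS server (assumed here for the scope records too),
# so a client gets the same site-specific answer whichever server it asks.
foreach ($s in $Sites) {
    $subnetName = "$($s.Name)_Subnet"
    $scopeName  = "$($s.Name)_Zone_Scope"
    Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet $s.Subnet
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name $scopeName
    # Only this one record lives in the scope. The other records stay in the
    # default scope and are still served, because the policy below only
    # diverts queries for this FQDN into the scope.
    Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name $Service `
        -IPv4Address $s.Address -ZoneScope $scopeName
    Add-DnsServerQueryResolutionPolicy -Name "$($s.Name)_Policy" -Action ALLOW `
        -FQDN "eq,$Fqdn" -ClientSubnet "eq,$subnetName" `
        -ZoneScope "$scopeName,1" -ZoneName $ZoneName
}

# Check: a policy that steers a subnet into a zone scope without an FQDN
# criterion recreates the original fault (every other name in the zone
# fails for that subnet). Property names are those of the DnsServerPolicy
# objects returned by Get-DnsServerQueryResolutionPolicy.
Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName | ForEach-Object {
    $hasScope = $_.Content.Count -gt 0
    $hasFqdn  = $_.Criteria | Where-Object { $_.CriteriaType -eq 'Fqdn' }
    if ($hasScope -and -not $hasFqdn) {
        Write-Warning "$($_.Name): zone scope set but no FQDN criterion; all queries from its subnet are confined to that scope."
    }
}

# From a client inside each subnet, confirm both the site-specific answer and
# that a record outside the scope still resolves (replace the server name):
# Resolve-DnsName -Name $Fqdn -Server dns.site1.example -Type A
# Resolve-DnsName -Name "other.$ZoneName" -Server dns.site1.example -Type A
```

Resolve-DnsName cannot spoof a source subnet, so the final verification has to be run from a machine inside each site's subnet.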