Add-DnsServerQueryResolutionPolicy using ALLOW in a server level policy

  • Question

  • Hi there,

    I don't understand part of the description for the cmdlet (https://docs.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverqueryresolutionpolicy?view=win10-ps):

    Example 7 states

    Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" `
        -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" `
        -ServerInterfaceIP "EQ,10.0.0.34"

    but the -ApplyOnRecursion parameter "indicates that this policy is a server level recursion policy."

    In the description above: "Server level policies apply either on the incoming queries or on the recursive outgoing queries. On the incoming queries, server level policies can only DENY or IGNORE."

    Am I assuming correctly that Example 7 is about allowing recursive outgoing queries for clients that connect to the server via 10.0.0.34?

    And is it furthermore correct to say that incoming queries would refer to other DNS servers asking for records, which can be either ignored or denied?

    Thanks for your thoughts,

    Dequester

    Saturday, March 9, 2019 5:50 PM

Answers

  • Hi Dequester,

    The document says: Recursion policies are a special class of server level policies. Recursion policies control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path.

    The above command also has the -RecursionScope parameter. This parameter is also stated in the document: Specifies the scope of recursion. If the policy is a recursion policy, and if a query matches it, the DNS server uses settings from this scope to perform recursion for the query.

    This is not creating a zone level policy, but rather defining a recursive path.

    So the sentence in the article is not wrong. It is still a server-level policy, just recursive policies are special.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Dequester Thursday, March 21, 2019 8:44 PM
    Thursday, March 21, 2019 3:39 AM
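The split-brain recursion setup that Example 7 belongs to, as an added PowerShell walk-through (not code from the thread or from the cmdlet reference): it shows the recursion-policy path next to an incoming-query policy, so the ALLOW-versus-DENY/IGNORE distinction is visible. The interface IP 10.0.0.34 and scope name come from the thread; the forwarder address, the client subnet and the policy name "DropUntrusted" are assumptions.

```powershell
# Constructed example; run on a Windows Server 2016+ DNS server in an elevated session.
# 10.0.0.34 and "InternalClients" are from the thread; 10.0.0.53, 192.0.2.0/24 and
# "DropUntrusted" are assumed values.

# 1. Turn recursion off in the default recursion scope (".") so a query that matches
#    no recursion policy is never recursed: the server is not an open resolver.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false

# 2. Create the named scope the policy will hand matching queries to, with recursion
#    enabled and an (assumed) internal forwarder.
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $true -Forwarder "10.0.0.53"

# 3. Example 7 from the cmdlet reference: a server-level *recursion* policy
#    (-ApplyOnRecursion). ALLOW here means "perform recursion using the
#    InternalClients scope" for queries that arrived on 10.0.0.34; it is evaluated
#    only once processing reaches the recursion path, not on the incoming query.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" `
    -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" `
    -ServerInterfaceIP "EQ,10.0.0.34"

# 4. For contrast: a server-level policy on the incoming-query path, which may only
#    DENY or IGNORE. This one silently drops queries from an assumed untrusted
#    subnet before any lookup or recursion happens.
Add-DnsServerClientSubnet -Name "UntrustedNet" -IPv4Subnet "192.0.2.0/24"
Add-DnsServerQueryResolutionPolicy -Name "DropUntrusted" -Action IGNORE -ClientSubnet "EQ,UntrustedNet"

# 5. Verify what was created: the scopes and both policies.
Get-DnsServerRecursionScope | Format-List
Get-DnsServerQueryResolutionPolicy | Format-List
```

Recursion for any other client (for example one arriving on a second interface) now falls through to the default scope, where it is disabled.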
  • DNS policy is a new feature of DNS on Windows Server 2016. In DNS for previous Windows Server versions, recursion could only be enabled/disabled for all client requests. With DNS policy, the DNS server can perform recursion for a set of clients for a query, while the DNS server does not perform recursion for other clients for that query.


    • Marked as answer by Dequester Thursday, March 21, 2019 8:44 PM
    Thursday, March 21, 2019 4:19 AM

All replies

  • Hello Dequester,

    Thank you for posting in this forum.

    In the article you provided, there are these descriptions.

    "Recursion policies are a special class of server level policies. Recursion policies control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path. You can choose a value of DENY or IGNORE for recursion for a set of queries. Alternatively, you can choose a set of forwarders for a set of queries. To configure this behavior, specify a recursion scope in the recursion policies. You can use recursion policies to implement a Split-brain DNS configuration. In this configuration, the DNS server performs recursion for a set of clients for a query, while the DNS server does not perform recursion for other clients for that query."

    [-RecursionScope "InternalClients"] is the recursion scope you specified.

    The DNS server performs recursion for a set of clients (clients in that scope) for a query, while the DNS server does not perform recursion for other clients for that query.

    Best Regards,

    Leon


    Tuesday, March 12, 2019 9:41 AM
  • Hi HK.Leon,

    I'm sorry if my question was too obtuse. I'll try to put it a bit more concisely:

    I want to know the difference between incoming and outgoing queries, as server policies on the former can only use DENY or IGNORE according to the docs I've quoted.

    So I wondered if the client requests in the policy in example 7 can be considered incoming or outgoing.

    Friday, March 15, 2019 11:48 AM
  • Hi Dequester,

    The query type of the client to the DNS server is a recursive query. When the query request arrives at the DNS server, the settings on the DNS server determine whether to perform recursion for the client's query.

    Name resolution is a complete process in itself; let's jump directly to the DNS server part. When the DNS server processes an incoming query, it first checks to see if it has this record in its own "database." If the DNS server does not have this record, it will issue an outgoing query to other DNS servers based on its own configuration. (If the DNS server is configured with a forwarder, the outgoing query from the DNS server to the forwarder is a recursive query; if the DNS server does not have a forwarder configured, the outgoing query from the DNS server to the root hints is an iterative query.)

    The client requests in the policy in example 7 are undoubtedly incoming queries.

    Best Regards,

    Leon



    Tuesday, March 19, 2019 8:08 AM
  • Hi Leon,

    Is it correct, then, that the sentence in the documentation has an error in it?

    "-ApplyOnRecursion

    Indicates that this policy is a server level recursion policy"

    "Server level policies apply either on the incoming queries or on the recursive outgoing queries. On the incoming queries, server level policies can only DENY or IGNORE."

    The command above seems to define a zone level policy, as otherwise it can't be ALLOW. I find it inconsistent, to say the least. If you have further clarifications they are most welcome. Otherwise you can propose your post as the answer and I'm going to accept it :).

    Regards,

    Dequester

    Wednesday, March 20, 2019 3:17 PM