Geo Location

  • Question

  • Hi,

    I would like to leverage ZoneScopes so that I can redirect traffic from specific services to local proxies on site as opposed to having the agents report back directly to our main DC. So I went ahead and defined the following:

    - Defined my branch site Subnet (Add-DnsServerClientSubnet)

    - Created a new ZoneScope and associated it with my org DNS zone (Add-DnsServerZoneScope)

    - Created an A and CNAME record in the new ZoneScope (Add-DnsServerResourceRecord)

    - Created a new policy to redirect the traffic (Add-DnsServerQueryResolutionPolicy)

    Everything works as expected with the exception that I'm unable to resolve records that are in my default ZoneScope. I can only resolve the record that I've added to my new ZoneScope. I attempted to add both zones when defining the policy, see example below. However, now it seems to query the default zone every 3rd query so I think I misunderstood the purpose of the weight.

    Add-DnsServerQueryResolutionPolicy -Name "EuropePolicy" -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1;woodgrove.com,2" -ZoneName "woodgrove.com"  
     

    I'm sure I'm missing something but can't seem to figure it out so any advice would be appreciated!

    Thursday, November 7, 2019 1:31 AM

Answers

  • I added the specific record to the resolution policy by using the -FQDN switch. The documentation isn't very clear but I'm assuming that if you do not specify the record the resolution policy assumes you can query any record within the new zone scope and as a result it will never fall back to the default zone scope to search for other records.

    Add-DnsServerQueryResolutionPolicy -Name "WestPolicy" -Action Allow -ClientSubnet "eq,WestSubnet" -fqdn "EQ,salt.orgname.com" -ZoneScope "WestZoneScope,1" -ZoneName "orgname.com"

    • Marked as answer by guilly08 Sunday, November 24, 2019 11:38 AM
    Sunday, November 24, 2019 11:38 AM
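
The four steps from the question combined with the -FQDN criterion from the answer, as an added example that is not part of the original thread. The subnet range and proxy address are constructed placeholders, and the names follow the answer's command; queries from the subnet that do not match the FQDN criterion match no policy and are answered from the default zone scope.

```powershell
# Added example (not from the original posts). Run on the DNS server that
# hosts the zone. The subnet range and proxy IP are constructed placeholders.
$Zone       = 'orgname.com'
$Scope      = 'WestZoneScope'
$SubnetName = 'WestSubnet'
$SubnetCidr = '10.20.0.0/24'     # constructed: branch site client range
$HostLabel  = 'salt'
$ProxyIp    = '10.20.0.10'       # constructed: on-site proxy address
$Fqdn       = '{0}.{1}' -f $HostLabel, $Zone

# 1. Identify branch clients by their source subnet.
Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $SubnetCidr

# 2. Create a zone scope that will hold only the overridden record.
Add-DnsServerZoneScope -ZoneName $Zone -Name $Scope

# 3. Put the branch-specific answer for the one name into that scope.
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $Scope `
    -A -Name $HostLabel -IPv4Address $ProxyIp

# 4. Match on BOTH client subnet and the exact FQDN. Without the -FQDN
#    criterion every query from the subnet is answered from the new scope,
#    which contains none of the other records.
Add-DnsServerQueryResolutionPolicy -Name 'WestPolicy' -Action ALLOW `
    -ClientSubnet "EQ,$SubnetName" -FQDN "EQ,$Fqdn" `
    -ZoneScope "$Scope,1" -ZoneName $Zone

# 5. Review what the server now holds.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
Get-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $Scope

# 6. From a client inside the branch subnet: the first lookup should return
#    the proxy address, the second should still resolve from the default
#    scope. 'dns01' and 'www' are hypothetical names.
Resolve-DnsName -Name $Fqdn -Server 'dns01' -Type A
Resolve-DnsName -Name "www.$Zone" -Server 'dns01' -Type A
```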

All replies

  • Hi ,

    What's the result when you run Get-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" ?

    Please refer to the following link to create policy step by step:

    Add-DnsServerQueryResolutionPolicy

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Friday, November 8, 2019 9:22 AM
  • Get-DnsServerQueryResolutionPolicy returns the one policy that I created using Add-DnsServerQueryResolutionPolicy. My system is in a closed network so I can't provide the output....

    I have referred to the link many times. But as stated I'm not sure how to allow a particular subnet that has a policy assigned to it to be able to resolve all other records that are outside of the zonescope I created.

    Friday, November 8, 2019 12:03 PM
  • Thanks for your reply. To clarify, I have hundreds of records in the default zone scope at HQ, but would like only one record configured to be geo-based for the off-site locations. Can I include additional/secondary zone scopes to the default zone which will contain only one record, but still permit the clients to resolve all other queries by the default scope? In other words I'd like to avoid recreating all records in each zone scope.
    Friday, November 8, 2019 6:43 PM
  • Hi ,

    >>Can I include additional/secondary zone scopes to the default zone which will contain only one record, but still permit the clients to resolve all other queries by the default scope? In other words I'd like to avoid recreating all records in each zone scope.

    Thanks for clarifying.

    I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy



    Wednesday, November 13, 2019 7:08 AM
  • Thank you, I plan on doing more testing tomorrow with the order in which the policies are applied.
    Friday, November 15, 2019 1:23 AM
  • Hi ,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    Highly appreciate your effort and time!

    Best Regards,

    Candy



    Monday, November 25, 2019 1:57 AM