Policy based DNS not working

  • Question

  • Hi,

    I'm testing out policy based DNS on Windows Server 2016 but I'm not sure whether I'm missing something as the policy isn't working.

    My scenario is that I want requests from a specific subnet to resolve to a different IP, and every other subnet will resolve to a default IP. The commands I ran are as follows:


    Add-DnsServerClientSubnet -name SpecialSubnet -IPv4Subnet 10.32.0.0/21
    Add-DnsServerZoneScope -ZoneName "test.local" -Name "SpecialZoneScope"
    Add-DnsServerResourceRecord -ZoneName "test.local" -A -Name www -IPv4Address 10.165.115.115
    Add-DnsServerResourceRecord -ZoneName "test.local" -ZoneScope "SpecialZoneScope" -A -Name www -IPv4Address 10.165.115.250
    Add-DnsServerQueryResolutionPolicy -Name "SpecialPolicy" -Action ALLOW -FQDN "eq,www.test.local" -ClientSubnet "eq,SpecialSubnet" -ZoneScope "SpecialZoneScope,1" -ZoneName "test.local"

    When I do nslookup from 10.32.0.0 I get a reply from 10.165.115.115 instead of .250

    We have a mixture of 2012 R2 and 2016 Domain Controllers which also run DNS. I point my workstation to a DNS server that's running 2016 as I believe policies are ignored on Windows 2012 R2.

    Have I missed anything?

    Thank you in advance.

    Monday, May 6, 2019 2:06 AM

All replies

  • Hi,

    I have tested the policy on my DNS server, and it works.

    Do the clients use Windows 2016 as the DNS server? You can use nslookup to check the default DNS server.

    I would suggest you check the format of the command, such as double quotes.

    Please add the attribute -PassThru at the end of the command to check the result.

    For your reference:

    https://docs.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverqueryresolutionpolicy?view=win10-ps  

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 6, 2019 6:39 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Wednesday, May 8, 2019 9:27 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Travis



    Friday, May 10, 2019 5:12 AM
    Moderator
  • Hi Travis,

    Apologies for the late reply. I finally got a chance to run the command again with -PassThru and I'm still having issues. DNS record still doesn't return the correct IP I wanted when looking up from the special subnet.

    Anything else I'm missing?

    Thank you.

    James.

    Friday, May 17, 2019 6:19 AM
  • Hi,

    I would suggest you check the configuration of the policy, such as client subnet, zonescope, resource records.

    Please refer to the link below:

    https://www.petri.com/network-traffic-management-using-dns-policies-in-windows-server-2016  

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.  

    Best regards,

    Travis



    • Proposed as answer by Jamec23 Wednesday, May 29, 2019 12:16 AM
    Monday, May 20, 2019 7:57 AM
    Moderator
  • Thanks for the link. I finally managed to get this to work! What was missing was the second DNS record that needed to be created.

    Thanks again for your help.

    Wednesday, May 29, 2019 12:16 AM
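
The checks suggested in this thread (client subnet, zone scope, the record in each scope, the policy), written as one script. This is an added example, not code from any poster in the thread; the object names are taken from the question, and `$DnsServer` and the `Test-Step` helper are assumptions introduced for illustration.

```powershell
# Added example. Object names come from the question; $DnsServer is a placeholder.
Import-Module DnsServer

$DnsServer = 'dns2016.test.local'     # hypothetical name of the 2016 DNS server
$Zone      = 'test.local'
$Scope     = 'SpecialZoneScope'
$Subnet    = 'SpecialSubnet'
$Policy    = 'SpecialPolicy'
$Record    = 'www'

# Run one check; report whether it returned anything, plus the value or the error.
function Test-Step {
    param([string]$Label, [scriptblock]$Check)
    try   { $value = & $Check; $ok = [bool]$value }
    catch { $value = $_.Exception.Message; $ok = $false }
    [pscustomobject]@{ Check = $Label; Ok = $ok; Detail = ($value | Out-String).Trim() }
}

$checks = @(
    Test-Step 'Client subnet defined' {
        (Get-DnsServerClientSubnet -ComputerName $DnsServer -Name $Subnet `
            -ErrorAction Stop).IPv4Subnet }
    Test-Step 'Zone scope exists' {
        (Get-DnsServerZoneScope -ComputerName $DnsServer -ZoneName $Zone `
            -Name $Scope -ErrorAction Stop).ZoneScope }
    # The record must exist twice: once in the default scope, once in the special scope.
    Test-Step 'Record in default scope' {
        (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
            -Name $Record -RRType A -ErrorAction Stop).RecordData.IPv4Address.IPAddressToString }
    Test-Step 'Record in special scope' {
        (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
            -ZoneScope $Scope -Name $Record -RRType A `
            -ErrorAction Stop).RecordData.IPv4Address.IPAddressToString }
    Test-Step 'Policy present and enabled' {
        (Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -ZoneName $Zone `
            -Name $Policy -ErrorAction Stop).IsEnabled }
    # The answer depends on the source address of the query, so run this from a
    # client inside the special subnet to see the scoped record.
    Test-Step 'Answer seen from this host' {
        (Resolve-DnsName -Name "$Record.$Zone" -Server $DnsServer -Type A `
            -DnsOnly -ErrorAction Stop).IPAddress }
)

$checks | Format-Table -AutoSize -Wrap
```

A row with `Ok` set to `False` names the missing piece; in this thread that was the second record.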
  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best regards,

    Travis



    Wednesday, May 29, 2019 6:09 AM
    Moderator