Tip of the Day: Understanding and using DNS Policy Configuration Objects
https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/10/tip-of-the-day-understanding-and-using-dns-policy-configuration-objects/

Shannon Gowen (https://social.technet.microsoft.com/profile/Shannon+Gowen), March 10, 2017
for example, which can be used as evaluation criteria, and Zone Scopes, which are essentially a zone partition containing a unique set of resource records for a zone.

Other parameters, such as the different types of evaluation criteria and the logical operators, are added in the policy expression itself.

Today's tip looks closer at these policy building blocks, and demonstrates how they can be used.

First, A Practical Scenario

To make the review of the following policy parameters more meaningful, let's consider a practical DNS policy scenario. This will allow us to see some of the commands and parameters in action as we go.

Woodgrove.com Geo-Location Scenario

Geo-Location Awareness response policies are a common use case for Windows Server 2016 DNS Policy and can be very effective in helping reduce latency and improve the user experience. They work by directing client connections to a remote resource to the instance of that resource closest to the client's physical location.

In this scenario, woodgrove.com has a web resource, with one instance hosted in their Seattle datacenter and another identical instance hosted in Dublin. To realize the best possible user experience, they want to use DNS policies to ensure that client connections to www.woodgrove.com (http://www.woodgrove.com) originating from Europe are directed to the Dublin instance, and that client connections originating from North America are directed to the instance located in Seattle.

We will build the required policies as we go through the following content.

Query Evaluation Parameters

Criteria

Criteria are used to evaluate incoming queries. DNS policy criteria can include any one or more of these types:

(image: table of DNS policy criteria types, https://msdnshared.blob.core.windows.net/media/2017/01/image591.png)

*This footnote applies to the Time of Day criterion in the table: it is contrary to some incorrect public documentation stating that the value must be expressed in the GMT equivalent.

Operators

One of two operators, EQ (equal) or NE (not equal), is added to each policy criterion to set its evaluation logic.

(image: operator table, https://msdnshared.blob.core.windows.net/media/2017/01/image592.png)

Condition

An optional AND/OR condition can be added to specify how the policy treats multiple criteria. In the absence of a -Condition parameter, the default AND behavior is used, meaning that a query must match all criteria to trigger the policy.

(image: condition table, https://msdnshared.blob.core.windows.net/media/2017/01/image593.png)

Woodgrove.com Scenario

Geo-Location policies commonly use client subnets in its evaluation criteria. The first step in configuring a
policy of this sort is to identify the IP address range for the location/region you want to manage, and
create any required client subnet objects. In a real-life situation where you want to direct traffic
originating from an entire continent, you would need to use Geo-IP maps to determine the appropriate
address ranges. For our scenario however, we are just going to 192.168.1.0/24 and 192.168.2.0/24 to
represent North America and Europe respectively:

Creating Client Subnets:

The following commands create AmericaSubnet and EuropeSubnet with the values shown (the subnet values are quoted so that PowerShell passes each one as a single string):

Add-DnsServerClientSubnet -Name AmericaSubnet -IPv4Subnet "192.168.1.0/24"
Add-DnsServerClientSubnet -Name EuropeSubnet -IPv4Subnet "192.168.2.0/24"

Note the absence of any reference to either an operator or a condition as mentioned above. These are added later in the policy statement, as can any of the other criteria types you may want to use.

Policy Action

The action dictates the behavior of a policy and will vary depending on the purpose of the policy. For example, some policies may be created to provide a customized name response based on the criteria, so they would use an ALLOW action. Others might be designed to block queries for certain types of records, or for malicious FQDNs. These might use either a DENY action, which sends the client an error response, or an IGNORE action, which drops the query without any response at all.

(image: policy action table, https://msdnshared.blob.core.windows.net/media/2017/01/image594.png)
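As an added example (not code from the original tip), here is one server-level policy that exercises the query-evaluation parameters described above (two criteria, each carrying its own EQ or NE operator, and an explicit -Condition) together with the IGNORE action just described. It drops QTYPE=ANY queries that do not come from an internal range, a common way to blunt ANY-based amplification without affecting internal tooling. The subnet name InternalSubnet and its address range are assumptions made for this example; the cmdlets and parameters are those of the Windows Server 2016 DnsServer module.

```powershell
# Added example, not from the original tip. Run in an elevated PowerShell
# session on a Windows Server 2016 DNS server (DnsServer module).
# Assumed for this example: the subnet name InternalSubnet and its range.

# Criterion object: the range of clients allowed to send QTYPE=ANY queries.
Add-DnsServerClientSubnet -Name 'InternalSubnet' -IPv4Subnet '10.0.0.0/8'

# Server-level policy (no -ZoneName, so it applies to queries for every zone):
#   criterion 1: QType EQ ANY                   -> the query asks for all records
#   criterion 2: ClientSubnet NE InternalSubnet -> and it is NOT from inside
#   -Condition AND (the default, spelled out here) -> both must match
#   -Action IGNORE -> drop the query silently; DENY would send an error reply
Add-DnsServerQueryResolutionPolicy -Name 'IgnoreExternalAnyQueries' `
    -Action IGNORE `
    -QType 'EQ,ANY' `
    -ClientSubnet 'NE,InternalSubnet' `
    -Condition AND `
    -ProcessingOrder 1

# Readback: confirm how the server stored the operators and the condition.
# Each element of .Criteria carries a CriteriaType and an "<EQ|NE>,<value>"
# string, so what was typed can be checked against what was stored.
$policy = Get-DnsServerQueryResolutionPolicy -Name 'IgnoreExternalAnyQueries'
$policy | Format-List Name, Level, Action, Condition, ProcessingOrder, IsEnabled
$policy.Criteria | Format-Table CriteriaType, Criteria -AutoSize

# To make EITHER criterion alone trigger the policy, switch the condition on
# the existing policy instead of recreating it:
#   Set-DnsServerQueryResolutionPolicy -Name 'IgnoreExternalAnyQueries' -Condition OR
```

The comma-separated criterion values are quoted on purpose: an unquoted `EQ,ANY` is parsed by PowerShell as a two-element array rather than the single "operator,value" string the cmdlet expects.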

Woodgrove.com Scenario

At this point, there is nothing to add to the woodgrove policy scenario, as the ALLOW action will be
added later when we create the policy statements.

Scopes

Scopes are the key to providing customized responses in a DNS query resolution policy.

3 of 5 4/17/2017 9:20 PM
Tip of the Day: Understanding and using DNS Policy Configuration Obje... https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/10/tip-of-th...

(image: scope types table, https://msdnshared.blob.core.windows.net/media/2017/01/image595.png)

Woodgrove.com Scenario

In this scenario, the DNS server already hosts a woodgrove.com zone. However, we will need to create two
Zone Scopes: one to hold the records used to respond to North American clients, and the other for the
records used to respond to European clients.

Creating Zone Scopes:

The following commands create two zone scopes, AmericaZoneScope and EuropeZoneScope, within the woodgrove.com zone.

Add-DnsServerZoneScope -ZoneName woodgrove.com -Name AmericaZoneScope
Add-DnsServerZoneScope -ZoneName woodgrove.com -Name EuropeZoneScope

Adding the Resource Records:

We must also populate the scopes with resource records to be returned in the event of a policy match. For our example, we will use the IP 10.0.0.1 for the web server in Seattle, and 10.2.0.1 for the web server in Dublin.

Add-DnsServerResourceRecord -ZoneName woodgrove.com -A -Name www -IPv4Address 10.0.0.1 -ZoneScope AmericaZoneScope
Add-DnsServerResourceRecord -ZoneName woodgrove.com -A -Name www -IPv4Address 10.2.0.1 -ZoneScope EuropeZoneScope

Note the addition of the -ZoneScope parameter. This is the only difference between using PowerShell to create a zone scope record and creating a regular DNS zone record.

Creating the DNS Policies:

With the groundwork laid, we can now create the policies. Two will be required, one to manage North American traffic and another to manage European traffic. The comma-separated criterion and scope values are quoted so that PowerShell passes each as a single string rather than splitting it into an array:

Add-DnsServerQueryResolutionPolicy -Name AmericaPolicy -Action ALLOW -ClientSubnet "eq,AmericaSubnet" -ZoneScope "AmericaZoneScope,1" -ZoneName woodgrove.com
Add-DnsServerQueryResolutionPolicy -Name EuropePolicy -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1" -ZoneName woodgrove.com

Note the parameters used in the Add-DnsServerQueryResolutionPolicy command.

- The -Name parameter is used to give the policy a descriptive name.
- Both policies include an ALLOW action, meaning queries matching the address space referenced in the -ClientSubnet criterion will receive an answer derived from the scope indicated in the -ZoneScope parameter.
- Note the use of the EQ operator in the -ClientSubnet parameter. Using the NE operator here would reverse the policy logic, causing any query except those originating from AmericaSubnet to match and trigger the policy.
- Note the numerical value ,1 after the scope name in each policy. The value is meaningless in this scenario, but in a case where you want to load-balance using the records from multiple scopes, you can adjust this number to reflect the desired ratio. Here is an example, splitting the load between two datacenters at a 4:1 ratio: -ZoneScope "AmericaZoneScope,4;EuropeZoneScope,1"
- We needn't specify an AND/OR condition as there is only one evaluation criterion. Had there been multiple criteria, consideration would have been given to which was most appropriate.
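The tip stops before showing how to check the result. The following added block (not part of the original post) verifies the Woodgrove.com objects built above from the server side, adds the one piece the scenario leaves implicit (a www record in the zone's default scope, which is what answers clients matching neither policy), and applies the 4:1 weighting just described with Set-DnsServerQueryResolutionPolicy instead of recreating the policy. The fallback address 10.1.0.1 and the DNS server address 192.168.1.10 used in the client-side check are assumptions for this example.

```powershell
# Added example, not from the original tip. Run on the woodgrove.com DNS server
# after the commands above. Assumed: 10.1.0.1 (fallback www address) and
# 192.168.1.10 (the DNS server's address as seen from an AmericaSubnet client).

# 1. Queries that match no policy are answered from the zone's default scope.
#    Without a www record there, clients outside 192.168.1.0/24 and
#    192.168.2.0/24 get no www answer at all, so give the default scope one.
Add-DnsServerResourceRecord -ZoneName 'woodgrove.com' -A -Name 'www' -IPv4Address '10.1.0.1'

# 2. Confirm which address each scope will hand out for www.
foreach ($scope in 'AmericaZoneScope', 'EuropeZoneScope') {
    $rr = Get-DnsServerResourceRecord -ZoneName 'woodgrove.com' -ZoneScope $scope -Name 'www' -RRType A
    '{0,-17} www -> {1}' -f $scope, $rr.RecordData.IPv4Address
}

# 3. List the zone's policies in evaluation order. The first policy whose
#    criteria match is the one applied, so ProcessingOrder matters as soon
#    as two policies can match the same query.
Get-DnsServerQueryResolutionPolicy -ZoneName 'woodgrove.com' |
    Sort-Object ProcessingOrder |
    Format-Table ProcessingOrder, Name, Action, Condition, IsEnabled -AutoSize

# 4. Weighted variant of AmericaPolicy: four of every five answers to
#    AmericaSubnet clients come from the Seattle scope, one from Dublin.
Set-DnsServerQueryResolutionPolicy -ZoneName 'woodgrove.com' -Name 'AmericaPolicy' `
    -ZoneScope 'AmericaZoneScope,4;EuropeZoneScope,1'

# 5. Client-side check, run from a host inside 192.168.1.0/24: query the
#    server directly (bypassing the local cache) and compare the answer with
#    the scope table printed in step 2.
Resolve-DnsName -Name 'www.woodgrove.com' -Type A -Server '192.168.1.10' -DnsOnly |
    Select-Object Name, IPAddress
```

Step 5 is the only part that runs on a client; repeat it from a host in 192.168.2.0/24 and from one outside both ranges to see the Dublin address and the default-scope fallback respectively.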

If you've gotten this far, thanks for hanging with this unusually long tip. There is so much more to tell, including the very important topics of how to control policy processing order through precedence, and how to use PowerShell and other tools to review and troubleshoot policy implementations. Perhaps in another tip. For now, however, you can find more information on DNS policies and DNS policy scenarios here:

DNS Policy Scenario Guide for Windows Server 2016 (https://gallery.technet.microsoft.com/DNS-Policy-Scenario-Guide-c9730914)

Tags: Brian Caton (https://blogs.technet.microsoft.com/tip_of_the_day/tag/brian-caton/), DNS (https://blogs.technet.microsoft.com/tip_of_the_day/tag/dns/), Windows Server 2016 (https://blogs.technet.microsoft.com/tip_of_the_day/tag/windows-server-2016/)

Comments (1)

Peter, March 11, 2017 at 8:29 pm (https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/10/tip-of-the-day-understanding-and-using-dns-policy-configuration-objects/#comment-9265)
How is this different from using AD sites? It seems like it produces the same result.
