Shannon Gowen (https://social.technet.microsoft.com/profile/Shannon+Gowen) March 10, 2017
1 of 5 4/17/2017 9:20 PM
Tip of the Day: Understanding and using DNS Policy Configuration Obje... https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/10/tip-of-th...
Other parameters, such as different types of evaluation criteria and logical operators, are added in the policy expression itself.
Today's tip looks closer at these policy building blocks and demonstrates how they can be used. We will build the required policies as we go through the following content.

Query Evaluation Parameters

Criteria
Criteria are used to evaluate incoming queries. DNS policy criteria can include any one or more of these types.
(https://msdnshared.blob.core.windows.net/media/2017/01/image591.png)
*This is contrary to some incorrect public documentation stating the value must be expressed in the GMT equivalent.

Operators
One of two operators, EQ (equal) or NE (not equal), is added to each policy criterion to set its evaluation logic.
(https://msdnshared.blob.core.windows.net/media/2017/01/image592.png)

Condition
An optional AND/OR condition can be added to specify how the policy treats multiple criteria. In the absence of a -condition parameter, the default AND behavior is used, meaning that a query must match all criteria to trigger a policy.
(https://msdnshared.blob.core.windows.net/media/2017/01/image593.png)
Woodgrove.com Scenario
Geo-location policies commonly use client subnets in their evaluation criteria. The first step in configuring a policy of this sort is to identify the IP address range for the location/region you want to manage, and create any required client subnet objects. In a real-life situation where you want to direct traffic originating from an entire continent, you would need to use Geo-IP maps to determine the appropriate address ranges. For our scenario, however, we are just going to use 192.168.1.0/24 and 192.168.2.0/24 to represent North America and Europe respectively:
The following commands create an AmericaSubnet and EuropeSubnet with the values shown.
Note the absence of any reference to either an operator or a condition, as mentioned above. These are added later in the policy statement, as can any of the other criteria types you may want to use.
Policy Action
The action dictates the behavior of a policy and will vary depending on the purpose of the policy. For example, some policies may be created to provide a customized name response based on the criteria; these would use an allow action. Others might be designed to block queries for certain types of records, or for malicious FQDNs; these might use either a deny or an ignore action.
(https://msdnshared.blob.core.windows.net/media/2017/01/image594.png)
Woodgrove.com Scenario
At this point, there is nothing to add to the woodgrove policy scenario, as the ALLOW action will be
added later when we create the policy statements.
Scopes
Scopes are the key to providing customized responses in a DNS query resolution policy.
(https://msdnshared.blob.core.windows.net/media/2017/01/image595.png)
Woodgrove.com Scenario
In this scenario, the DNS server already hosts a woodgrove.com zone. However, we will need to create two zone scopes: one to hold the records used to respond to North American clients, and the other for the records used to respond to European clients.
The following commands create two zone scopes, AmericaZoneScope and EuropeZoneScope, within the woodgrove.com zone.
We must also populate the scopes with resource records to be returned in the event of a policy match. For our example, we will use the IP 10.0.0.1 for the web server in Seattle, and 10.2.0.1 for the web server in Dublin.
Note the addition of the -ZoneScope parameter. This is the only difference between using PowerShell to create a zone scope record and creating a regular DNS zone record.
With the groundwork laid, we can now create the policies. Two will be required: one to manage North American traffic and another to manage European traffic.
The -name parameter is used to give the policy a descriptive name.
Both policies include an ALLOW action, meaning queries matching the address space referenced in the -ClientSubnet criteria will receive an answer derived from the scope indicated in the -ZoneScope parameter.
Note the use of the EQ operator in the -ClientSubnet parameter. Using the NE operator here would reverse the policy logic, causing any query except those originating from the AmericaSubnet to match and trigger the policy.
Note the numerical value ,1 after the scope name in each policy. The value is meaningless in this scenario, but in a case where you wanted to load-balance using the records from multiple scopes, you can adjust this number to reflect the desired ratio. Here is an example, splitting the load between two datacenters at a 4:1 ratio: -ZoneScope AmericaZoneScope,4;EuropeZoneScope,1
We needn't specify an AND/OR condition, as there is only one evaluation criterion. Had there been multiple criteria, consideration would have been given to which was most appropriate.
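The complete Woodgrove.com build walked through above, as an added example that is not part of the original tip: it creates the two client subnets, the two zone scopes, one A record per scope and the two ALLOW policies, then reads the configuration back so the operator and scope weights can be checked. The host record name www and the policy names AmericaPolicy and EuropePolicy are assumptions; the cmdlets are those of the DnsServer module, run in an elevated session on the DNS server.

```powershell
# Added example (not from the original tip). Run in an elevated PowerShell
# session on the Windows Server DNS server that already hosts woodgrove.com.
$zone = 'woodgrove.com'

# 1. Client subnets: 192.168.1.0/24 = North America, 192.168.2.0/24 = Europe.
#    No operator or condition here; those belong to the policy statement.
Add-DnsServerClientSubnet -Name 'AmericaSubnet' -IPv4Subnet '192.168.1.0/24'
Add-DnsServerClientSubnet -Name 'EuropeSubnet'  -IPv4Subnet '192.168.2.0/24'

# 2. Zone scopes inside the existing woodgrove.com zone.
Add-DnsServerZoneScope -ZoneName $zone -Name 'AmericaZoneScope'
Add-DnsServerZoneScope -ZoneName $zone -Name 'EuropeZoneScope'

# 3. One record per scope. -ZoneScope is the only difference from a normal
#    Add-DnsServerResourceRecord call. 'www' is an assumed host name.
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'AmericaZoneScope' `
    -A -Name 'www' -IPv4Address '10.0.0.1'   # Seattle web server
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'EuropeZoneScope' `
    -A -Name 'www' -IPv4Address '10.2.0.1'   # Dublin web server

# 4. Policies: "operator,subnet" as the single criterion, ALLOW as the action,
#    "scope,weight" as the answer source. Weight 1 is a no-op with one scope,
#    and no -Condition is needed with one criterion. Policy names are assumed.
Add-DnsServerQueryResolutionPolicy -Name 'AmericaPolicy' -ZoneName $zone `
    -Action ALLOW -ClientSubnet 'EQ,AmericaSubnet' -ZoneScope 'AmericaZoneScope,1'
Add-DnsServerQueryResolutionPolicy -Name 'EuropePolicy' -ZoneName $zone `
    -Action ALLOW -ClientSubnet 'EQ,EuropeSubnet' -ZoneScope 'EuropeZoneScope,1'

# A 4:1 split across both datacenters would instead use:
#   -ZoneScope 'AmericaZoneScope,4;EuropeZoneScope,1'

# 5. Read everything back. Check that each policy carries EQ (not NE), that
#    each scope holds the expected address, and note the processing order,
#    since a mistaken NE would send every non-American client to Seattle.
Get-DnsServerClientSubnet
Get-DnsServerZoneScope -ZoneName $zone
Get-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'AmericaZoneScope'
Get-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'EuropeZoneScope'
Get-DnsServerQueryResolutionPolicy -ZoneName $zone |
    Format-Table Name, Action, Condition, IsEnabled, ProcessingOrder -AutoSize
```

Querying www.woodgrove.com from a host in each subnet (for example with Resolve-DnsName pointed at this server) should then return 10.0.0.1 from 192.168.1.0/24 and 10.2.0.1 from 192.168.2.0/24.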
If you've gotten this far, thanks for hanging with this unusually long tip. There is so much more to tell, including the very important topics of how to control policy processing order through precedence, and how to use PowerShell and other tools to review and troubleshoot policy implementations. Perhaps in another tip. For now, however, you can see more information on DNS policies and DNS policy scenarios here:
Comments (1)
Peter, March 11, 2017 at 8:29 pm (https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/10/tip-of-the-day-understanding-and-using-dns-policy-configuration-objects/#comment-9265)
How is this different from using AD sites? It seems like it produces the same result.