
I am using dns policy with windows dns server. In my scenario I want to allow recursive queries in local subnet (192.168.1.0/24) and deny for others.

It works great until querying for a domain (example.com) from the local subnet. After resolving it from local, it starts to resolve it for all IPs. I think it looks at the cache first and answers immediately without looking at the policies.

How can I deny recursive queries in cache for outside ips?

Here are my policy details.

Add-DnsServerClientSubnet -Name ServersSubnet -IPv4Subnet 192.168.1.0/24
Add-DnsServerClientSubnet -Name LoopBackSubnet -IPv4Subnet 127.0.0.0/8 -IPv6Subnet ::1/128
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True -Forwarder 208.26.222.222, 208.67.220.220
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ClientSubnet "eq,ServersSubnet,LoopBackSubnet"

1 Answer

The question is: do you want to block resolution of example.com for external clients? The recursion policies control whether the DNS server will recurse for external clients or not. With the policies you created above, it will not recurse. But it will still continue to respond from cache. If you want to block name resolution for external clients, do this:

Add-DnsServerQueryResolutionPolicy -Name "SplitBrainDenyPolicy" -Action DENY -ClientSubnet "ne,ServersSubnet,LoopBackSubnet"

Note I use "ne" here. You can also use -ServerInterface criteria to differentiate between internal and external clients.

Ashu [I designed DNS policies]
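The complete configuration as an added example (not code from the question or the answer): the subnets and recursion scopes from the question, the DENY policy from the answer, and a check of the resulting policy list. It assumes an elevated PowerShell session on the DNS server itself (DnsServer module), the forwarder addresses as the question gives them, and that the server hosts no public authoritative zones, since a server-level DENY applies to every query from the matched clients.

```powershell
# Added example, not the poster's or answerer's code.
# Assumptions: run on the DNS server in an elevated session; no public
# authoritative zones are hosted here (a server-level DENY would block
# external clients from those too).

$Internal = @{ Name = 'ServersSubnet';  IPv4Subnet = '192.168.1.0/24' }
$Loopback = @{ Name = 'LoopBackSubnet'; IPv4Subnet = '127.0.0.0/8'; IPv6Subnet = '::1/128' }

# Client subnets, guarded so the script can be re-run safely.
foreach ($s in @($Internal, $Loopback)) {
    if (-not (Get-DnsServerClientSubnet -Name $s.Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet @s
    }
}

# Default scope: no recursion for anyone. Internal scope: recurse via forwarders
# (addresses taken from the question as given).
Set-DnsServerRecursionScope -Name . -EnableRecursion $false
if (-not (Get-DnsServerRecursionScope -Name 'InternalClients' -ErrorAction SilentlyContinue)) {
    Add-DnsServerRecursionScope -Name 'InternalClients' -EnableRecursion $true `
        -Forwarder '208.26.222.222', '208.67.220.220'
}

# Recursion policy (from the question): internal clients recurse in the
# InternalClients scope. This alone does not stop cached answers being served.
if (-not (Get-DnsServerQueryResolutionPolicy -Name 'SplitBrainRecursionPolicy' -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainRecursionPolicy' -Action ALLOW `
        -ApplyOnRecursion -RecursionScope 'InternalClients' `
        -ClientSubnet 'eq,ServersSubnet,LoopBackSubnet'
}

# Query policy (from the answer): clients outside both subnets get DENY, which is
# what stops them receiving answers from the cache. The "ne" and "eq" conditions
# are mutually exclusive, so the two policies never overlap.
if (-not (Get-DnsServerQueryResolutionPolicy -Name 'SplitBrainDenyPolicy' -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainDenyPolicy' -Action DENY `
        -ClientSubnet 'ne,ServersSubnet,LoopBackSubnet'
}

# Verify: both policies present and enabled.
Get-DnsServerQueryResolutionPolicy |
    Format-Table Name, Action, IsEnabled, ProcessingOrder -AutoSize
```

To confirm the behaviour, run Resolve-DnsName example.com -Server <dns-server-ip> once from a 192.168.1.0/24 host and once from an address outside it after the first query has populated the cache; only the internal host should get an answer.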
