Server 2016: Use DNS Policies to Allow Queries to Specific Domain from Specific Subnet

On a public DNS server, I would like to create a rule using DNS Policies to allow traffic to a specific domain only from specified subnets.

For example, say we have a domain contoso.com, but only want to allow a specific subnet to query this (note that there are other publicly-queryable domains on this server). Using DNS policies, I can easily block a specific subnet from querying a specific domain, but I cannot figure out how to allow a specific subnet to query a specific domain.

The following works to block:

Add-DnsServerQueryResolutionPolicy -Name "Disallow_Contoso" -Action IGNORE -ClientSubnet "EQ,LocalSubnet10.x" -FQDN "EQ,*.contoso.com" -PassThru

But the following does not work to allow:

Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW -ClientSubnet "EQ,LocalSubnet10.x" -FQDN "EQ,*.contoso.com" -PassThru

The error returned from Powershell on the second command is:

Add-DnsServerQueryResolutionPolicy : Failed to create policy Allow_Contoso on DNS server DNS1. Please see internal exception for details.
At line:1 char:1
+ Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (Allow_Contoso:root/Microsoft/...esolutionPolicy) [Add-DnsServerQueryResolutionPolicy], CimException
+ FullyQualifiedErrorId : WIN32 87,Add-DnsServerQueryResolutionPolicy

It seems that the -Action ALLOW is not allowed in this context, but I cannot confirm that based on the cryptic error message.

Beems

Posted 2018-07-23T21:48:23.557

Reputation: 1 067

I'm also wondering if you cannot just remove the -FQDN "EQ,*.contoso.com" from the allow rule as well. So maybe Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW -ClientSubnet "EQ,LocalSubnet10.x" -PassThru but you may need to add [-ZoneScope <String>] and/or [-ZoneName] <String>... With a quick look over, that may or may not help you, but that's my idea of some things to consider and test. – Pimp Juice IT – 2018-07-23T22:15:51.777

Answers

After much trial and error, the following is working:

Add-DnsServerClientSubnet -Name "Subnet192.x" -IPv4Subnet 192.168.0.0/24
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "SpecialSubnet" -PassThru
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "test" -IPv4Address "10.10.0.1" -ZoneScope "SpecialSubnet" -PassThru
Add-DnsServerQueryResolutionPolicy -Name "SpecialPolicy" -Action ALLOW -ClientSubnet "eq,Subnet192.x" -ZoneScope "SpecialSubnet,1" -ZoneName "contoso.com" -PassThru

So if the querying device is outside of the 192.168.0.0/24 subnet, the native DNS zone will respond with an "A" record for test.contoso.com (assuming it has been manually created). If the querying device is within the 192.168.0.0/24 subnet, the policy created here will respond with 10.10.0.1 to a query for test.contoso.com.

Beems

Posted 2018-07-23T21:48:23.557

Reputation: 1 067
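The accepted answer gives the allowed subnet its own zone scope, so clients outside 192.168.0.0/24 are still answered from the default scope of contoso.com. The question, however, asked for the zone to be resolvable from the named subnet only. The script below is an added example, not code from the question or the answer: it keeps the answer's subnet/scope/ALLOW pattern and adds a second zone-level policy that uses the NE (not equal) form of the -ClientSubnet criterion to drop queries from every other client, which is the "deny by default" the question was after. Zone name, subnet name, scope name and addresses are placeholders copied from the thread; adjust them for your environment. (For reference, the WIN32 87 in the error above is ERROR_INVALID_PARAMETER, i.e. the cmdlet rejected the parameter combination rather than failing on the server.)

```powershell
# Added example (not from the original question or answer). Zone, subnet and
# scope names are assumed placeholders taken from the thread; adjust them.
# Run in an elevated PowerShell session on the DNS server (DnsServer module,
# Windows Server 2016 or later).

$Zone       = "contoso.com"
$SubnetName = "Subnet192.x"
$Scope      = "SpecialSubnet"

# 1. Name the client subnet that is allowed to resolve the zone.
Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet "192.168.0.0/24"

# 2. Give the allowed subnet its own view of the zone, with the records it
#    should see (same pattern as the answer above).
Add-DnsServerZoneScope -ZoneName $Zone -Name $Scope
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $Scope `
    -A -Name "test" -IPv4Address "10.10.0.1"

# 3. Zone-level policy: clients inside the subnet are answered from the scope.
#    "SpecialSubnet,1" is the scope name plus its weight.
Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW `
    -ClientSubnet "EQ,$SubnetName" -ZoneScope "$Scope,1" -ZoneName $Zone

# 4. Zone-level policy: every other client gets no answer for this zone.
#    NE negates the criterion. IGNORE drops the query silently; use DENY
#    instead if you want the server to return an error response.
Add-DnsServerQueryResolutionPolicy -Name "Deny_Contoso_Others" -Action IGNORE `
    -ClientSubnet "NE,$SubnetName" -ZoneName $Zone

# 5. Verify both policies exist on the zone and check their processing order.
#    The two criteria are mutually exclusive, so order does not matter here,
#    but -ProcessingOrder can be used on either cmdlet to make it explicit.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone |
    Format-Table Name, ProcessingOrder, Action, IsEnabled -AutoSize

# 6. Test from two clients (replace the server address). From a host inside
#    192.168.0.0/24 this returns 10.10.0.1; from any other host the query
#    receives no reply and Resolve-DnsName times out.
#   Resolve-DnsName -Name "test.$Zone" -Server 203.0.113.53 -Type A
```

Because the deny policy is scoped with -ZoneName, it only affects contoso.com; the other publicly queryable zones on the same server keep answering everyone. Recursive resolvers in front of this server will see the timeout as a resolution failure, which is the expected behaviour for IGNORE, so prefer DENY if you need an immediate negative answer rather than a silent drop.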