On a public DNS server, I would like to create a rule using DNS Policies to allow traffic to a specific domain only from specified subnets.
For example, say we have a domain contoso.com, but only want to allow a specific subnet to query this (note that there are other publicly-queryable domains on this server). Using DNS policies, I can easily block a specific subnet from querying a specific domain, but I cannot figure out how to allow a specific subnet to query a specific domain.
The following works to block:
Add-DnsServerQueryResolutionPolicy -Name "Disallow_Contoso" -Action IGNORE -ClientSubnet "EQ,LocalSubnet10.x" -FQDN "EQ,*.contoso.com" -PassThru
But the following does not work to allow:
Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW -ClientSubnet "EQ,LocalSubnet10.x" -FQDN "EQ,*.contoso.com" -PassThru
The error returned from PowerShell on the second command is:
Add-DnsServerQueryResolutionPolicy : Failed to create policy Allow_Contoso on DNS server DNS1. Please see internal exception for details.
At line:1 char:1
+ Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Allow_Contoso:root/Microsoft/...esolutionPolicy) [Add-DnsServerQueryResolutionPolicy], CimException
+ FullyQualifiedErrorId : WIN32 87,Add-DnsServerQueryResolutionPolicy
It seems that -Action ALLOW is not allowed in this context, but I cannot confirm that based on the cryptic error message.
I'm also wondering if you cannot just remove the -FQDN "EQ,*.contoso.com" from the allow rule as well. So maybe
Add-DnsServerQueryResolutionPolicy -Name "Allow_Contoso" -Action ALLOW -ClientSubnet "EQ,LocalSubnet10.x" -PassThru
but you may need to add [-ZoneScope <String>] and/or [-ZoneName] <String>
... with a quick look over, that may or may not help you, but that's my idea of some things to consider and test. – Pimp Juice IT – 2018-07-23T22:15:51.777
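The question wants "only subnet X may query contoso.com" and the comment suggests scoping the rule with -ZoneName. The following is an added example, not code from the question or the comment, showing how to get that allow-list behaviour without an ALLOW action at all: the rule is inverted into "ignore queries for the contoso.com zone from every client that is NOT in the permitted subnet", using the NE (not-equal) operator the -ClientSubnet criterion accepts and a zone-level policy so the other publicly-queryable zones on the server are unaffected. The server name DNS1 is taken from the error text in the question; the subnet name Contoso_Allowed, the range 10.0.10.0/24 and the policy name are assumptions for illustration.

```powershell
# Added example (not from the question or the comment). Assumptions: server DNS1,
# zone contoso.com, and the subnet name/range below are illustrative placeholders.
$Server     = 'DNS1'
$Zone       = 'contoso.com'
$SubnetName = 'Contoso_Allowed'
$SubnetCidr = '10.0.10.0/24'   # assumed: the one subnet that may query the zone

# 1. Define the client subnet object the policy will reference (skip if it already exists).
if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ComputerName $Server -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $SubnetCidr -ComputerName $Server
}

# 2. Zone-level policy: match clients whose source address is NOT in the permitted subnet
#    and drop their queries for this zone. Because the policy carries -ZoneName it applies
#    only to contoso.com; queries for the server's other zones are not touched.
#    IGNORE drops the query without any answer (the client sees a timeout); use
#    -Action DENY instead if outside clients should get an error response.
Add-DnsServerQueryResolutionPolicy -Name 'Contoso_OnlyAllowedSubnet' `
    -Action IGNORE `
    -ClientSubnet "NE,$SubnetName" `
    -ZoneName $Zone `
    -ComputerName $Server `
    -PassThru

# 3. Confirm the policy exists, is enabled and is scoped to the zone.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone -ComputerName $Server |
    Format-Table Name, Action, ProcessingOrder, IsEnabled, Condition

# 4. Behavioural check, run from a client host: inside 10.0.10.0/24 this returns records;
#    from any other address the query times out instead of returning NXDOMAIN.
Resolve-DnsName -Name "www.$Zone" -Server $Server -DnsOnly -ErrorAction SilentlyContinue
```

Two practical notes. First, test from a host outside the permitted range as well as inside it: an IGNORE policy fails silently, so a typo in the subnet definition would lock out everyone, including the intended clients, with no error on the server side. Second, a client-subnet criterion matches on the source address the DNS server sees, so queries arriving through a forwarder or NAT device are evaluated against that device's address, not the original client's.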