Applying Filters on DNS Queries using Windows DNS Server Policies

DNS policies is a new feature in the DNS server role of Windows Server 2016 Technical Preview – not to be confused with group policies of the AD fame. You can create DNS policies on the DNS server to control how a DNS Server handles queries based on different parameters. In the previous blogs, we discussed how to achieve traffic management and deploying split-brain DNS using DNS policies. Here we are going to discuss another important scenario where DNS policies can be used to create query filters based on certain criteria. One of the example of such filters are DNS black holes for known malicious domains. Another example is to create a whitelist to allow only a specific set of clients to resolve certain names. The filters can be created with any logical combination (AND/OR/NOT) of the following criteria.

Name

Description

Client Subnet

Name of a predefined client subnet. Used to verify the subnet from which the query was sent.

Transport Protocol

Transport protocol used in the query. Possible entries are UDP and TCP.

Internet Protocol

Network protocol used in the query. Possible entries are IPv4 and IPv6.

Server Interface IP address

IP address of the network interface of the DNS server which received the DNS request

FQDN

FQDN of record in the query, with the possibility of using a wild card.

Query Type

Type of record being queried (A, SRV, TXT etc.)

Time of Day

Time of day the query is received.

 

Following are some examples on how policies can be used to create filters. First we will see how to block certain queries using DNS policies

Block queries for a domain

One of the widespread requirements from the DNS administrators is the ability to block name resolution for certain domains identified to be malicious or domains that do not comply with the usage guidelines of the organization. This can be achieved using Policies.

The following cmdlet will disallow any queries with domain suffix contosomalicious.com. 

Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicy" -Action IGNORE -FQDN "EQ,*.contosomalicious.com" -PassThru  

 Explore Add-DnsServerQueryResolutionPolicy

Note that this policy has not been created on any zone. Such policies are the Server Level Policies and are first to be matched when a query is incident on the DNS server.

Block queries from a subnet

Another scenario is when a certain subnet has been found to be infected by some malware and is trying to contact malicious sites using DNS server. Using DNS policies now the administrators can block such subnets from using DNS server for any name resolution.

 

Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru

Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyMalicious06" -Action IGNORE -ClientSubnet  "EQ,MaliciousSubnet06" -PassThru

 Explore Add-DnsServerQueryResolutionPolicy

 

The subnet criteria can be used with the FQDN criteria in the first example to block  queries for certain malicious domains from infected subnets

Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyMalicious06" -Action IGNORE -ClientSubnet  "EQ,MaliciousSubnet06" –FQDN “EQ,*.contosomalicious.com” -PassThru

 

Block a type of query

The DNS administrators may need to block name resolution for certain type of queries on their servers. One such example is the ‘ANY’ query which has been many times abused to created amplification attacks.

 
Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyQType" 
-Action IGNORE -QType "EQ,ANY" -PassThru

  Explore Add-DnsServerQueryResolutionPolicy

 

Just the way DNS policies can be used to block queries based on certain criteria, they can also be used to white list certain domains or subnets. In case of white lists, the DNS server will process only those queries and ignore everything else

 

Allow queries only for a domain

For example if only certain domain name resolution are allowed to query a DNS server.

Add-DnsServerQueryResolutionPolicy -Name "WhitelistPolicy" -Action IGNORE -FQDN "NE,*.contoso.com" -PassThru

 Explore Add-DnsServerQueryResolutionPolicy

Note the use of “NE” in the FQDN parameter. It means that all queries NOT EQUAL TO *.contoso.com will be ignored by the DNS server.

 

Allow queries only from a subnet

Similarly white lists can be created on the IP subnets, such that all queries not originating from these subnets are ignored

 

Add-DnsServerClientSubnet -Name "AllowedSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru

Add-DnsServerQueryResolutionPolicy -Name "WhitelistAllowedSubnet” -Action IGNORE -ClientSubnet  "NE, AllowedSubnet06" -PassThru

 Explore Add-DnsServerQueryResolutionPolicy

 

Allow only certain QTypes

The white lists can also be applied to QTYPEs. Take a scenario where for external customers coming on server interface 164.8.1.1 only certain QTYPEs are allowed to be queried, while there are other QTYPEs like SRV or TXT records which are used by internal servers for name resolution or for monitoring purposes

 

Add-DnsServerQueryResolutionPolicy -Name "WhiteListQType" -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" –ServerInterface “EQ,164.8.1.1” -PassThru

 Explore Add-DnsServerQueryResolutionPolicy

 

Call to Action:

Now that you have learnt about deploying DNS query filters using DNS policies in Windows DNS vNext, we request you to try the feature and let us know your feedback. Also tell us how you plan to use such filters in your environment. Use the comment box below or mail us at dns_microsoft@outlook.com

 

Also See

Geo-Location Based Traffic Management Using DNS Policies

Split-Brain DNS Deployment Using Windows DNS Server Policies