DNS Policy is a new feature for DNS in Windows Server® 2016 allowing you to control how a DNS Server handles queries based on different parameters. For example, you may create a DNS policy to respond to queries with different IP addresses for a web server based on the query origin, assuring the client is directed to the closest datacenter.
DNS Query Resolution Policies can be used in different scenarios, including:
- Application high availability: DNS clients are redirected to the healthiest endpoint for a given application.
- Traffic Management: DNS clients are redirected to the closest datacenter.
- Split Brain DNS: DNS records are split into different Zone Scopes, and DNS clients receive a response based on whether they are internal or external clients.
- Query Filtering: DNS queries from a list of malicious IP addresses or FQDNs are blocked.
- Forensics: Malicious DNS clients are redirected to a sink hole instead of the computer they are trying to reach.
- Time of day based redirection: DNS clients can be redirected to datacenters based on the time of the day.
Two other policy types include:
- Recursion Policies: Controls how the DNS server performs recursion for a queries reaching the recursion path. For example, whether or not recursion is performed and, if so, to which forwarder to send the query.
- Zone Transfer Policies: Controls whether a zone transfer is allowed from your DNS server.
To create a policy supporting one of the scenarios described above, it is necessary to identify the criteria against which incoming queries will be evaluated, an action to be applied in the event of a match, and (in the case of an allow action) a unique group of zone records from which to respond. Created using Windows PowerShell, DNS policy expressions provide the logic, combining these objects to achieve a specific behavior.
In tomorrow’s tip we will dive a little deeper.