Tip of the Day: How DNS Policies Work

Today’s Tip…

Yesterday’s tip introduced Windows Server 2016 DNS Policies and the many ways they can be used to provide custom handling for name queries.  In today’s tip, we take a closer look at some of the logical components used to build a policy expression and see how they work together to provide a custom response based on client criteria.

DNS Policy Processing Flow

DNS policy statements include a set of one or more evaluation criteria, an action (allow, deny, or ignore), and, when the action is allow, one or more distinct sets of zone records (each contained in a Zone Scope).

More on these objects later; for now, let’s consider an example of a client querying for the web resource ‘www.woodgrove.com’, whose zone has policies configured.

  1. An authoritative server receives the name query for ‘www.woodgrove.com’. If no policies had been configured for the Woodgrove zone, the query would be answered in the usual manner.
  2. With policies in place, the query is evaluated against the criteria of each policy, in order of policy precedence, until a match is found.
  3. After a match, further evaluation stops and the name query is handled according to the parameters of the matching statement, the first of which is the action.
    1. In the case of a deny action, the server responds with a failure.
    2. In the case of an ignore action, the query is silently dropped.
    3. In the case of an allow action, the answer returned depends on the policy’s settings.
  4. If the action is allow, a query response is provided according to the parameters specified by the -ZoneScope argument. These parameters can include one or more zone scopes and the ratio in which they are used.

Consider the following statement:

Add-DnsServerQueryResolutionPolicy -Name "AmericaPolicy" -Action ALLOW -ClientSubnet "eq,AmericaSubnet" -ZoneScope "AmericaZoneScope,4;EuropeZoneScope,1" -ZoneName "woodgrove.com"

In the example,

  1. A match occurs if a query is received whose source IP falls within the address range specified by the AmericaSubnet object.
  2. Since the action is allow, a response will be returned to the client per the parameters defined in the -ZoneScope argument. In this example, responses are returned using records from both AmericaZoneScope and EuropeZoneScope.
  3. Take note of the numerical values immediately following the scope names: 4 and 1. These values determine the ratio in which each scope is used when responding to queries. In this example, one answer will be returned from EuropeZoneScope for every four queries answered using AmericaZoneScope. In this way, load balancing can be provided between two datacenters using a 4:1 ratio.
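The following added example (not part of the tip) builds everything the statement above assumes before it can match anything: the client subnet object, the two zone scopes with their own ‘www’ records, the policy itself, and a check of what the server will evaluate. The zone is the tip’s woodgrove.com; the subnet, record addresses and DNS server address are constructed for illustration.

```powershell
# Assumed: an elevated PowerShell session on a Windows Server 2016 DNS server.
# All IP addresses below are constructed documentation-range examples.

# 1. The zone the policy applies to (skip if woodgrove.com already exists).
Add-DnsServerPrimaryZone -Name "woodgrove.com" -ZoneFile "woodgrove.com.dns"

# 2. The client-subnet object that the ClientSubnet criterion refers to by name.
Add-DnsServerClientSubnet -Name "AmericaSubnet" -IPv4Subnet "192.0.2.0/24"

# 3. Two zone scopes: independent record sets that live inside the same zone.
Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "AmericaZoneScope"
Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "EuropeZoneScope"

# 4. The same owner name gets a different answer in each scope (one address per datacenter).
Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -ZoneScope "AmericaZoneScope" `
    -A -Name "www" -IPv4Address "198.51.100.10"
Add-DnsServerResourceRecord -ZoneName "woodgrove.com" -ZoneScope "EuropeZoneScope" `
    -A -Name "www" -IPv4Address "203.0.113.10"

# 5. The policy from the tip, pinned to the front of the evaluation order so that no
#    earlier policy can match first. ALLOW hands the answer to the scopes in a 4:1 ratio.
Add-DnsServerQueryResolutionPolicy -Name "AmericaPolicy" -Action ALLOW `
    -ClientSubnet "eq,AmericaSubnet" `
    -ZoneScope "AmericaZoneScope,4;EuropeZoneScope,1" `
    -ZoneName "woodgrove.com" -ProcessingOrder 1

# 6. Check what the server will actually evaluate: order, criteria and scope content.
Get-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" |
    Format-List Name, ProcessingOrder, IsEnabled, Action, Criteria, Content

# 7. From a client inside 192.0.2.0/24, repeat the query and tally which scope answered.
#    Expect about four 198.51.100.10 answers per 203.0.113.10 (hypothetical server 192.0.2.53).
1..10 | ForEach-Object {
    Clear-DnsClientCache
    (Resolve-DnsName -Name "www.woodgrove.com" -Type A -Server "192.0.2.53" -DnsOnly).IPAddress
} | Group-Object | Select-Object Name, Count
```

Step 7 must run from a host whose source address falls inside AmericaSubnet; from anywhere else the policy does not match and the default scope of the zone answers.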

Still confused?  Hang in there until tomorrow’s tip, when we will deep-dive into the various criteria types and policy actions, and unravel the mystery of partitioning a namespace into Zone Scopes.