Configuring DNS Conditional Forwarding and DNS Policies on Windows Server | Ranjan.info

In this article, we will look at two ways to setup conditional name resolution in DNS Server on Windows Server 2016/2019/2022: dns conditional forwarding And dns policies, These technologies allow you to configure conditional DNS name resolution based on the requested name, IP address, client location, time of day, etc.

dns conditional forwarding Allows DNS requests about a particular domain to be forwarded to specific DNS servers. Typically, conditional forwarders are used when you want to configure fast name resolution between multiple private internal domains, or if you don’t want DNS requests from your server to be sent through the Internet. In this case, you can create a rule on your DNS server to forward DNS requests for a specific domain zone (ONLY!!!) to the specified DNS server.

How to configure DNS conditional forwarder on Windows Server?

Let’s try to configure DNS conditional forwarding for a specific domain zone on Windows Server 2019. For example, to make all DNS requests corp.woshub.com Zone should be forwarded to DNS server 10.1.10.11,

1. Open the DNS Management Console (dnsmgmt.msc,
2. Expand your DNS server, right-click conditional forwarderand choose new Conditional Forwarder;
3. Enter the FQDN of the domain for which you want to enable conditional forwarding dns domain Field;
4. Specify the IP address of the DNS server to which all requests for the specified namespace should be forwarded. IP address of master server Field;
5. If you want to store a conditional forwarding rule on more than just one DNS server, you can integrate it with AD. check option Store this conditional forwarder in Active Directory;
6. Configure conditional forwarding replication options (All DNS servers in this forest, All DNS servers in this domainOr All domain controllers in this domain,

Configure DNS Conditional Forwarding with PowerShell

You can create conditional forwarder rules for DNS zones using PowerShell. Use add-dns server conditional forwarder zone Cmdlet:

Add-DnsServerConditionalForwarderZone -Name dmz.woshub.com -MasterServers 192.168.1.11,192.168.101.11 -ReplicationScope Forest

Run the following PowerShell script to list the DNS conditional forwarders on a specific server:

$DNSServer = "DC01"
$Zones = Get-WMIObject -Computer $DNSServer -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
$Zones | Select-Object Name,MasterServers,DsIntegrated,ZoneType | where {$_.ZoneType -eq "4"} | ft -AutoSize

Filter DNS queries with Windows Server DNS policies

Windows Server 2016 Connects dns policy For convenience DNS servers. DNS policies allow you to configure the DNS server to specify where you are located (based on the IP address or subnet from which the request was sent), the interface of the DNS server, the time of day, the type of record requested (A , CNAME, PTR, MX), etc. DNS policies in Windows Server allow you to implement DNS record return based on load balancing, DNS traffic filtering, geographic location (client IP address), and more complex. landscape.

You can create policy at the level of DNS servers or a specific domain zone. Configuration of DNS policies in Windows Server can only be done from the PowerShell command line.

Let’s try to create a simple policy that returns a different response to a DNS query based on the location of the client. Let’s say you want customers in each branch to use your local proxy server at the site.

You have created a GPO to configure proxy settings in the domain (proxy.vshub.com will be specified on all customers). However, clients in different offices need to resolve this FQDN differently in order to use their local proxy servers.

I have created 3 subnets for company branches:
Add-DnsServerClientSubnet -Name "BER_DNS_Subnet" -IPv4Subnet "192.168.1.0/24"
Add-DnsServerClientSubnet -Name "HH_DNS_Subnet" -IPv4Subnet "192.168.11.0/24"
Add-DnsServerClientSubnet -Name "MCH_DNS_Subnet" -IPv4Subnet "192.168.21.0/24"

You will need to run these commands on all the DCs on which you want to enable the Conditional DNS policy. These settings are not replicated across DNS and are stored locally in the DNS server’s registry. You can specify a server name using -ComputerName dc01 Option.

List all available IP subnets on the DNS server:

Get-DnsServerClientSubnet

Now you need to create a separate DNS zone for each office:

Add-DnsServerZoneScope -ZoneName "woshub.com" -Name "BERZoneScope"
Add-DnsServerZoneScope -ZoneName "woshub.com" -Name "HHZoneScope"
Add-DnsServerZoneScope -ZoneName "woshub.com" -Name "MCHZoneScope"

The following command will add 3 DNS records with the same name pointing to different IP addresses in different DNS zones:

Add-DnsServerResourceRecord -ZoneName "woshub.com" -A -Name proxy -IPv4Address "192.168.1.10" -ZoneScope "BERZoneScope"
Add-DnsServerResourceRecord -ZoneName "woshub.com" -A -Name proxy -IPv4Address "192.168.11.10" -ZoneScope "HHZoneScope"
Add-DnsServerResourceRecord -ZoneName "woshub.com" -A -Name proxy -IPv4Address "192.168.21.10" -ZoneScope "MCHZoneScope"

Then create DNS policies that bind IP subnets, DNS zones, and A records.

Add-DnsServerQueryResolutionPolicy -Name BERResolutionPolicy -Action ALLOW -ClientSubnet "eq,BER_DNS_Subnet" -ZoneScope "BERZoneScope,1" -ZoneName woshub.com –PassThru
Add-DnsServerQueryResolutionPolicy -Name HHResolutionPolicy -Action ALLOW -ClientSubnet "eq,HH_DNS_Subnet" -ZoneScope "HHZoneScope,1" -ZoneName woshub.com -PassThru
Add-DnsServerQueryResolutionPolicy -Name MCHResolutionPolicy -Action ALLOW -ClientSubnet "eq,MCH_DNS_Subnet" -ZoneScope "MCHZoneScope,1" -ZoneName woshub.com –PassThru

You can display a list of DNS policies for a DNS zone on a server:

Get-DnsServerQueryResolutionPolicy -ZoneName woshub.com

Now check that the DNS server returns different proxy IP addresses for the same request sent from devices in different offices:

nslookup proxy.woshub.com

You can prevent your DNS server from returning DNS addresses for a namespace (domain):

Add-DnsServerQueryResolutionPolicy -Name 'BlockDNSQuery' -Action IGNORE -FQDN "EQ,*.spamorg.org"