Configuring DNS Conditional Forwarding and DNS Policies on Windows Server

In this article, we will look at two ways to set up conditional name resolution on a DNS server running Windows Server 2016/2019/2022: DNS conditional forwarding and DNS policies. These features allow you to configure conditional DNS name resolution based on the requested name, the client IP address or location, the time of day, and so on.

DNS conditional forwarding allows DNS queries for a particular domain to be forwarded to specific DNS servers. Conditional forwarders are typically used when you want fast name resolution between several private internal domains, or when you don't want DNS queries from your server to go out to the Internet. In this case, you create a rule on your DNS server that forwards queries for a specific domain zone (and ONLY that zone) to the specified DNS server.

How to configure DNS conditional forwarder on Windows Server?

Let's configure DNS conditional forwarding for a specific domain zone on Windows Server 2019. In this example, all DNS queries for a given zone should be forwarded to a particular DNS server.

  1. Open the DNS Management Console (dnsmgmt.msc);
  2. Expand your DNS server, right-click Conditional Forwarders and choose New Conditional Forwarder;
  3. Enter the FQDN of the domain for which you want to enable conditional forwarding in the DNS Domain field;
  4. Specify the IP address of the DNS server to which all queries for the specified namespace should be forwarded in the IP address of master server field;
  5. If you want to store the conditional forwarding rule on more than one DNS server, you can integrate it with AD: check the option Store this conditional forwarder in Active Directory;
  6. Configure the replication scope of the conditional forwarder (All DNS servers in this forest, All DNS servers in this domain, or All domain controllers in this domain).

Configure DNS Conditional Forwarding with PowerShell

You can create conditional forwarder rules for DNS zones using PowerShell. Use the Add-DnsServerConditionalForwarderZone cmdlet:

Add-DnsServerConditionalForwarderZone -Name -MasterServers, -ReplicationScope Forest

Run the following PowerShell script to list the DNS conditional forwarders on a specific server:

# Query the DNS server's WMI provider for all zones and keep only the conditional forwarders
$DNSServer = "DC01"
$Zones = Get-WMIObject -Computer $DNSServer -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
# In the MicrosoftDNS_Zone class, ZoneType 4 is a conditional forwarder zone
$Zones | Select-Object Name,MasterServers,DsIntegrated,ZoneType | Where-Object {$_.ZoneType -eq "4"} | Format-Table -AutoSize
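The same task end to end, as an added example that is not part of the original article: create a conditional forwarder for a partner domain, audit the forwarders present on the server, and verify that a name in that zone resolves through it. The server name, zone name and addresses are constructed placeholders.

```powershell
# Added example (not from the article): create a conditional forwarder on a DC
# and verify it. Server name, zone name and addresses are placeholders.
$DnsServer   = 'dc01'                        # placeholder DNS server / DC
$PartnerZone = 'partner.example'             # placeholder domain to forward
$PartnerDns  = @('192.0.2.53', '192.0.2.54') # placeholder master servers (TEST-NET-1)

# Only queries for $PartnerZone and its subdomains go to $PartnerDns; every
# other name still follows the server's normal forwarders or root hints.
$existing = Get-DnsServerZone -Name $PartnerZone -ComputerName $DnsServer -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerZone -MasterServers $PartnerDns `
        -ReplicationScope Forest -ComputerName $DnsServer -PassThru
}

# Review every conditional forwarder on the server. An unexpected entry here
# silently redirects a whole namespace, so this list is worth auditing regularly.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, MasterServers, IsDsIntegrated

# Resolve a name in the forwarded zone through this server; the answer should
# come from the partner's DNS servers, not from the Internet.
Resolve-DnsName -Name "www.$PartnerZone" -Server $DnsServer -Type A -DnsOnly
```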


Filter DNS queries with Windows Server DNS policies

Windows Server 2016 introduced DNS policies for the DNS Server role. DNS policies allow the DNS server to answer differently depending on the client's location (based on the IP address or subnet the query came from), the DNS server interface the query arrived on, the time of day, the type of record requested (A, CNAME, PTR, MX), and so on. DNS policies in Windows Server let you implement load balancing of DNS answers, DNS traffic filtering, geo-location based responses (by client IP address), and more complex scenarios.

You can create policies at the level of the DNS server or of a specific DNS zone. DNS policies in Windows Server can only be configured from the PowerShell command line.

Let's create a simple policy that returns a different response to a DNS query depending on the client's location. Suppose you want clients in each branch office to use the proxy server located at their own site.

You have created a GPO that configures proxy settings in the domain (the proxy FQDN will be set on all clients). However, clients in different offices need to resolve this FQDN differently in order to use their local proxy servers.

I have created three client subnets, one for each company branch:
Add-DnsServerClientSubnet -Name "BER_DNS_Subnet" -IPv4Subnet ""
Add-DnsServerClientSubnet -Name "HH_DNS_Subnet" -IPv4Subnet ""
Add-DnsServerClientSubnet -Name "MCH_DNS_Subnet" -IPv4Subnet ""

You will need to run these commands on every DC (DNS server) on which you want to enable the DNS policy. These settings are not replicated between DNS servers; they are stored locally in the DNS server's registry. You can target a specific server with the -ComputerName dc01 option.

List all client subnets defined on the DNS server:

Get-DnsServerClientSubnet

Now create a separate zone scope for each office inside the DNS zone:

Add-DnsServerZoneScope -ZoneName "" -Name "BERZoneScope"
Add-DnsServerZoneScope -ZoneName "" -Name "HHZoneScope"
Add-DnsServerZoneScope -ZoneName "" -Name "MCHZoneScope"

The following commands add three A records with the same name, pointing to different IP addresses, into the different zone scopes:

Add-DnsServerResourceRecord -ZoneName "" -A -Name proxy -IPv4Address "" -ZoneScope "BERZoneScope"
Add-DnsServerResourceRecord -ZoneName "" -A -Name proxy -IPv4Address "" -ZoneScope "HHZoneScope"
Add-DnsServerResourceRecord -ZoneName "" -A -Name proxy -IPv4Address "" -ZoneScope "MCHZoneScope"

You can list the DNS resource records in a zone scope using the command below:

Get-DnsServerResourceRecord -ZoneName "" -ZoneScope BERZoneScope


Then create DNS policies that tie the client subnets, zone scopes, and A records together:

Add-DnsServerQueryResolutionPolicy -Name BERResolutionPolicy -Action ALLOW -ClientSubnet "eq,BER_DNS_Subnet" -ZoneScope "BERZoneScope,1" -ZoneName -PassThru
Add-DnsServerQueryResolutionPolicy -Name HHResolutionPolicy -Action ALLOW -ClientSubnet "eq,HH_DNS_Subnet" -ZoneScope "HHZoneScope,1" -ZoneName -PassThru
Add-DnsServerQueryResolutionPolicy -Name MCHResolutionPolicy -Action ALLOW -ClientSubnet "eq,MCH_DNS_Subnet" -ZoneScope "MCHZoneScope,1" -ZoneName -PassThru

The following actions are available in DNS policies:

  • -Action ALLOW
  • -Action DENY
  • -Action IGNORE

You can use the following options in your DNS filters:

-InternetProtocol "EQ,IPv4,NE,IPv6"
-TransportProtocol "EQ,UDP,TCP"
-ServerInterfaceIP "EQ,"
-TimeOfDay "EQ,9:00-18:00"

You can display the list of DNS policies for a DNS zone on a server:

Get-DnsServerQueryResolutionPolicy -ZoneName


Now check that the DNS server returns a different proxy IP address for the same query when it is sent from devices in different offices:
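The whole per-branch procedure above (client subnets, zone scopes, A records, policies) in one script, as an added example that is not part of the original article, followed by the check described here. The zone name, server name, subnets and proxy addresses are constructed placeholders; the branch codes follow the article's naming.

```powershell
# Added example (not from the article): build the per-branch proxy answers from
# the steps above and verify them. All names and addresses are placeholders.
$ZoneName  = 'corp.example'        # placeholder zone hosted on this DNS server
$DnsServer = 'dc01.corp.example'   # placeholder DNS server / DC to configure
$Branches = @(
    @{ Code = 'BER'; Subnet = '10.1.0.0/16'; ProxyIP = '10.1.0.10' },
    @{ Code = 'HH';  Subnet = '10.2.0.0/16'; ProxyIP = '10.2.0.10' },
    @{ Code = 'MCH'; Subnet = '10.3.0.0/16'; ProxyIP = '10.3.0.10' }
)

foreach ($b in $Branches) {
    $subnet = "$($b.Code)_DNS_Subnet"
    $scope  = "$($b.Code)ZoneScope"
    # Subnets and policies live in each server's local registry (not replicated),
    # so the script targets the server explicitly and can be re-run per DC.
    if (-not (Get-DnsServerClientSubnet -Name $subnet -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $subnet -IPv4Subnet $b.Subnet -ComputerName $DnsServer
    }
    if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $scope -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ZoneName $ZoneName -Name $scope -ComputerName $DnsServer
    }
    # Same record name in every scope, different answer per branch
    if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $scope -Name proxy -RRType A -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $scope -A -Name proxy -IPv4Address $b.ProxyIP -ComputerName $DnsServer
    }
    # Policy: queries from this subnet are answered from this scope only
    Add-DnsServerQueryResolutionPolicy -Name "$($b.Code)ResolutionPolicy" -Action ALLOW `
        -ClientSubnet "eq,$subnet" -ZoneScope "$scope,1" -ZoneName $ZoneName -ComputerName $DnsServer -PassThru
}

# Check 1: policies are present and enabled in the expected processing order
Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $DnsServer |
    Format-Table Name, ProcessingOrder, IsEnabled, Action -AutoSize

# Check 2: run this on a client in each branch. The answer must match that branch's
# ProxyIP; if it does not, the query's source address did not fall into the expected
# subnet (NAT, VPN, or an intermediate forwarder/resolver masks the real client).
Resolve-DnsName -Name "proxy.$ZoneName" -Server $DnsServer -Type A -DnsOnly |
    Select-Object Name, IPAddress
```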


You can also prevent your DNS server from answering queries for a namespace (domain):

Add-DnsServerQueryResolutionPolicy -Name 'BlockDNSQuery' -Action IGNORE -FQDN "EQ,*"
