Tip of the Day: More Uses for Windows Server 2016 DNS Policies Sel... https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/23/tip-of-th...
The final tip of the last series introduced policy elements, and provided a configuration walkthrough for a basic Location Aware Response use-case scenario, whereby the originating network of the query was used to trigger policies to provide a custom response. The outcome of that scenario was to direct clients to the resource closest to their own physical location. The closer the resource, the lower the RTT, the better the overall user experience!

Selective Query Filters

Today, let's look at another handy and much sought-after use for DNS policies, the Selective Query Filter. Whereas the Location scenario was designed to return a response for a namespace for which the server was authoritative (e.g. it hosts zone data for the domain in question), selective filtering combines any of the available criteria (see the tip of 1/21 for a refresher) to provide filtering actions for all manner of non-authoritative queries. Some examples include:

- Block queries for known malicious domains
- Create DNS policy whitelists
- Block queries for specific record types
- Allow queries only for certain record types
- Block queries originating from a specific network(s)
- Allow queries only from certain networks
resolution of A, AAAA, MX, NS, & SOA records for queries received on server interface 172.17.2.1.

Add-DnsServerQueryResolutionPolicy -Name WhiteListQType -Action IGNORE `
    -QType "ne,A,AAAA,MX,NS,SOA" -ServerInterfaceIP "eq,172.17.2.1"

Allow Queries Only From Specific Subnets
Filter policies can be used to create an allowed-list policy that ignores all queries except those originating from a specific subnet or subnets. The following filter only allows queries originating from the subnet(s) identified by the Client Subnet object AllowedNetworks.
Note that this policy requires that a Client Subnet object be created to identify the list of networks. For an
enjoyable little exercise, consider how you might modify the logic in this expression to create a policy that
blocks queries for a specified list of networks.
Let me leave you with a final practical example. Consider a scenario where clients on a specific subnet
have been found to be infected by malware and are flooding DNS servers with queries of questionable
intent. In such an event, a DNS policy can be quickly created to block queries from the infected network,
thus relieving the load on the DNS server.
First, identify the network address on which the unfortunate clients reside and create the required subnet
object.
Now let's suppose that, as helpdesk engineers work tirelessly to clean the impacted systems, your crack DNS administrative team determines that the queries are all for the same namespace, contosomalicous.com. A very quick modification to the policy using the Set- version of the command allows you to append a criterion: adding the FQDN parameter eases the restriction so that legitimate queries from the quarantined network are not blocked.
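The quarantine procedure just described, written out end to end as an added example (this is not code from the original post). The address range 10.20.30.0/24, the subnet object name InfectedNet and the policy name QuarantineInfectedNet are assumed values; only contosomalicous.com comes from the tip.

```powershell
# Added example, not from the original post. Assumed values: the infected
# range 10.20.30.0/24, the Client Subnet object "InfectedNet" and the policy
# "QuarantineInfectedNet". Run in an elevated PowerShell session on the
# Windows Server 2016 DNS server.

# 1. Identify the network the unfortunate clients reside on and create the
#    Client Subnet object the policy will refer to.
Add-DnsServerClientSubnet -Name "InfectedNet" -IPv4Subnet "10.20.30.0/24"

# 2. IGNORE drops matching queries without any response, so every query
#    whose source address is inside that subnet stops costing the server
#    a lookup. (The allowed-list policy from the earlier section is the same
#    criterion with the NE operator against AllowedNetworks.)
Add-DnsServerQueryResolutionPolicy -Name "QuarantineInfectedNet" `
    -Action IGNORE -ClientSubnet "EQ,InfectedNet"

# 3. Once the DNS team determines that the flood is all for the
#    contosomalicous.com namespace, narrow the policy with Set-: with
#    -Condition AND a query is dropped only if it matches BOTH the subnet
#    and the FQDN, so legitimate lookups from the quarantined network
#    resolve normally again.
Set-DnsServerQueryResolutionPolicy -Name "QuarantineInfectedNet" `
    -Fqdn "EQ,contosomalicous.com,*.contosomalicous.com" -Condition AND

# 4. Verify the policy, its condition and the criteria now attached to it.
Get-DnsServerQueryResolutionPolicy -Name "QuarantineInfectedNet" |
    Select-Object Name, Action, Condition, IsEnabled, Criteria |
    Format-List

# Rollback once the impacted systems are cleaned:
# Remove-DnsServerQueryResolutionPolicy -Name "QuarantineInfectedNet" -Force
# Remove-DnsServerClientSubnet -Name "InfectedNet" -Force
```

Check the Criteria output after step 3 before relying on the policy: it should list both the ClientSubnet and Fqdn criteria, otherwise the broader step 2 block is still in force.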