Tip of the Day: More Uses for Windows Server 2016 DNS Policies Selective Query Filtering

Shannon Gowen, March 23, 2017
https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/23/tip-of-the-day-more-uses-for-windows-server-2016-dns-policies-selective-query-filtering
Tags: totd, Robert Mitchell

Configuring DNS Policies

Because there is so much more to know, why not continue our exploration of this new, very exciting capability?

The final tip of the last series introduced policy elements, and provided a configuration walkthrough for a basic Location Aware Response use-case scenario, whereby the originating network of the query was used to trigger policies to provide a custom response. The outcome of that scenario was to direct clients to the resource closest to their own physical location. The closer the resource, the lower the RTT, the better the overall user experience!

Selective Query Filters

Today, let's look at another handy and much sought after use for DNS policies, the Selective Query Filter. Whereas the Location scenario was designed to return a response for a namespace for which the server was authoritative (i.e. it hosts zone data for the domain in question), selective filtering combines any of the available criteria (see the tip of 1/21 for a refresher) to provide filtering actions for all manner of non-authoritative queries. Some examples include:

- Block queries for known malicious domains
- Create DNS policy whitelists
- Block queries for specific record types
- Allow queries only for certain record types
- Block queries originating from a specific network(s)
- Allow queries only from certain networks

Let's look at some brief examples:

Block Queries for a Malicious Domain

Filtering policies can block name queries for domains that have been identified as malicious or that otherwise do not comply with the usage guidelines of the organization. The following filter uses the -FQDN criterion to block any query whose name ends in contosomalicious.com.

    Add-DnsServerQueryResolutionPolicy -Name FQDNBlockPolicy -Action IGNORE -FQDN "EQ,*.contosomalicious.com"

The IGNORE action signifies that all matching queries will be silently dropped: the server sends no response at all, so the client's resolver waits out its timeout and retries. If you would rather have the client fail fast, the DENY action answers immediately with a SERVFAIL response instead. (The criterion is quoted so that PowerShell does not split "EQ,*.contosomalicious.com" at the comma into a two-element array before the cmdlet sees it.)

Also, note the use of the wildcard * in the policy expression, making the policy effective for all contosomalicious.com records and child domains.
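
Here is an added example, not from the original post, that applies the blocking idea above to a constructed list of suffixes and then checks from the client side how IGNORE and DENY differ. The server name dns01.corp.contoso.com, the second suffix, the policy-name scheme and the use of -ProcessingOrder are assumptions made for illustration, not something the post itself specifies.

```powershell
# Added example, not from the original post. Assumptions: the DnsServer module is
# available, you have DNS admin rights on the server named in $DnsServer, and the
# blocklist below is a constructed stand-in for a real threat-intelligence feed.
#Requires -Modules DnsServer

$DnsServer = 'dns01.corp.contoso.com'      # assumption: a WS2016 DNS server

# Constructed sample blocklist: one suffix per entry, wildcard for child names.
$BlockList = @(
    '*.contosomalicious.com',
    '*.evil.example'
)

# IGNORE drops the query silently (the client waits out its timeout and retries).
# DENY answers at once with SERVFAIL, so the client fails fast. Pick one.
$Action = 'IGNORE'

# One policy per suffix. ProcessingOrder is set explicitly so these blocks are
# evaluated before any existing policies; the first policy that matches wins.
$order = 1
foreach ($suffix in $BlockList) {
    $policyName = 'Block' + ($suffix -replace '[^A-Za-z0-9]', '')
    Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $policyName `
        -Action $Action -Fqdn "EQ,$suffix" -ProcessingOrder $order
    $order++
}

# Review what is now in effect, in evaluation order.
Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Action, Condition, IsEnabled -AutoSize

# Client-side check: time each lookup so a silent drop (slow, timeout error) can be
# told apart from an explicit refusal (fast, server-failure error) or an answer.
function Test-NameAgainstPolicy {
    param([string]$Name, [string]$Server)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $r = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop
        $result = 'ANSWERED'
        $detail = ($r | Where-Object IPAddress | ForEach-Object IPAddress) -join ', '
    } catch {
        $result = 'BLOCKED'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Name = $Name; Result = $result; Detail = $detail; Ms = $sw.ElapsedMilliseconds }
}

Test-NameAgainstPolicy -Name 'www.contosomalicious.com' -Server $DnsServer   # under a blocked suffix
Test-NameAgainstPolicy -Name 'www.contoso.com'          -Server $DnsServer   # not covered by any block
```

Run the script on the DNS server or on a workstation with the RSAT DNS tools; the Ms column of the two probe results is what tells you whether a block is a silent drop or an explicit refusal, which matters when you are deciding how much resolver retry traffic a blackhole policy will generate.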
Configure a DNS FQDN Allowed List

Filtering policies can also be used to create whitelists, limiting query responses to a specified domain(s). The following filter only allows queries for resources in the contoso.com namespace. Again, the wildcard is used to signify both the top-level domain and child domain records.

    Add-DnsServerQueryResolutionPolicy -Name AllowedDomains -Action IGNORE -FQDN "NE,*.contoso.com"

Note the use of the IGNORE action with the NE (not equal) operator to essentially reverse the logic of the previous example.

I should also note that, if you wanted to use a filter of this sort on a zone for which the server was authoritative, you would not want to implement the expression exactly as written above, due to subtleties introduced by the policy evaluation process (which we will touch upon in an upcoming tip).

Block Specific Types of Queries

Filter policies can be used to block specific types of queries, such as the ANY query. Because an ANY response carries every record at a name, it is much larger than the request that triggered it, which is what makes ANY attractive to an evil-doer running reflection and amplification attacks. The following filter blocks the ANY query type.

    Add-DnsServerQueryResolutionPolicy -Name BlockedQType -Action IGNORE -QType "EQ,ANY"

You can substitute or add any of the other query types to this expression as needed, for example "EQ,A,AAAA,SRV,MX".

Allow Only Certain Query Types

By reversing the logic of the last example, a filter policy can be created to whitelist a set of record types. The following filter combines the -QType criterion with the -ServerInterfaceIP criterion to allow resolution of only A, AAAA, MX, NS, and SOA records for queries received on server interface 172.17.2.1. Criteria within one policy are combined with AND by default, so queries arriving on the server's other interfaces are not affected.

    Add-DnsServerQueryResolutionPolicy -Name WhiteListQType -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" -ServerInterfaceIP "EQ,172.17.2.1"
Allow Queries Only From Specific Subnets

Filter policies can be used to create allowed-list policies designed to ignore all queries but those originating from a specific subnet(s). The following filter only allows queries originating from the subnet identified by AllowedNetworks.

    Add-DnsServerClientSubnet -Name AllowedNetworks -IPv4Subnet 172.0.34.0/24
    Add-DnsServerQueryResolutionPolicy -Name AllowedListPolicy -Action IGNORE -ClientSubnet "NE,AllowedNetworks"

Note that this policy requires that a Client Subnet object be created first to identify the list of networks. For an enjoyable little exercise, consider how you might modify the logic in this expression to create a policy that blocks queries from a specified list of networks.

One Final Practical Example

Let me leave you with a final practical example. Consider a scenario where clients on a specific subnet have been found to be infected by malware and are flooding DNS servers with queries of questionable intent. In such an event, a DNS policy can be quickly created to block queries from the infected network, thus relieving the load on the DNS server.

First, identify the network address on which the unfortunate clients reside and create the required subnet object, then the policy that references it.

    Add-DnsServerClientSubnet -Name InfectedClients -IPv4Subnet 172.0.33.0/24
    Add-DnsServerQueryResolutionPolicy -Name BlackholeInfectedClients -Action IGNORE -ClientSubnet "EQ,InfectedClients"

Now let's suppose that, as helpdesk engineers work tirelessly to clean the impacted systems, your crack DNS administrative team determines that the queries are all for the same namespace, contosomalicious.com. A very quick modification to the policy using the Set- version of the command allows you to append a criterion, adding the -FQDN parameter to ease the restriction so that legitimate queries from the quarantined network are not blocked. Because a policy's criteria are combined with AND by default, a query is now dropped only if it both comes from InfectedClients and asks for a name under contosomalicious.com.

    Set-DnsServerQueryResolutionPolicy -Name BlackholeInfectedClients -FQDN "EQ,*.contosomalicious.com"
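
The quarantine procedure above, as an added example that is not part of the original post: it performs the same steps but makes the processing order and the AND condition explicit, reads the policy back to confirm that both criteria are present before anyone relies on it, and shows the cleanup. The server name, and the CriteriaType values 'ClientSubnet' and 'Fqdn' that Test-PolicyIsScoped looks for, are assumptions to verify against your own server.

```powershell
# Added example, not from the original post. Assumptions: DNS admin rights on
# $DnsServer, and that Get-DnsServerQueryResolutionPolicy reports each criterion
# with a CriteriaType of 'ClientSubnet' or 'Fqdn' (treat these property values as
# an assumption and confirm them on your server before trusting the check).
#Requires -Modules DnsServer

$DnsServer  = 'dns01.corp.contoso.com'    # assumption
$PolicyName = 'BlackholeInfectedClients'

# 1. Describe the quarantined network as a client-subnet object. 172.0.33.0/24 is
#    the post's example value; note that it is not an RFC 1918 private range.
Add-DnsServerClientSubnet -ComputerName $DnsServer -Name 'InfectedClients' -IPv4Subnet '172.0.33.0/24'

# 2. Blackhole everything from that network. ProcessingOrder 1 puts this ahead of
#    any existing policies; the first policy that matches a query wins.
Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $PolicyName `
    -Action IGNORE -ClientSubnet 'EQ,InfectedClients' -ProcessingOrder 1

# 3. Narrow the scope once the malicious namespace is known. Criteria within a
#    policy are combined with -Condition AND by default (made explicit here), so
#    a query is now dropped only if it comes from InfectedClients AND asks for a
#    name under contosomalicious.com; other lookups from those hosts work again.
Set-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $PolicyName `
    -Fqdn 'EQ,*.contosomalicious.com' -Condition AND

# 4. Read the policy back and confirm it is what you think it is.
function Test-PolicyIsScoped {
    param($Policy)
    $types = @($Policy.Criteria | ForEach-Object { $_.CriteriaType })
    (
        ($Policy.Action -eq 'Ignore') -and
        ($Policy.Condition -eq 'And') -and
        ($types -contains 'ClientSubnet') -and
        ($types -contains 'Fqdn')
    )
}

$p = Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $PolicyName
$p | Format-List Name, ProcessingOrder, IsEnabled, Action, Condition
$p.Criteria | Format-Table CriteriaType, Criteria -AutoSize
if (-not (Test-PolicyIsScoped $p)) {
    Write-Warning "$PolicyName is broader (or narrower) than intended; review its criteria."
}

# 5. Once the hosts are remediated, remove the policy first, then the subnet
#    object it references.
# Remove-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $PolicyName -Force
# Remove-DnsServerClientSubnet -ComputerName $DnsServer -Name 'InfectedClients' -Force
```

The read-back in step 4 is the part worth keeping in your runbook: a Set- call that silently replaced the subnet criterion instead of adding to it would turn a targeted quarantine into a server-wide block of contosomalicious.com, and nothing in the cmdlet's own output would tell you.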

Tags: Brian Caton, DNS, Windows Server 2016