I think I have half of the answer, but need help with the final steps...
I'm trying to configure our Windows 2016 DNS servers to respond as recursive servers for clients on our internal subnets, but only respond to requests for our domain from clients on external subnets.
I got this mostly working with the following (network numbers changed)
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "Internal" -EnableRecursion $true -Forwarder X.X.X.X,Y.Y.Y.Y
Add-DnsServerClientSubnet -Name "10.1" -IPv4Subnet 10.1.0.0/16 -PassThru
Add-DnsServerClientSubnet -Name "172.20" -IPv4Subnet 172.20.0.0/16 -PassThru
Add-DnsServerClientSubnet -Name "172.21" -IPv4Subnet 172.21.0.0/16 -PassThru
Add-DnsServerClientSubnet -Name LoopBackSubnet -IPv4Subnet 127.0.0.0/8 -IPv6Subnet ::1/128
# Each policy maps one named client subnet onto the "Internal" recursion scope
Add-DnsServerQueryResolutionPolicy -Name "Allow10.1" -Action ALLOW -ApplyOnRecursion -RecursionScope "Internal" -ClientSubnet "EQ,10.1" -PassThru
Add-DnsServerQueryResolutionPolicy -Name "Allow172.20" -Action ALLOW -ApplyOnRecursion -RecursionScope "Internal" -ClientSubnet "EQ,172.20" -PassThru
Add-DnsServerQueryResolutionPolicy -Name "Allow172.21" -Action ALLOW -ApplyOnRecursion -RecursionScope "Internal" -ClientSubnet "EQ,172.21" -PassThru
Add-DnsServerQueryResolutionPolicy -Name "AllowLocal" -Action ALLOW -ApplyOnRecursion -RecursionScope "Internal" -ClientSubnet "EQ,LoopBackSubnet" -PassThru
This has the desired effect of not performing recursive lookups if the client isn't on one of the defined subnets; however, the server will still respond to recursive lookups if the answer is in the cache.
I tried a different approach (removing the above policies first and re-enabling recursive lookups on the default scope):
Set-DnsServerRecursionScope -Name . -EnableRecursion $true -Forwarder X.X.X.X,Y.Y.Y.Y
Add-DnsServerQueryResolutionPolicy -Name "DenyRecursion" -Action DENY -ClientSubnet "NE,10.1,172.20,172.21,LoopBackSubnet" -FQDN "NE,*.TESTDOMAIN.COM" -PassThru
This didn't do what I expected as neither internal nor external subnets are provided with a recursive answer.
Is there a way to disable using the cache with the first setup or can someone point out what I've missed in my second attempt so my internal subnets can use the DNS server as a 'full' (recursive) server but external clients can only query for hosts in my zone (and not see any cached answers)?
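The post's core concern is observable from the outside: does a client on a given subnet get a recursive (or cached) answer, or only authoritative data for the hosted zone? The following script is an added example, not part of the original post, that sends a raw DNS query with the RD bit set and decodes the reply header so you can compare what an internal host and an external host actually receive, including answers served from the cache. The server address 192.0.2.53 and the query names are placeholders; run it once from a machine on an internal subnet and once from an external one.

```powershell
# Added example (not from the original post): send a raw DNS query to $Server
# and report whether the reply carries the RA (Recursion Available) flag and
# how many answer records came back. Comparing runs from an internal-subnet
# host and an external-subnet host shows whether external clients still get
# recursive or cached data for names outside the hosted zone.
function Test-DnsRecursionExposure {
    param(
        [Parameter(Mandatory)][string]$Server,   # DNS server under test (placeholder in usage below)
        [Parameter(Mandatory)][string]$Name,     # name to query
        [int]$Port = 53,
        [int]$TimeoutMs = 3000
    )

    # --- build a minimal DNS query: 12-byte header + one question (type A, class IN) ---
    $id = Get-Random -Minimum 0 -Maximum 65535
    [byte[]]$header = @(
        ($id -shr 8), ($id -band 0xFF),   # transaction ID
        0x01, 0x00,                       # flags: RD=1, i.e. the client asks for recursion
        0x00, 0x01,                       # QDCOUNT = 1
        0x00, 0x00,                       # ANCOUNT
        0x00, 0x00,                       # NSCOUNT
        0x00, 0x00                        # ARCOUNT
    )
    $qname = [System.Collections.Generic.List[byte]]::new()
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $qname.Add([byte]$bytes.Length)   # length-prefixed label
        $qname.AddRange($bytes)
    }
    $qname.Add(0)                          # root label terminates the name
    [byte[]]$question = $qname.ToArray() + @(0x00, 0x01, 0x00, 0x01)   # QTYPE=A, QCLASS=IN
    [byte[]]$packet = $header + $question

    # --- send over UDP and wait for the reply ---
    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, $Port)
        [void]$udp.Send($packet, $packet.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        # No reply (timeout or ICMP refusal): report it rather than guessing
        return [pscustomobject]@{
            Server = $Server; Name = $Name; Replied = $false
            RecursionAvailable = $null; Authoritative = $null; RCode = $null; AnswerCount = 0
        }
    } finally {
        $udp.Dispose()
    }

    # --- decode the reply header: flags are bytes 2-3, ANCOUNT is bytes 6-7 ---
    $flags = ($reply[2] -shl 8) -bor $reply[3]
    [pscustomobject]@{
        Server             = $Server
        Name               = $Name
        Replied            = $true
        RecursionAvailable = [bool]($flags -band 0x0080)   # RA bit: server offers recursion to this client
        Authoritative      = [bool]($flags -band 0x0400)   # AA bit: answer comes from a hosted zone
        RCode              = $flags -band 0x000F           # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
        AnswerCount        = ($reply[6] -shl 8) -bor $reply[7]
    }
}

# Usage (server address and names are placeholders). From an external subnet the
# first query should show RecursionAvailable=$false and AnswerCount=0 if no
# recursive or cached data leaks; the second should still answer with Authoritative=$true.
Test-DnsRecursionExposure -Server 192.0.2.53 -Name 'www.example.net'
Test-DnsRecursionExposure -Server 192.0.2.53 -Name 'host.testdomain.com'
```

Querying the same external name twice, first from an internal host (which populates the cache) and then from an external one, makes the cache behaviour described in the post visible directly: a non-zero AnswerCount on the second query means the cached record was served regardless of the recursion policy.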