Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Windows Server 2019 / Configuring DNS Conditional Forwarding and DNS Policies on Windows Server

April 17, 2023

Configuring DNS Conditional Forwarding and DNS Policies on Windows Server

In this article, we will look at two ways to organize conditional name resolution in a DNS server on Windows Server 2016/2019/2022: DNS Conditional Forwarding and DNS Policies. These technologies allow you to configure conditional DNS name resolution based on the requested name, IP address, client location, time of day, etc.

Contents:
  • How to Configure DNS Conditional Forwarder on Windows Server?
  • Configure DNS Conditional Forwarding with PowerShell
  • Filter DNS Queries with the Windows Server DNS Policies

DNS Conditional Forwarding allows to forward DNS requests about a particular domain to specific DNS servers. Usually, Conditional Forwarders are used when you want to configure fast name resolution between multiple private internal domains, or if you do not want DNS requests from your server to be sent through the Internet. In this case, you can create a rule on your DNS server to forward DNS requests for a particular domain zone (only!!!) to a specified DNS server.

How to Configure DNS Conditional Forwarder on Windows Server?

Let’s try to configure DNS conditional forwarding for a specific domain zone on Windows Server 2019. For example, all DNS requests to corp.woshub.com zone should be forwarded to the DNS server 10.1.10.11.

  1. Open the DNS management console (dnsmgmt.msc);
  2. Expand your DNS server, right-click Conditional Forwarders, and select New Conditional Forwarder;
  3. Enter the FQDN of the domain for which you want to enable conditional forwarding in the DNS domain field;
  4. Specify the IP address of the DNS server to which all requests for the specified namespace should be forwarded in the IP addresses of the master servers field;Add a Conditional Forwarder in Windows Server DNS
  5. If you want to store a conditional forwarding rule on more than just this one DNS server, you can integrate it with AD. Check the option Store this conditional forwarder in Active Directory;
  6. Configure the conditional forwarding replication option (All DNS servers in this forest, All DNS servers in this domain, or All domain controllers in this domain). list conditional forwarding rules on DNS

Configure DNS Conditional Forwarding with PowerShell

You can create a Conditional Forwarder rule for a DNS zone using PowerShell. Use the Add-DnsServerConditionalForwarderZone cmdlet:

Add-DnsServerConditionalForwarderZone -Name dmz.woshub.com -MasterServers 192.168.1.11,192.168.101.11 -ReplicationScope Forest

Learn more about managing DNS servers using PowerShell.

Run the following PowerShell script to list DNS conditional forwarders on a specific server:

$DNSServer = "DC01"
$Zones = Get-WMIObject -Computer $DNSServer -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
$Zones | Select-Object Name,MasterServers,DsIntegrated,ZoneType | where {$_.ZoneType -eq "4"} | ft -AutoSize

Configure Windows Server DNS Conditional Forwarder with PowerShell

Filter DNS Queries with the Windows Server DNS Policies

Windows Server 2016 adds a DNS policy feature to the DNS server. DNS Policies allow you to configure the DNS server to return different responses to DNS queries depending on where you’re located (depending on the IP address or subnet from which the request was sent), the interface of the DNS server, the time of day, the type of record requested (A, CNAME, PTR, MX), etc. DNS policies in Windows Server allow you to implement load balancing, DNS traffic filtering, DNS record return based on geographic location (client IP address), and other complex scenarios.

You can create a policy at the level of a DNS server or a specific domain zone. The configuration of DNS policies in Windows Server can only be done from the PowerShell command line.

Let’s try to create a simple policy that returns a different response to a DNS query depending on the location of a client. Suppose you want clients in each branch to use their local proxy server on a site.

You have created a GPO to configure proxy settings in the domain (proxy.woshub.com will be specified on all clients). However, in order to use their local proxy server, clients from different offices need to resolve this FQDN differently.

I have created 3 subnets for company branches:
Add-DnsServerClientSubnet -Name "BER_DNS_Subnet" -IPv4Subnet "192.168.1.0/24"
Add-DnsServerClientSubnet -Name "HH_DNS_Subnet" -IPv4Subnet "192.168.11.0/24"
Add-DnsServerClientSubnet -Name "MCH_DNS_Subnet" -IPv4Subnet "192.168.21.0/24"

You must run these commands on all DCs that you want to enable the conditional DNS policy on. These settings are not replicated in DNS and are stored locally in the DNS server’s registry. You can specify a server name using the -ComputerName dc01 option.

List all available IP subnets on the DNS server:

Get-DnsServerClientSubnet

Get-DnsServerClientSubnet - DNS Resolution Based On IP Subnet on Windows Server

Now you need to create a separate DNS zone for each office:

Add-DnsServerZoneScope -ZoneName "woshub.com" -Name "BERZoneScope"
Add-DnsServerZoneScope -ZoneName "woshub.com" -Name "HHZoneScope"
Add-DnsServerZoneScope -ZoneName "woshub.com" -Name "MCHZoneScope"

The following commands will add 3 DNS records with the same name pointing to different IP addresses in different DNS zones:

Add-DnsServerResourceRecord -ZoneName "woshub.com" -A -Name proxy -IPv4Address "192.168.1.10" -ZoneScope "BERZoneScope"
Add-DnsServerResourceRecord -ZoneName "woshub.com" -A -Name proxy -IPv4Address "192.168.11.10" -ZoneScope "HHZoneScope"
Add-DnsServerResourceRecord -ZoneName "woshub.com" -A -Name proxy -IPv4Address "192.168.21.10" -ZoneScope "MCHZoneScope"

You can list all the DNS resource records in a zone using the command below:

Get-DnsServerResourceRecord -ZoneName "woshub.com" -ZoneScope BERZoneScope

Get-DnsServerResourceRecord

Then create DNS policies that bind IP subnets, DNS zones, and A records.

Add-DnsServerQueryResolutionPolicy -Name BERResolutionPolicy -Action ALLOW -ClientSubnet "eq,BER_DNS_Subnet" -ZoneScope "BERZoneScope,1" -ZoneName woshub.com –PassThru
Add-DnsServerQueryResolutionPolicy -Name HHResolutionPolicy -Action ALLOW -ClientSubnet "eq,HH_DNS_Subnet" -ZoneScope "HHZoneScope,1" -ZoneName woshub.com -PassThru
Add-DnsServerQueryResolutionPolicy -Name MCHResolutionPolicy -Action ALLOW -ClientSubnet "eq,MCH_DNS_Subnet" -ZoneScope "MCHZoneScope,1" -ZoneName woshub.com –PassThru

The following actions are available in the DNS policies:

  • -Action ALLOW
  • -Action DENY
  • -Action IGNORE

You can use the following options in your DNS filters:

-InternetProtocol "EQ,IPv4,NE,IPv6"
-TransportProtocol "EQ,UDP,TCP"
-ServerInterfaceIP "EQ,192.168.1.21"
-QType "EQ,A,AAAA,NE,PTR"
-TimeOfDay "EQ,9:00-18:00"

You can display a list of DNS policies for a DNS zone on the server:

Get-DnsServerQueryResolutionPolicy -ZoneName woshub.com

Get-DnsServerQueryResolutionPolicy - list DNS resolution policies

Now check that the DNS server returns different proxy IP addresses for the same request sent from devices in different offices:

nslookup proxy.woshub.com

You can prevent your DNS server from returning DNS addresses for a namespace (domain):

Add-DnsServerQueryResolutionPolicy -Name 'BlockDNSQuery' -Action IGNORE -FQDN "EQ,*.spamorg.org"

3 comments
8
Facebook Twitter Google + Pinterest
PowerShellWindows Server 2016Windows Server 2019
previous post
Running Simple HTTP Web Server Using PowerShell
next post
How to Integrate Security Updates into Windows Image (ISO/WIM)

Related Reading

How to Repair EFI/GPT Bootloader on Windows 10...

March 16, 2024

How to Restore Deleted EFI System Partition in...

March 11, 2024

How to Run Program without Admin Privileges and...

June 8, 2023

Fix: Remote Desktop Licensing Mode is not Configured

August 24, 2023

How to Install Remote Server Administration Tools (RSAT)...

March 17, 2024

Refresh AD Groups Membership without Reboot/Logoff

March 15, 2024

How to Find the Source of Account Lockouts...

March 12, 2024

Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

March 17, 2024

3 comments

mdx December 21, 2023 - 2:17 am

Hi!
Thank for article, it’s so helpful.
DNS Policy looks cool. But I notice one “undocumented feature”😃: if there are exist any DNS-records in Default Zone scope of woshub.com DNS-zone, client under resolution policy (for example clients from BER_DNS_Subnet which under policy BERResolutionPolicy) can’t resolve record from Default Zone scope of woshub.com DNS-zone. Did you face with it?

Reply
mdx April 17, 2024 - 5:17 pm

Adding this option (-Fqdn “eq,proxy.woshub.com”) fixed my problem.
Add-DnsServerQueryResolutionPolicy -Name BERResolutionPolicy -Action ALLOW -ClientSubnet “eq,BER_DNS_Subnet” -ZoneScope “BERZoneScope,1” -ZoneName woshub.com –PassThru -Fqdn “eq,proxy.woshub.com”
Add-DnsServerQueryResolutionPolicy -Name HHResolutionPolicy -Action ALLOW -ClientSubnet “eq,HH_DNS_Subnet” -ZoneScope “HHZoneScope,1” -ZoneName woshub.com -PassThru -Fqdn “eq,proxy.woshub.com”
Add-DnsServerQueryResolutionPolicy -Name MCHResolutionPolicy -Action ALLOW -ClientSubnet “eq,MCH_DNS_Subnet” -ZoneScope “MCHZoneScope,1” -ZoneName woshub.com –PassThru -Fqdn “eq,proxy.woshub.com”

Reply
Andreas July 1, 2024 - 1:19 pm

Thanks MDX!
I has the same issue.

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Install and Manage Windows Updates with PowerShell (PSWindowsUpdate)
  • How to Delete Old User Profiles in Windows
  • Fix: Remote Desktop Licensing Mode is not Configured
  • Configuring Port Forwarding in Windows
  • How to Install Remote Server Administration Tools (RSAT) on Windows
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • Adding Drivers into VMWare ESXi Installation Image
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top