DNS resolution based on IP subnet using Get-DnsServerQueryResolutionPolicy

In this tutorial we use Add-DnsServerQueryResolutionPolicy (with Get-DnsServerQueryResolutionPolicy to verify the result) to make DNS resolution depend on the client's IP subnet, so that clients in each subnet get the answer from your DNS server that you intend them to.

Issue

Users in one Active Directory site of contoso.local need to resolve proxy.contoso.local to the proxy server at their site, while users in another Active Directory site of contoso.local need the same name to resolve to a different on-site proxy server with a different IP address.

All users need to be able to point their browsers and devices to proxy.contoso.local and be able to use the proxy at whichever site they are currently working from.

Solution

The solution to this issue is a four-stage approach:

  1. Add DNS client subnets
  2. Add DNS server zone scopes to the existing zone
  3. Add A records to each zone scope pointing to the IP address of the proxy at that site
  4. Add a query resolution policy per subnet so that the DNS server answers clients in a given IP subnet from the matching zone scope

Check domain health

First, before we go any further, we need to check that our Domain Controllers are healthy and replicating cleanly. Copy the script below into Notepad, save it as a .cmd file (for example replreport.cmd), run it from an elevated Command Prompt with the DC name (or * for every DC) as its only argument, and read through the replreport.txt it produces for any failures or errors. If you find any, correct them before moving on.

@echo off
rem Usage: replreport.cmd DCLIST
rem DCLIST is a DC name (DC01), an FQDN, or * for every DC in the forest.
rem The report is written to replreport.txt next to this script; stderr is
rem captured as well, so any repadmin error ends up in the report.
if "%~1"=="" (
    echo Usage: %~nx0 DCLIST    ^(for example %~nx0 DC01  or  %~nx0 *^)
    exit /b 1
)
set "REPORT=%~dp0replreport.txt"
echo.
echo Gathering Report for DCLIST = %1
echo.
echo Report for DCLIST = %1 > "%REPORT%"
echo. >> "%REPORT%"
echo Gathering Verbose Replication and Connections
echo Verbose Replication and Connections >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /showrepl %1 /all >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering Bridgeheads
echo Bridgeheads >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /bridgeheads %1 /verbose >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering ISTG
echo ISTG >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /istg %1 >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering DRS Calls
echo Outbound DRS Calls >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /showoutcalls %1 >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering Queue
echo Queue >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /queue %1 >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering KCC Failures
echo KCC Failures >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /failcache %1 >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering Trusts
echo Trusts >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /showtrust %1 >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Gathering Bind Info and Replication Flags
echo Bind Info and Replication Flags ^(repadmin /bind^) >> "%REPORT%"
echo. >> "%REPORT%"
repadmin /bind %1 >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo Done. Report written to "%REPORT%"
echo Search it for "FAIL", "error" and "Last attempt" lines that did not succeed before continuing.

Add DNS client subnets

Before you start, get the list of IP subnets assigned to each Active Directory site (the subnets under Sites and Services, or Get-ADReplicationSubnet -Filter * from the ActiveDirectory module) and note them down ready to input. Once you have them, continue below.

For me the two IP subnets and sites are –

  • 10.111.62.0/21 – Pontefract
  • 10.117.95.0/21 – Normanton

Note that neither of these is written on a /21 boundary: the /21 block containing 10.111.62.0 is 10.111.56.0/21, and the one containing 10.117.95.0 is 10.117.88.0/21. Use the network address of the block when you add the subnet so there is no ambiguity about which addresses it covers.

The commands I am going to run in a PowerShell Admin console are –

  • Add-DnsServerClientSubnet -Name "PontefractSubnet" -IPv4Subnet "10.111.62.0/21"
  • Add-DnsServerClientSubnet -Name "NormantonSubnet" -IPv4Subnet "10.117.95.0/21"

You will need to run these commands on all your DNS servers in contoso.local as they are specific to the DNS server and do not replicate.

To verify this has worked I can run the command below to list all client subnets defined on that DNS server.

  • Get-DnsServerClientSubnet

Add DNS server zone scopes to existing zone

Now I need to add a Zone scope to my existing DNS Zone contoso.local

The commands I am going to run in a PowerShell Admin console are –

  • Add-DnsServerZoneScope -ZoneName "contoso.local" -Name "PontefractZoneScope"
  • Add-DnsServerZoneScope -ZoneName "contoso.local" -Name "NormantonZoneScope"

To verify this has worked I can run the below command to get a list of all zone scopes in contoso.local

  • Get-DnsServerZoneScope -ZoneName contoso.local

Add Zone Scope resource A records

Now we have our IP subnets and Zone Scopes we can add our DNS Resource records to the Zone Scopes for clients in the Pontefract IP subnet to resolve proxy.contoso.local to 10.111.62.20 and clients in the Normanton IP subnet to resolve proxy.contoso.local to 10.117.95.20.

The commands I am going to run in a PowerShell Admin console are –

  • Add-DnsServerResourceRecord -ZoneName "contoso.local" -A -Name "proxy" -IPv4Address "10.111.62.20" -ZoneScope "PontefractZoneScope"
  • Add-DnsServerResourceRecord -ZoneName "contoso.local" -A -Name "proxy" -IPv4Address "10.117.95.20" -ZoneScope "NormantonZoneScope"

To verify this has worked I can run the commands below to list the resource records in the Pontefract zone scope and in the Normanton zone scope of the contoso.local zone. Note that Get-DnsServerResourceRecord without -ZoneScope only shows the zone's default scope, so these two proxy records will not appear in an ordinary listing of the zone.

  • Get-DnsServerResourceRecord -ZoneName "contoso.local" -ZoneScope PontefractZoneScope
  • Get-DnsServerResourceRecord -ZoneName "contoso.local" -ZoneScope NormantonZoneScope

Add a Query Resolution Policy

Nearly there, we now have our IP subnets, our zone scopes and our zone scope resource A records pointing to our two proxy servers.

Now we need to create two query resolution policies, one per subnet, so that a query for proxy.contoso.local from a client in either site is answered from that site's zone scope. The -ClientSubnet criterion matches on the source address of the query, and the ",1" after the zone scope name is its weight. A query that matches neither policy is answered from the zone's default scope, so keep (or add) a proxy record there if clients outside these two subnets also need the name to resolve.

  • Add-DnsServerQueryResolutionPolicy -Name "PontefractResolutionPolicy" -Action ALLOW -ClientSubnet "eq,PontefractSubnet" -ZoneScope "PontefractZoneScope,1" -ZoneName "contoso.local" -PassThru
  • Add-DnsServerQueryResolutionPolicy -Name "NormantonResolutionPolicy" -Action ALLOW -ClientSubnet "eq,NormantonSubnet" -ZoneScope "NormantonZoneScope,1" -ZoneName "contoso.local" -PassThru

To verify this has worked I can run the command below to list the policies on the contoso.local zone, including their processing order.

  • Get-DnsServerQueryResolutionPolicy -ZoneName contoso.local

Check it has worked from a client machine

From a client machine in the Pontefract IP subnet open a Command Prompt and run

nslookup proxy.contoso.local

You should get a DNS reply for proxy.contoso.local of 10.111.62.20; doing the same from the Normanton IP subnet should return 10.117.95.20. Make sure the client is actually querying one of the DNS servers you configured (nslookup prints the server it used at the top of its output) and that its source address really is in the subnet you expect: a client that reaches the DNS server through NAT or a VPN concentrator is matched on the translated address, not its own.
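Putting the four stages together, the PowerShell script below is an added example and not the original post's commands. It assumes the DnsServer module is available, that the account running it is a DNS administrator, and that $DnsServers (a hypothetical list) names every DNS server hosting contoso.local; the site names, subnets and proxy addresses are the ones used above, with the /21 blocks written on their network boundaries. Each stage checks before it adds, so the script can be re-run against every server without error, and it warns if the default zone scope has no proxy record, because clients that match neither policy are answered from the default scope.

```powershell
#Requires -Modules DnsServer
# Added example (not the original post's script). Assumptions: DnsServer module
# present, DNS admin rights, and $DnsServers listing every server for the zone.

$ZoneName   = 'contoso.local'
$RecordName = 'proxy'
$DnsServers = @('dc01.contoso.local', 'dc02.contoso.local')   # assumption: your DNS servers

# Site data from the tutorial; the /21 blocks are written on their network boundaries
# (10.111.62.0/21 is inside 10.111.56.0/21, 10.117.95.0/21 is inside 10.117.88.0/21).
$Sites = @(
    @{ Name = 'Pontefract'; Subnet = '10.111.56.0/21'; Proxy = '10.111.62.20' }
    @{ Name = 'Normanton';  Subnet = '10.117.88.0/21'; Proxy = '10.117.95.20' }
)

foreach ($Server in $DnsServers) {
    Write-Host "=== $Server ==="

    # The zone must already exist on this server before scopes can be added to it.
    if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $Server -ErrorAction SilentlyContinue)) {
        Write-Warning "$Server does not host $ZoneName, skipping"
        continue
    }

    foreach ($Site in $Sites) {
        $SubnetName = "$($Site.Name)Subnet"
        $ScopeName  = "$($Site.Name)ZoneScope"
        $PolicyName = "$($Site.Name)ResolutionPolicy"

        # 1. Client subnet: a per-server object that does not replicate, hence -ComputerName on every call.
        if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ComputerName $Server -ErrorAction SilentlyContinue)) {
            Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $Site.Subnet -ComputerName $Server
        }

        # 2. Zone scope inside the existing zone.
        if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName -ComputerName $Server -ErrorAction SilentlyContinue)) {
            Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName -ComputerName $Server
        }

        # 3. A record for the proxy inside that scope only; warn if a record exists but points elsewhere.
        $Existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -Name $RecordName `
                        -RRType A -ComputerName $Server -ErrorAction SilentlyContinue
        if (-not $Existing) {
            Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -A -Name $RecordName `
                -IPv4Address $Site.Proxy -ComputerName $Server
        }
        else {
            $Current = @($Existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
            if ($Current -notcontains $Site.Proxy) {
                Write-Warning "$Server/$ScopeName : $RecordName points at $($Current -join ', '), not $($Site.Proxy)"
            }
        }

        # 4. Policy: queries whose source address is in the site subnet are answered from that scope.
        if (-not (Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -Name $PolicyName -ComputerName $Server -ErrorAction SilentlyContinue)) {
            Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW -ClientSubnet "eq,$SubnetName" `
                -ZoneScope "$ScopeName,1" -ZoneName $ZoneName -ComputerName $Server
        }
    }

    # Clients outside both subnets (VPN, a third office) fall through to the default scope,
    # so the plain zone still needs a proxy record or they get NXDOMAIN.
    if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ComputerName $Server -ErrorAction SilentlyContinue)) {
        Write-Warning "$Server : no '$RecordName' A record in the default scope of $ZoneName; clients in other subnets will get NXDOMAIN"
    }
}

# Verification: the answer depends on the source address of the querying machine, so run this
# from a client in each subnet. -DnsOnly bypasses the local cache and hosts file.
Resolve-DnsName -Name "$RecordName.$ZoneName" -Type A -DnsOnly -Server $DnsServers[0] | Select-Object Name, IPAddress
```

Running the script once per change keeps all servers consistent, which matters here because a server that is missing a client subnet or policy silently falls back to the default scope and hands out whichever proxy address (if any) lives there.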
