Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can use this topic to learn how to configure DNS policy in Windows Server® 2016 to create query filters that are based on criteria that you supply.

Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and the DNS client that sends the query.

For example, you can configure DNS policy with a query filter Block List that blocks DNS queries from known malicious domains, which prevents DNS from responding to queries from these domains. Because no response is sent from the DNS server, the malicious domain member's DNS query times out.

Another example is to create a query filter Allow List that allows only a specific set of clients to resolve certain names.

You can create query filters with any logical combination (AND/OR/NOT) of the following criteria:

Client subnet: Used to verify the subnet from which the query was sent.
Server interface IP address: IP address of the network interface of the DNS server that received the DNS request.
FQDN: Fully Qualified Domain Name of the record in the query, with the possibility of using a wildcard.
Query type: Type of record being queried (A, SRV, TXT, etc.).

The following examples show you how to create filters for DNS policy that either block or allow DNS name resolution queries.

The example commands in this topic use the Windows PowerShell command Add-DnsServerQueryResolutionPolicy. For more information, see Add-DnsServerQueryResolutionPolicy.

Block queries from a domain

In some circumstances you might want to block DNS name resolution for domains that you have identified as malicious, or for domains that do not comply with the usage guidelines of your organization. You can block queries for such domains by using DNS policy.

The policy that you configure in this example is not created on any particular zone; instead you create a Server Level Policy that is applied to all zones configured on the DNS server. Server Level Policies are the first to be evaluated, and thus the first to be matched, when a query is received by the DNS server.

The following example command configures a Server Level Policy to block any queries for names under the specified domain suffix.

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicy" -Action IGNORE -FQDN "EQ,*." -PassThru

When you configure the Action parameter with the value IGNORE, the DNS server is configured to drop matching queries with no response at all. This causes the DNS client in the malicious domain to time out.

Block queries from a subnet

With this example, you can block queries from a subnet if it is found to be infected by malware and is trying to contact malicious sites using your DNS server.

Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru
Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -PassThru

The following example demonstrates how you can use the subnet criterion in combination with the FQDN criterion to block queries for certain malicious domains from infected subnets.

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -FQDN "EQ,*." -PassThru

Block a type of query

You might need to block name resolution for certain types of queries on your servers. For example, you can block the 'ANY' query, which can be used maliciously to create amplification attacks.

Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyQType" -Action IGNORE -QType "EQ,ANY" -PassThru

Allow queries only from a domain

You can use DNS policy not only to block queries but also to automatically approve queries from specific domains or subnets. When you configure Allow Lists, the DNS server only processes queries from allowed domains, while blocking all other queries from other domains.

The following example command allows only computers and devices in the specified domain and its child domains to query the DNS server.

Add-DnsServerQueryResolutionPolicy -Name "AllowListPolicyDomain" -Action IGNORE -FQDN "NE,*." -PassThru

Allow queries only from a subnet
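As an added example (not part of the original article), the following script builds the server-level filter set described above, combining the client subnet, FQDN and query type criteria with an explicit processing order, and then verifies both the configured order and the observable drop behaviour of an IGNORE match. The subnet name and range, the blocked domain and the DNS server name are constructed placeholders.

```powershell
# Added example, not from the original article. Builds the server-level
# block policies described above and verifies them. The subnet
# 192.0.2.0/24, the domain blocked.example and the server dns01.corp.example
# are constructed placeholders; substitute your own values.
$ErrorActionPreference = 'Stop'

# 1. Define the client subnet that the policies will reference (idempotent).
if (-not (Get-DnsServerClientSubnet -Name 'QuarantineSubnet' -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name 'QuarantineSubnet' -IPv4Subnet '192.0.2.0/24' | Out-Null
}

# 2. Server-level policies. A lower ProcessingOrder is evaluated first, so the
#    narrow "subnet AND domain" rule is matched before the broad QType rule.
$policies = @(
    @{ Name = 'BlockQuarantineToBlockedDomain'; Action = 'IGNORE'; ProcessingOrder = 1
       ClientSubnet = 'EQ,QuarantineSubnet'; FQDN = 'EQ,*.blocked.example'; Condition = 'AND' }
    @{ Name = 'BlockAnyQueryType'; Action = 'IGNORE'; ProcessingOrder = 2; QType = 'EQ,ANY' }
)
foreach ($p in $policies) {
    # Recreate rather than duplicate, so re-running the script is safe.
    if (Get-DnsServerQueryResolutionPolicy -Name $p.Name -ErrorAction SilentlyContinue) {
        Remove-DnsServerQueryResolutionPolicy -Name $p.Name -Force
    }
    Add-DnsServerQueryResolutionPolicy @p -PassThru |
        Select-Object Name, Action, ProcessingOrder, Condition
}

# 3. Confirm the evaluation order the server will actually use.
Get-DnsServerQueryResolutionPolicy | Sort-Object ProcessingOrder |
    Format-Table Name, Action, ProcessingOrder, IsEnabled -AutoSize

# 4. Behavioural check, run from a client inside QuarantineSubnet: an IGNORE
#    match returns nothing at all, so the lookup must time out rather than
#    answer or return NXDOMAIN. Any answer means the policy did not match.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    Resolve-DnsName -Name 'www.blocked.example' -Server 'dns01.corp.example' -DnsOnly
    Write-Warning 'Query was answered: the policy did not match this client or name.'
} catch {
    Write-Host ("Query dropped as expected after {0:N1}s: {1}" -f
        $sw.Elapsed.TotalSeconds, $_.Exception.Message)
}
```

Run steps 1 to 3 on the DNS server with the DnsServer module and step 4 from a client in the quarantined subnet; a client outside that subnet should still receive an answer for the same name.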