
Windows Server 2016: Apply Filters on DNS Queries


In today’s Ask the Admin, I’ll show you how to use DNS Policy in Windows Server 2016 to apply filters to DNS queries.

DNS Policies are a new feature in Windows Server 2016 that allow administrators to determine how DNS servers respond to client queries, based on several factors, including the client’s location, the time of day, transport protocol, etc. In Network Traffic Management Using DNS Policies in Windows Server 2016 on the Petri IT Knowledgebase, I introduced the concept of DNS Policy and how to use policies to manage network traffic.


In this article, I’ll show you how to create a DNS Policy that applies filters to DNS queries, creating blackholes for malicious domains, or whitelists that restrict clients to resolving a predefined list of domain names.

Server and Zone-Level Filters

Before we start, it’s worth mentioning that policies can be set at the DNS server or zone level. For the purposes of this article, I’ll set all the policies at server level, but if you need more granular control, you can modify the command lines below to apply zone-level filters. Just add the -ZoneName parameter to specify the DNS zone name to which the policy should apply.

Create a Policy to Block a Malicious DNS Zone

Log in to Windows Server 2016 with an account that has DNS administrator permissions and open a PowerShell prompt. The policy below will create a filter that blocks resolution of the malware.com domain. Note the use of IGNORE for the -Action parameter, which makes the server drop matching queries without sending any response, and EQ, a logical operator that means equals.

Other operators, such as NE (Not Equals) and OR, can also be used with Add-DnsServerQueryResolutionPolicy, but each parameter has different rules about which logical operators can be used. To get more information, run Get-Help Add-DnsServerQueryResolutionPolicy -Full.

Add-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' -Action IGNORE -FQDN "EQ,*.malware.com"

Create a DNS Policy Filter in Windows Server 2016 (Image Credit: Russell Smith)

Once the command has run, DNS clients will no longer be able to resolve domain names in the malware.com domain and its subdomains. Don’t forget that if your DNS clients have cached previous queries for malware.com, you’ll need to run ipconfig /flushdns to clear the local cache.

Test a DNS filter (Image Credit: Russell Smith)

To get information about a policy, use the Get-DnsServerQueryResolutionPolicy cmdlet, as shown below:

Get-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' | Format-List *

Get information about an existing policy (Image Credit: Russell Smith)

Similarly, the Remove-DnsServerQueryResolutionPolicy cmdlet can be used to delete a policy completely:

Remove-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy'

It’s also possible to create allow policies that permit name resolution for one or more domains but block all others. To create an allow filter, just change the -Action parameter to ALLOW.

Now let’s create a more complex policy that blocks queries for malware.com from clients located in the contoso subnet. This requires two commands. The first, Add-DnsServerClientSubnet, defines a subnet on the DNS server. Then we use the Add-DnsServerQueryResolutionPolicy cmdlet as before, but add the -ClientSubnet parameter to specify that we’d like to block queries from a specific subnet.

Add-DnsServerClientSubnet -Name 'Contoso' -IPv4Subnet 192.168.2.0/24
Add-DnsServerQueryResolutionPolicy -Name 'BlockListPolicyContoso' -Action IGNORE -ClientSubnet "EQ,Contoso" -FQDN "EQ,*.malware.com"

Block queries from a client subnet (Image Credit: Russell Smith)

In this article, I showed you how to apply filters to control name queries to DNS servers using DNS Policies in Windows Server 2016.

Comments (1)

One response to “Windows Server 2016: Apply Filters on DNS Queries”

  1. Thank you for the Article.

     What if, say, we have 10/20 or more websites/destination to which we need to block DNS queries to? Can we create a list/csv file etc. to pass to this command.
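As an added example in response to the question above (this is not code from the article or from Microsoft), the script below builds a single IGNORE policy from a text file containing one domain per line, optionally scopes it to a client subnet created with Add-DnsServerClientSubnet, and then checks the result with Get-DnsServerQueryResolutionPolicy and a Resolve-DnsName probe. The file path, policy name and subnet name are placeholders. It assumes that the -FQDN criterion accepts several comma-separated values after the operator ("EQ,*.a.com,*.b.com") which are ORed together; confirm the exact syntax with Get-Help Add-DnsServerQueryResolutionPolicy -Full before relying on it.

```powershell
# Added example (not from the article): build one IGNORE policy from a
# text file of domains, optionally scoped to a named client subnet.
# Assumption: the FQDN criterion takes several comma-separated values
# after the operator ("EQ,*.a.com,*.b.com"), which are ORed together.
#Requires -Modules DnsServer

param(
    [string]$ListPath   = 'C:\DnsPolicy\blocklist.txt',  # placeholder path; one domain per line, '#' starts a comment
    [string]$PolicyName = 'BlockListPolicy',
    [string]$SubnetName = ''                              # e.g. 'Contoso', created with Add-DnsServerClientSubnet
)

# Read the list, drop comments and blank lines, keep only well-formed host names,
# and de-duplicate. @() keeps $domains an array even when only one line survives.
$domains = @(
    Get-Content -Path $ListPath |
        ForEach-Object { ($_ -split '#')[0].Trim().ToLowerInvariant() } |
        Where-Object { $_ -and $_ -match '^([a-z0-9-]+\.)+[a-z0-9-]+$' } |
        Sort-Object -Unique
)

if (-not $domains) { throw "No valid domains found in $ListPath" }

# "*.example.com" matches the domain and all of its subdomains; one criterion string covers every entry.
$fqdnCriteria = 'EQ,' + (($domains | ForEach-Object { "*.$_" }) -join ',')

$params = @{
    Name   = $PolicyName
    Action = 'IGNORE'    # drop matching queries without any response
    FQDN   = $fqdnCriteria
}
if ($SubnetName) { $params['ClientSubnet'] = "EQ,$SubnetName" }

# Replace an existing policy of the same name so the script can be re-run whenever the list changes.
if (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ErrorAction SilentlyContinue) {
    Remove-DnsServerQueryResolutionPolicy -Name $PolicyName -Force
}
Add-DnsServerQueryResolutionPolicy @params

# Show what was created, then probe the first listed name against this server.
Get-DnsServerQueryResolutionPolicy -Name $PolicyName |
    Format-List Name, Action, Criteria, ProcessingOrder, IsEnabled

$probe = "www.$($domains[0])"
try {
    Resolve-DnsName -Name $probe -Server 127.0.0.1 -DnsOnly -ErrorAction Stop | Out-Null
    Write-Warning "$probe still resolved; the policy may not apply to this client (check -ClientSubnet and the processing order)."
}
catch {
    Write-Host "$probe was not answered (IGNORE drops the query, so the lookup times out): $($_.Exception.Message)"
}
```

When a subnet name is supplied, the loopback probe at the end will not match the policy, because 127.0.0.1 is not in the subnet; in that case test from a client inside the subnet instead, and remember to run ipconfig /flushdns on the client first, as the article notes.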

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.