Add-DnsServerQueryResolutionPolicy
Add-DnsServerQueryResolutionPolicy
Adds a policy for query resolution to a DNS server.
構文
Parameter Set: InputObject
Add-DnsServerQueryResolutionPolicy [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-ZoneName <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]
Parameter Set: Server
Add-DnsServerQueryResolutionPolicy [-Name] <String> [[-Action] <String> {ALLOW | DENY | IGNORE} ] [[-Condition] <String> {AND | OR} ] [-ApplyOnRecursion] [-CimSession <CimSession[]> ] [-ClientSubnet <String> ] [-ComputerName <String> ] [-Disable] [-Fqdn <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-InternetProtocol <String> ] [-PassThru] [-ProcessingOrder <UInt32> ] [-QType <String> ] [-RecursionScope <String> ] [-ServerInterfaceIP <String> ] [-ThrottleLimit <Int32> ] [-TimeOfDay <String> ] [-TransportProtocol <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]
Parameter Set: Zone
Add-DnsServerQueryResolutionPolicy [-Name] <String> [-ZoneName] <String> [[-Action] <String> {ALLOW | DENY | IGNORE} ] [[-Condition] <String> {AND | OR} ] [-CimSession <CimSession[]> ] [-ClientSubnet <String> ] [-ComputerName <String> ] [-Disable] [-Fqdn <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-InternetProtocol <String> ] [-PassThru] [-ProcessingOrder <UInt32> ] [-QType <String> ] [-ServerInterfaceIP <String> ] [-ThrottleLimit <Int32> ] [-TimeOfDay <String> ] [-TransportProtocol <String> ] [-ZoneScope <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]
詳細説明
The Add-DnsServerQueryResolutionPolicy cmdlet adds a policy for query resolution to a Domain Name System (DNS) server. A policy determines the resolution of queries based on criteria that you specify in the policy.
A policy consists of criteria, action, and scopes.
The criteria are a logical combination of client subnet, server interface IP address, fully qualified domain name (FQDN), Internet Protocol (IPv4/IPv6), transport protocol (UDP/TCP), time of day, and query type.
Specify criteria in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.
The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd).
This cmdlet combines multiple criteria by using the value of the Condition parameter as the logical operator. This parameter takes one of the following values:
-- OR. The policy evaluates criteria as multiple assertions which are logically combined (OR'd).
-- AND. The policy evaluates criteria as multiple assertions which are logically differenced (AND'd).
If a query meets the criteria of a policy, the action is the response that the policy requires. You can specify ALLOW, DENY, or IGNORE.
If you specify an action of ALLOW in a policy for a server that is authoritative for a query, the policy determines which zone scopes to use to respond to the query and in what ratio. If the answer for the query is cached, the policy determines which cache scopes to use and in what ratio. Otherwise, the policy determines which recursion scope to use.
You can create policies for query resolution at either the server level or the zone level. Server level policies apply on every query that comes to the DNS server. Zone level policies apply only on the queries that can be resolved from a zone hosted on the DNS server. Server level policies apply either on the incoming queries or on the recursive outgoing queries. On the incoming queries, server level policies can only DENY or IGNORE. The most common use for server level policies is to implement blocked or safe lists.
Recursion policies are a special class of server level policies. Recursion policies control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path. You can chose a value of DENY or IGNORE for recursion for a set of queries. Alternatively, you can choose a set of forwarders for a set of queries. To configure this behavior, specify a recursion scope in the recursion policies. You can use recursion policies to implement a Split-brain DNS configuration. In this configuration, the DNS server performs recursion for a set of clients for a query, while the DNS server does not perform recursion for other clients for that query.
Zone level policies apply to the zone in which you create them. Zone level policies apply only when that zone is found during the query lookup. You cannot create a zone level policy without a zone. If you remove a zone, that removal deletes the associated zone level policies. In a zone level policy, you can specify a value of DENY or IGNORE for a set of queries for records in a zone. Alternatively, if the action is Allow, zone level policies can decide which zone scopes to use to answer queries and in what ratio. One use of such zone level policies is application load balancing by means of DNS.
The DNS server applies server level policies first, except for recursion policies. Then, the DNS server applies zone level policies, and then recursion policies. Each policy has a precedence value. You can specify the precedence by using the ProcessingOrder parameter. The DNS server evaluates queries against policies in the order of precedence for each type of policy.
If the criteria of a server level policy match a query, and if the action is DENY, the DNS server returns SERV_FAIL. If the action is IGNORE, the DNS server drops the query. If the query does not match any server level policy, and if the server is authoritative for the zone for the query, the server evaluates the query with regard to the zone level policies.
If the criteria of a zone level policy in that zone match a query, and if the action is DENY, the server returns SERV_FAIL. If the action is IGNORE, the server drops the query. If the action is ALLOW, the DNS server responds to the query from one of the zone scopes specified in the policy. You can chose to distribute the responses from multiple zone scopes in a particular ratio.
For policy processing, the cache is treated as a zone. The DNS server repeats the process for zone level policies for the cache.
If the server is not authoritative for the zone for which the query has been received, and the response is not found in the cache or the specified cache scope, the DNS server matches the query against the server level recursion policies in order of their precedence. If the criteria of a recursion policy match a query and the action is DENY, the DNS server returns SERV_FAIL. If the action is IGNORE, the DNS server drops the query. If the action is ALLOW, the DNS server gets settings from the configured recursion scope. Based on those settings, the DNS server gets the response for the query by using recursion.
パラメーター
-Action<String>
Specifies the action to take if a query matches this policy. このパラメーターに指定できる値は、次のとおりです。
-- ALLOW.
-- DENY. Respond with SERV_FAIL.
-- IGNORE. Do not respond.
Aliases |
none |
必須/オプション |
false |
位置 |
4 |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-ApplyOnRecursion
Indicates that this policy is a server level recursion policy.
Recursion policies are special class of server level policies that control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path.
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-CimSession<CimSession[]>
リモート セッションまたはリモート コンピューターでコマンドレットを実行します。コンピューター名またはセッション オブジェクト (New-CimSession コマンドレットや Get-CimSession コマンドレットの出力など) を入力します。既定値は、ローカル コンピューター上の現在のセッションです。
Aliases |
Session |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-ClientSubnet<String>
Specifies the client subnet criterion. This is a client subnet from which the query was sent. For more information, see Add-DnsServerClientSubnet. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.
The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the subnet of the request matches one of the EQ values and does not match any of the NE values.
Example criterion: "EQ,NorthAmerica,Asia,NE,Europe"
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-ComputerName<String>
Specifies a remote DNS server. You can specify an IP address or any value that resolves to an IP address, such as an FQDN, host name, or NETBIOS name.
Aliases |
Cn |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-Condition<String>
Specifies how the policy treats multiple criteria. このパラメーターに指定できる値は、次のとおりです。
-- OR. The policy evaluates criteria as multiple assertions which are logically combined (OR'd).
-- AND. The policy evaluates criteria as multiple assertions which are logically differenced (AND'd).
The default value is AND.
Aliases |
none |
必須/オプション |
false |
位置 |
5 |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-Disable
Indicates that this cmdlet disables the policy. If you do not specify this parameter, the cmdlet creates the policy and enables it.
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-Fqdn<String>
Specifies the FQDN criterion. This is the FQDN of record in the query. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator a criterion.
The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the FQDN of the request matches one of the EQ values and does not match any of the NE values. You can include the asterisk (*) as the wildcard character. For example, EQ,*.contoso.com,NE,*.fabricam.com.
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-InformationAction<System.Management.Automation.ActionPreference>
Specifies how this cmdlet responds to an information event. このパラメーターに指定できる値は、次のとおりです。
-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend
Aliases |
infa |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-InformationVariable<System.String>
Specifies a variable in which to store an information event message.
Aliases |
iv |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-InternetProtocol<String>
Specifies the Internet Protocol criterion. This is the IP version of the query. Valid values are: IPv4 and IPv6. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.
The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the IP address of the request matches one of the EQ values and does not match any of the NE values.
Example criteria: "EQ,IPv4" and "EQ,IPv6"
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-Name<String>
Specifies a name for the new policy.
Aliases |
none |
必須/オプション |
true |
位置 |
2 |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-PassThru
作業中の項目を表すオブジェクトを返します。既定では、このコマンドレットから出力は生成されません。
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-ProcessingOrder<UInt32>
Specifies the precedence of the policy. Higher integer values have lower precedence. By default, this cmdlet adds a new policy as the lowest precedence.
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-QType<String>
Specifies the query type criterion. This is the type of record that is being queried. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.
The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the type of query of the request matches one of the EQ values and does not match any of the NE values.
Example criterion: "EQ,TXT,SRV,NE,MX"
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-RecursionScope<String>
Specifies the scope of recursion. If the policy is a recursion policy, and if a query matches it, the DNS server uses settings from this scope to perform recursion for the query.
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-ServerInterfaceIP<String>
Specifies the IP address of the server interface on which the DNS server listens. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in the criterion.
The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the IP address of the interface matches one of the EQ values and does not match any of the NE values.
Example criteria: "EQ,10.0.0.1" and "NE,192.168.1.1"
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-ThrottleLimit<Int32>
コマンドレットを実行する際に確立できる同時実行操作の最大数を指定します。このパラメーターを省略するか、値 0 を入力した場合、コンピューター上で実行されている CIM コマンドレットの数に基づいて、コマンドレットに最適なスロットル制限が Windows PowerShell® によって計算されます。スロットル制限は、セッションやコンピューターではなく、現在のコマンドレットにのみ適用されます。
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-TimeOfDay<String>
Specifies the time of day criterion. This is when the server receives the query. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in the criterion.
The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the time of day of the request matches one of the EQ values and does not match any of the NE values.
Example criterion: "EQ,10:00-12:00,22:00-23:00"
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-TransportProtocol<String>
Specifies the transport protocol criterion. This is the transport protocol of the query. Valid values are: TCP and UDP. Specify a criterion in the following format:
operator, value01, value02, . . . , operator, value03, value04, . . .
The operator is either EQ or NE. You can specify no more than one of each operator in the string.
The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the transport protocol of the request matches one of the EQ values and does not match any of the NE values.
Example criteria: "EQ,TCP" and "NE,UDP"
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-ZoneName<String>
Specifies the name of a DNS zone on which this cmdlet creates a zone level policy. The zone must exist on the DNS server.
Aliases |
none |
必須/オプション |
true |
位置 |
3 |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-ZoneScope<String>
Specifies a list of scopes and weights for the zone. Specify the value as a string in this format:
Scope01, Weight01; Scope02, Weight02;
Aliases |
none |
必須/オプション |
false |
位置 |
named |
既定値 |
none |
パイプライン入力の受け入れ |
true(ByPropertyName) |
ワイルドカード文字の受け入れ |
false |
-Confirm
コマンドレットを実行する前に確認メッセージを表示します。
必須/オプション |
false |
位置 |
named |
既定値 |
false |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
-WhatIf
コマンドレットが実行された場合に何が起きるのかを示します。コマンドレットは実行されません。
必須/オプション |
false |
位置 |
named |
既定値 |
false |
パイプライン入力の受け入れ |
false |
ワイルドカード文字の受け入れ |
false |
<CommonParameters>
このコマンドレットは共通のパラメーターをサポートしています(-Verbose、-Debug、-ErrorAction、-ErrorVariable、-OutBuffer、および -OutVariable)。詳細については、TechNet の「 「about_CommonParameters」 (https://go.microsoft.com/fwlink/p/?LinkID=113216) を参照してください。
<WorkflowParameters>
入力
入力型は、コマンドレットにパイプできるオブジェクトの型です。
出力
出力型は、コマンドレットが出力するオブジェクトの型です。
- Microsoft.Management.Infrastructure.CimInstance#DnsServerPolicy
使用例
Example 1: Create traffic management policies
This example shows how to create traffic management policies to direct the customers from a certain subnet to a North American datacenter and from another subnet to a European datacenter.
The first two commands create client subnets by using the Add-DnsServerClientSubnet cmdlet. The client subnets are for clients in North America and clients in Europe.
PS C:\> Add-DnsServerClientSubnet -Name "NorthAmericaSubnet" -IPv4Subnet "172.21.33.0/24" -PassThru
PS C:\> Add-DnsServerClientSubnet -Name "EuropeSubnet" -IPv4Subnet "172.17.44.0/24" -PassThru
The next two commands create zone scopes for North America and for Europe by using the Add-DnsServerZoneScope cmdlet.
PS C:\> Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "NorthAmericaZoneScope" -PassThru
PS C:\> Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "EuropeZoneScope" -PassThru
The next two commands add resource records for the zone Contoso.com by using the Add-DnsServerResourceRecord cmdlet. The name for both records is the same, career, but the two records point to different addresses. The records also have different scopes.
PS C:\> Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "career" -IPv4Address "172.17.97.97" -ZoneScope "EuropeZoneScope -PassThru
PS C:\> Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "career" -IPv4Address "172.21.21.21" -ZoneScope "NorthAmericaZoneScope" -PassThru
The final two commands create two policies. The policies allow queries for members of different subnets. The policies differ in scope, so that some clients receive one response to a query, while other clients receive a different response to the same query.
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "NorthAmericaPolicy" -Action ALLOW -ClientSubnet "eq,NorthAmericaSubnet" -ZoneScope "NorthAmericaZoneScope,1" -ZoneName "Contoso.com" -PassThru
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "EuropePolicy" -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1" -ZoneName contoso.com -PassThru
Example 2: Allow queries for a zone
This command creates a policy named LBPolicy to allow queries for the contoso.com zone. The policy includes two weighted zone scopes.
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "LBPolicy" -ZoneName "contoso.com" -Action ALLOW -FQDN "EQ,career.contoso.com" -ZoneScope "NorthAmericaZoneScope,7;EuropeZoneScope,3" -PassThru
Example 3: Add policies from one server to another
The first command gets all the server level policies on the DNS server named Server01, and then stores the properties in the $Policies variable.
The second command adds the policies stored in $Policies to a different DNS server. This command specifies a value of one (1) for the ThrottleLimit parameter. This value maintains the order of processing policies in the pipeline.
PS C:\> $Policies = Get-DnsServerQueryResolutionPolicy -ComputerName "Server01"
PS C:\> $Policies | Add-DnsServerQueryResolutionPolicy -ComputerName "Server07" –ThrottleLimit 1
Example 4: Block queries for a domain
This command creates a policy that blocks queries from a particular domain. The command uses the Format-List cmdlet to control the appearance of the output. For more information, type Get-Help Format-List.
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicy" -Action IGNORE -FQDN "EQ,*.contoso.com" -PassThru | Format-List *
Example 5: Block queries from a subnet
The first command creates a client subnet named MaliciousSubnet06.
The second command creates a policy to block queries from the subnet named MaliciousSubnet06. The policy takes an action of IGNORE, which drops those queries.
PS C:\> Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -PassThru | Format-List *
Example 6: Block a type of query
This command creates a policy to block queries for a particular query type. The policy drops ANY query.
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyQType" -Action IGNORE -QType "EQ,ANY" -PassThru | Format-List *
Example 7: Allow recursion for internal clients
The first command creates a recursion scope called InternalClients. Recursion is enabled for this scope.
The second command modifies the default recursion scope by using the Set-DnsServerRecursionScope cmdlet. The default scope, identified by a dot (.), has recursion disabled.
The final command creates a policy that uses the InternalClients scope. For that scope, on the specified server interface address, the policy allows recursion.
PS C:\> Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True
PS C:\> Set-DnsServerRecursionScope -Name . -EnableRecursion $False
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,10.0.0.34" -PassThru
関連項目
Get-DnsServerQueryResolutionPolicy
Remove-DnsServerQueryResolutionPolicy