Add-DnsServerQueryResolutionPolicy

Windows Server 2016 and Windows 10

업데이트 날짜: 2015년 9월

Add-DnsServerQueryResolutionPolicy

Adds a policy for query resolution to a DNS server.

구문

Parameter Set: InputObject
Add-DnsServerQueryResolutionPolicy [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-ZoneName <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: Server
Add-DnsServerQueryResolutionPolicy [-Name] <String> [[-Action] <String> {ALLOW | DENY | IGNORE} ] [[-Condition] <String> {AND | OR} ] [-ApplyOnRecursion] [-CimSession <CimSession[]> ] [-ClientSubnet <String> ] [-ComputerName <String> ] [-Disable] [-Fqdn <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-InternetProtocol <String> ] [-PassThru] [-ProcessingOrder <UInt32> ] [-QType <String> ] [-RecursionScope <String> ] [-ServerInterfaceIP <String> ] [-ThrottleLimit <Int32> ] [-TimeOfDay <String> ] [-TransportProtocol <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: Zone
Add-DnsServerQueryResolutionPolicy [-Name] <String> [-ZoneName] <String> [[-Action] <String> {ALLOW | DENY | IGNORE} ] [[-Condition] <String> {AND | OR} ] [-CimSession <CimSession[]> ] [-ClientSubnet <String> ] [-ComputerName <String> ] [-Disable] [-Fqdn <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-InternetProtocol <String> ] [-PassThru] [-ProcessingOrder <UInt32> ] [-QType <String> ] [-ServerInterfaceIP <String> ] [-ThrottleLimit <Int32> ] [-TimeOfDay <String> ] [-TransportProtocol <String> ] [-ZoneScope <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]




자세한 설명

The Add-DnsServerQueryResolutionPolicy cmdlet adds a policy for query resolution to a Domain Name System (DNS) server. A policy determines the resolution of queries based on criteria that you specify in the policy.

A policy consists of criteria, action, and scopes.

The criteria are a logical combination of client subnet, server interface IP address, fully qualified domain name (FQDN), Internet Protocol (IPv4/IPv6), transport protocol (UDP/TCP), time of day, and query type.

Specify criteria in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.

The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd).

This cmdlet combines multiple criteria by using the value of the Condition parameter as the logical operator. This parameter takes one of the following values:

-- OR. The policy evaluates criteria as multiple assertions which are logically combined (OR'd).
-- AND. The policy evaluates criteria as multiple assertions which are logically differenced (AND'd).

If a query meets the criteria of a policy, the action is the response that the policy requires. You can specify ALLOW, DENY, or IGNORE.

If you specify an action of ALLOW in a policy for a server that is authoritative for a query, the policy determines which zone scopes to use to respond to the query and in what ratio. If the answer for the query is cached, the policy determines which cache scopes to use and in what ratio. Otherwise, the policy determines which recursion scope to use.

You can create policies for query resolution at either the server level or the zone level. Server level policies apply on every query that comes to the DNS server. Zone level policies apply only on the queries that can be resolved from a zone hosted on the DNS server. Server level policies apply either on the incoming queries or on the recursive outgoing queries. On the incoming queries, server level policies can only DENY or IGNORE. The most common use for server level policies is to implement blocked or safe lists.

Recursion policies are a special class of server level policies. Recursion policies control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path. You can chose a value of DENY or IGNORE for recursion for a set of queries. Alternatively, you can choose a set of forwarders for a set of queries. To configure this behavior, specify a recursion scope in the recursion policies. You can use recursion policies to implement a Split-brain DNS configuration. In this configuration, the DNS server performs recursion for a set of clients for a query, while the DNS server does not perform recursion for other clients for that query.

Zone level policies apply to the zone in which you create them. Zone level policies apply only when that zone is found during the query lookup. You cannot create a zone level policy without a zone. If you remove a zone, that removal deletes the associated zone level policies. In a zone level policy, you can specify a value of DENY or IGNORE for a set of queries for records in a zone. Alternatively, if the action is Allow, zone level policies can decide which zone scopes to use to answer queries and in what ratio. One use of such zone level policies is application load balancing by means of DNS.

The DNS server applies server level policies first, except for recursion policies. Then, the DNS server applies zone level policies, and then recursion policies. Each policy has a precedence value. You can specify the precedence by using the ProcessingOrder parameter. The DNS server evaluates queries against policies in the order of precedence for each type of policy.

If the criteria of a server level policy match a query, and if the action is DENY, the DNS server returns SERV_FAIL. If the action is IGNORE, the DNS server drops the query. If the query does not match any server level policy, and if the server is authoritative for the zone for the query, the server evaluates the query with regard to the zone level policies.

If the criteria of a zone level policy in that zone match a query, and if the action is DENY, the server returns SERV_FAIL. If the action is IGNORE, the server drops the query. If the action is ALLOW, the DNS server responds to the query from one of the zone scopes specified in the policy. You can chose to distribute the responses from multiple zone scopes in a particular ratio.

For policy processing, the cache is treated as a zone. The DNS server repeats the process for zone level policies for the cache.

If the server is not authoritative for the zone for which the query has been received, and the response is not found in the cache or the specified cache scope, the DNS server matches the query against the server level recursion policies in order of their precedence. If the criteria of a recursion policy match a query and the action is DENY, the DNS server returns SERV_FAIL. If the action is IGNORE, the DNS server drops the query. If the action is ALLOW, the DNS server gets settings from the configured recursion scope. Based on those settings, the DNS server gets the response for the query by using recursion.

매개 변수

-Action<String>

Specifies the action to take if a query matches this policy. 이 매개 변수에 허용되는 값은 다음과 같습니다.

-- ALLOW.
-- DENY. Respond with SERV_FAIL.
-- IGNORE. Do not respond.


별칭

none

필수 여부

false

위치

4

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-ApplyOnRecursion

Indicates that this policy is a server level recursion policy.

Recursion policies are special class of server level policies that control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-CimSession<CimSession[]>

원격 세션이나 원격 컴퓨터에서 cmdlet을 실행합니다. 컴퓨터 이름이나 New-CimSession 또는 Get-CimSession cmdlet의 출력과 같은 세션 개체를 입력하세요. 기본값은 로컬 컴퓨터 상의 현재 세션입니다.


별칭

Session

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-ClientSubnet<String>

Specifies the client subnet criterion. This is a client subnet from which the query was sent. For more information, see Add-DnsServerClientSubnet. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.

The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the subnet of the request matches one of the EQ values and does not match any of the NE values.

Example criterion: "EQ,NorthAmerica,Asia,NE,Europe"


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-ComputerName<String>

Specifies a remote DNS server. You can specify an IP address or any value that resolves to an IP address, such as an FQDN, host name, or NETBIOS name.


별칭

Cn

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-Condition<String>

Specifies how the policy treats multiple criteria. 이 매개 변수에 허용되는 값은 다음과 같습니다.

-- OR. The policy evaluates criteria as multiple assertions which are logically combined (OR'd).
-- AND. The policy evaluates criteria as multiple assertions which are logically differenced (AND'd).

The default value is AND.


별칭

none

필수 여부

false

위치

5

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-Disable

Indicates that this cmdlet disables the policy. If you do not specify this parameter, the cmdlet creates the policy and enables it.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-Fqdn<String>

Specifies the FQDN criterion. This is the FQDN of record in the query. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator a criterion.

The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the FQDN of the request matches one of the EQ values and does not match any of the NE values. You can include the asterisk (*) as the wildcard character. For example, EQ,*.contoso.com,NE,*.fabricam.com.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-InformationAction<System.Management.Automation.ActionPreference>

Specifies how this cmdlet responds to an information event. 이 매개 변수에 허용되는 값은 다음과 같습니다.

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend


별칭

infa

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-InformationVariable<System.String>

Specifies a variable in which to store an information event message.


별칭

iv

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-InternetProtocol<String>

Specifies the Internet Protocol criterion. This is the IP version of the query. Valid values are: IPv4 and IPv6. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.

The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the IP address of the request matches one of the EQ values and does not match any of the NE values.

Example criteria: "EQ,IPv4" and "EQ,IPv6"


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-Name<String>

Specifies a name for the new policy.


별칭

none

필수 여부

true

위치

2

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-PassThru

작업 중인 항목을 나타내는 개체를 반환합니다. 기본적으로 이 cmdlet은 출력을 생성하지 않습니다.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-ProcessingOrder<UInt32>

Specifies the precedence of the policy. Higher integer values have lower precedence. By default, this cmdlet adds a new policy as the lowest precedence.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-QType<String>

Specifies the query type criterion. This is the type of record that is being queried. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.

The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the type of query of the request matches one of the EQ values and does not match any of the NE values.

Example criterion: "EQ,TXT,SRV,NE,MX"


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-RecursionScope<String>

Specifies the scope of recursion. If the policy is a recursion policy, and if a query matches it, the DNS server uses settings from this scope to perform recursion for the query.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-ServerInterfaceIP<String>

Specifies the IP address of the server interface on which the DNS server listens. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in the criterion.

The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the IP address of the interface matches one of the EQ values and does not match any of the NE values.

Example criteria: "EQ,10.0.0.1" and "NE,192.168.1.1"


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-ThrottleLimit<Int32>

Cmdlet을 실행하도록 설정할 수 있는 동시 작업의 최대 수를 지정합니다. 이 매개 변수를 생략하거나 값으로 0 을 입력하면 Windows PowerShell®은 컴퓨터에서 실행 중인 CIM cmdlet의 수에 따라 cmdlet에 대한 최적의 스로틀 제한을 계산합니다. 스로틀 제한은 현재 cmdlet에만 적용되고, 세션이나 컴퓨터에는 적용되지 않습니다.


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-TimeOfDay<String>

Specifies the time of day criterion. This is when the server receives the query. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in the criterion.

The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the time of day of the request matches one of the EQ values and does not match any of the NE values.

Example criterion: "EQ,10:00-12:00,22:00-23:00"


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-TransportProtocol<String>

Specifies the transport protocol criterion. This is the transport protocol of the query. Valid values are: TCP and UDP. Specify a criterion in the following format:

operator, value01, value02, . . . , operator, value03, value04, . . .

The operator is either EQ or NE. You can specify no more than one of each operator in the string.

The policy treats values the follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd). The criterion is satisfied if the transport protocol of the request matches one of the EQ values and does not match any of the NE values.

Example criteria: "EQ,TCP" and "NE,UDP"


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-ZoneName<String>

Specifies the name of a DNS zone on which this cmdlet creates a zone level policy. The zone must exist on the DNS server.


별칭

none

필수 여부

true

위치

3

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-ZoneScope<String>

Specifies a list of scopes and weights for the zone. Specify the value as a string in this format:

Scope01, Weight01; Scope02, Weight02;


별칭

none

필수 여부

false

위치

named

기본값

none

파이프라인 입력 허용 여부

true(ByPropertyName)

와일드카드 문자 허용 여부

false

-Confirm

cmdlet을 실행하기 전에 확인 메시지를 표시합니다.


필수 여부

false

위치

named

기본값

false

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

-WhatIf

cmdlet이 실행되는 경우 발생할 결과를 보여 줍니다. cmdlet은 실행되지 않습니다.


필수 여부

false

위치

named

기본값

false

파이프라인 입력 허용 여부

false

와일드카드 문자 허용 여부

false

<CommonParameters>

이 cmdlet은 -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, -OutVariable 등의 일반 매개 변수를 지원합니다. 자세한 내용은 TechNet의 about_CommonParameters(http://go.microsoft.com/fwlink/p/?LinkID=113216)

<WorkflowParameters>

입력

입력 형식은 cmdlet으로 파이프할 수 있는 개체의 형식입니다.

출력

출력 형식은 cmdlet 실행 시 출력되는 개체의 형식입니다.

  • Microsoft.Management.Infrastructure.CimInstance#DnsServerPolicy

Example 1: Create traffic management policies

This example shows how to create traffic management policies to direct the customers from a certain subnet to a North American datacenter and from another subnet to a European datacenter.


 

The first two commands create client subnets by using the Add-DnsServerClientSubnet cmdlet. The client subnets are for clients in North America and clients in Europe.


PS C:\> Add-DnsServerClientSubnet -Name "NorthAmericaSubnet" -IPv4Subnet "172.21.33.0/24" -PassThru
PS C:\> Add-DnsServerClientSubnet -Name "EuropeSubnet" -IPv4Subnet "172.17.44.0/24" -PassThru

 

The next two commands create zone scopes for North America and for Europe by using the Add-DnsServerZoneScope cmdlet.


PS C:\> Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "NorthAmericaZoneScope" -PassThru
PS C:\> Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "EuropeZoneScope" -PassThru

 

The next two commands add resource records for the zone Contoso.com by using the Add-DnsServerResourceRecord cmdlet. The name for both records is the same, career, but the two records point to different addresses. The records also have different scopes.


PS C:\> Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "career" -IPv4Address "172.17.97.97" -ZoneScope "EuropeZoneScope -PassThru
PS C:\> Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "career" -IPv4Address "172.21.21.21" -ZoneScope "NorthAmericaZoneScope" -PassThru

 

The final two commands create two policies. The policies allow queries for members of different subnets. The policies differ in scope, so that some clients receive one response to a query, while other clients receive a different response to the same query.


PS C:\> Add-DnsServerQueryResolutionPolicy -Name "NorthAmericaPolicy" -Action ALLOW -ClientSubnet "eq,NorthAmericaSubnet" -ZoneScope "NorthAmericaZoneScope,1" -ZoneName "Contoso.com" -PassThru
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "EuropePolicy" -Action ALLOW -ClientSubnet "eq,EuropeSubnet" -ZoneScope "EuropeZoneScope,1" -ZoneName contoso.com -PassThru

Example 2: Allow queries for a zone

This command creates a policy named LBPolicy to allow queries for the contoso.com zone. The policy includes two weighted zone scopes.


PS C:\> Add-DnsServerQueryResolutionPolicy -Name "LBPolicy" -ZoneName "contoso.com" -Action ALLOW -FQDN "EQ,career.contoso.com" -ZoneScope "NorthAmericaZoneScope,7;EuropeZoneScope,3" -PassThru

Example 3: Add policies from one server to another

The first command gets all the server level policies on the DNS server named Server01, and then stores the properties in the $Policies variable.

The second command adds the policies stored in $Policies to a different DNS server. This command specifies a value of one (1) for the ThrottleLimit parameter. This value maintains the order of processing policies in the pipeline.


PS C:\> $Policies = Get-DnsServerQueryResolutionPolicy -ComputerName "Server01"
PS C:\> $Policies | Add-DnsServerQueryResolutionPolicy -ComputerName "Server07" –ThrottleLimit 1

Example 4: Block queries for a domain

This command creates a policy that blocks queries from a particular domain. The command uses the Format-List cmdlet to control the appearance of the output. For more information, type Get-Help Format-List.


PS C:\> Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicy" -Action IGNORE -FQDN "EQ,*.contoso.com" -PassThru | Format-List *

Example 5: Block queries from a subnet

The first command creates a client subnet named MaliciousSubnet06.

The second command creates a policy to block queries from the subnet named MaliciousSubnet06. The policy takes an action of IGNORE, which drops those queries.


PS C:\> Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyMalicious06" -Action IGNORE -ClientSubnet  "EQ,MaliciousSubnet06" -PassThru | Format-List *

Example 6: Block a type of query

This command creates a policy to block queries for a particular query type. The policy drops ANY query.


PS C:\> Add-DnsServerQueryResolutionPolicy -Name "BlackholePolicyQType" -Action IGNORE -QType "EQ,ANY" -PassThru | Format-List *

Example 7: Allow recursion for internal clients

The first command creates a recursion scope called InternalClients. Recursion is enabled for this scope.

The second command modifies the default recursion scope by using the Set-DnsServerRecursionScope cmdlet. The default scope, identified by a dot (.), has recursion disabled.

The final command creates a policy that uses the InternalClients scope. For that scope, on the specified server interface address, the policy allows recursion.


PS C:\> Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True
PS C:\> Set-DnsServerRecursionScope -Name . -EnableRecursion $False 
PS C:\> Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP  "EQ,10.0.0.34" -PassThru 

관련 항목

커뮤니티 추가 항목

추가
표시: