{
	"id": "895ae52e-5085-404b-ad88-f0c170f03ce8",
	"created_at": "2026-04-06T00:22:34.167704Z",
	"updated_at": "2026-04-10T13:12:07.929617Z",
	"deleted_at": null,
	"sha1_hash": "ed0c856fe81c575a257bf4b7745e36a7cb576055",
	"title": "DNS Policies Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182416,
	"plain_text": "DNS Policies Overview\r\nBy robinharwood\r\nArchived: 2026-04-05 17:17:34 UTC\r\nYou can use this topic to learn about DNS Policy, which is new in Windows Server 2016. You can use DNS Policy for Geo-Location based traffic management, intelligent DNS responses based on the time of day, to manage a single DNS server configured for split-brain deployment, applying filters on DNS queries, and more. The following items provide more detail about these capabilities.\r\nApplication Load Balancing. When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application.\r\nGeo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.\r\nSplit Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.\r\nFiltering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and the DNS client that sends the DNS query.\r\nForensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach.\r\nTime of day based redirection. You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day.\r\nNew Concepts\r\nIn order to create policies to support the scenarios listed above, it is necessary to be able to identify groups of records in a zone, groups of clients on a network, among other elements. These elements are represented by the following new DNS objects:\r\nClient subnet: a client subnet object represents an IPv4 or IPv6 subnet from which queries are submitted to a DNS server. You can create subnets to later define policies to be applied based on what subnet the\r\nhttps://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview\r\nPage 1 of 10\n\nrequests come from. For instance, in a split brain DNS scenario, the request for resolution for a name such as www.microsoft.com can be answered with an internal IP address to clients from internal subnets, and a different IP address to clients in external subnets.\r\nRecursion scope: recursion scopes are unique instances of a group of settings that control recursion on a DNS server. A recursion scope contains a list of forwarders and specifies whether recursion is enabled. A DNS server can have many recursion scopes. DNS server recursion policies allow you to choose a recursion scope for a set of queries. If the DNS server is not authoritative for certain queries, DNS server recursion policies allow you to control how to resolve those queries. You can specify which forwarders to use and whether to use recursion.\r\nZone scopes: a DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses. Also, zone transfers are done at the zone scope level. That means that records from a zone scope in a primary zone will be transferred to the same zone scope in a secondary zone.\r\nTypes of Policy\r\nDNS Policies are divided by level and type. You can use Query Resolution Policies to define how queries are processed, and Zone Transfer Policies to define how zone transfers occur. You can apply each policy type at the server level or the zone level.\r\nQuery Resolution Policies\r\nYou can use DNS Query Resolution Policies to specify how incoming resolution queries are handled by a DNS server. Every DNS Query Resolution Policy contains the following elements:\r\nField | Description | Possible values\r\nName | Policy name | Up to 256 characters; can contain any character valid for a file name\r\nState | Policy state | Enable (default); Disabled\r\nLevel | Policy level | Server; Zone\r\nProcessing order | Once a query is classified by level and applies on, the server finds the first policy for which the query matches the criteria and applies it to the query | Numeric value; unique value per policy containing the same level and applies-on value\r\nAction | Action to be performed by the DNS server | Allow (default for zone level); Deny (default on server level); Ignore\r\nCriteria | Policy condition (AND/OR) and list of criteria to be met for the policy to be applied | Condition operator (AND/OR); list of criteria (see the criterion table below)\r\nScope | List of zone scopes and weighted values per scope. Weighted values are used for load balancing distribution. For instance, if this list includes datacenter1 with a weight of 3 and datacenter2 with a weight of 5, the server will respond with a record from datacenter1 three times out of eight requests | List of zone scopes (by name) and weights\r\nNote\r\nServer level policies can only have the values Deny or Ignore as an action.\r\nThe DNS policy criteria field is composed of two elements:\r\nName | Description | Sample values\r\nClient Subnet | Name of a predefined client subnet. Used to verify the subnet from which the query was sent. | EQ,Spain,France - resolves to true if the subnet is identified as either Spain or France; NE,Canada,Mexico - resolves to true if the client subnet is any subnet other than Canada and Mexico\r\nTransport Protocol | Transport protocol used in the query. Possible entries are UDP and TCP | EQ,TCP; EQ,UDP\r\nInternet Protocol | Network protocol used in the query. Possible entries are IPv4 and IPv6 | EQ,IPv4; EQ,IPv6\r\nServer Interface IP address | IP address of the incoming DNS server network interface | EQ,10.0.0.1; EQ,192.168.1.1\r\nFQDN | FQDN of the record in the query, with the possibility of using a wild card | EQ,www.contoso.com - resolves to true only if the query is trying to resolve the www.contoso.com FQDN; EQ,*.contoso.com,*.woodgrove.com - resolves to true if the query is for any record ending in contoso.com OR woodgrove.com\r\nQuery Type | Type of record being queried (A, SRV, TXT) | EQ,TXT,SRV - resolves to true if the query is requesting a TXT OR SRV record; EQ,MX - resolves to true if the query is requesting an MX record\r\nTime of Day | Time of day the query is received | EQ,10:00-12:00,22:00-23:00 - resolves to true if the query is received between 10 AM and noon, OR between 10 PM and 11 PM\r\nUsing the table above as a starting point, the table below could be used to define a criterion that matches queries for any type of record except SRV records in the contoso.com domain, coming from a client in the 10.0.0.0/24 subnet via TCP between 8 and 10 PM through interface 10.0.0.3:\r\nName | Value\r\nClient Subnet | EQ,10.0.0.0/24\r\nTransport Protocol | EQ,TCP\r\nServer Interface IP address | EQ,10.0.0.3\r\nFQDN | EQ,*.contoso.com\r\nQuery Type | NE,SRV\r\nTime of Day | EQ,20:00-22:00\r\nYou can create multiple query resolution policies of the same level, as long as they have a different value for the processing order. When multiple policies are available, the DNS server processes incoming queries in the following manner:\r\nRecursion Policies\r\nRecursion policies are a special type of server level policy. Recursion policies control how the DNS server performs recursion for a query. Recursion policies apply only when query processing reaches the recursion path. You can choose a value of DENY or IGNORE for recursion for a set of queries. Alternatively, you can choose a set of forwarders for a set of queries.\r\nYou can use recursion policies to implement a Split-brain DNS configuration. In this configuration, the DNS server performs recursion for a set of clients for a query, while the DNS server does not perform recursion for other clients for that query.\r\nRecursion policies contain the same elements a regular DNS query resolution policy contains, along with the elements in the table below:\r\nName | Description\r\nApply on recursion | Specifies that this policy should only be used for recursion.\r\nRecursion Scope | Name of the recursion scope.\r\nNote\r\nRecursion policies can only be created at the server level.\r\nZone Transfer Policies\r\nZone transfer policies control whether a zone transfer is allowed or not by your DNS server. You can create policies for zone transfer at either the server level or the zone level. Server level policies apply on every zone transfer query that occurs on the DNS server. Zone level policies apply only on the queries on a zone hosted on the DNS server. The most common use for zone level policies is to implement blocked or safe lists.\r\nNote\r\nZone transfer policies can only use DENY or IGNORE as actions.\r\nYou can use the server level zone transfer policy below to deny a zone transfer for the contoso.com domain from a given subnet:\r\nAdd-DnsServerZoneTransferPolicy -Name DenyTransferOfContosoToFabrikam -Zone contoso.com -Action DENY -ClientSub\r\nYou can create multiple zone transfer policies of the same level, as long as they have a different value for the processing order. When multiple policies are available, the DNS server processes incoming queries in the following manner:\r\nManaging DNS Policies\r\nYou can create and manage DNS Policies by using PowerShell. The examples below go through different sample scenarios that you can configure through DNS Policies:\r\nTraffic Management\r\nYou can direct traffic based on an FQDN to different servers depending on the location of the DNS client. The example below shows how to create traffic management policies to direct the customers from a certain subnet to a North American datacenter and from another subnet to a European datacenter.\r\nAdd-DnsServerClientSubnet -Name \"NorthAmericaSubnet\" -IPv4Subnet \"172.21.33.0/24\"\r\nAdd-DnsServerClientSubnet -Name \"EuropeSubnet\" -IPv4Subnet \"172.17.44.0/24\"\r\nAdd-DnsServerZoneScope -ZoneName \"Contoso.com\" -Name \"NorthAmericaZoneScope\"\r\nAdd-DnsServerZoneScope -ZoneName \"Contoso.com\" -Name \"EuropeZoneScope\"\r\nAdd-DnsServerResourceRecord -ZoneName \"Contoso.com\" -A -Name \"www\" -IPv4Address \"172.17.97.97\" -ZoneScope \"Europ\r\nAdd-DnsServerResourceRecord -ZoneName \"Contoso.com\" -A -Name \"www\" -IPv4Address \"172.21.21.21\" -ZoneScope \"North\r\nAdd-DnsServerQueryResolutionPolicy -Name \"NorthAmericaPolicy\" -Action ALLOW -ClientSubnet \"eq,NorthAmericaSubnet\r\nAdd-DnsServerQueryResolutionPolicy -Name \"EuropePolicy\" -Action ALLOW -ClientSubnet \"eq,EuropeSubnet\" -ZoneScope\r\nThe first two lines of the script create client subnet objects for North America and Europe. The two lines after that create a zone scope within the contoso.com domain, one for each region. The two lines after that create a record in each zone scope that associates www.contoso.com with a different IP address, one for Europe, another one for North America. Finally, the last lines of the script create two DNS Query Resolution Policies, one to be applied to the North America subnet, another to the Europe subnet.\r\nBlock queries for a domain\r\nYou can use a DNS Query Resolution Policy to block queries to a domain. The example below blocks all queries to treyresearch.net:\r\nAdd-DnsServerQueryResolutionPolicy -Name \"BlackholePolicy\" -Action IGNORE -FQDN \"EQ,*.treyresearch.com\"\r\nBlock queries from a subnet\r\nYou can also block queries coming from a specific subnet. The script below creates a subnet for 172.0.33.0/24 and then creates a policy to ignore all queries coming from that subnet:\r\nAdd-DnsServerClientSubnet -Name \"MaliciousSubnet06\" -IPv4Subnet 172.0.33.0/24\r\nAdd-DnsServerQueryResolutionPolicy -Name \"BlackholePolicyMalicious06\" -Action IGNORE -ClientSubnet \"EQ,Maliciou\r\nAllow recursion for internal clients\r\nYou can control recursion by using a DNS Query Resolution Policy. The sample below can be used to enable recursion for internal clients, while disabling it for external clients in a split brain scenario.\r\nSet-DnsServerRecursionScope -Name . -EnableRecursion $False\r\nAdd-DnsServerRecursionScope -Name \"InternalClients\" -EnableRecursion $True\r\nAdd-DnsServerQueryResolutionPolicy -Name \"SplitBrainPolicy\" -Action ALLOW -ApplyOnRecursion -RecursionScope \"Int\r\nThe first line in the script changes the default recursion scope, simply named \".\" (dot), to disable recursion. The second line creates a recursion scope named InternalClients with recursion enabled. The third line creates a policy that applies the newly created recursion scope to any queries coming in through a server interface that has 10.0.0.34 as an IP address.\r\nCreate a server level zone transfer policy\r\nYou can control zone transfer in a more granular form by using DNS Zone Transfer policies. The sample script below can be used to allow zone transfers for any server on a given subnet:\r\nAdd-DnsServerClientSubnet -Name \"AllowedSubnet\" -IPv4Subnet 172.21.33.0/24\r\nAdd-DnsServerZoneTransferPolicy -Name \"NorthAmericaPolicy\" -Action IGNORE -ClientSubnet \"ne,AllowedSubnet\"\r\nThe first line in the script creates a subnet object named AllowedSubnet with the IP block 172.21.33.0/24. The second line creates a zone transfer policy that ignores zone transfer requests from any client subnet other than AllowedSubnet, so that zone transfers are allowed only to DNS servers on the subnet previously created.\r\nCreate a zone level zone transfer policy\r\nYou can also create zone level zone transfer policies. The example below ignores any request for a zone transfer for contoso.com coming in on a server interface that has an IP address of 10.0.0.33:\r\nAdd-DnsServerZoneTransferPolicy -Name \"InternalTransfers\" -Action IGNORE -ServerInterfaceIP \"eq,10.0.0.33\" -Pas\r\nDNS Policy Scenarios\r\nFor information on how to use DNS policy for specific scenarios, see the following topics in this guide.\r\nUse DNS Policy for Geo-Location Based Traffic Management with Primary Servers\r\nUse DNS Policy for Geo-Location Based Traffic Management with Primary-Secondary Deployments\r\nUse DNS Policy for Intelligent DNS Responses Based on the Time of Day\r\nDNS Responses Based on Time of Day with an Azure Cloud App Server\r\nUse DNS Policy for Split-Brain DNS Deployment\r\nUse DNS Policy for Split-Brain DNS in Active Directory\r\nUse DNS Policy for Applying Filters on DNS Queries\r\nUse DNS Policy for Application Load Balancing\r\nUse DNS Policy for Application Load Balancing With Geo-Location Awareness\r\nUsing DNS Policy on Read-Only Domain Controllers\r\nDNS Policy is compatible with Read-Only Domain Controllers. Do note that a restart of the DNS Server service is required for new DNS Policies to be loaded on Read-Only Domain Controllers. This is not necessary on writable domain controllers.\r\nSource: https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
	],
	"report_names": [
		"dns-policies-overview"
	],
	"threat_actors": [],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed0c856fe81c575a257bf4b7745e36a7cb576055.pdf",
		"text": "https://archive.orkl.eu/ed0c856fe81c575a257bf4b7745e36a7cb576055.txt",
		"img": "https://archive.orkl.eu/ed0c856fe81c575a257bf4b7745e36a7cb576055.jpg"
	}
}