
DnsPolQueryResolutionPolicy: New resource proposal #303

@ahpooch

Description


Resource proposal

You can use DNS Query Resolution Policies to specify how incoming resolution queries are handled by a DNS server.
For more details about the DNS Policies resource proposals in general, see Dns Policies: New resources proposal.

You can create multiple query resolution policies of the same level, as long as they have a different value for the processing order. When multiple policies are available, the DNS server processes incoming queries in the following manner:

[Image: scheme of how the DNS server processes incoming queries when multiple policies are available]

Special consideration: Criteria

The criteria are a logical combination of client subnet, server interface IP address, fully qualified domain name (FQDN), Internet Protocol (IPv4/IPv6), transport protocol (UDP/TCP), time of day, and query type.
Specify criteria in the following format:
"operator, value01, value02, . . . ; operator, value03, value04, . . ."
The operator is either EQ or NE. You can specify no more than one of each operator in a criterion.
The policy treats values that follow the EQ operator as multiple assertions which are logically combined (OR'd). The policy treats values that follow the NE operator as multiple assertions which are logically differenced (AND'd).

Proposed properties

Criteria* parameter details

All optional Criteria* parameters consist of a criteria condition operator (AND/OR) and a list of criteria, e.g. EQ,*.contoso.com,*.woodgrove.com or EQ,TXT,SRV.

Zone parameter details

The Zone parameter represents a list of zone scopes (by name) and weights, e.g. "SeattleZoneScope,2; ChicagoZoneScope,1; TexasZoneScope,1" (see the usage example).
All official documentation refers to this parameter as Zone, but to set it with Add-DnsServerQueryResolutionPolicy the -ZoneScope parameter must be used.

Table of parameters for DnsPolQueryResolutionPolicy resource

| Property | Type qualifier | Data type | Description | Default value | Allowed values |
|---|---|---|---|---|---|
| Name | DscProperty(Key) | System.String | Policy name | None | Up to 256 characters; can contain any character valid for a file name |
| State | DscProperty() | System.String | Policy state | Enable | Enable, Disabled |
| Level | DscProperty() | System.String | Policy level | None | Server, Zone |
| ProcessingOrder | DscProperty(Key) | Nullable[System.UInt32] | Once a query is classified by level and "applies on", the server finds the first policy whose criteria the query matches and applies it to the query | None | Numeric value |
| Action | DscProperty() | System.String | Action to be performed by the DNS server | Allow (default for zone level), Deny (default on server level) | Allow, Deny, Ignore |
| Condition | DscProperty() | System.String | Specifies how the policy treats multiple criteria | AND | OR: the policy evaluates criteria as multiple assertions which are logically combined (OR'd). AND: the policy evaluates criteria as multiple assertions which are logically differenced (AND'd) |
| CriteriaClientSubnet | DscProperty() | System.String | Name of a predefined client subnet; used to verify the subnet from which the query was sent | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,Spain,France` resolves to true if the subnet is identified as either Spain or France; `NE,Canada,Mexico` resolves to true if the client subnet is any subnet other than Canada and Mexico |
| CriteriaTransportProtocol | DscProperty() | System.String | Transport protocol used in the query; possible entries are UDP and TCP | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,TCP`, `EQ,UDP` |
| CriteriaInternetProtocol | DscProperty() | System.String | Network protocol used in the query; possible entries are IPv4 and IPv6 | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,IPv4`, `EQ,IPv6` |
| CriteriaServerInterfaceIpAddress | DscProperty() | System.String | IP address of the incoming DNS server network interface | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,10.0.0.1`, `EQ,192.168.1.1` |
| CriteriaFQDN | DscProperty() | System.String | FQDN of the record in the query, with the possibility of using a wildcard | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,www.contoso.com` resolves to true only if the query is trying to resolve the www.contoso.com FQDN; `EQ,*.contoso.com,*.woodgrove.com` resolves to true if the query is for any record ending in contoso.com OR woodgrove.com |
| CriteriaQueryType | DscProperty() | System.String | Type of record being queried (A, SRV, TXT) | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,TXT,SRV` resolves to true if the query is requesting a TXT OR SRV record; `EQ,MX` resolves to true if the query is requesting an MX record |
| CriteriaTimeOfDay | DscProperty() | System.String | Time of day the query is received | None | Condition operator (AND/OR) and list of criteria, e.g. `EQ,10:00-12:00,22:00-23:00` resolves to true if the query is received between 10 AM and noon, OR between 10 PM and 11 PM |
| Scope | DscProperty() | System.String | List of zone scopes and weighted values per scope. Weighted values are used for load-balancing distribution: for instance, if this list includes datacenter1 with a weight of 3 and datacenter2 with a weight of 5, the server will respond with a record from datacenter1 three times out of eight requests | None | List of zone scopes (by name) and weights, e.g. `SeattleZoneScope,2; ChicagoZoneScope,1; TexasZoneScope,1` (see the usage example) |
| Reasons | DscProperty(NotConfigurable) | DnsServerReason[] | Returns the reason a property is not in desired state | None | None |
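As an added example (not code from the proposal or from the DnsServerDsc project), the following shows how a Set() path could validate the Criteria* syntax described under "Special consideration: Criteria" (operator EQ or NE, at most one of each per criterion) and splat the proposed properties onto Add-DnsServerQueryResolutionPolicy, including the Zone/Scope-to-ZoneScope rename noted above. The function names, the subset of Criteria* properties handled, and the zone name contoso.com are assumptions.

```powershell
# Added example (not part of the proposal): validate one Criteria* value, then build the cmdlet splat.
function Test-DnsPolicyCriteria {
    param([Parameter(Mandatory)][string]$Criteria)
    $seen = @{}
    # Clauses are separated by ';'; each clause is "operator, value01, value02, ...".
    foreach ($clause in ($Criteria -split ';')) {
        $parts = @(($clause -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($parts.Count -lt 2) { throw "Clause '$clause' needs an operator and at least one value." }
        $operator = $parts[0].ToUpperInvariant()
        if ($operator -notin 'EQ', 'NE') { throw "Operator '$($parts[0])' must be EQ or NE." }
        # No more than one EQ and one NE clause per criterion (see "Special consideration: Criteria").
        if ($seen.ContainsKey($operator)) { throw "Operator $operator appears more than once." }
        $seen[$operator] = $parts[1..($parts.Count - 1)]
    }
    return $true
}
function New-DnsQueryResolutionPolicyParameter {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Server', 'Zone')][string]$Level = 'Server',
        [string]$ZoneName,                      # required when Level is Zone
        [uint32]$ProcessingOrder = 1,
        [ValidateSet('Allow', 'Deny', 'Ignore')][string]$Action = 'Deny',
        [ValidateSet('AND', 'OR')][string]$Condition = 'AND',
        [string]$CriteriaClientSubnet,
        [string]$CriteriaFQDN,
        [string]$CriteriaQueryType,
        [string]$Scope
    )
    $splat = @{ Name = $Name; ProcessingOrder = $ProcessingOrder; Action = $Action.ToUpper(); Condition = $Condition }
    if ($Level -eq 'Zone') { $splat.ZoneName = $ZoneName }
    # Each proposed Criteria* property maps to a cmdlet parameter; validate the syntax before passing it on.
    $map = @{ ClientSubnet = $CriteriaClientSubnet; Fqdn = $CriteriaFQDN; QType = $CriteriaQueryType }
    foreach ($entry in $map.GetEnumerator()) {
        if ($entry.Value) {
            $null = Test-DnsPolicyCriteria -Criteria $entry.Value
            $splat[$entry.Key] = $entry.Value
        }
    }
    # The documentation calls this property Zone (Scope in the table), but the cmdlet parameter is -ZoneScope.
    if ($Scope) { $splat.ZoneScope = $Scope }
    return $splat
}
# Usage (assumed zone name contoso.com): build the splat for the proposal's example policy and apply it.
$params = New-DnsQueryResolutionPolicyParameter -Name 'Test Query Resolution Policy' -Level Zone `
    -ZoneName 'contoso.com' -Action Allow -Condition AND -CriteriaClientSubnet 'EQ,Spain,France' `
    -CriteriaFQDN 'EQ,*.contoso.com,*.woodgrove.com' -Scope 'SeattleZoneScope,2; ChicagoZoneScope,1; TexasZoneScope,1'
Add-DnsServerQueryResolutionPolicy @params
```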

Special considerations or limitations

The Criteria parameter could be a nested parameter, although I'm not yet sure how to implement it in code.
For example, in a DSC v3 configuration, the criteria might be expressed as:

Name: Test Query Resolution Policy
State: Enable
Level: Zone
ProcessingOrder: 1
Action: Allow
Criteria:
  Condition: AND
  CriteriaList:
    ClientSubnet: EQ,Spain,France
    InternetProtocol: EQ,IPv4
    FQDN: EQ,*.contoso.com,*.woodgrove.com
Scope: SeattleZoneScope,2; ChicagoZoneScope,1; TexasZoneScope,1
