As information technology keeps developing, people's expectations of IT infrastructure keep rising: they now ask for rapid delivery, batch deployment, data analysis, network virtualization and other new capabilities, and the major vendors keep improving their products accordingly. DNS on Windows Server started out providing only the simplest functions, such as name resolution, caching and forwarding, and then became more and more complete: the 2008 era added DNSSEC, single-domain resolution, name protection and so on, making DNS more secure and standardized. From Windows Server 2016 onward, DNS has gained a feature that the author finds very good: DNS policy. I have recently tested many of its new capabilities and was very pleasantly surprised; the author even thinks this feature raises DNS on Windows Server to a level of "basic intelligence", so I decided to share it with everyone.
In the next few articles, Lao Wang will build an environment and, through hands-on operation, introduce the usage and use cases of the new DNS policy feature, in the hope that it gives everyone a head start.
In this first chapter the author introduces DNS policy for location-based traffic isolation. The scenario: assume Contoso is a book company with branch offices in Dalian and Weihai. The company has an office site that employees in both Dalian and Weihai need to visit. In the past, load balancing was achieved with DNS round-robin, so people in Dalian were often sent to the server in Weihai, which caused access delays. With Windows Server 2016 we will use the DNS geo-isolation technique to direct clients detected as coming from Dalian to the server in Dalian and clients from Weihai to the server in Weihai. Isn't that amazing? Implementing such a function with earlier Windows Server DNS was very difficult; now it can be done natively.
Introduction to the experimental environment
- 16DNS: the DNS server, located at corporate headquarters. IP address 100.0.0.2, gateway 100.0.0.1
- Web01: the Web server in Dalian, which also acts as the router connecting the headquarters DNS, the Weihai client and the Dalian client
  IP address 1: 80.0.0.1
  IP address 2: 90.0.0.1
  IP address 3: 100.0.0.1, DNS 100.0.0.2
- Web02: the Web server in Weihai, located in the Weihai DC. IP address 90.0.0.2, gateway 90.0.0.1
- Dalian: simulated Dalian client. IP address 80.0.0.100, gateway 80.0.0.1, DNS 100.0.0.2
- Weihai: simulated Weihai client. IP address 90.0.0.100, gateway 90.0.0.1, DNS 100.0.0.2
Lao Wang has put a different web page on Web01 and on Web02, so that accessing a different server shows different web content.
Note: although Web01 has three IP addresses, the author has bound only 80.0.0.1 in IIS, i.e. the site content of Web01 can be reached only by entering 80.0.0.1.
Before we start, let's look at some important new concepts:
- DnsServerClientSubnet
- DnsServerZoneScope
These two cmdlets did not exist before, and they are the key to implementing logical geographic isolation in DNS.
To achieve geo-isolation, first create a DnsServerClientSubnet.
That is, you have to tell the DNS server which subnet holds the Dalian clients and which holds the Weihai clients; only once it has been told can it judge how to route a request.
With the subnets created, we also need to create DnsServerZoneScopes. This is the core of the core: we need to divide one DNS zone into several logical geographic regions, and we must understand this concept. For example, suppose there is a DNS primary zone called eip.com; inside the eip.com zone we create logical geographic scopes, such as a Dalian scope and a Weihai scope. After doing so, the same DNS primary zone contains several geographic regions.
The logical geographic scopes created in the previous step are used mainly to contain host records, and those host records are what the policy decision selects. For example, having created the logical geographic scope Dalian, we next need to create a host record for the Dalian Web server, and the most important step in creating that host record is to specify -ZoneScope: a host record created with this parameter is bound to that geographic scope. Then the policy is created, and only clients within the subnet range specified in the policy will be answered with the host records contained in the corresponding geographic scope.
The seasoning is ready; next comes the main course. With the three most critical ingredients prepared, we need to create a policy that ties the three things together: it defines the routing condition and tells the DNS server which geographic region an arriving client belongs to, and which server should serve that region.
OK, now that the idea has been laid out, let's proceed directly.
First, go to 16DNS, open PowerShell and run the following commands to create the subnet ranges:
Add-DnsServerClientSubnet -Name "DalianSubnet" -IPv4Subnet "80.0.0.0/24"
Add-DnsServerClientSubnet -Name "WeihaiSubnet" -IPv4Subnet "90.0.0.0/24"
Detailed command parameters can be found on TechNet. If one geographic location has several subnets, separate them with commas in -IPv4Subnet.
After creating the subnet ranges, create the logical geographic scopes:
Add-DnsServerZoneScope -ZoneName "eip.com" -Name "Dalian"
Add-DnsServerZoneScope -ZoneName "eip.com" -Name "Weihai"
As you can see, the subnet command above is defined at the DNS server level, whereas the logical geographic division is defined inside the existing DNS zone.
The next key step is to add the host records. The decisive element is the new -ZoneScope parameter: without it there is no difference from adding a DNS record in the console as before, and once added the records are returned in random round-robin order; with it, traffic can be isolated according to the logical geographic scope you defined.
Add-DnsServerResourceRecord -ZoneName "eip.com" -A -Name "www" -IPv4Address "80.0.0.1" -ZoneScope "Dalian"
Add-DnsServerResourceRecord -ZoneName "eip.com" -A -Name "www" -IPv4Address "90.0.0.2" -ZoneScope "Weihai"
Finally, we create the DNS query resolution policies, which are the top priority. Here we specify the client subnet range; EQ means "equals", so once the client's subnet equals the defined range, the query is answered with the host records in the corresponding scope. The -ZoneScope value is followed by a 1, which we will use many times later in this series. In this scenario we do a complete diversion; for a partial diversion, for example 70% of Dalian users going to the Dalian server and 30% to the Weihai server, you would write "Dalian,7;Weihai,3". Writing 1 means that 100% of Dalian client access is answered with the host record of the Dalian scope.
Add-DnsServerQueryResolutionPolicy -Name "DalianPolicy" -Action ALLOW -ClientSubnet "EQ,DalianSubnet" -ZoneScope "Dalian,1" -ZoneName "eip.com"
Add-DnsServerQueryResolutionPolicy -Name "WeihaiPolicy" -Action ALLOW -ClientSubnet "EQ,WeihaiSubnet" -ZoneScope "Weihai,1" -ZoneName "eip.com"
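The following script is an added example, not Lao Wang's own commands: it performs the four steps above in one pass and then reads every created object back, which matters because scoped host records are not visible in the DNS console. Names, zone and addresses are the ones used in this article; the second Dalian subnet 80.0.1.0/24 is a constructed placeholder that only shows how one location can span several subnets, and the weighted 70/30 policy is left commented out as the alternative described above.

```powershell
# Added example (not from the original post): full geo-isolation setup plus verification.
# Run in an elevated PowerShell on the DNS server (16DNS in the article).
$Zone = "eip.com"

# 1. Client subnets: tell the DNS server which source networks belong to which site.
#    -IPv4Subnet takes an array, so one location can cover several subnets
#    (80.0.1.0/24 is a constructed placeholder, not part of the article's lab).
Add-DnsServerClientSubnet -Name "DalianSubnet" -IPv4Subnet "80.0.0.0/24", "80.0.1.0/24"
Add-DnsServerClientSubnet -Name "WeihaiSubnet" -IPv4Subnet "90.0.0.0/24"

# 2. Zone scopes: logical partitions of the existing eip.com zone, one per site.
Add-DnsServerZoneScope -ZoneName $Zone -Name "Dalian"
Add-DnsServerZoneScope -ZoneName $Zone -Name "Weihai"

# 3. Host records placed inside a scope. Without -ZoneScope a record lands in the
#    default scope and is handed to every client in round-robin order.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "80.0.0.1" -ZoneScope "Dalian"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "90.0.0.2" -ZoneScope "Weihai"

# 4. Query resolution policies: match on the client subnet and answer from that scope.
#    "Dalian,1" means 100% of matching queries are answered from the Dalian scope.
#    Policy names must be unique within the zone, hence DalianPolicy and WeihaiPolicy.
Add-DnsServerQueryResolutionPolicy -Name "DalianPolicy" -Action ALLOW `
    -ClientSubnet "EQ,DalianSubnet" -ZoneScope "Dalian,1" -ZoneName $Zone
Add-DnsServerQueryResolutionPolicy -Name "WeihaiPolicy" -Action ALLOW `
    -ClientSubnet "EQ,WeihaiSubnet" -ZoneScope "Weihai,1" -ZoneName $Zone

# Weighted alternative (70% Dalian, 30% Weihai for Dalian clients). Use it INSTEAD of
# the DalianPolicy command above; the scope list is "scope,weight;scope,weight".
# Add-DnsServerQueryResolutionPolicy -Name "DalianPolicy" -Action ALLOW `
#     -ClientSubnet "EQ,DalianSubnet" -ZoneScope "Dalian,7;Weihai,3" -ZoneName $Zone

# 5. Verification on the server. The console does not list scoped records, so read
#    them back with the cmdlets instead of trusting the GUI.
Get-DnsServerClientSubnet | Format-Table Name, IPv4Subnet
Get-DnsServerZoneScope -ZoneName $Zone
foreach ($scope in "Dalian", "Weihai") {
    Get-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $scope -Name "www" |
        Select-Object @{ n = "Scope"; e = { $scope } }, HostName,
                      @{ n = "IP"; e = { $_.RecordData.IPv4Address } }
}
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, Action, IsEnabled

# 6. Verification from a client. Run this on the Dalian client (80.0.0.100): the only
#    A record returned should be 80.0.0.1; on the Weihai client it should be 90.0.0.2.
# Resolve-DnsName -Name "www.$Zone" -Server 100.0.0.2 -Type A |
#     Where-Object { $_.Type -eq "A" } | Select-Object Name, IPAddress
```

The server-side read-back in step 5 is the check to run whenever the console and the intended configuration disagree; the client-side check in step 6 is what confirms the policy is actually being applied to queries from that subnet.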
Log on to the Dalian client and open www.eip.com: you can see the content of the server in Dalian.
Run nslookup: only the Dalian web host answers. Before 2016, if we had created many identical DNS host records we would see all of them in round-robin; here we see only the Dalian web host, which shows that the logical geographic scope we defined is in effect.
Log on to the Weihai client and open www.eip.com: you can see the content of the server in Weihai.
Run nslookup: only the Weihai web host answers.
I believe everyone has now understood this feature. The author thinks it is very useful, and some friends in the industry I chatted with also feel it is a good technology. For development and test environment isolation, cross-regional traffic diversion, or even tenant isolation in network virtualization scenarios, using this new feature means you no longer have to build so many DNS servers.
While using it, Lao Wang found this feature very convenient: there are no prerequisites, you only need one server with the DNS role, it can be a workgroup or a domain environment, and there is no limit on the client version; at least so far, 2003 and Win7 clients have been found to work.
In the process of using it, Lao Wang found three notable points:
- Host records created with the command do not appear in the DNS console. If you do not see them in the console after issuing the command to create a host record, do not worry; as long as the command input is correct, it works. I hope Microsoft can improve this next.
- In Lao Wang's actual testing, the Chinese version of the server has a bug when deleting a policy: a DNS policy that has been created cannot be deleted. I hope this is my own operational error; you can try it yourself.
- Although we implemented geographic-scope-based host record isolation, with the Dalian client accessing the Dalian server and the Weihai client accessing the Weihai server, note this! In Lao Wang's own testing, once the method in this article is followed, clients in subnet ranges other than the Dalian subnet and the Weihai subnet will not be able to access the two host records at all, because they have been tied down.
If you want not only to isolate clients from different geographic regions but also to let other network segments reach the host records, you need to run the following commands; the records created by these commands do appear in the DNS Manager console.
Add-DnsServerResourceRecord -ZoneName "eip.com" -A -Name "www" -IPv4Address "80.0.0.1"
Add-DnsServerResourceRecord -ZoneName "eip.com" -A -Name "www" -IPv4Address "90.0.0.2"
Once this is done, other clients that are in neither the Dalian subnet range nor the Weihai subnet range will use round-robin to reach the servers in Dalian and Weihai in turn.
Before these two commands are run, nslookup from the headquarters network segment 100.0.0.0/24 against the headquarters DNS reports that www.eip.com cannot be resolved.
After running them, clear the DNS cache on 16DNS and run nslookup again: round-robin has started.
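As an added example (not part of the original post), the script below does two things the text describes but does not script: it publishes the default-scope fallback records and checks from the headquarters subnet that both addresses now come back, and it then tears the whole setup down in reverse dependency order, since a policy references the scope and subnet it uses. The zone, names and addresses are those of this article; the teardown order is my assumption about the dependencies, not something the post states.

```powershell
# Added example (not from the original post). Part 1: fallback records for clients
# matched by no policy. Part 2: clean removal of everything the article created.
$Zone = "eip.com"

# --- Part 1: fallback records in the default scope (note: no -ZoneScope) ---
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "80.0.0.1"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "90.0.0.2"

# The server may still hold the negative answer it gave before these records
# existed, which is why the article clears the cache before testing again.
Clear-DnsServerCache -Force

# From the headquarters network (100.0.0.0/24, matched by neither policy) both
# addresses should now be returned, with the order rotating on repeated queries.
Resolve-DnsName -Name "www.$Zone" -Server 100.0.0.2 -Type A |
    Where-Object { $_.Type -eq "A" } | Select-Object Name, IPAddress

# --- Part 2: teardown. Policies go first because they reference scopes and
#     subnets; records go before their scope; subnets go last. -Confirm:$false
#     suppresses the per-object prompt these Remove-* cmdlets would otherwise show.
foreach ($policy in "DalianPolicy", "WeihaiPolicy") {
    Remove-DnsServerQueryResolutionPolicy -Name $policy -ZoneName $Zone -Confirm:$false
}
Remove-DnsServerResourceRecord -ZoneName $Zone -ZoneScope "Dalian" -RRType A `
    -Name "www" -RecordData "80.0.0.1" -Confirm:$false
Remove-DnsServerResourceRecord -ZoneName $Zone -ZoneScope "Weihai" -RRType A `
    -Name "www" -RecordData "90.0.0.2" -Confirm:$false
Remove-DnsServerZoneScope -ZoneName $Zone -Name "Dalian" -Confirm:$false
Remove-DnsServerZoneScope -ZoneName $Zone -Name "Weihai" -Confirm:$false
Remove-DnsServerClientSubnet -Name "DalianSubnet" -Confirm:$false
Remove-DnsServerClientSubnet -Name "WeihaiSubnet" -Confirm:$false

# The default-scope fallback records from Part 1 are left in place deliberately,
# so that www.eip.com keeps resolving (round-robin) after the policies are gone.
```

Running Part 2 before Part 1 would leave www.eip.com unresolvable for every client, which is exactly the failure mode described in the third notable point above; keeping the default-scope records in place is what prevents it.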
The first article is nearly at its end. Because the environment is limited, there is another scenario I did not demonstrate; if your environment is large enough it can be done: a 16DNS at headquarters, with a DNS server also deployed in Dalian and in Weihai doing zone transfers, which reduces the load on the DNS server and helps local clients locate the right site faster. In actual use, note that the DNS servers in Dalian and Weihai need to replicate, by command, the headquarters DNS's client subnet ranges, host records, logical scopes, policies and other data.
Next, Lao Wang will continue the DNS policy series, including split-brain, application load balancing, time-based intelligent DNS location, and so on.
This article is from "a Stubborn island" blog, please be sure to keep this source http://wzde2012.blog.51cto.com/6474289/1920559
Windows Server DNS Policy geo-location 1