IT staff are familiar with intelligent DNS, but it is generally provided by third parties and can rarely be implemented locally. Today we look at a smart DNS solution that can be configured locally: in Windows Server 2016, configuring DNS Policy enables intelligent DNS resolution. We have to reiterate that only DNS on Windows Server 2016 supports this. Windows Server 2016 has been out for a long time, so today we give a functional demonstration of the features its DNS server supports, starting with DNS policy geo-location, which means that a DNS policy can answer queries based on the location the traffic comes from. We have already applied this feature in our production environment.

First, our everyday requirement. Our company's WWW site has one server in China and one in the United States, with data synchronized between the two. Initially DNS held two records pointing to the servers in the different regions, and we relied on the DNS round-robin mechanism for load distribution and redirection. Sometimes Chinese users were sent to the U.S. server, which made access slow, and U.S. users were sent to the Chinese server. This caused a lot of trouble for the user experience. In Windows Server 2016, DNS Policy can be configured so that Chinese users reach the Chinese server and U.S. users reach the U.S. server, which is a rather neat result. The implementation is presented below; if anything in this summary is wrong, corrections are welcome.
Note: DNS policy is local to a DNS server and cannot be synchronized across the global environment, so we need to configure the policy on the server that is responsible for DNS resolution.
Environment Introduction:
Hostname: DC.ixmsoft.com
Roles: DC, DNS
IP: 192.168.5.20

Hostname: Web1.ixmsoft.com
Roles: Web Server
IP: 192.168.6.198
Location: China

Hostname: Web2.ixmsoft.com
Roles: Web Server
IP: 192.168.7.198
Location: US
We first confirm what each of the two web servers returns when accessed.
The first is the Chinese server.
Then we visit the U.S. server.
After the servers in the two regions are ready, we can configure the DNS policy. We do the configuration with PowerShell. To achieve geographic separation, first create the DnsServerClientSubnet objects.
That is, you have to tell the DNS server which subnet holds the Beijing clients and which holds the U.S. clients. Only after you have told it does it know how to judge and direct a request.
We start by creating the subnets for Beijing and the United States.
Add-DnsServerClientSubnet -Name "beijingsubnet" -IPv4Subnet "192.168.6.0/24"
Add-DnsServerClientSubnet -Name "ussubnet" -IPv4Subnet "192.168.7.0/24"
After the creation is complete, we can query the subnets:
Get-DnsServerClientSubnet
With the subnets created, we also need to create the DnsServerZoneScope objects. This is the core of the whole configuration: we create several logical geographic regions inside one DNS zone. This concept must be understood. For example, there is a primary DNS zone called ixmsoft.com, and we split it into logical geographic ranges, a Beijing region and a U.S. region, so that the same primary DNS zone contains multiple geographic regions.
Add-DnsServerZoneScope -ZoneName "ixmsoft.com" -Name "beijing"
Add-DnsServerZoneScope -ZoneName "ixmsoft.com" -Name "us"
After the creation is complete, we can also query the zone scopes:
Get-DnsServerZoneScope -ZoneName "ixmsoft.com"
The logical geographic regions exist mainly to hold host records, which the policy then uses to make its decision. For example, having created the logical region for Beijing, we need to create the host record for the Beijing web server. When creating host records, the most important step is to specify -ZoneScope: a host record created with this parameter is bound to that geographic region. Once the policy is created, only clients within the subnet range specified in the policy receive the host records that belong to the corresponding region.
Add-DnsServerResourceRecord -ZoneName "ixmsoft.com" -A -Name "web" -IPv4Address "192.168.6.198" -ZoneScope "beijing"
Add-DnsServerResourceRecord -ZoneName "ixmsoft.com" -A -Name "web" -IPv4Address "192.168.7.198" -ZoneScope "us"
Note that the value we pass with -A -Name is "web", so our users end up using web.ixmsoft.com to access the server.
After the creation is complete, we can query the records:
Get-DnsServerResourceRecord -ZoneName "ixmsoft.com"
What we created above are resolution records bound to zone scopes. We need to be aware that clients outside the custom subnets are not answered from those zone scopes, so if the zone holds no other record for the name, those clients get no resolution. So we also need to add the records to the zone itself, without specifying a zone scope.
Add-DnsServerResourceRecord -ZoneName "ixmsoft.com" -A -Name "web" -IPv4Address "192.168.6.198"
Add-DnsServerResourceRecord -ZoneName "ixmsoft.com" -A -Name "web" -IPv4Address "192.168.7.198"
After execution, we will see the two records added above in DNS.
With the above in place, the important next step is to create the DNS query resolution policy.
Here we specify the client subnet range. "eq" means equals: once the client's subnet equals the defined range, the response comes from the host record in the corresponding region. The 1 after the zone scope name is a weight, which we will use many times in later articles. This scenario is a complete diversion. A partial diversion would be, for example, Dalian users going 70 to the Beijing server and 30 to the U.S. server. Here we write 1, which means the Dalian client's queries are answered 100% from the host record of the Beijing region.
Add-DnsServerQueryResolutionPolicy -Name "beijingPolicy" -Action ALLOW -ClientSubnet "eq,beijingsubnet" -ZoneScope "beijing,1" -ZoneName "ixmsoft.com"
After creating the policy, we can query it:
Get-DnsServerQueryResolutionPolicy -ZoneName "ixmsoft.com"
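The article shows only the Beijing policy. The following added example (not code from the original article) creates the matching policy for the U.S. subnet, sketches the partial-diversion case described above with weighted zone scopes, and tallies the answers a client receives. The names "usPolicy", "dalianPolicy" and "daliansubnet", the subnet 192.168.8.0/24 and the function Get-DnsAnswerDistribution are assumptions made for illustration.

```powershell
# Added example. "usPolicy", "dalianPolicy", "daliansubnet" and 192.168.8.0/24
# are hypothetical; the zone, scopes and subnets "beijingsubnet"/"ussubnet"
# are the ones created earlier in the article.

# Run on the DNS server (192.168.5.20).
# U.S. clients are answered only from the "us" zone scope.
Add-DnsServerQueryResolutionPolicy -Name "usPolicy" -Action ALLOW -ClientSubnet "eq,ussubnet" -ZoneScope "us,1" -ZoneName "ixmsoft.com"

# Partial diversion: weights 7 and 3 split answers roughly 70/30
# between the "beijing" and "us" zone scopes for the Dalian clients.
Add-DnsServerClientSubnet -Name "daliansubnet" -IPv4Subnet "192.168.8.0/24"
Add-DnsServerQueryResolutionPolicy -Name "dalianPolicy" -Action ALLOW -ClientSubnet "eq,daliansubnet" -ZoneScope "beijing,7;us,3" -ZoneName "ixmsoft.com"

# Run on a client in the subnet being tested.
# Queries the DNS server directly several times and counts which
# addresses come back, so the effect of each policy is visible.
function Get-DnsAnswerDistribution {
    param(
        [string]$Name   = "web.ixmsoft.com",
        [string]$Server = "192.168.5.20",
        [int]$Count     = 20
    )
    1..$Count | ForEach-Object {
        Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
    } | Group-Object | Select-Object Name, Count
}

Get-DnsAnswerDistribution
```

A client in beijingsubnet or ussubnet should see a single address in every answer, while a client that matches no policy receives both records from the zone itself.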
Then we can test it.
We simulate an address in the Beijing subnet and are directed to the server in Beijing.
We simulate an address in the U.S. subnet and are directed to the server in the United States.
This completes our basic configuration. We will continue with more Windows Server DNS topics in the next article.
Windows Server 2016 Smart DNS (i)