DNS Resolution Based on Client IP Address with Windows Server

In this tutorial I will explain how to make Windows Server DNS answer name queries according to the IP address of the client.

There are two solutions, and we will look at both in this article.

The first solution, network mask sorting (netmask ordering), has been available since Windows Server 2003. The option is normally enabled by default.

The second solution, geolocation-based resolution through DNS policies, was introduced with Windows Server 2016.

DNS resolution by sorting network masks

The goal is for users to reach the rddns.lab.intra site on the server located in their own IP segment, as shown in the illustration below.

DNS by Network Mask

From the DNS Manager console, right-click on the server (1), then click Properties (2).

DNS Console

Go to the Advanced tab (1) and check that the Enable Round Robin (2) and Enable network mask sort (3) checkboxes are ticked. If they are not, tick them and apply the changes.

Server configuration

Create the A records pointing to each server.

A record

Test name resolution with clients in each of the networks. In the screenshots below, we can see that the answer matches the client's network.

If the client's IP address does not belong to any of the networks, round robin is used.

DNS resolution by geolocation

Geolocation-based resolution requires at least Windows Server 2016, and it is configured only through PowerShell: there is no GUI for it.

The advantage of geolocation is being able to answer clients from networks for which no DNS record is declared. If we take the previous example and add a third network, 10.0.2.0/24, we can define which record should be returned to it.

To avoid touching the Active Directory zone, I created a new DNS zone, dns-lab.intra. The objective is shown below:

DNS Geo

All the commands are to be executed in a PowerShell window.

Creating client subnets

Add-DnsServerClientSubnet -Name "SiteA" -IPv4Subnet "10.0.0.0/24"
Add-DnsServerClientSubnet -Name "SiteB" -IPv4Subnet "10.0.1.0/24"
Add-DnsServerClientSubnet -Name "SiteC" -IPv4Subnet "10.0.2.0/24"

Creating zone scopes

A zone scope is a separate instance of the DNS zone that contains its own set of records.

In our example, you need to create two scopes, one for each network where a web server is installed.

Add-DnsServerZoneScope -ZoneName "dns-lab.intra" -Name "SiteAZone"
Add-DnsServerZoneScope -ZoneName "dns-lab.intra" -Name "SiteBZone"

Creating DNS records

We now have to add the www DNS record to each zone scope.

Add-DnsServerResourceRecord -ZoneName "dns-lab.intra" -A -Name "www" -IPv4Address "10.0.0.200" -ZoneScope "SiteAZone"
Add-DnsServerResourceRecord -ZoneName "dns-lab.intra" -A -Name "www" -IPv4Address "10.0.1.200" -ZoneScope "SiteBZone"

Creating policies

Policies are what link a client subnet to a zone scope.

Three policies are therefore needed, one per client subnet; SiteC, which has no web server of its own, is sent to the SiteA zone scope.

Add-DnsServerQueryResolutionPolicy -Name "SiteAPolicy" -Action ALLOW -ClientSubnet "eq,SiteA" -ZoneScope "SiteAZone,1" -ZoneName "dns-lab.intra"
Add-DnsServerQueryResolutionPolicy -Name "SiteCPolicy" -Action ALLOW -ClientSubnet "eq,SiteC" -ZoneScope "SiteAZone,1" -ZoneName "dns-lab.intra"
Add-DnsServerQueryResolutionPolicy -Name "SiteBPolicy" -Action ALLOW -ClientSubnet "eq,SiteB" -ZoneScope "SiteBZone,1" -ZoneName "dns-lab.intra"

The DNS server can now answer each client according to its network.

Going further

If we look at the zone on the DNS server, no record is visible in the console.

DNS Zone

If you want the server to answer clients from unknown networks, add the DNS records normally (without a zone scope), either in the console or with PowerShell:

Add-DnsServerResourceRecord -ZoneName "dns-lab.intra" -A -Name "www" -IPv4Address "10.0.0.200"
Add-DnsServerResourceRecord -ZoneName "dns-lab.intra" -A -Name "www" -IPv4Address "10.0.1.200"

This time the DNS records are visible in the console.

DNS records
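To check the whole setup after the fact, here is an added audit script that is not part of the original article. It assumes the zone, subnet, scope and record names used above and is run on the DNS server with the DnsServer module; the property names it reads from the policy and scope objects (Criteria, CriteriaType, Content, ScopeName, ZoneScope) are the ones I expect the module to return, so confirm them with Get-Member on your build.

```powershell
# Added audit script, not part of the original article. Assumes the zone, subnet,
# scope and record names used above and is run on the DNS server (DnsServer module).
param(
    [string]$ZoneName = "dns-lab.intra",
    [string]$Record   = "www"
)

$subnets  = @(Get-DnsServerClientSubnet)
$scopes   = @(Get-DnsServerZoneScope -ZoneName $ZoneName)
$policies = @(Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName)
$used     = @()

foreach ($p in ($policies | Sort-Object ProcessingOrder)) {
    # A ClientSubnet criterion is stored as "EQ,SiteA" (several names may follow the operator).
    $subnetNames = @($p.Criteria | Where-Object { $_.CriteriaType -eq 'ClientSubnet' } |
        ForEach-Object { ($_.Criteria -split ',') | Select-Object -Skip 1 })
    foreach ($s in $subnetNames) {
        $used += $s
        if ($subnets.Name -notcontains $s) { Write-Warning "$($p.Name): client subnet '$s' does not exist" }
    }
    # Every zone scope the policy points to must exist and hold the record.
    foreach ($c in $p.Content) {
        if ($scopes.ZoneScope -notcontains $c.ScopeName) {
            Write-Warning "$($p.Name): zone scope '$($c.ScopeName)' does not exist"
            continue
        }
        $rr = Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $c.ScopeName `
            -Name $Record -RRType A -ErrorAction SilentlyContinue
        if ($rr) {
            "{0,-12} {1,-12} -> {2,-10} {3}" -f $p.Name, ($subnetNames -join '/'), $c.ScopeName, ($rr.RecordData.IPv4Address -join ',')
        } else {
            Write-Warning "$($p.Name): scope '$($c.ScopeName)' has no A record '$Record'"
        }
    }
}

# A declared subnet with no policy falls through to the default scope, like an unknown network.
foreach ($s in $subnets) {
    if ($used -notcontains $s.Name) { Write-Warning "client subnet '$($s.Name)' ($($s.IPv4Subnet)) is used by no policy" }
}

# Clients outside every declared subnet are answered from the default scope only.
$default = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Record -RRType A -ErrorAction SilentlyContinue
if ($default) {
    "default scope answers '$Record' with $($default.RecordData.IPv4Address -join ',')"
} else {
    Write-Warning "default scope has no '$Record' record: clients outside the declared subnets get no answer"
}
```

Run it in an elevated PowerShell on the DNS server; each warning points at a policy, scope or subnet that would make some clients fall through to the default scope or get no answer at all.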

List of available cmdlets: https://docs.microsoft.com/en-us/powershell/module/dnsserver/?view=win10-ps