Updated 2025-02-26. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/02 report.
This section provides additional information about the new and changed features of the Domain Name System (DNS) server in Windows Server 2016, as follows:
DNS policies (new). You can configure DNS policies to specify how the DNS server responds to DNS queries. Responses can be based on the client IP address (location), the time of day, and several other parameters. DNS policies enable location-aware DNS, traffic management, load balancing, split-brain DNS, and other scenarios.
Response rate limiting (RRL) (new). You can enable response rate limiting on the DNS server. Doing so prevents malicious systems from using your DNS server to launch a denial-of-service attack against a DNS client.
DNS-based Authentication of Named Entities (DANE) (new). You can use TLSA (Transport Layer Security Authentication) records to tell DNS clients which CA they should expect certificates for your domain name to come from. This prevents someone from corrupting the DNS cache to point to their own website and presenting a certificate they obtained from a different CA.
Unknown record support (new). You can use the unknown record feature to add records that the Windows DNS server does not explicitly support.
IPv6 root hints (new). You can use the native IPv6 root hints support to perform Internet name resolution using the IPv6 root servers.
Windows PowerShell support (improved). New Windows PowerShell cmdlets are available for the DNS server.
DNS policies
You can use DNS policies for location-based traffic management, intelligent DNS responses based on time of day, managing a single DNS server configured for split-brain deployment, applying filters to DNS queries, and so on. The following items provide more detail on these capabilities.
Application load balancing: when multiple instances of an application are deployed in different locations, DNS policies can be used to balance the traffic load between the application instances, dynamically distributing the application's traffic.
Geolocation-based traffic management: you can use DNS policies to have the primary and secondary DNS servers respond to DNS client queries based on the geographic location of the resource the client is trying to connect to, thereby providing the client with the IP address of the closest resource.
Split-brain DNS: with split-brain DNS, DNS records are split into different zone scopes on the same DNS server, and the DNS client receives a response according to whether it is an internal client or an external client. You can configure split-brain DNS for Active Directory integrated zones or for zones on stand-alone DNS servers.
Filtering: you can configure DNS policies to create query filters based on the criteria you provide. Query filters in a DNS policy let you configure the DNS server to respond in a custom manner based on the DNS query and the DNS client that sent it.
Forensics: you can use DNS policies to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach.
Time-based redirection: you can use a time-based DNS policy to distribute application traffic between different geographically distributed instances of the application.
You can also use DNS policies for Active Directory integrated DNS zones.
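The split-brain and filtering scenarios above can be put together as follows. This is an added example, not part of the original article: the zone name, scope name, addresses, subnet and blocked domain are assumed placeholder values, and Add-DnsServerZoneScope is a DnsServer module cmdlet that the list further down does not mention.

```powershell
# Added example. All names and addresses below are assumed placeholders.
$zone       = 'contoso.com'   # assumed: primary zone already hosted on this server,
                              # with the public "www" record in its default scope
$internalIf = '10.0.0.56'     # assumed: IP of the server's internal-facing interface

# --- Split-brain DNS ---------------------------------------------------------
# 1. Create a zone scope that holds the internal version of the records.
Add-DnsServerZoneScope -ZoneName $zone -Name 'internal'

# 2. Add the internal-only answer for "www" to that scope.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '10.0.0.39' -ZoneScope 'internal'

# 3. Answer queries that arrive on the internal interface from the internal scope.
#    Queries on any other interface fall through to the default (public) scope.
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainZonePolicy' -Action ALLOW -ServerInterfaceIP "eq,$internalIf" -ZoneScope 'internal,1' -ZoneName $zone

# --- Query filtering ---------------------------------------------------------
# 4. Server-level filter: silently drop queries for a blocked domain suffix.
Add-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' -Action IGNORE -FQDN 'EQ,*.blocked.example'

# 5. Server-level filter: drop every query from a quarantined client subnet.
Add-DnsServerClientSubnet -Name 'QuarantinedSubnet' -IPv4Subnet '203.0.113.0/24'
Add-DnsServerQueryResolutionPolicy -Name 'IgnoreQuarantined' -Action IGNORE -ClientSubnet 'EQ,QuarantinedSubnet'

# --- Verification ------------------------------------------------------------
# Zone-level and server-level policies are listed separately.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone
Get-DnsServerQueryResolutionPolicy
```

Policies are evaluated in processing order, so review the output of the two Get calls after each change to confirm that a broad filter does not shadow a more specific rule.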
Response rate limiting
You can configure RRL settings to control how the server responds to requests for a DNS client when it receives many requests targeting the same client. By doing this, you can prevent someone from using your DNS server to send a denial of service (DoS) attack. For example, a botnet can send requests to a DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS server may respond to all the requests and flood the third computer. When using RRL, you can configure the following settings:
Responses per second. This is the maximum number of times the same response is given to a client within one second.
Errors per second. This is the maximum number of times an error response is sent to the same client within one second.
Window. This is the number of seconds for which responses to a client are suspended when too many requests are made.
Leak rate. This is how often the DNS server responds to a query while responses are suspended. For example, if the server suspends responses to a client for 10 seconds and the leak rate is 5, the server still responds to one query for every five queries sent. This allows legitimate clients to get a response even while the DNS server is applying response rate limiting to their subnet or FQDN.
TC rate. This is used to tell the client to try connecting over TCP while responses to it are suspended. For example, if the TC rate is 3 and the server suspends responses to a given client, the server issues a request for a TCP connection for every 3 queries received. Make sure that the TC rate is lower than the leak rate so that the client can connect over TCP before responses are leaked.
Maximum responses. This is the maximum number of responses that the server sends to a client while responses are suspended.
Whitelist domains. This is a list of domains to exclude from the RRL settings.
Whitelist subnets. This is a list of subnets to exclude from the RRL settings.
Whitelist server interfaces. This is a list of DNS server interfaces to exclude from the RRL settings.
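A staged RRL rollout using the settings listed above, as an added example that is not part of the original article. The numeric values, the exception list name and the excluded domain are assumptions chosen for illustration; the parameter names are those of the DnsServer module's RRL cmdlets.

```powershell
# Added example. The values below are assumed for illustration; tune them
# against your own query volume before enforcing.

# 1. Record the current state so the change can be reverted.
Get-DnsServerResponseRateLimiting

# 2. Start in log-only mode: the server evaluates RRL and logs what it would
#    have limited, but still answers every query.
Set-DnsServerResponseRateLimiting -Mode LogOnly -Force

# 3. After reviewing the logged events, enforce the limits.
#    Setting on this page        -> cmdlet parameter
#    Responses per second        -> ResponsesPerSec
#    Errors per second           -> ErrorsPerSec
#    Window                      -> WindowInSec
#    Leak rate                   -> LeakRate
#    TC rate                     -> TruncateRate (kept lower than LeakRate)
#    Maximum responses           -> MaximumResponsesPerWindow
$rrl = @{
    ResponsesPerSec           = 5
    ErrorsPerSec              = 5
    WindowInSec               = 5
    LeakRate                  = 3
    TruncateRate              = 2
    MaximumResponsesPerWindow = 20
    Mode                      = 'Enable'
    Force                     = $true
}
Set-DnsServerResponseRateLimiting @rrl

# 4. Exclude a trusted domain (assumed name) from rate limiting.
Add-DnsServerResponseRateLimitingExceptionlist -Name 'SafeListContoso' -Fqdn 'EQ,*.contoso.com'

# 5. Confirm the resulting configuration and exception lists.
Get-DnsServerResponseRateLimiting
Get-DnsServerResponseRateLimitingExceptionlist
```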
DANE support
You can use DANE support (RFC 6394 and 6698) to specify to DNS clients which CA they should expect certificates to be issued from for domain names hosted in the DNS server. This prevents a form of man-in-the-middle attack in which someone is able to corrupt the DNS cache and point a DNS name to their own IP address.
Unknown record support
An unknown record is an RR whose RDATA format is not known to the DNS server. The new support for unknown record types (RFC 3597) means that you can add unsupported record types to Windows DNS server zones in the binary on-wire format. The Windows caching resolver already has the ability to process unknown record types. The Windows DNS server does not perform any record-specific processing on unknown records, but sends them back in responses when a query is received for them.
IPv6 root hints
The IPv6 root hints published by IANA have been added to the Windows DNS server. Internet name queries can now use the IPv6 root servers for name resolution.
Windows PowerShell support
The following new Windows PowerShell cmdlets and parameters are introduced in Windows Server 2016.
Add-DnsServerRecursionScope. This cmdlet creates a new recursion scope on the DNS server. DNS policies use recursion scopes to specify the list of forwarders to use for a DNS query.
Remove-DnsServerRecursionScope. This cmdlet deletes an existing recursion scope.
Set-DnsServerRecursionScope. This cmdlet changes the settings of an existing recursion scope.
Get-DnsServerRecursionScope. This cmdlet retrieves information about existing recursion scopes.
Add-DnsServerClientSubnet. This cmdlet creates a new DNS client subnet. DNS policies use subnets to identify the location of DNS clients.
Remove-DnsServerClientSubnet. This cmdlet deletes an existing DNS client subnet.
Set-DnsServerClientSubnet. This cmdlet changes the settings of an existing DNS client subnet.
Get-DnsServerClientSubnet. This cmdlet retrieves information about existing DNS client subnets.
Add-DnsServerQueryResolutionPolicy. This cmdlet creates a new DNS query resolution policy. DNS query resolution policies specify how, or whether, a query is answered, based on different criteria.
Remove-DnsServerQueryResolutionPolicy. This cmdlet deletes an existing DNS policy.
Set-DnsServerQueryResolutionPolicy. This cmdlet changes the settings of an existing DNS policy.
Get-DnsServerQueryResolutionPolicy. This cmdlet retrieves information about existing DNS policies.
Enable-DnsServerPolicy. This cmdlet enables an existing DNS policy.
Disable-DnsServerPolicy. This cmdlet disables an existing DNS policy.
Add-DnsServerZoneTransferPolicy. This cmdlet creates a new DNS server zone transfer policy. A DNS zone transfer policy specifies whether a zone transfer is denied or ignored based on different criteria.
Remove-DnsServerZoneTransferPolicy. This cmdlet removes an existing DNS server zone transfer policy.
Set-DnsServerZoneTransferPolicy. This cmdlet changes the settings of an existing DNS server zone transfer policy.
Get-DnsServerResponseRateLimiting. This cmdlet retrieves RRL settings.
Set-DnsServerResponseRateLimiting. This cmdlet changes the RRL settings.
Add-DnsServerResponseRateLimitingExceptionlist. This cmdlet creates an RRL exception list on the DNS server.
Get-DnsServerResponseRateLimitingExceptionlist. This cmdlet retrieves the RRL exception lists.
Remove-DnsServerResponseRateLimitingExceptionlist. This cmdlet removes an existing RRL exception list.
Set-DnsServerResponseRateLimitingExceptionlist. This cmdlet changes an RRL exception list.
Add-DnsServerResourceRecord. This cmdlet has been updated to support unknown record types.
Get-DnsServerResourceRecord. This cmdlet has been updated to support unknown record types.
Remove-DnsServerResourceRecord. This cmdlet has been updated to support unknown record types.
Set-DnsServerResourceRecord. This cmdlet has been updated to support unknown record types.