[DNSfirewalls] something new in dns firewalls: microsoft dns policy filtering

Robert Edmonds edmonds at mycre.ws
Wed May 20 01:15:05 UTC 2015

Paul Vixie wrote:
> http://blogs.technet.com/b/networking/archive/2015/05/18/applying-filters-on-dns-queries-using-windows-dns-server-policies.aspx

Interestingly, they allow dropping queries based on the qtype:

    Allow only certain QTypes

    The white lists can also be applied to QTYPEs. Take a scenario where
    for external customers coming on server interface only
    certain QTYPEs are allowed to be queried, while there are other
    QTYPEs like SRV or TXT records which are used by internal servers
    for name resolution or for monitoring purposes

        Add-DnsServerQueryResolutionPolicy -Name "WhiteListQType"
        -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" –ServerInterface
        “EQ,” -PassThru

which I thought was considered a very bad thing to do, e.g.:

    note that there may be other ways to achieve the "kaminsky effect"
    that do not involve misdirection. [...] or if an ADNS
    deterministically never answers some kinds of questions (like
    undefined qtypes) [...]


Robert Edmonds

More information about the DNSfirewalls mailing list