3.1.8.2 DNS Policy Criteria

A DNS Policy Criteria contains properties that are matched against a DNS operation; the appropriate action is then applied to the DNS operation based on the result of the match. A criteria is expressed as a NULL-terminated Unicode string as described in DNS_RPC_CRITERIA (section 2.2.15.2.4).

The Unicode string identifiers EQ and NE stand for Equals and Not Equals respectively. A pCriteria Unicode string can contain EQ or NE identifiers with values, or both can be present in a single criterion. For example, pCriteria = "EQ,a,b,c" indicates that the DNS policy matches the criteria type for a value of a, b, or c. Similarly, pCriteria = "NE,a,b,c" indicates that the DNS policy matches the criteria type for a value that is not equal to any of a, b, or c.

The following table describes the DNS Policy Criteria. Each entry gives the Policy Criteria name followed by its Definition:

Fully Qualified Domain Name

Specifies that the criteria for a match of a DNS Policy in a DNS operation, as described in DNS_RPC_CRITERIA (section 2.2.15.2.4), is based on the query name in the question ([RFC1034] section 3.7) of a DNS query. For example, a DNS_RPC_POLICY (section 2.2.15.2.5) with type=DnsPolicyCriteriaFqdn and pCriteria = "EQ,a.contoso.com" will match a Query with QName = "a.contoso.com". The criteria also supports wildcards. For example, the criteria "EQ,*.contoso.com" means the DNS policy will match a query with any QName in contoso.com, including the QName contoso.com itself. If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN (9994).

Client Subnet Record

Contains the IPv4 and IPv6 subnets that are matched against the address of the source device from which the DNS operation message is initiated. For example, if an administrator creates a client subnet record "southasia" containing the subnet 201.37.23.0/24, as explained in Client Subnet Record (section 3.1.8.1), and a DNS Operation originates from a source address within 201.37.23.0/24, then this is a match for the DNS Policy. If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET (9990).

Server Interface

Contains the IPv4 or IPv6 interface address on the DNS server. A DNS Operation message can be matched on the basis of the interface on which the message is received. This criteria is identified as described in DNS_RPC_CRITERIA_ENUM (section 2.2.15.1.1.6). For example, if the DNS server has interfaces with addresses 10.172.1.1 and 192.168.1.1 and there is a DNS Policy with criteria type=DnsPolicyCriteriaInterface and pCriteria= "EQ,10.172.1.1" then a DNS query of a DNS operation that is received on the interface with address "192.168.1.1" will not be a match for the DNS policy. If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE (9993).

Question Type

Contains the QType of an incoming message in a DNS operation. For example, if the criteria is "EQ,AAAA,CNAME" then the DNS policy is a match if the incoming query of the DNS Operation has a QTYPE, as defined in [RFC1035] section 3.2.3, of AAAA or CNAME. If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE (9995).

Network Protocol

Specifies that the criteria for a match of a DNS Policy is based on the Internet Protocol used (IPv4 or IPv6) to send a DNS Query to the DNS server during a DNS Operation. For example, if there is a criteria with type=DnsPolicyCriteriaNetworkProtocol and pCriteria="EQ,IPv4" and the DNS server receives a query for a DNS operation on its IPv4 address, then the DNS policy corresponding to this criteria is a match. Possible values that can be used in this criteria are "IPv4" and "IPv6". If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL (9992).

Transport Protocol

Specifies that the criteria for match of a DNS Policy is based on the Transport Layer Protocol (TCP or UDP) used to send a DNS Query to the DNS server during a DNS operation. For example, if there is a criteria with type=DnsPolicyCriteriaTransportProtocol and pCriteria="EQ,TCP" and the DNS server receives a query for a DNS operation using transport protocol TCP then the DNS policy corresponding to this criteria is a match. Possible values that can be used in this criteria are "TCP" and "UDP". If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL (9991).

Time of Day

Specifies that the criteria for a match of a DNS Policy is based on the time of day, in minutes, at which the DNS server receives a DNS query during a DNS operation. For example, if there is a criteria with type=DnsPolicyCriteriaTimeOfDay and pCriteria="EQ,16:00-18:00", the DNS policy action is "DNSPolicyIgnore", and the DNS server receives a query for a DNS operation at a time between 16:00 and 18:00 in the local time of the DNS server, then the DNS policy corresponding to this criteria is a match and, because the action is DNSPolicyIgnore, the query is dropped. This can be used, for example, to shed load from the DNS server for a short period. Possible values that can be used in this criteria include any time span within the 24 hours of a day. If the criteria is invalid, the DNS server returns DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY (9996).
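As an added example, not part of the MS-DNSP specification or of the Windows DNS Server implementation, the following Python models the pCriteria string format introduced above and the match rules of every row in the table: EQ/NE parsing, FQDN matching with the "*.contoso.com" wildcard (which also matches "contoso.com"), client subnet record lookup, server interface, QTYPE, network protocol, transport protocol and time of day, with invalid criteria reported as a ValueError in place of the DNS_ERROR_POLICY_INVALID_CRITERIA_* codes. The Operation class, the constructed SUBNET_RECORDS table, the criteria-type names passed as the kind argument, the rule that EQ values are alternatives while NE values are exclusions and that both must hold when combined, and the inclusive time span are all assumptions of this example, not statements of the specification.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the Client Subnet Records of section 3.1.8.1;
# a real server would look these up by record name.
SUBNET_RECORDS = {"southasia": ["201.37.23.0/24", "2001:db8:5a::/48"]}


@dataclass
class Operation:
    """Assumed model of the parts of an incoming DNS operation that criteria inspect."""
    qname: str          # question name
    qtype: str          # question type, e.g. "A", "AAAA"
    client_ip: str      # source address of the message
    interface_ip: str   # server interface the message arrived on
    transport: str      # "TCP" or "UDP"
    minute_of_day: int  # local server time, minutes since midnight


def parse_criteria(pcriteria):
    """Split a pCriteria string such as "EQ,a,b,NE,c" into (eq_values, ne_values).
    Malformed strings raise ValueError, standing in for the
    DNS_ERROR_POLICY_INVALID_CRITERIA_* return codes."""
    eq, ne = [], []
    bucket = None
    for token in (t.strip() for t in pcriteria.split(",")):
        if token.upper() in ("EQ", "NE"):
            bucket = eq if token.upper() == "EQ" else ne
        elif not token:
            continue                      # tolerate an empty token (e.g. a trailing comma)
        elif bucket is None:
            raise ValueError("value appears before an EQ or NE identifier")
        else:
            bucket.append(token)
    if not eq and not ne:
        raise ValueError("criteria contains no values")
    return eq, ne


def _parse_time(hhmm):
    """Convert "HH:MM" to minutes since midnight, rejecting out-of-range values."""
    hours, minutes = hhmm.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 24 and 0 <= m <= 59) or (h == 24 and m != 0):
        raise ValueError("bad time of day: " + hhmm)
    return h * 60 + m


def _value_matches(kind, value, op):
    """Does one criteria value match the operation? Also validates the value."""
    if kind == "fqdn":
        name = op.qname.lower().rstrip(".")
        pattern = value.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[2:]          # "*.contoso.com" also matches "contoso.com"
            return name == suffix or name.endswith("." + suffix)
        return name == pattern
    if kind == "subnet":
        if value not in SUBNET_RECORDS:
            raise ValueError("unknown client subnet record: " + value)
        addr = ipaddress.ip_address(op.client_ip)
        return any(addr in ipaddress.ip_network(n) for n in SUBNET_RECORDS[value])
    if kind == "interface":
        return ipaddress.ip_address(value) == ipaddress.ip_address(op.interface_ip)
    if kind == "qtype":
        return value.upper() == op.qtype.upper()
    if kind == "network_protocol":
        if value.upper() not in ("IPV4", "IPV6"):
            raise ValueError("network protocol must be IPv4 or IPv6")
        return int(value[-1]) == ipaddress.ip_address(op.client_ip).version
    if kind == "transport_protocol":
        if value.upper() not in ("TCP", "UDP"):
            raise ValueError("transport protocol must be TCP or UDP")
        return value.upper() == op.transport.upper()
    if kind == "time_of_day":
        start, end = (_parse_time(t) for t in value.split("-"))
        if start > end:
            raise ValueError("time span must not be reversed: " + value)
        return start <= op.minute_of_day <= end   # assumed inclusive at both ends
    raise ValueError("unknown criteria type: " + kind)


def criteria_matches(kind, pcriteria, op):
    """True if at least one EQ value matches (when any are given) and no NE value matches."""
    eq, ne = parse_criteria(pcriteria)
    eq_ok = not eq or any(_value_matches(kind, v, op) for v in eq)
    ne_ok = not any(_value_matches(kind, v, op) for v in ne)
    return eq_ok and ne_ok


def criteria_is_valid(kind, pcriteria, op):
    """Report whether evaluating the criteria succeeds without a validation error."""
    try:
        criteria_matches(kind, pcriteria, op)
        return True
    except ValueError:
        return False
```

The validation errors are raised at evaluation time here so that the example stays short; a server implementing this section would validate pCriteria when the policy is created and return the listed error code before the policy is ever consulted.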