Configuring DNS Filtering
At some point you may need to block or filter out a domain that has been proven to be malicious (for example, one that distributes a virus), or a domain that doesn't meet the security requirements of your organization.

Policy Rules

• Most policies can be set at the server level or the zone level. If you need more control at the zone level, you can modify the Add-DnsServerQueryResolutionPolicy command by adding the -ZoneName parameter to identify the DNS zone this policy applies to. The example in this lecture is applied at the server level.

Identifying the Malicious Domain

  • Here's an example: we have identified the domain virus.com as a malicious domain.
  • Use this PowerShell command:
  • Add-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' -Action Ignore -FQDN "EQ,*.virus.com"

Now let's break this command down so you'll understand what's happening.

Understanding the Command

The Add-DnsServerQueryResolutionPolicy cmdlet determines how the DNS server handles queries that match the criteria you specify in the policy. Here are the parameters we'll use with the command. Parameters are always preceded by a hyphen (-).

  • -Name – gives the policy a name (BlockListPolicy).
  • -Action – gives the action to take on matching queries; in this case the action is Ignore, so the server drops any query for the virus.com domain or its sub-domains.
  • -FQDN – designates the fully qualified domain name criterion for the policy.
  • EQ – means "equal to"; in this case equal to virus.com, and the *. prefix designates all subdomains of virus.com.
  • After you have run this command, DNS clients will no longer be able to resolve names in the virus.com domain and its subdomains.
  • If you have any clients that have already been accessing the virus.com domain, you will have to reboot their computer or run the ipconfig /flushdns command to clear the client's resolver cache.

If you want to verify your policy information you can type the command:

Get-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' | Format-List *

I'll explain this command once we get into PowerShell.

Let’s go ahead and see what these commands look like in PowerShell.

And there is our command to create the blocklist policy:

Add-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' -Action Ignore -FQDN "EQ,*.virus.com"

Press return

  • Now let's go ahead and get some information on our blocklist policy.
  • Here is the command:

Get-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' | Format-List *

There is the pipe operator.

  • So, what's a pipe operator?
  • In PowerShell the | symbol is called the pipe operator. It takes the output of the command on its left (here, the policy object named BlockListPolicy returned by Get-DnsServerQueryResolutionPolicy) and passes it to the command on its right (Format-List *), which displays every property of that object in list form.
  • BTW – the pipe operator symbol is located on most keyboards right above the Enter key.

OK, let's take a look at our list:

  • Action – Ignore – all queries for virus.com or its sub-domains are dropped.
  • AppliesOn – the queries we have already defined (the ones matching the policy criteria).
  • IsEnabled – is set to True.
  • Level – Server level, as opposed to zone level.
  • Name – BlockListPolicy.

  • Let's go ahead and remove the policy we just created.

Remove-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy'

PowerShell asks you to confirm that it is removing the server-level policy. Click Yes.

Let's go back and see what information is left after we removed the policy.

Type the command:

Get-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' | Format-List *

Error – Failed to get policy. The policy does not exist.

  • So that command was successful: the policy is gone.

One of the challenges you may encounter is blocking a malicious zone, or a zone that does not meet the security standards of your organization. You can use DNS query resolution policies as filters to block these zones.
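As an added worked example (not part of this lecture or the Server Academy course materials), here is a script that turns the three commands above (create, verify, remove) into reusable functions and handles a list of domains instead of a single one. It assumes the DnsServer module on Windows Server 2016 or later, that it runs on the DNS server as an administrator, and that Resolve-DnsName (DnsClient module) is available for the check; the domain names and the BlockList- naming scheme are constructed for the example.

```powershell
#Requires -Modules DnsServer
# Added example, not the lecture's own script. Assumes the DnsServer module
# (Windows Server 2016 or later) and that it runs on the DNS server itself as
# an administrator. The domain names below are constructed samples.

# Constructed sample blocklist; in practice this comes from your vetted sources.
$BlockedDomains = @('virus.com', 'bad-example.test')

function Get-BlockListPolicyName {
    # Derive a unique, valid policy name from a domain, e.g. "BlockList-virus-com".
    param([Parameter(Mandatory)][string]$Domain)
    return 'BlockList-' + ($Domain -replace '[^A-Za-z0-9]', '-')
}

function Add-BlockListPolicy {
    # Create one server-level Ignore policy per domain (add -ZoneName to scope it to a zone).
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        $name = Get-BlockListPolicyName -Domain $d
        if (Get-DnsServerQueryResolutionPolicy -Name $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Policy '$name' already exists; skipping."
            continue
        }
        # 'Ignore' silently drops matching queries, as in the lecture; 'Deny' would
        # return an error to the client immediately instead of letting it time out.
        Add-DnsServerQueryResolutionPolicy -Name $name -Action Ignore -FQDN "EQ,*.$d" -PassThru
    }
}

function Get-BlockListPolicy {
    # List only the policies this script manages, with the properties shown in the lecture.
    Get-DnsServerQueryResolutionPolicy |
        Where-Object Name -like 'BlockList-*' |
        Select-Object Name, Action, IsEnabled, Level, AppliesOn
}

function Test-NameBlocked {
    # Returns $true when the server gives no answer for the name (query ignored or failed).
    # -QuickTimeout keeps the check short, because an Ignore policy never replies.
    param([Parameter(Mandatory)][string]$Name, [string]$Server = 'localhost')
    $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -QuickTimeout `
        -ErrorAction SilentlyContinue
    return ($null -eq $answer)
}

function Remove-BlockListPolicy {
    # Remove every BlockList-* policy without the interactive confirmation prompt.
    Get-DnsServerQueryResolutionPolicy |
        Where-Object Name -like 'BlockList-*' |
        ForEach-Object { Remove-DnsServerQueryResolutionPolicy -Name $_.Name -Confirm:$false }
}

# Usage (run as an administrator on the DNS server):
Add-BlockListPolicy -Domain $BlockedDomains -Verbose
Get-BlockListPolicy | Format-Table -AutoSize
Test-NameBlocked -Name 'www.virus.com'      # True once the policy is in place
# Clients that already cached answers must flush them: Clear-DnsClientCache
# (the cmdlet equivalent of ipconfig /flushdns).
# Remove-BlockListPolicy                    # uncomment to undo, as the lecture does at the end
```

Creating one policy per domain (rather than one policy with a long criteria list) keeps each entry individually listable and removable, and Add-BlockListPolicy skips names that already exist so the script can be re-run safely as the list changes.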


dustenm(@dustenm)
Member
2 years ago

There is a glitch at end of video with nearly a minute of no sound or visuals before sound cuts back in.

Ricardo P(@ricardop)
Admin
Reply to dustenm
2 years ago

Hi Dusten Maxwell

Thanks for reporting the issue. We will review with Paul Hill.

Ricardo

mf(@mf)
Member
9 months ago

Question on this DNS filtering. I understand you can manually configure a blocklist for some maybe well known bad domains, however for efficiency would it be more economical to instead point a DNS forwarder to a service who already provides such a feature like Quad9 or OpenDNS?

Ricardo P(@ricardop)
Admin
Reply to mf
9 months ago

Hi M F

Right, that can be an option, since those services are great for filtering malicious domains and their lists are constantly updated.

I remember back in the old days entering those malicious hosts on the server local hosts file pointing them to localhost 127.0.0.1, 😅

Ricardo