I'm currently managing our internal DNS server and have successfully blocked the .CN top-level domain (TLD) using DNS filtering. I used a command like "Add-DnsServerQueryResolutionPolicy -Name 'Block_CN_TLD' -Action DENY -Fqdn 'EQ,*.cn' -PassThru" which works well. However, we've encountered a situation where we need to allow exceptions for CRL/OCSP requests to Digicert domains (like OCSP.DIGICERT.CN). I'm curious if anyone has experience with blocking a complete TLD while still allowing access to specific fully qualified domain names (FQDNs), whether through filter policies or alternative methods.
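As an added example (not part of the original question or any answer), here is how the exception can be carved out with the same query resolution policies already in use: policies are evaluated in `ProcessingOrder` and the first match wins, so an exact-name ALLOW policy sorted before the wildcard DENY exempts only the revocation hosts while the rest of the TLD stays blocked. It assumes the `Block_CN_TLD` policy from the question already exists and that it runs on the DNS server itself; the policy name `Allow_Digicert_CN_Revocation` and the test hostname are constructed.

```powershell
# Added example: exempt exact FQDNs from a TLD-wide DENY policy on
# Windows DNS Server. First matching policy in ProcessingOrder wins, so the
# ALLOW policy must sort before the wildcard DENY created in the question.
# Assumptions: run as a DNS admin on the server; 'Block_CN_TLD' exists.

$ComputerName = 'localhost'   # assumption: the local DNS server
# Exact names the PKI stack needs for revocation checks (no wildcards, so
# the exception cannot quietly reopen the whole TLD).
$Exceptions = @('ocsp.digicert.cn', 'crl.digicert.cn')

# 1. Allow the exceptions first. The -Fqdn criterion is an operator
#    followed by one or more comma-separated values.
Add-DnsServerQueryResolutionPolicy -ComputerName $ComputerName `
    -Name 'Allow_Digicert_CN_Revocation' `
    -Action ALLOW `
    -Fqdn ('EQ,' + ($Exceptions -join ',')) `
    -ProcessingOrder 1 -PassThru

# 2. Push the existing TLD block behind the allow-list.
Set-DnsServerQueryResolutionPolicy -ComputerName $ComputerName `
    -Name 'Block_CN_TLD' -ProcessingOrder 2 -PassThru

# 3. Verify the order: the ALLOW must be listed before the DENY.
Get-DnsServerQueryResolutionPolicy -ComputerName $ComputerName |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Action, IsEnabled -AutoSize

# 4. Check behaviour: exceptions resolve (the server still needs working
#    recursion or forwarding for them), any other .cn name is refused.
#    'www.example.cn' is a constructed test name, not a known host.
foreach ($name in $Exceptions + 'www.example.cn') {
    try {
        $r = Resolve-DnsName -Name $name -Server $ComputerName -Type A -ErrorAction Stop
        "ALLOWED  $name -> $($r.IPAddress -join ', ')"
    } catch {
        "BLOCKED  $name ($($_.Exception.Message))"
    }
}
```

If the DENY policy was created without an explicit order it already sits last, but re-setting it keeps the ordering explicit when further policies are added later.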
3 Answers
I've handled something similar with dnsdist. I configured specific spoof records for the TLD denial, with the DNS Admin domain set as a bypass pool. This way, dnsdist managed the DNS queries efficiently, though it might not be directly applicable with standard Microsoft tools.
Blocking TLDs like that is tricky; it might be easier to handle this at the firewall level. Have you considered using a Geo-IP filter instead?
Yeah, managing it from the firewall is usually much simpler. We switched to that and it helped a lot!
One method I've used is to create a blank zone for the TLD and then set up conditional forwarding for any specific subdomains you need.
That sounds reasonable! I was under the impression that using filtering policies was the way Microsoft recommended, but this seems like it might simplify things.

Definitely! Blocking at the firewall saves a lot of hassle with logs and stats management.