DNS Zone Scopes

April 11, 2025 · Ryan

Microsoft DNS servers have a pretty cool feature called DNS zone scopes, which was introduced with Server 2016 and higher. I knew about this feature a while ago as I had to make it work with a project, and it worked wonderfully back in 2018. Recently it came up again on a different project that I'm working on, and although it was a different use case it also worked like it should. So here's to zone scopes!

Sometimes a requirement comes up to hand a client a different IP address for the same name, depending on where that client is asking from. That client sits in a different subnet (or subnets) from the rest of your internal network. You can even hide a DNS namespace from particular subnets, with policies keyed on the client subnet or on the network interface the query arrives on at the DNS server.

Configuring and maintaining DNS zone scopes is all done within PowerShell. If you loaded up the classic DNS MMC you wouldn't know from looking at it that any zone scopes were configured. This is a pro and a con at the same time. You can definitely script it out, but someone who isn't aware of the configured zone scopes might be a little lost as to why something is resolving differently than it does for the rest of the organization.

Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers

The link above is a good reference point from Microsoft. I'm going to give a quick example of how it works, but for anything more about how to use DNS zone scopes, go right to the source!

Alright, so we have a DNS server, two different networks, and two clients, one in each network, both pointing to our DNS server. I already have DNS set up for acme.com with a hostname of website.acme.com. The goal is to provide a different IP address based on the subnet the client is in. So let's get started.

  flowchart LR
    A["PC1"] <--> C(("R1"))
    B["PC2"] <--> C
    D["DNS Server"] <--> C

This is a simple diagram: PC1 is in the 192.168.1.0/24 subnet and PC2 is in the 192.168.2.0/24 subnet. The DNS server is in the 192.168.0.0/24 subnet with an IP address of 192.168.0.10.

  • We want PC1 to use the default DNS record for website.acme.com, which resolves to 192.168.5.10. This is already set up: both PC1 and PC2 currently resolve website.acme.com to 192.168.5.10.
  • We want PC2 to use a DNS zone scope for the zone acme.com and resolve website.acme.com to 192.168.10.5.

Let's set up the zone scope on the DNS server. Within PowerShell we would type the following to create a zone scope and a client subnet that matches PC2's network.

Add-DnsServerZoneScope -ZoneName "acme.com" -Name "acmeZoneScope"
Add-DnsServerClientSubnet -Name "PC2Subnet" -IPv4Subnet "192.168.2.0/24"

We then want to create an A record for website.acme.com for the acmeZoneScope that we just created.

Add-DnsServerResourceRecord -ZoneName "acme.com" -A -Name "website" -IPv4Address "192.168.10.5" -ZoneScope "acmeZoneScope"

If we checked from PC2 now and tried to resolve the name, we would still see website.acme.com resolve to what is in the default zone for acme.com, which is 192.168.5.10. The scoped record is not used until a policy selects it. We have to create a policy on our DNS server that tells it to answer anything from the PC2 subnet with the records in the zone scope (acmeZoneScope) for acme.com, by configuring the following DNS policy.

Add-DnsServerQueryResolutionPolicy -Name "acmepolicy" -Action ALLOW -ClientSubnet "eq,PC2Subnet" -ZoneScope "acmeZoneScope" -ZoneName "acme.com"

If we now go to PC2 and resolve website.acme.com with a forward lookup, such as ping, we can see that the name now resolves to 192.168.10.5 instead of 192.168.5.10, while PC1 still resolves website.acme.com to 192.168.5.10. Magic! 🪄

#PC2
C:\Users\Ryan>ping website.acme.com

Pinging website.acme.com [192.168.10.5] with 32 bytes of data:
Request timed out.
Request timed out.

#PC1
C:\Users\Ryan>ping website.acme.com

Pinging website.acme.com [192.168.5.10] with 32 bytes of data:
Request timed out.
Request timed out.
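Pulling the four commands above into one script, here is an added example of my own (not from the original post) that runs the whole procedure idempotently, so re-running it on a server that already has the scope, subnet, record or policy does not error out, and then checks the result. It assumes the DnsServer PowerShell module is available on the DNS server, the same names and addresses used in the post (acme.com, acmeZoneScope, PC2Subnet, 192.168.2.0/24, 192.168.10.5, server 192.168.0.10), and that the final Resolve-DnsName is run from each client rather than on the server itself.

```powershell
#Requires -Modules DnsServer
# Added example: idempotent zone-scope setup plus verification.
# Values below mirror the post; change them for your environment.
$ZoneName   = "acme.com"
$ScopeName  = "acmeZoneScope"
$SubnetName = "PC2Subnet"
$Subnet     = "192.168.2.0/24"
$Record     = "website"
$ScopedIP   = "192.168.10.5"
$PolicyName = "acmepolicy"
$DnsServer  = "192.168.0.10"

# 1. Zone scope. Get-DnsServerZoneScope also lists the default scope (named after
#    the zone), so filter on the scope name rather than on "any output".
$haveScope = Get-DnsServerZoneScope -ZoneName $ZoneName -ErrorAction SilentlyContinue |
             Where-Object ZoneScope -eq $ScopeName
if (-not $haveScope) {
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName
}

# 2. Client subnet that identifies PC2's network.
if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $Subnet
}

# 3. The A record that only lives in the scope. A short TTL keeps clients from
#    holding a stale answer for long if the policy is later changed.
$haveRecord = Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName `
                  -Name $Record -RRType A -ErrorAction SilentlyContinue
if (-not $haveRecord) {
    Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -A `
        -Name $Record -IPv4Address $ScopedIP -TimeToLive (New-TimeSpan -Minutes 5)
}

# 4. Zone-level policy: queries from PC2Subnet are answered from acmeZoneScope.
#    "scope,weight" is the documented form; weight 1 is the default the post relies on.
$havePolicy = Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -Name $PolicyName `
                  -ErrorAction SilentlyContinue
if (-not $havePolicy) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW `
        -ClientSubnet "eq,$SubnetName" -ZoneScope "$ScopeName,1" -ZoneName $ZoneName
}

# 5. Show what the server will do for this zone: which policies exist, in what
#    order, and whether they are enabled.
Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName |
    Format-List Name, Action, ProcessingOrder, IsEnabled, Criteria

# 6. Run this part from PC1 and from PC2. -DnsOnly skips LLMNR/NetBIOS and
#    Clear-DnsClientCache drops an answer cached before the policy existed.
Clear-DnsClientCache
Resolve-DnsName -Name "$Record.$ZoneName" -Server $DnsServer -Type A -DnsOnly |
    Select-Object Name, IPAddress
```

The policy only matches on the source address the DNS server sees, so if PC2's queries reach the server through a forwarder, proxy, or NAT that rewrites the source, the client subnet check will not match and PC2 will keep getting the default answer. The Resolve-DnsName step from each client is the quickest way to confirm which subnet the server is actually seeing.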

You can also list the DNS records within a zone scope. For this example, the following command gives us the records for the zone acme.com under acmeZoneScope.

Get-DnsServerResourceRecord -ZoneName "acme.com" -ZoneScope "acmeZoneScope"

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
@                         NS         2          0                    01:00:00        win-gonsfk100a6.
@                         SOA        6          0                    01:00:00        [2][win-gonsfk100a6.][hostmaster.]
website                   A          1          0                    01:00:00        192.168.10.5
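Because the DNS console shows none of this, a periodic inventory is the practical answer to the "someone who isn't aware of the zone scopes" problem from earlier in the post. The following is an added example of my own (not from the post or from Microsoft) that enumerates every client subnet, every record served from a non-default zone scope alongside the value the default scope returns for the same name, and every server-level and zone-level query resolution policy. It assumes the DnsServer module on the DNS server and the property names the module returns on Server 2016 and later (ZoneScope, IPV4Subnet, RecordData.IPv4Address, Criteria, Content); the helper names Get-RecordValue, Get-ScopedRecordReport and Get-PolicyReport are mine.

```powershell
#Requires -Modules DnsServer
# Added example: inventory the configuration the classic DNS MMC does not show.
# Run on the DNS server, or add -ComputerName <server> to each Get-DnsServer* call.

function Get-RecordValue {
    # Flatten RecordData of the common record types into a single string.
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'AAAA'  { $Record.RecordData.IPv6Address.IPAddressToString }
        'CNAME' { $Record.RecordData.HostNameAlias }
        default { "$($Record.RecordData)" }
    }
}

function Get-ScopedRecordReport {
    # One row per A/AAAA/CNAME record that lives in a non-default zone scope,
    # next to whatever the default scope answers for the same name.
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
    foreach ($zone in $zones) {
        # Every zone has a default scope carrying the zone's own name; skip it.
        $scopes = Get-DnsServerZoneScope -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue |
                  Where-Object ZoneScope -ne $zone.ZoneName
        foreach ($scope in $scopes) {
            $records = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ZoneScope $scope.ZoneScope |
                       Where-Object RecordType -in 'A', 'AAAA', 'CNAME'
            foreach ($rr in $records) {
                $default = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -Name $rr.HostName `
                               -RRType $rr.RecordType -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Zone         = $zone.ZoneName
                    Scope        = $scope.ZoneScope
                    Host         = $rr.HostName
                    Type         = $rr.RecordType
                    ScopedValue  = Get-RecordValue $rr
                    DefaultValue = if ($default) {
                                       ($default | ForEach-Object { Get-RecordValue $_ }) -join ','
                                   } else { '(none)' }
                }
            }
        }
    }
}

function Get-PolicyReport {
    # Server-level policies (no -ZoneName) plus zone-level policies for each zone.
    # The array subexpression collects only what the cmdlets actually emit.
    $policies = @(
        Get-DnsServerQueryResolutionPolicy -ErrorAction SilentlyContinue
        foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
            Get-DnsServerQueryResolutionPolicy -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue
        }
    )
    $policies | Select-Object Name, Level, ProcessingOrder, IsEnabled, Action, Condition,
        @{ n = 'Criteria'; e = { ($_.Criteria | ForEach-Object { "$($_.CriteriaType)=$($_.Criteria)" }) -join '; ' } },
        @{ n = 'Content';  e = { ($_.Content  | ForEach-Object { "$($_.ScopeName)(w$($_.Weight))" }) -join '; ' } }
}

"== Client subnets =="
Get-DnsServerClientSubnet | Format-Table Name, IPV4Subnet, IPV6Subnet -AutoSize

"== Records served from non-default zone scopes =="
Get-ScopedRecordReport | Format-Table -AutoSize

"== Query resolution policies (DENY/IGNORE rows hide names from matching clients) =="
Get-PolicyReport | Format-Table -AutoSize
```

Keeping the output of this script under version control gives you a diff whenever a scope, subnet or policy appears that nobody remembers creating, which is exactly the case the console would otherwise hide from you.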

That's my simple setup with zone scopes. You can do a lot more with this: for example, it can be scripted, the TTL can be changed, and so on. So if you have a Microsoft environment and for whatever reason you need to present a different IP address than what is in the default DNS zone, remember that zone scopes are available.

Tip

If you have feedback on this post, posting in the blog discussions I have set up within GitHub works. Blog Discussions