The visual operations console for Windows DNS policies. Build geo-location routing, split-brain DNS, load balancing, and blocklists through guided wizards — or manage every setting through a modern, type-safe interface.
Windows Server DNS policies enable geo-location routing, split-brain resolution, query filtering, load balancing, and more. But they're configured entirely through PowerShell — with complex parameter combinations, strict processing order dependencies, and zero visual feedback.
DNS Policy Manager gives you a visual operations console that wraps 98 DnsServer cmdlets with a modern, type-safe interface. Build policies through guided wizards, manage zone records, configure server settings, run best practices analysis — all without touching the command line.
Two-panel layout with zone list, settings editor, and full record CRUD. Type-sensitive forms for A, AAAA, CNAME, MX, SRV, TXT, NS, PTR. CSV import and export with pagination. (50+ record types)
13 inline-editable config panels: forwarders, recursion, cache, RRL, scavenging, diagnostics, statistics, root hints, EDNS, AD settings, global name zone, and DoH/DoT. (inline editing)
8 step-by-step wizards aligned to Microsoft DNS Policy docs. Typed execution with per-step progress, structured errors, and automatic credential handling. (typed execution)
Create, list, toggle, delete, and reorder policies. Processing order editor with visual diff. Cross-server copy for query resolution and zone transfer policies. (drag reorder)
Zone signing status overview, KSK/ZSK key management, trust anchors and trust points. Sign, unsign, and export public keys. Supports RSA and ECDSA algorithms. (key management)
Run the Windows BPA model for DNS Server from the UI. Severity-coded findings with expandable problem descriptions, impact analysis, and resolution steps. (one-click audit)
Manage multiple DNS servers with three credential modes: Kerberos/NTLM, DPAPI-encrypted saved credentials, and session-based auth. Test all servers at once. (3 auth modes)
Quick Block for single domains, Bulk Import from .txt files, Active Block Policies table with enable/disable, and Global Query Block List management — all from one tab. (bulk import)
View IP stack DNS per adapter (IPv4 and IPv6), configure forwarders, and visualize the resolver topology with a Mermaid diagram using color-coded edges. (topology diagram)
Export policies as JSON, restore from backups, export full server configuration (Get-DnsServer as JSON), and export DNS zones (single or all primary). AD-integrated backup guidance included. (json + zone export)
Live nslookup and dig queries from a slide-over panel on any tab. Full dig options (+trace, +dnssec, +short, +all, +multiline), custom nameserver targeting, and console-style output with session history. (nslookup & dig)
Every operation generates the PowerShell command. Copy individual commands or the full history. Works offline as a pure command generator — no bridge needed. (offline mode)
31 read-only tools expose zones, records, policies, server config, DNSSEC, and more to AI agents via the Model Context Protocol. Works with Claude Code, Cursor, and VS Code. Includes offline PowerShell command generation. (stdio transport)
Each wizard generates the complete set of PowerShell commands — subnets, zone scopes, resource records, and policies — in the correct dependency order.
Route queries by client subnet to region-specific IPs
Different answers for internal vs. external clients
Weighted distribution with peak-hour cloud offload
Distribute queries across backends with weighted scopes
Block or drop queries for malicious domains
Block or allow by FQDN, subnet, QType, or interface
Per-region weighted datacenter distribution
Replicate geo setup to secondary DNS servers
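The dependency order named above, worked through for the geo-location case. This is an added example, not output captured from the tool's wizard; the zone name, scope and policy names, subnets and addresses are constructed sample values.

```powershell
# Added example: geo-location routing built in dependency order.
# All names and addresses below are constructed sample values.
$zone = 'example.test'
$regions = @(
    @{ Name = 'EU'; Subnet = '192.0.2.0/24';    WebIp = '203.0.113.10' }
    @{ Name = 'US'; Subnet = '198.51.100.0/24'; WebIp = '203.0.113.20' }
)

foreach ($r in $regions) {
    $subnetName = "$($r.Name)Subnet"
    $scopeName  = "$($r.Name)Scope"

    # 1. Client subnet: the policy criterion refers to it by name.
    Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet $r.Subnet

    # 2. Zone scope: must exist before a record can be placed in it.
    Add-DnsServerZoneScope -ZoneName $zone -Name $scopeName

    # 3. Resource record stored in the region's scope, not the default scope.
    Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' `
        -IPv4Address $r.WebIp -ZoneScope $scopeName

    # 4. Policy last: it references both the subnet and the scope,
    #    so creating it earlier fails on the missing objects.
    Add-DnsServerQueryResolutionPolicy -Name "$($r.Name)Policy" -Action ALLOW `
        -ClientSubnet "eq,$subnetName" -ZoneScope "$scopeName,1" -ZoneName $zone
}

# Review what was created and the order in which policies are evaluated.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Action, IsEnabled
```

Clients outside both subnets match no policy and are answered from the zone's default scope, so the default scope still needs its own `www` record.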
The bridge binds to 127.0.0.1 only — never exposed to the network.
Concurrent request handling via runspace pool with CIM sessions for remote servers.
All cmdlet calls use splatted parameters to prevent command injection.
Credentials are stored via Windows DPAPI encryption — no plaintext, no cloud.
The MCP server connects AI agents (Claude Code, Cursor) to the same bridge — 31 read-only tools, no write access.
Nothing leaves your network. The bridge runs on localhost, credentials are encrypted with DPAPI, and the execute endpoint only allows DnsServer module cmdlets. No telemetry, no cloud services, no external API calls. Docker support is available for the frontend, but the bridge always runs on the Windows host.
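One way to combine the two controls described above, a DnsServer-only command allowlist and splatted parameters, shown as an added example. It is not the project's bridge.ps1; the helper name `Invoke-DnsCmdletSafely` and the sample policy values are hypothetical.

```powershell
# Added example; Invoke-DnsCmdletSafely is a hypothetical helper name.
function Invoke-DnsCmdletSafely {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Parameters
    )

    # Get-Command accepts wildcards, so refuse them: the caller must name
    # exactly one command.
    if ([System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($Name)) {
        throw "Rejected: wildcard in command name '$Name'."
    }

    # Resolve the name against the DnsServer module only. Anything else
    # (another module's command, or a name with script syntax appended)
    # resolves to nothing and is rejected before it is ever invoked.
    $cmd = Get-Command -Name $Name -Module DnsServer -ErrorAction SilentlyContinue
    if (-not $cmd) {
        throw "Rejected: '$Name' is not a DnsServer module command."
    }

    # Splatting binds each hashtable value to one parameter as data.
    # The values are never re-parsed as PowerShell source.
    & $cmd @Parameters
}

# Anti-pattern for contrast: the request value becomes script text.
#   Invoke-Expression "Get-DnsServerZone -Name $zoneName"

# Constructed request: a blocklist policy that drops queries for a domain.
$policy = @{
    Name   = 'BlockListPolicy'
    Action = 'IGNORE'
    FQDN   = 'EQ,*.blocked.example'
}
Invoke-DnsCmdletSafely -Name 'Add-DnsServerQueryResolutionPolicy' -Parameters $policy
```

The final call changes server state, so run it only against a lab DNS server with the DnsServer module available.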
Download the source and install frontend dependencies.
git clone && cd dns-manager && npm install
Run the PowerShell bridge on the machine with the DnsServer module.
powershell -File server\bridge.ps1
Start the Next.js dev server and open your browser.
npm run dev
Or use the one-command launcher: powershell -File Start-DNSPolicyManager.ps1
Requires: Node.js 18+, Windows Server with DNS Server role or RSAT DNS tools.
Connect Claude Code, Cursor, or any MCP-compatible AI tool to query your DNS servers. 31 read-only tools for zones, records, policies, DNSSEC, and more — plus offline PowerShell command generation.
cd mcp-server && npm install && npm run build