Deploy Name Resolution Policy to Client Computers
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Tip
This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.
In a DNSSEC deployment, validation of DNS queries by client computers is enabled through configuration of the following:
IP security (IPsec). IPsec connection security rules are used to authenticate communications between DNS servers and client computers. For more information about configuring connection security rules, see Deploy IPsec Policy to DNS Servers and Deploy IPsec Policy to Client Computers.
Name Resolution Policy Table (NRPT). The NRPT is a new feature available in Windows Server® 2008 R2 and Windows® 7 that contains policies and settings used by DNS clients when issuing DNS queries and receiving DNS responses. The NRPT enables a client to issue queries indicating the knowledge of DNSSEC and to check for validation in the response.
The following section provides information you can use to configure the NRPT.
You can use Group Policy to deploy DNSSEC settings to client computers if clients are domain members. If all client computers are not domain members, you can configure DNSSEC settings in the Windows Registry or use registry scripts. For more information about the NRPT, see Appendix B: The Name Resolution Policy Table (NRPT).
Note
Client computers are typically configured to use multiple DNS servers on a network interface. For consistent client behavior, all DNS servers that are configured in client network interface properties should be capable of performing DNSSEC authentication of DNS queries.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Deploying NRPT settings to DNS client computers
When you have identified all of the computers to which DNS client policy must be applied, add these computer accounts to a security group or organizational unit (OU) that you will use to apply Group Policy settings. For more information about Group Policy, see Designing a Group Policy Infrastructure.
When you have created the required OU or security group, use the following procedure to configure DNSSEC policy settings.
Configuring NRPT settings for DNSSEC
Use the following procedure to configure rules and add them to the NRPT. Rules that you define using the NRPT apply only to the names or namespaces that you specify.
To configure the NRPT
On a domain controller or member computer with the Group Policy Management feature installed, click Start, click Run, type gpme.msc and press ENTER.
If you configured a Group Policy object (GPO) for DNS client computers, click the name of the GPO and then click OK.
If you created an OU for DNS client computers, open the OU, click the Create New Group Policy Object icon, type a name for the new GPO, and then click OK.OK.
In the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
Enter the area of the namespace to which the policy applies. Typically, this will be the name of a signed zone. From the drop-down menu, select the appropriate setting and then type the namespace information. For example, you might choose Suffix and type secure.woodgrovebank.com. The following settings define how the rule will apply to a namespace:
FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain.
Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains.
Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here.
Subnet (IPv4): Select this if you are configuring a policy for reverse IPv4 lookup queries.
Subnet (IPv6): Select this if you are configuring a policy for reverse IPv6 lookup queries.
Verify that Certification Authority (optional) is blank. Certificate based authentication will be configured using connection security rules for IPsec.
On the DNSSEC tab, select the Enable DNSSEC in this rule check box.
Select the Require DNS clients to check that name and address data has been validated by the DNS server check box.
Select the Use IPsec in communication between the DNS client and DNS server check box, and then next to Encryption type choose No encryption (integrity only) from the drop-down menu.
To add this rule to the NRPT, click Create. The rule will now appear in the table under Name Resolution Policy Table.
Repeat these steps as needed to add rules for other areas of the namespace.
Note
To configure advanced settings, click Advanced Global Policy Settings. Of the advanced settings available in the NRPT, only the Query Failure setting applies to DNSSEC. If this option is cleared, by default the DNS client will fail over to other name resolution providers only if the name does not exist in DNS. You can modify this setting to allow DNS to fail over for all responses, but be aware that DNSSEC does not secure name resolution for the other name service providers. Advanced global policy settings apply to all names in the NRPT.
When you are finished creating rules, click Apply. The policy will be applied to all clients in the OU or security group when they update Group Policy settings.
Tip
Use the following commands to verify that the policy has been successfully applied on a client computer.
- To view the current NRPT settings, type netsh namespace show policy.
- To view the current Group Policy settings, type gpresult /r.
- To force a Group Policy refresh, type gpupdate /force.
- After adding a client computer to a security group, you must reboot the computer to active the group membership.
Configuring the NRPT for clients that are not domain members
Group Policy cannot be used for clients that are not members of an Active Directory domain. The following methods are available to configure non domain-joined clients:
You can configure the NRPT manually on each client using the Local Group Policy Editor. For more information, see To configure NRPT rules using the Local Group Policy Editor.
You can configure registry values manually. For more information, see Configure the NRPT using the Windows Registry.
You can export settings from a domain-joined client in the form of a .reg file that can be deployed on other computers. For more information, see the To export NRPT settings from the registry.
Configure NRPT rules using the Local Group Policy Editor
To configure NRPT rules using the Local Group Policy Editor
Click Start, click Run, and then type gpedit.msc. The Local Group Policy Editor opens.
Follow the steps in the previous procedure to create and apply NRPT rules. These rules will apply only to the computer where they are authored.
Configure the NRPT using the Windows Registry
You can also use the Windows Registry to configure NRPT rules. To configure the NRPT using the Windows Registry, create or modify values under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig
. If this key does not exist, you must create it.
The following table lists the available DNSSEC related registry settings.
Registry value Name | REG_DWORD | Description or permitted values |
---|---|---|
Version |
REG_DWORD |
1 |
ConfigOptions |
REG_MULTI_SZ |
2 = DNSSEC settings configured 4 = DirectAccess settings configured 6 = Both configured |
Name |
REG_DWORD |
The DNS namespace for the rule. Suffix: Single or multi-part string with leading period. Example: .corp.contoso.com FQDN: Multi-part string with no leading period. Example: nls.corp.contoso.com Subnet (IPv4): Suffix for IPv4 reverse namespace with leading period. Example: .17.168.192.in-addr.arpa Subnet (IPv6): Suffix for IPv6 reverse namespace with leading period. Example: .1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa Suffix: Single-part string with no leading period. Example: secsvr Any: A single period. Example: . |
DNSSECValidationRequired |
REG_DWORD |
Whether to check for DNSSEC validation in the response. 0 or 1 |
DNSSECQueryIPSECRequired |
REG_DWORD |
Whether DNSSEC connections require IPSEC. 0 or 1 |
DNSSECQueryIPSECEncryption |
REG_DWORD |
Whether DNSSEC exchanges over IPsec will use encryption. 0 = No encryption (integrity only) 1 = Low: 3DES, AES (128, 192, 256) 2 = Medium: AES (128, 192, 256) 3 = High: AES (192, 256) |
IPSECCARestriction |
REG_SZ |
The CA or list of CAs that issued the DNS server certificates for DNSSEC. For example: DC=com, DC=woodgrovebank, CN=woodgrovebank-SRV1-RootCA |
Export NRPT settings from the registry
To export NRPT settings from the registry
On a computer that has been configured with NRPT rule settings, click Start, click Run, and type regedit, and then press ENTER.
Open the following registry key: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig.
Right-click DnsPolicyConfig, and then click Export.
Type a name and path for the file, and then click Save.
See Also
Concepts
Checklist: Deploying DNSSEC and IPsec on the DNS client
Introduction to the NRPT
NRPT Example Script