Introduction to the NRPT

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

Introduction to the Name Resolution Policy Table

The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows Registry that determines the DNS client’s behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client will consult the NRPT to determine if any additional flags must be set in the query. Upon receiving the response, the client will again consult the NRPT to determine any special processing or policy requirements. In the absence of the NRPT, the client will operate in a normal fashion. The NRPT stores configurations and settings that are used to deploy DNS Security Extensions (DNSSEC), and also stores information related to DirectAccess, a remote access technology.

The NRPT can be configured using Group Policy or by using the Windows Registry. For more information about configuring the NRPT, see Deploy Name Resolution Policy to Client Computers.

The preferred method of configuring the NRPT is with the Group Policy Management Editor. See the following example.

The properties of an NRPT rule are described in the following table:


Rule Property

Binary (on or off)

DNS Over IPsec

Used to indicate whether IPsec must be used to protect DNS traffic for queries belonging to the namespace. Setting this value to true will cause the DNS client to set up an IPsec connection to the DNS server before issuing the DNS query.

Values: Binary (on or off)

IPsec Encryption Level

Used to indicate whether DNS connections over IPsec will use encryption. If DNSOverIPsec is off, this value is ignored.

Values: Array:

  • 0 – Do not use encryption (only integrity is performed)

  • 1 – Low: 3DES, AES (all)

  • 2 – Medium: AES (all)

  • 3 – High: AES (192, 256)

IPsec CA

The CA (or list of CAs) that issued the DNS server certificates for DNS over IPsec connections. When using IPsec to allow the client to trust the DNS server, the DNS client checks for the server authorization based on the server certificates issued by this CA. If not set, all root CAs in the client computer’s stores are checked. If DNSOverIPsec is off, this value is ignored.

Values: String – The domain name of the CA that issued the DNS server certificate. If left blank, the authorization check is not required for this name. This is checked along with the presence of a DNS EKU in the server certificate.
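The interaction between the three IPsec properties in the table above, modelled in Python as an added example (not Microsoft code and not part of the original topic). The NrptRule class, the longest-suffix matching and the example.com rules are assumptions made for illustration; the encryption levels and the "ignored when DNS Over IPsec is off" behaviour come from the table.

```python
from dataclasses import dataclass

# Encryption levels exactly as listed in the rule-property table.
LEVELS = {0: "none (integrity only)", 1: "low: 3DES, AES (all)",
          2: "medium: AES (all)", 3: "high: AES (192, 256)"}

@dataclass
class NrptRule:  # hypothetical model of one NRPT row, not a Windows structure
    namespace: str              # suffix with leading dot, e.g. ".corp.example.com"
    dns_over_ipsec: bool
    encryption_level: int = 0
    ipsec_ca: str = ""

def match_rule(rules, qname):
    """Longest-suffix match (assumed; the page only says a row covers a
    portion of the namespace). None means the client operates normally."""
    name = "." + qname.lower().rstrip(".")
    hits = [r for r in rules if name.endswith(r.namespace.lower())]
    return max(hits, key=lambda r: len(r.namespace), default=None)

def effective_policy(rule):
    """Encryption level and CA are ignored when DNS Over IPsec is off."""
    if rule is None or not rule.dns_over_ipsec:
        return {"ipsec": False, "encryption": None, "ca": None}
    if rule.encryption_level not in LEVELS:
        raise ValueError(f"unknown encryption level {rule.encryption_level}")
    return {"ipsec": True, "encryption": LEVELS[rule.encryption_level],
            "ca": rule.ipsec_ca or None}

def audit(rules):
    """Return (namespace, finding) pairs a reviewer would want to see."""
    out = []
    for r in rules:
        if not r.dns_over_ipsec:
            if r.encryption_level or r.ipsec_ca:
                out.append((r.namespace, "IPsec settings ignored: DNS Over IPsec is off"))
            continue
        if r.encryption_level == 0:
            out.append((r.namespace, "integrity only: queries are not encrypted"))
        elif r.encryption_level == 1:
            out.append((r.namespace, "level 1 permits 3DES"))
        if not r.ipsec_ca:
            out.append((r.namespace, "no IPsec CA restriction set"))
    return out

# Constructed sample rules (example.com names are placeholders).
RULES = [NrptRule(".example.com", False, 3, "ca.example.com"),
         NrptRule(".corp.example.com", True, 1),
         NrptRule(".secure.corp.example.com", True, 3, "ca.example.com")]
```

Calling audit(RULES) lists the rule whose IPsec settings have no effect and the rule that permits 3DES without a CA restriction; effective_policy(match_rule(RULES, name)) gives the settings that apply to a single query name.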

The following flowchart shows how the DNS client uses the NRPT when issuing queries.

See Also


Appendix A: Reviewing Key DNSSEC Concepts