Procedure: Verify Name Resolution Policy
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the following procedures to verify name resolution policy on a DNS server and a DNS client using Windows PowerShell. When you have completed the procedures in this topic, return to the parent checklist.
For information about configuring name resolution policy, see The NRPT.
Name resolution policy settings can only be applied to computers that are security-aware. For more information about security-aware computers, see Security-aware client.
See the following procedures:
Review NRPT configuration: Check settings in the Name Resolution Policy Table (NRPT).
Review effective name resolution policy: Verify whether or not DNSSEC validation is required for a given namespace.
Verify DNSSEC validation: If DNSSEC validation has been enabled or disabled recently, verify that name resolution works as expected.
Review NRPT configuration
Name resolution policy is configured in the NRPT, either in domain-based Group Policy, local Group Policy, or both. The NRPT can be configured to require or not require that DNSSEC validation be performed for DNS queries within a given namespace.
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To review NRPT configuration
Open an elevated Windows PowerShell prompt on a computer with the Group Policy Management feature installed.
To view a list of Group Policy Objects (GPOs) in the domain, use the Get-GPO cmdlet. See the following example.
PS C:\> Get-GPO -All -DomainName contoso.com | fl -Property DisplayName,GpoStatus DisplayName : Default Domain Policy GpoStatus : AllSettingsEnabled DisplayName : Default Domain Controllers Policy GpoStatus : AllSettingsEnabled DisplayName : NRPT_settings GpoStatus : AllSettingsEnabledIn the previous example, the Format-List (fl) parameter is used to display only the DisplayName and GpoStatus properties. The NRPT_settings GPO is a custom GPO that is created in this example to contain all name resolution policies for the domain. This GPO name is only an example. GPO names for your domain will be different. The example GPO is used in the following example.
To review name resolution policy settings in a GPO, use the Get-DnsClientNrptRule cmdlet. See the following example.
PS C:\> Get-DnsClientNrptRule -GpoName contoso.com\NRPT_settings Name : Rule1 Version : 1 Namespace : {.secure.contoso.com} IPsecCARestriction : DirectAccessDnsServers : DirectAccessEnabled : False DirectAccessProxyType : DirectAccessProxyName : DirectAccessQueryIPsecEncryption : DirectAccessQueryIPsecRequired : NameServers : DnsSecEnabled : True DnsSecQueryIPsecEncryption : DnsSecQueryIPsecRequired : False DnsSecValidationRequired : True NameEncoding : Disable DisplayName : Comment :In the previous example, the secure.contoso.com namespace displays True next to DnsSecValidationRequired, which means that all DNS clients that are security-aware and that have this GPO applied, will require that queries for the secure.contoso.com zone are validated.
Review effective name resolution policy
Although a GPO can be configured with NRPT settings, these settings will not affect a DNS client unless they are correctly applied. To verify that settings are applied, review the effective name resolution policy.
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To review effective name resolution policy
Open a Windows PowerShell prompt on a DNS client computer.
To review effective name resolution policy, use the Get-DnsClientNrptPolicy cmdlet. See the following example.
PS C:\> Get-DnsClientNrptPolicy -Effective Namespace : .secure.contoso.com QueryPolicy : QueryIPv6Only SecureNameQueryFallback : FallbackPrivate DirectAccessIPsecCARestriction : DirectAccessProxyName : DirectAccessDnsServers : DirectAccessEnabled : False DirectAccessProxyType : DirectAccessQueryIPsecEncryption : DirectAccessQueryIPsecRequired : NameServers : DnsSecIPsecCARestriction : DnsSecQueryIPsecEncryption : DnsSecQueryIPsecRequired : False DnsSecValidationRequired : True NameEncoding :In the previous example, True is displayed next to DnsSecValidationRequired for the secure.contoso.com namespace, which means that DNSSEC validation will be required for DNS queries in the secure.contoso.com zone. Output from the Get-DnsClientNrptPolicy cmdlet also includes any name resolution policy that might be configured in local Group Policy.
Verify DNSSEC validation
To use the Windows PowerShell examples that are provided, replace the server and zone names with the names of the servers and zones used in your environment.
To verify DNSSEC validation
Open a Windows PowerShell prompt on a DNS client computer.
To verify DNSSEC validation, use the Resolve-DnsName cmdlet. First, verify that name resolution is successful when querying an authoritative DNS server. See the following example.
PS C:\> Resolve-DnsName secure.contoso.com -Server dc2.contoso.com -dnssecok Name Type TTL Section PrimaryServer NameAdministrator SerialNumber ---- ---- --- ------- ------------- ----------------- ------------ secure.contoso.com SOA 3600 Authority dc2.contoso.com hostmaster.contoso.com 6 Name : secure.contoso.com QueryType : RRSIG TTL : 3600 Section : Authority TypeCovered : SOA Algorithm : 8 LabelCount : 3 OriginalTtl : 3600 Expiration : 1/26/2014 10:27:53 PM Signed : 1/16/2014 9:27:53 PM Signer : secure.contoso.com Signature : {56, 217, 3, 225...} Name : vfo5uo7g4u40gj25v1s0p3mh3pp7aai2.secure.contoso.com QueryType : NSEC3 TTL : 3600 Section : Authority Name : vfo5uo7g4u40gj25v1s0p3mh3pp7aai2.secure.contoso.com QueryType : RRSIG TTL : 3600 Section : Authority TypeCovered : NSEC3 Algorithm : 8 LabelCount : 4 OriginalTtl : 3600 Expiration : 1/26/2014 10:27:53 PM Signed : 1/16/2014 9:27:53 PM Signer : secure.contoso.com Signature : {97, 195, 245, 11...} Name : . QueryType : OPT TTL : 32768 Section : Additional Data : {} PS C:\> Get-DnsServerZone -Name corp.contoso.com ZoneName ZoneType IsAutoCreated IsDsIntegrated IsReverseLookupZone IsSigned -------- -------- ------------- -------------- ------------------- -------- corp.contoso.com Primary False False False TrueIn this example, the primary, authoritative DNS server dc2.contoso.com is queried. Since authoritative responses are always valid, the DNS query will succeed. DNSSEC-related resource records are displayed because the zone is signed. If a zone is not signed, such as the contoso.com zone in the following example, RRSIG records are not displayed in the output.
PS C:\> Resolve-DnsName contoso.com -Server dc2.contoso.com -dnssecok Name Type TTL Section IPAddress ---- ---- --- ------- --------- contoso.com A 600 Answer 192.168.0.2 contoso.com A 600 Answer 192.168.0.3 contoso.com A 600 Answer 192.168.0.1 Name : . QueryType : OPT TTL : 32768 Section : Additional Data : {}Next, use the Resolve-DnsName cmdlet to query a nonauthoritative, resolving DNS server with a valid trust anchor installed. See the following example.
PS C:\> Resolve-DnsName secure.contoso.com -Server 192.168.0.4 -dnssecok Name Type TTL Section PrimaryServer NameAdministrator SerialNumber ---- ---- --- ------- ------------- ----------------- ------------ secure.contoso.com SOA 830 Authority dc2.contoso.com hostmaster.contoso.com 6 Name : secure.contoso.com QueryType : RRSIG TTL : 830 Section : Authority TypeCovered : SOA Algorithm : 8 LabelCount : 3 OriginalTtl : 3600 Expiration : 1/26/2014 10:27:53 PM Signed : 1/16/2014 9:27:53 PM Signer : secure.contoso.com Signature : {56, 217, 3, 225...} Name : vfo5uo7g4u40gj25v1s0p3mh3pp7aai2.secure.contoso.com QueryType : NSEC3 TTL : 830 Section : Authority Name : vfo5uo7g4u40gj25v1s0p3mh3pp7aai2.secure.contoso.com QueryType : RRSIG TTL : 830 Section : Authority TypeCovered : NSEC3 Algorithm : 8 LabelCount : 4 OriginalTtl : 3600 Expiration : 1/26/2014 10:27:53 PM Signed : 1/16/2014 9:27:53 PM Signer : secure.contoso.com Signature : {97, 195, 245, 11...} Name : . QueryType : OPT TTL : 32768 Section : Additional Data : {}In this example, a non-domain-joined, nonauthoritative, recursive DNS server at 192.168.0.4 is queried. Since this DNS server has a valid trust anchor installed for the secure.contoso.com zone, the DNS query will succeed. Again, DNSSEC-related resource records are displayed because the zone is signed.
If DNSSEC validation does not succeed, an error will be displayed, see the following example.
PS C:\> Resolve-DnsName secure.contoso.com -Server 192.168.0.4 -dnssecok Resolve-DnsName : secure.contoso.com : DNS server failure At line:1 char:1 + Resolve-DnsName secure.contoso.com -Server 192.168.0.4 -dnssecok + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (secure.contoso.com:String) [Resolve-DnsName], Win32Exception + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsNameIn the previous example, the DNS server at 192.168.0.4 does not have a valid trust anchor installed for the secure.contoso.com domain.