Presented by

Greg Lindsay
Technical Writer
Windows Server Information Experience
Presented at:
Seattle Windows Networking User Group
April 7, 2010
 Windows 7 DNS client
 DNS devolution
 Security-awareness: DNSSEC
 Name Resolution Policy Table (NRPT)
 What is it?
 “A behavior in Active Directory environments that allows client computers that
are members of a child namespace to access resources in the parent namespace
without the need to explicitly provide the fully qualified domain name (FQDN)
of the resource.”
 What is different?
 Windows 7 introduces the concept of a devolution level.
 The devolution level can be configured. If not set, then the devolution level is
determined automatically according to a set of rules based on the number of
labels in the forest root domain (FRD) and the primary DNS suffix.
 By default, devolution now proceeds down to the FRD name and no further.
 Previously, the effective devolution level was always 2.

 Why the change?

 To prevent inadvertently treating systems outside of the organizational boundary as
though they were internal.

This update is also available for previous operating systems.

See Microsoft Security Advisory 971888: Update for DNS Devolution.
(http://go.microsoft.com/fwlink/?LinkId=166679).
 Example
 FRD: corp.contoso.com
 Primary DNS suffix: east.corp.contoso.com
 Devolution level as determined by rule: 3
 An application attempting to query the
hostname srv7 will attempt to resolve
srv7.east.corp.contoso.com and
srv7.corp.contoso.com.
 Previously, an attempt was also made to
resolve srv7.contoso.com.

 Devolution is not enabled if:

 A global suffix search list is configured.
 Append parent suffixes of the primary DNS suffix
is not selected in advanced TCP/IP settings.

More information: http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

 The Windows 7 DNS client is a “Non-validating security-aware
stub resolver.”

Non-validating: The client will not validate on its own that DNS responses
have not been modified in transit.

The non-validating DNS client relies on a DNS server to perform DNS

security extensions (DNSSEC) signature validation.

Security-aware: The client is capable of establishing a secured channel to a

security-aware name server.

The security-aware client will expect the DNS server to indicate results of the
DNSSEC validation when returning the response. This is done by setting the
Authenticated Data (AD) bit in the response. If the DNS server fails to
validate successfully (as indicated by the AD bit not being set in the
response), the DNS client can reject the response.

Stub resolver: The client does not perform recursion itself but rather relies on
the DNS server to perform recursion as defined in RFC1034, section 5.3.1.
 Recursive
Query query
Local
Recursive DNS Authoritative
DNS

Authentic
Authentic
Response
Response
Cache

Spoofed
Responses Spoofed
Responses

Attacker
DNS does not
inherently
provide security
 DNSSEC
DNS query validation
Validation Recursive
requested DNS query
Local
Recursive DNS Authoritative
IPsec DNS
Authentic
Authentic, Response
validated Trust DNSKEY
Response Cache
anchor

 A Windows Server 2008 R2 DNS server deployed as a forwarder or a recursive DNS

server retrieves DNSKEY resource records required to perform DNSSEC validation if it
receives a query for information in a zone for which it has a configured trust anchor.
 Spoofed responses to queries for DNSSEC protected zones will fail validation because
they cannot provide the correct DNSKEY RRs.
 The Windows 7 DNS client can be configured to fail queries that are not successfully
validated using a new feature in Windows Server 2008 R2 called the Name Resolution
Policy Table (NRPT).
 For more information, see Understanding DNSSEC in Windows
(http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx).
 DirectAccess is a new feature in Windows 7 and Windows Server 2008 R2 that enables
users to access corporate resources anytime they have an internet connection, without
the need to establish a VPN connection.

Internet DirectAccess
server
intranet

 DirectAccess uses a new feature in Windows Server 2008 R2 called the Name Resolution
Policy Table (NRPT) to define DNS policy settings so that you can separate Internet
traffic from intranet traffic.
 NRPT rules define DNS client behavior for specific namespaces. You can specify policy
settings for a certain DNS suffix, prefix, FQDN, or IPv4 and IPv6 subnet.
Computer Configuration \Policies\Windows Settings\Name Resolution Policy

Workgroup clients can obtain settings from Local Group Policy.

**Do not use Local Group Policy Editor as this is currently bugged.
Group Policy:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig
Local Group Policy:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters\DnsPolicyConfig

View policy settings

Netsh namespace show policy
Netsh namespace show effectivepolicy
Netsh dns show state
 Namespace (required)
 Suffix, prefix, FQDN,
subnet
 Certification authority
(optional)
 Used with IPsec
 Enable DNSSEC or
Enable DirectAccess
(required)
 Require validation
(optional)
 Use IPsec (optional)
 Encryption type: none,
low, medium, high
 DNS servers (optional)
 Conditional forwarding
 Web proxy(optional)
 For HTTP traffic
 Use IPsec (optional)
 Encryption type: none, low,
medium, high
Advanced global policy settings are
not applied to DNSSEC rules

 Network Location Dependency

 Always and never use DA settings in
the NRPT are mostly for debugging
purposes
 Query Failure
 When you fail a query on a public
network and fall back, there is a risk
of being redirected.
 Query Resolution
 The Windows 7 DNS client includes an update to
DNS devolution.
 Earlier operating systems can install this update
 Windows 7 is a security-aware, non-validating
DNS client.
 DNSSEC and DirectAccess are two new features
available with Windows Server 2008 R2.
 The Windows 7 client operating system is required
 The Name Resolution Policy Table is used to
configure settings for DNS resolution when you
deploy DNSSEC or DirectAccess.