Presented by Greg Lindsay Technical Writer Windows Server Information Experience Presented at: Seattle Windows Networking User Group April 7, 2010 Windows 7 DNS client DNS devolution Security-awareness: DNSSEC Name Resolution Policy Table (NRPT) What is it? What is different? “A behavior in Active Directory environments that allows client computers that are members of a child namespace to access resources in the parent namespace without the need to explicitly provide the fully qualified domain name (FQDN) of the resource.” Windows 7 introduces the concept of a devolution level. The devolution level can be configured. If not set, then the devolution level is determined automatically according to a set of rules based on the number of labels in the forest root domain (FRD) and the primary DNS suffix. By default, devolution now proceeds down to the FRD name and no further. Previously, the effective devolution level was always 2. Why the change? To prevent inadvertently treating systems outside of the organizational boundary as though they were internal. This update is also available for previous operating systems. See Microsoft Security Advisory 971888: Update for DNS Devolution. (http://go.microsoft.com/fwlink/?LinkId=166679). Example FRD: corp.contoso.com Primary DNS suffix: east.corp.contoso.com Devolution level as determined by rule: 3 An application attempting to query the hostname srv7 will attempt to resolve srv7.east.corp.contoso.com and srv7.corp.contoso.com. Previously, an attempt was also made to resolve srv7.contoso.com. Devolution is not enabled if: A global suffix search list is configured. Append parent suffixes of the primary DNS suffix is not selected in advanced TCP/IP settings. More information: http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx The Windows 7 DNS client is a “Non-validating security-aware stub resolver.” Non-validating: The client will not validate on its own that DNS responses have not been modified in transit. The non-validating DNS client relies on a DNS server to perform DNS security extensions (DNSSEC) signature validation. Security-aware: The client is capable of establishing a secured channel to a security-aware name server. The security-aware client will expect the DNS server to indicate results of the DNSSEC validation when returning the response. This is done by setting the Authenticated Data (AD) bit in the response. If the DNS server fails to validate successfully (as indicated by the AD bit not being set in the response), the DNS client can reject the response. Stub resolver: The client does not perform recursion itself but rather relies on the DNS server to perform recursion as defined in RFC1034, section 5.3.1. Query Local Recursive DNS Recursive query Authoritative DNS Authentic Response Authentic Response Cache Spoofed Responses DNS does not inherently provide security Spoofed Responses Attacker DNS query Validation requested IPsec Authentic, validated Response DNSSEC validation Local Recursive DNS Recursive DNS query Authoritative DNS Authentic Response Trust anchor Cache DNSKEY A Windows Server 2008 R2 DNS server deployed as a forwarder or a recursive DNS server retrieves DNSKEY resource records required to perform DNSSEC validation if it receives a query for information in a zone for which it has a configured trust anchor. Spoofed responses to queries for DNSSEC protected zones will fail validation because they cannot provide the correct DNSKEY RRs. The Windows 7 DNS client can be configured to fail queries that are not successfully validated using a new feature in Windows Server 2008 R2 called the Name Resolution Policy Table (NRPT). For more information, see Understanding DNSSEC in Windows (http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx). DirectAccess is a new feature in Windows 7 and Windows Server 2008 R2 that enables users to access corporate resources anytime they have an internet connection, without the need to establish a VPN connection. Internet DirectAccess server intranet DirectAccess uses a new feature in Windows Server 2008 R2 called the Name Resolution Policy Table (NRPT) to define DNS policy settings so that you can separate Internet traffic from intranet traffic. NRPT rules define DNS client behavior for specific namespaces. You can specify policy settings for a certain DNS suffix, prefix, FQDN, or IPv4 and IPv6 subnet. Computer Configuration \Policies\Windows Settings\Name Resolution Policy Workgroup clients can obtain settings from Local Group Policy. **Do not use Local Group Policy Editor as this is currently bugged. Group Policy: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig Local Group Policy: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters\DnsPolicyConfig View policy settings Netsh namespace show policy Netsh namespace show effectivepolicy Netsh dns show state Namespace (required) Certification authority (optional) Suffix, prefix, FQDN, subnet Used with IPsec Enable DNSSEC or Enable DirectAccess (required) Require validation (optional) Use IPsec (optional) Encryption type: none, low, medium, high DNS servers (optional) Web proxy(optional) Conditional forwarding For HTTP traffic Use IPsec (optional) Encryption type: none, low, medium, high Advanced global policy settings are not applied to DNSSEC rules Network Location Dependency Query Failure Always and never use DA settings in the NRPT are mostly for debugging purposes When you fail a query on a public network and fall back, there is a risk of being redirected. Query Resolution The Windows 7 DNS client includes an update to DNS devolution. Windows 7 is a security-aware, non-validating DNS client. DNSSEC and DirectAccess are two new features available with Windows Server 2008 R2. Earlier operating systems can install this update The Windows 7 client operating system is required The Name Resolution Policy Table is used to configure settings for DNS resolution when you deploy DNSSEC or DirectAccess.