
The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.


Overview

Finding ID: V-259381
Version: WDNS-22-000053
Rule ID: SV-259381r945303_rule
IA Controls: (none listed)
Severity: Medium

Description
The NRPT is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or in domain Group Policy for some or all computers in the domain.

STIG: Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
Date: 2024-01-09

Details

Check Text (C-63120r945302_chk)
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

The NRPT is configured in, and deployed to clients from, Group Policy, so it is pushed to all clients in the domain. The Active Directory zones will be signed, and clients with the NRPT applied will require validation of the signed data when querying.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

At the Windows PowerShell prompt, type the following command:

get-dnsclientnrptpolicy

In the results, verify that "DnsSecValidationRequired" is "True".

If the "get-dnsclientnrptpolicy" cmdlet returns no results, or "DnsSecValidationRequired" is not "True", this is a finding.
Fix Text (F-63028r939847_fix)
Implement this fix for configuring name resolvers, including DNS servers configured for the caching role only.

On the domain controller, on the Server Manager menu bar, click "Tools" and then click "Group Policy Management".

In the Group Policy Management console tree, under Domains >> domainname >> Group Policy Objects, right-click "Default Domain Policy" and then click "Edit".

In the Group Policy Management Editor console tree, navigate to Computer Configuration >> Policies >> Windows Settings >> Name Resolution Policy.

In the details pane, under "Create Rules" and "to which part of the namespace does this rule apply", choose "Suffix" from the drop-down list and type "domain.mil" next to "Suffix".

On the "DNSSEC" tab, select the "Enable DNSSEC in this rule" check box, and then under "Validation", select the check box for "Require DNS clients to check that name and address data has been validated by the DNS server".

In the bottom right corner, click "Create" and then verify that a rule for domain.mil was added under the NRPT.

Click "Apply" and then close the Group Policy Management Editor.

Open a Windows PowerShell prompt and enter the following commands:
gpupdate /force
get-dnsclientnrptpolicy

In the results, verify that "DnsSecValidationRequired" is "True" for the domain.mil namespace.
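Both the check and the final fix step come down to the same Get-DnsClientNrptPolicy query. The following PowerShell function is an added example, not part of the STIG text, that automates that verification for one namespace suffix and distinguishes the three ways it can fail (no NRPT policy applied, no rule for the suffix, rule present but validation not required). It assumes the DnsClient module's Get-DnsClientNrptPolicy cmdlet with its Namespace and DnsSecValidationRequired properties; the function name Test-NrptDnssecRequired is an assumption.

```powershell
# Added example: automate the "get-dnsclientnrptpolicy" verification step for one suffix.
# Assumes Get-DnsClientNrptPolicy (DnsClient module, Windows 8 / Server 2012 and later).
function Test-NrptDnssecRequired {
    [CmdletBinding()]
    param(
        # Namespace suffix the rule must cover; "domain.mil" is the STIG's placeholder.
        [Parameter(Mandatory)] [string] $Suffix
    )

    # NRPT suffix rules are stored in dotted form (".domain.mil"); normalize the input to match.
    $wanted = '.' + $Suffix.TrimStart('.').ToLowerInvariant()

    # Force an array so an empty result has a usable Count.
    $policies = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
    if ($policies.Count -eq 0) {
        # Nothing reached this client: the GPO was never created or has not been applied yet.
        return [pscustomobject]@{ Suffix = $wanted; Finding = $true; Reason = 'No NRPT policy returned' }
    }

    $rule = $policies |
        Where-Object { $_.Namespace -and $_.Namespace.ToLowerInvariant() -eq $wanted } |
        Select-Object -First 1
    if (-not $rule) {
        # Policy exists, but no rule covers the suffix being checked.
        return [pscustomobject]@{ Suffix = $wanted; Finding = $true; Reason = 'No NRPT rule for this suffix' }
    }

    if (-not [bool]$rule.DnsSecValidationRequired) {
        # Rule exists but clients are not required to insist on validated (signed) answers.
        return [pscustomobject]@{ Suffix = $wanted; Finding = $true; Reason = 'DnsSecValidationRequired is not True' }
    }

    [pscustomobject]@{ Suffix = $wanted; Finding = $false; Reason = 'DnsSecValidationRequired is True' }
}

# Run on the DNS server (or any domain-joined client) after "gpupdate /force":
Test-NrptDnssecRequired -Suffix 'domain.mil' | Format-List
```

A Finding value of $true corresponds to the "this is a finding" condition in the check text; the Reason field tells you which of the fix steps (rule creation, DNSSEC validation setting, or Group Policy refresh) still needs attention.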