The Cable Guy
The Name Resolution Policy Table
Host configuration for Domain Name System (DNS) name queries typically consists of specifying one or more IPv4 or IPv6 addresses of DNS servers that service the queries on network interfaces. This configuration is typically done automatically for computers running Windows Vista or Windows Server 2008 through the use of the Dynamic Host Configuration Protocol (DHCP) or DHCP for IPv6 (DHCPv6). For computers running Windows Vista or Windows Server 2008, all DNS name queries for the entire DNS namespace go to the DNS servers configured through the network interfaces, hereafter known as interface-configured DNS servers.
Some technologies require special handling for name queries for specific portions of the DNS namespace. If the DNS name matches specified portions of the namespace, apply the special handling. If the DNS name does not match the specified portions of the namespace, perform a normal DNS query with interface-configured DNS servers. To address this need, Windows 7 and Windows Server 2008 R2 include the Name Resolution Policy Table (NRPT).
The NRPT contains rules configured by an administrator for either names or namespaces and the settings for the required special handling. When performing a DNS name resolution, the DNS Client service compares the requested name against each rule in the NRPT before sending a DNS name query. Queries and responses that match an NRPT rule get the specified special handling applied. Queries and responses that do not match an NRPT rule are processed normally; that is, the DNS Client service sends the name queries to interface-configured DNS servers.
In Windows 7 and Windows Server 2008 R2, DirectAccess and DNS Security Extensions (DNSSEC) require special handling for DNS name queries. When on the Internet, DirectAccess clients send DNS queries for intranet resources to the DNS servers specified in the NRPT. When resolving specific names or names within specific namespaces, typically high-value and secure intranet resources, the DNS Client service can use DNSSEC to ensure that the resolved name has been verified by the DNS server.
Configuring the NRPT
You can configure the NRPT with Group Policy through the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig), or, for DirectAccess-based rules, by using the DirectAccess Setup wizard. There are no command-line interfaces for configuring the NRPT. For DNSSEC-based rules, Group Policy is the preferred method of configuration. For DirectAccess-based rules, the DirectAccess Setup wizard is the preferred method of configuration.
To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration\Policies\Windows Settings\Name Resolution Policy for the appropriate Group Policy object. Figure 1 shows an example.
Figure 1 The NRPT in Group Policy
From this Group Policy add-in, you can create a new NRPT rule and edit or delete existing rules. For each rule, you must specify the portion of the namespace to which it applies, whether the special handling for the rule is associated with a specific certification authority (CA), whether the rule is for DNSSEC and its associated settings, and whether the rule is for DirectAccess and its associated settings. There are also advanced global settings that apply to all Windows 7 and Windows Server 2008 R2-based DNS clients.
When specifying the namespace to which the rule applies, you can select Suffix, FQDN, Subnet (IPv4), Subnet (IPv6), Prefix, or Any. To specify DNS names that end with a specific multi-part string, select Suffix and type the suffix name. For example, for all DNS names that end in contoso.com, select Suffix and type contoso.com. To specify DNS names that begin with a specific single-part string, select Prefix and type the prefix name. For example, for all DNS names that begin with “secsvr,” select Prefix and type secsvr.
To specify all DNS names, select Any. A DirectAccess-based NRPT rule for Any is used only if the Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Route all traffic through the internal network Group Policy setting is enabled for DirectAccess force tunneling. If a name matches multiple rules, the rule with the highest precedence is applied, and the order of precedence is FQDN, prefix, suffix, and then Any.
To specify DNS names for reverse resolution for an IPv4 subnet, select Subnet (IPv4) and type the IPv4 subnet prefix using network prefix length notation. For example, for all DNS names that end with 17.168.192.in-addr.arpa, select Subnet (IPv4) and type 192.168.17.0/24. To specify DNS names for reverse resolution for an IPv6 subnet, select Subnet (IPv6) and type the IPv6 subnet prefix. For example, for all DNS names that end with 184.108.40.206.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa, select Subnet (IPv6) and type 2001:db8:0:1::/64.
When you enable DNSSEC for a rule, you can specify whether the DNS Client service must ensure that the queried name response is verified by the DNS server and whether you want to use Internet Protocol security (IPsec) to protect DNS name query exchanges. For IPsec protection, you can specify No encryption (integrity only), Low: 3DES, AES (128, 192, 256), Medium: AES (128, 192, 256), and High: AES (192, 256). DES is the Data Encryption Standard and AES is the Advanced Encryption Standard.
When you enable DirectAccess for a rule, you can specify the IPv6 addresses of the set of intranet DNS servers to resolve names for DirectAccess clients when they are on the Internet; whether you want to use a Web proxy; and whether you want to use IPsec to protect DNS name query exchanges. You can specify the same set of options for IPsec protection.
You can view the configured set of NRPT rules on a computer running Windows 7 or Windows Server 2008 R2 with the netsh namespace show policy command. You can view the active set of NRPT rules with the netsh namespace show effectivepolicy command.
Advanced Global Policy Settings
When you click Advanced Global Policy Settings, the NRPT Group Policy add-in displays the default Configure Advanced Global Policy Settings dialog box. Figure 2 shows an example.
Figure 2 The Configure Advanced Global Policy Settings dialog box
In Network Location Dependency, you can configure DirectAccess clients to use the network location server and intranet detection to determine when they are connected to the intranet; to always use DirectAccess-based NRPT rules; or to never use DirectAccess-based NRPT rules.
In Query Failure, you can enable query failure options and then configure whether to use local name resolution (Link-Local Multicast Name Resolution [LLMNR] and NetBIOS broadcasts) only if the DNS name query response indicates that the name does not exist; to use local name resolution if the name does not exist or the DNS servers are unreachable when located on a network with private IPv4 addresses; or to use local name resolution for any type of name resolution failure or error.
In Query Resolution, you can enable query resolution options and specify either to resolve names to IPv6 addresses or to resolve names to both IPv6 and IPv4 addresses.
You can use the netsh dns show state command to display the current configuration of these settings.
To minimize the number of NRPT rules, you want to specify namespaces that encompass as much of the relevant namespace as possible. However, you also might need to specify that individual names or namespaces within those namespaces be exempted from special handling. For these cases, you must configure an NRPT exemption. For example, you want to use DNSSEC for all DNS names within the secure.corp.contoso.com namespace, except for the DNS name waystation.secure.corp.contoso.com.
An NRPT exemption is a rule that specifies no special handling. For DNSSEC, the rule enables DNSSEC but does not require validation or IPsec protection. For DirectAccess, the rule enables DirectAccess but does not specify a set of intranet DNS servers, a Web proxy, or IPsec protection. DNS names for NRPT exemption rules are processed using interface-configured DNS servers.
An example of a required NRPT exemption is the FQDN rule for the DirectAccess network location server, which DirectAccess clients use to determine whether they are connected to the intranet. To send DNS name queries to intranet servers, the NRPT for DirectAccess clients have a suffix rule for the namespace of the intranet—for example, corp.contoso.com—with the IPv6 addresses of intranet DNS servers. The network location server is typically within the same namespace, for example, nls.corp.contoso.com. However, depending on your IPv6 infrastructure, the intranet DNS servers might not be reachable at the specified IPv6 addresses, but are reachable using the interface-configured IPv4 addresses.
Without an exemption rule, the DirectAccess client connected to the intranet attempts to resolve the name of the network location server over IPv6. Because the intranet DNS servers are not reachable, the DirectAccess client cannot reach the network location server and determines that it is on the Internet rather than the intranet. In this state, the DirectAccess client cannot reach intranet resources by name. Therefore, an exemption rule for the network location server (nls.corp.contoso.com) must be present so that intranet detection can conclude successfully. The DirectAccess Setup wizard automatically creates NRPT rules for the intranet name space and the exemption for the network location server.
How the NRPT Works
Here is how the name resolution process works for Windows 7 and Windows Server 2008 R2:
- An application uses the DnsQuery() API or the GetAddrInfo() or GetHostByName() Windows Sockets APIs to resolve a name. If the name is a flat name, the DNS Client service creates an FQDN using configured DNS suffixes.
- The DNS Client service checks the DNS resolver cache for the FQDN, which contains the entries in the Hosts file and the results of recent positive and negative name queries. If an entry is found, the result is used and no further processing occurs.
- The DNS Client service passes the FQDN through the NRPT to determine the rules in which the FQDN matches the namespace of the rule.
- If the FQDN does not match any rules, or matches a single rule that is an exemption rule, the DNS Client service attempts to resolve the FQDN using interface-configured DNS servers.
- If the FQDN matches a single rule that is not an exemption rule, the DNS Client service applies the specified special handling.
- If the FQDN matches multiple rules, the DNS Client services sorts the matching rules for precedence—in order: FQDN, longest matching prefix, longest matching suffix [including IPv4 and IPv6 subnets], any—to determine the rule that most closely matches the FQDN.
- After determining the closest matching rule, the DNS Client service applies the specified special handling.
The NRPT in Windows 7 and Windows Server 2008 R2 allow you to specify the special handling for DNS name queries required for DNSSEC and DirectAccess in the form of rules, with the ability to specify namespaces, prefixes, FQDNs, and exemptions.
Sidebar: Example NRPT Rules for DirectAccess
The Contoso Corporation uses the DNS namespace contoso.com for Internet DNS names and corp.contoso.com for intranet DNS names. The network location server uniform resource locator (URL) is https://nls.corp.contoso.com and the DirectAccess server has been configured with the DNS server IPv4 address of 10.0.0.1 on its intranet interface. Based on this configuration, the DirectAccess Setup wizard creates two NRPT rules enabled for DirectAccess:
- A suffix rule for .corp.contoso.com to send DNS queries to the IPv6 address 2002:836b:2:1:0:5efe:10.0.0.1. This is an IPv6 address derived from the DirectAccess server’s public IPv4 address and the IPv4 address of the DNS server.
- An exemption rule for nls.corp.contoso.com.
Here is an example of how these rules display on a DirectAccess client with the netsh namespace show policy command:
Settings for nls.corp.contoso.com ---------------------------------------------------------------------- Certification authority : DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA DNSSEC (Validation) : disabled DNSSEC (IPsec) : disabled DirectAccess (DNS Servers) :DirectAccess (IPsec) : disabled DirectAccess (Proxy Settings) :Bypass proxy Settings for .corp.contoso.com ---------------------------------------------------------------------- Certification authority :DC=com, DC=contoso, DC=corp, CN=corp-DC1-CADNSSEC (Validation) : disabledDNSSEC (IPsec) : disabledDirectAccess (DNS Servers) : 2002:836b:2:1:0:5efe:10.0.0.1DirectAccess (IPsec) : disabledDirectAccess (Proxy Settings) : Bypass proxy
Joseph Davies is a Principal Technical Writer on the Windows networking writing team at Microsoft. He is author or coauthor of a number of books published by Microsoft Press, including Windows Server 2008 Networking and Network Access Protection (NAP)*, Understanding IPv6, Second Edition, and Windows Server 2008 TCP/IP Protocols and Services.