The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.

An XCCDF Rule

Description

<VulnDiscussion>The Name Resolution Policy Table (NRPT) is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some or all computers in the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-215618r561297_rule
Severity: Medium
References: CCI-001663
Updated: about 1 year ago

Implement this fix for configuring name resolvers, to include DNS servers configured for caching role only.

On Domain Controller, on the Server Manager menu bar, click Tools, and then click Group Policy Management.

In the Group Policy Management console tree, under Domains >; domainname >; Group Policy Objects, right-click Default Domain Policy, and then click Edit.
In the Group Policy Management Editor console tree, navigate to Computer Configuration >; Policies >; Windows Settings >; Name Resolution Policy.

In the details pane, under Create Rules and to which part of the namespace does this rule apply, choose Suffix from the drop-down list and type domain.mil next to Suffix.
 
On the DNSSEC tab, select the Enable DNSSEC in this rule check box and then under Validation select the Require DNS clients to check that name and address data has been validated by the DNS server check box.

In the bottom right corner, click Create and then verify that a rule for domain.mil was added under Name Resolution Policy Table.

Click Apply, and then close the Group Policy Management Editor.

Open a Windows PowerShell prompt and enter the following commands:
gpupdate /force <enter>
get-dnsclientnrptpolicy <enter>
In the results, select the True for "DnsSecValidationRequired" setting for the domain.mil namespace.

The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.

Description

Remediation - Manual Procedure