How to Configure Windows Server 2016 DNS Security Extensions
DNS Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing DNS data. DNSSEC protects against DNS cache poisoning and man-in-the-middle attacks by digitally signing DNS records, allowing resolvers to verify that the responses they receive are authentic and have not been tampered with in transit. Windows Server 2016 DNS includes full DNSSEC support for both authoritative zones and recursive resolving, making it straightforward to implement in Active Directory integrated environments.
Understanding DNSSEC Components
DNSSEC introduces several new DNS record types. The RRSIG record contains the cryptographic signature for a DNS record set. The DNSKEY record stores the public key used to verify RRSIG signatures. The DS (Delegation Signer) record links the parent zone to child zone keys. The NSEC/NSEC3 record provides authenticated denial of existence for records that do not exist. Understanding these record types is essential for troubleshooting DNSSEC issues.
Prerequisites
DNSSEC signing requires that the DNS zone is hosted on a Windows Server 2008 R2 or newer DNS server. For Active Directory integrated zones, all domain controllers hosting the zone should ideally run Windows Server 2016. Verify your DNS server role is installed and zones are operational before proceeding:
Get-WindowsFeature DNS
Get-DnsServerZone | Select ZoneName, ZoneType, IsDsIntegrated, IsSigned
Get-DnsServerSetting | Select ComputerName, MajorVersion, MinorVersion, BuildNumber
Step 1: Sign a DNS Zone with DNSSEC
Use the Invoke-DnsServerZoneSign cmdlet to sign a primary zone. For Active Directory integrated zones, this creates a KSK (Key Signing Key) and ZSK (Zone Signing Key):
Invoke-DnsServerZoneSign -ZoneName "corp.local" -SignWithDefault -Force
For more control over key parameters, add the keys to the zone first with the desired signing algorithm, key length, and rollover period, then sign the zone with those keys:
# Add a custom KSK and ZSK to the (still unsigned) zone, then sign with those keys instead of the defaults
Add-DnsServerSigningKey -ZoneName "corp.local" -Type KeySigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048 -InitialRolloverOffset (New-TimeSpan -Hours 0) -RolloverPeriod (New-TimeSpan -Days 365)
Add-DnsServerSigningKey -ZoneName "corp.local" -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)
Invoke-DnsServerZoneSign -ZoneName "corp.local" -Force
Step 2: Verify Zone Signing Status
After signing, verify that the zone has been signed and DNSSEC records have been created:
Get-DnsServerZone -Name "corp.local" | Select ZoneName, IsSigned
Get-DnsServerResourceRecord -ZoneName "corp.local" -RRType DnsKey | Select Name, RecordType, RecordData
Get-DnsServerDnsSecZoneSetting -ZoneName "corp.local"
List all DNSKEY records in the signed zone:
Resolve-DnsName -Name "corp.local" -Type DNSKEY -Server 127.0.0.1 | Format-List
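The listing above shows the records; the following function, an added example that is not part of the original article, turns the same server-side queries into a pass/warn check: it confirms a KSK and a ZSK are published and reports how long until the SOA signature expires, which is the first thing to go stale when automatic re-signing stops. The zone name, the 7-day warning threshold, and the record-data property names (KeyFlags, TypeCovered, SignatureExpiration) used from the DnsServer module's record classes are assumptions.

```powershell
# Added example: summarise the DNSSEC state of a signed zone on the local DNS server.
# Assumes the DnsServer module (Windows Server 2016) and a zone name supplied by the caller.
function Test-DnssecZoneHealth {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [int] $WarnDays = 7   # assumed threshold: warn when the SOA RRSIG expires within this many days
    )

    $zone = Get-DnsServerZone -Name $ZoneName
    if (-not $zone.IsSigned) {
        return [pscustomobject]@{ ZoneName = $ZoneName; Status = "Unsigned"; Detail = "Zone is not signed" }
    }

    # DNSKEY flags field: 257 = KSK (SEP bit set), 256 = ZSK. KeyFlags is an assumed property name.
    $dnskeys = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType DnsKey
    $hasKsk = @($dnskeys | Where-Object { $_.RecordData.KeyFlags -eq 257 }).Count -gt 0
    $hasZsk = @($dnskeys | Where-Object { $_.RecordData.KeyFlags -eq 256 }).Count -gt 0

    # The SOA RRSIG is regenerated on every re-sign, so its expiry shows whether signing is keeping up
    $soaSig = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType RRSig |
        Where-Object { $_.RecordData.TypeCovered -eq "SOA" } | Select-Object -First 1

    $problems = @()
    if (-not $hasKsk) { $problems += "no KSK DNSKEY published" }
    if (-not $hasZsk) { $problems += "no ZSK DNSKEY published" }
    $daysLeft = $null
    if (-not $soaSig) {
        $problems += "no RRSIG covering SOA"
    } else {
        $daysLeft = [math]::Round(($soaSig.RecordData.SignatureExpiration - (Get-Date)).TotalDays, 1)
        if ($daysLeft -le 0) { $problems += "SOA RRSIG has expired" }
        elseif ($daysLeft -le $WarnDays) { $problems += "SOA RRSIG expires in $daysLeft days" }
    }

    $status = if ($problems.Count -gt 0) { "Warning" } else { "OK" }
    [pscustomobject]@{
        ZoneName   = $ZoneName
        Status     = $status
        HasKSK     = $hasKsk
        HasZSK     = $hasZsk
        SoaSigDays = $daysLeft
        Detail     = ($problems -join "; ")
    }
}

Test-DnssecZoneHealth -ZoneName "corp.local" | Format-List
```

Run it on each DNS server that hosts the zone, since an Active Directory integrated zone is only re-signed by the Key Master.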
Step 3: Configure Trust Anchors
For resolving clients to validate DNSSEC signatures, they need the zone’s trust anchor (the KSK public key). For Active Directory integrated zones with Windows DNS clients, trust anchors are automatically distributed. For external zones, add trust anchors manually:
# View existing trust anchors
Get-DnsServerTrustAnchor -Name "corp.local"
# Export the zone's public keys (DNSKEY and DS) to a keyset file to share with resolver operators
Export-DnsServerDnsSecPublicKey -ZoneName "corp.local" -Path "C:\DNSSEC" -Force
# Import a trust anchor for another zone from the keyset file its operator exported
Import-DnsServerTrustAnchor -KeySetFile "C:\DNSSEC\keyset-corp.local"
Step 4: Enable DNSSEC Validation on the DNS Resolver
Configure the DNS server to validate DNSSEC signatures when performing recursive resolution. This ensures that responses from signed zones are cryptographically verified before being returned to clients:
# Enable DNSSEC validation on the DNS server (recursion must be enabled for it to act as a resolver)
Set-DnsServerRecursion -Enable $true -SecureResponse $true
# Validation needs a trust anchor; fetch the root zone's from IANA so public signed zones can be validated
Add-DnsServerTrustAnchor -Root
# Verify DNSSEC validation settings
Get-DnsServerRecursion | Select Enable, SecureResponse
Step 5: Configure NRPT for Secure Zone Resolution
The Name Resolution Policy Table (NRPT) on client computers can be configured via Group Policy to require DNSSEC validation for specific zones. Responses from these zones that fail DNSSEC validation are discarded:
# Add NRPT rule requiring DNSSEC for corp.local (DnsSecEnable and DnsSecValidationRequired are switch parameters)
Add-DnsClientNrptRule -Namespace ".corp.local" -NameServers "10.0.0.1" -DnsSecEnable -DnsSecValidationRequired -Comment "Require DNSSEC for internal domain"
# List current NRPT rules
Get-DnsClientNrptRule | Select Namespace, NameServers, DnsSecValidationRequired
Configure NRPT via Group Policy for domain-wide deployment:
# Use Group Policy Management to configure NRPT:
# Computer Configuration > Policies > Windows Settings > Name Resolution Policy
# Add rule for your internal domain requiring DNSSEC validation
# This is typically done through the GPMC GUI but can be scripted with the GroupPolicy module and -GpoName
$gpoName = "DNSSEC Policy"
$gpo = New-GPO -Name $gpoName -Comment "DNSSEC NRPT configuration"
Add-DnsClientNrptRule -GpoName $gpoName -Namespace ".corp.local" -NameServers "10.0.0.1" -DnsSecEnable -DnsSecValidationRequired -Comment "Require DNSSEC for internal domain"
New-GPLink -Name $gpoName -Target "DC=corp,DC=local"
Step 6: Manage DNSSEC Key Rollovers
Cryptographic keys must be periodically rolled over (replaced) to maintain security. Windows Server 2016 DNS supports automated key rollovers. Monitor key rollover status:
# View current signing keys and their rollover status
Get-DnsServerSigningKey -ZoneName "corp.local" | Select KeyId, KeyType, CurrentState, NextRolloverAction, NextRolloverTime
# Initiate a manual key rollover (keys are addressed by their KeyId GUID, not by DNSKEY key tag)
$zsk = Get-DnsServerSigningKey -ZoneName "corp.local" | Where-Object { $_.KeyType -eq "ZoneSigningKey" } | Select -First 1
Invoke-DnsServerSigningKeyRollover -ZoneName "corp.local" -KeyId $zsk.KeyId -Force
# Set automated key rollover period
Set-DnsServerSigningKey -ZoneName "corp.local" -KeyId $zsk.KeyId -RolloverPeriod (New-TimeSpan -Days 90) -DnsKeySignatureValidityPeriod (New-TimeSpan -Days 10)
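The commands above show and change one key at a time. The function below is an added example, not code from the original article: it audits every signing key of a zone against a rollover policy and flags keys whose rollover period exceeds the limit, whose automatic rollover is disabled, whose KSK length is below the minimum, or whose scheduled rollover time has already passed (a stalled rollover). The policy limits are assumptions taken from the values used earlier on this page, and the key property names (RolloverPeriod, IsRolloverEnabled, NextRolloverTime, CurrentState) are those the DnsServer module is assumed to expose on Get-DnsServerSigningKey output.

```powershell
# Added example: audit the signing keys of a zone against an assumed rollover policy.
function Get-DnssecKeyRolloverReport {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [int] $MaxZskRolloverDays = 90,    # assumed policy: ZSK rolls at least every 90 days
        [int] $MaxKskRolloverDays = 365,   # assumed policy: KSK rolls at least yearly
        [int] $MinKskKeyLength    = 2048   # assumed policy: RSA KSK of at least 2048 bits
    )

    foreach ($key in Get-DnsServerSigningKey -ZoneName $ZoneName) {
        $findings = @()
        $limit = if ($key.KeyType -eq "ZoneSigningKey") { $MaxZskRolloverDays } else { $MaxKskRolloverDays }

        if ($key.RolloverPeriod.TotalDays -gt $limit) {
            $findings += "rollover period $([int]$key.RolloverPeriod.TotalDays)d exceeds policy ${limit}d"
        }
        if (-not $key.IsRolloverEnabled) {
            $findings += "automatic rollover disabled"
        }
        if ($key.KeyType -eq "KeySigningKey" -and $key.KeyLength -lt $MinKskKeyLength) {
            $findings += "KSK length $($key.KeyLength) below $MinKskKeyLength"
        }
        # A scheduled rollover time in the past means the rollover did not complete (for example, the
        # Key Master was unavailable); that is worth an alert before signatures start expiring
        $daysToRollover = $null
        if ($key.NextRolloverTime) {
            $daysToRollover = [math]::Round(($key.NextRolloverTime - (Get-Date)).TotalDays, 1)
            if ($daysToRollover -lt 0) { $findings += "rollover overdue by $(-$daysToRollover) days" }
        }

        [pscustomobject]@{
            ZoneName       = $ZoneName
            KeyId          = $key.KeyId
            KeyType        = $key.KeyType
            State          = $key.CurrentState
            Algorithm      = $key.CryptoAlgorithm
            KeyLength      = $key.KeyLength
            DaysToRollover = $daysToRollover
            NextAction     = $key.NextRolloverAction
            Findings       = ($findings -join "; ")
        }
    }
}

Get-DnssecKeyRolloverReport -ZoneName "corp.local" | Format-Table -AutoSize
```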
Step 7: Test DNSSEC Validation
Verify that DNSSEC validation is working correctly by querying signed records and checking for the AD (Authenticated Data) flag:
# Query with the DO bit set so RRSIG records are returned alongside the answer
Resolve-DnsName -Name "dc01.corp.local" -Type A -DnssecOk -Server 127.0.0.1
# Use nslookup for DNSSEC debugging
nslookup -type=DNSKEY corp.local 10.0.0.1
# Use Resolve-DnsName to check signature records
Resolve-DnsName -Name "corp.local" -Type RRSIG -Server 127.0.0.1 | Format-List
Troubleshooting DNSSEC
If DNSSEC validation failures occur, check the DNS debug log and the DNS Server log in Event Viewer:
Get-WinEvent -LogName "DNS Server" -MaxEvents 30 | Where-Object { $_.Message -like "*DNSSEC*" -or $_.Message -like "*validation*" } | Select TimeCreated, LevelDisplayName, Message
# Temporarily disable DNSSEC on a zone for troubleshooting
Invoke-DnsServerZoneUnsign -ZoneName "corp.local" -Force
DNSSEC is an important security enhancement for any organization’s DNS infrastructure. By signing zones and enforcing validation on resolvers, you eliminate a significant class of DNS-based attacks and build a foundation for additional security measures like DNS over HTTPS and DNS over TLS.