Introduction to the NRPT

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings, stored in the Windows Registry, that determines the DNS client's behavior when issuing queries and processing responses. Each row in the NRPT is a rule for a portion of the namespace for which the DNS client issues queries. Before issuing a name resolution query, the DNS client consults the NRPT to determine whether any additional flags must be set in the query. Upon receiving the response, the client consults the NRPT again to determine any special processing or policy requirements. If the NRPT is empty or no rule matches the query, the client resolves the name in the normal fashion. The NRPT stores the configuration and settings used to deploy DNS Security Extensions (DNSSEC), and also stores information related to DirectAccess, a remote access technology.

The NRPT can be configured using Group Policy or by using the Windows Registry. For more information about configuring the NRPT, see Deploy Name Resolution Policy to Client Computers.

The preferred method of configuring the NRPT is with the Group Policy Management Editor, under Computer Configuration\Policies\Windows Settings\Name Resolution Policy. See the following example.


The properties of an NRPT rule are described in the following table (Rule Property, Description, Value):

Rule Property: Namespace

Description: Used to indicate the namespace to which the policy applies. When a query is issued, the DNS client compares the name in the query with the namespaces of all NRPT rules to find a match.

Value: Any of the following:

  • DNS suffix (*

  • DNS prefix (hrweb.*)

  • FQDN (

  • IP address subnet for reverse lookup (

Rule Property: DNSSEC

Description: Used to indicate whether the DNS client should check for DNSSEC validation in the response.

Selecting this option does not force the DNS server to perform DNSSEC validation; that validation is triggered by the presence of a trust anchor for the zone the DNS server is querying. Setting this value to true prompts the DNS client to check for the Authenticated Data (AD) bit in the response from the DNS server, which the server sets only if it validated the response. If the AD bit is not present, the DNS client ignores the response.

Value: Binary (on or off)

Rule Property: DNS Over IPsec

Description: Used to indicate whether IPsec must be used to protect DNS traffic for queries belonging to the namespace. Setting this value to true causes the DNS client to set up an IPsec connection to the DNS server before issuing the DNS query.

Value: Binary (on or off)

Rule Property: IPsec Encryption Level

Description: Used to indicate whether DNS connections over IPsec will use encryption.

If DNSOverIPsec is off, this value is ignored.

Value: Array:

  • 0 – Do not use encryption (only integrity is performed)

  • 1 – Low: 3DES, AES (all)

  • 2 – Medium: AES (all)

  • 3 – High: AES (192, 256)

Rule Property: IPsec CA

Description: The CA (or list of CAs) that issued the DNS server certificates for DNS over IPsec connections. When IPsec is used so that the client can trust the DNS server, the DNS client checks the server's authorization based on whether the server certificate was issued by this CA. If not set, all root CAs in the client computer's certificate stores are accepted.

If DNSOverIPsec is off, this value is ignored.

Value: String – The domain name of the CA that issued the DNS server certificate. If left blank, the authorization check is not required for this name.

This is checked along with the presence of a DNS EKU in the server certificate.
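As an added example (not code from this page or from Microsoft), the following Python models the two NRPT consultations described above: rule matching before the query, which decides whether the DNSSEC OK (DO) flag is set in the query, and response processing afterwards, which enforces the DNSSEC property by checking the Authenticated Data (AD) bit. The precedence used when several namespaces match, the treatment of a prefix rule as a leading label, the IPv4-only reverse-lookup parsing, the sample rule table and the header-only server reply are all assumptions constructed for this example.

```python
"""Model of the two NRPT consultations a DNS client makes around one query.

Added example for this page, not Microsoft's code. Rule fields mirror the
table above (namespace, DNSSEC, DNS over IPsec, encryption level). The
precedence used when several rules match (FQDN, then prefix, then longest
suffix, then reverse-lookup subnet) and the IPv4-only reverse-lookup parsing
are assumptions of this example, not statements from the page."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

DNS_FLAG_AD = 0x0020  # Authenticated Data bit in the DNS header flags word
EDNS_DO = 0x8000      # DNSSEC OK bit, carried in the OPT record's TTL field
# EDNS0 OPT RR: root name, TYPE 41, 4096-byte UDP payload, DO set, no RDATA
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)


@dataclass
class NrptRule:
    namespace: str             # "*.corp.example", "hrweb.*", "hrweb.corp.example" or "10.1.0.0/16"
    dnssec: bool = False       # require the AD bit on responses
    dns_over_ipsec: bool = False
    ipsec_encryption: int = 0  # 0..3 as in the table; ignored unless dns_over_ipsec

    def matches(self, qname: str) -> bool:
        name, ns = qname.rstrip(".").lower(), self.namespace.lower()
        if "/" in ns:                                   # reverse-lookup subnet rule
            ip = ptr_name_to_ipv4(name)
            return ip is not None and ip in ipaddress.ip_network(ns)
        if ns.startswith("*."):                         # suffix rule
            return name.endswith(ns[1:])
        if ns.endswith(".*"):                           # prefix rule (leading label)
            return name.startswith(ns[:-1])
        return name == ns                               # FQDN rule

    def specificity(self) -> int:
        """Assumed precedence: FQDN > prefix > suffix > subnet; longer suffix/subnet wins."""
        ns = self.namespace
        if "/" in ns:
            return 1000 + ipaddress.ip_network(ns).prefixlen
        if ns.startswith("*."):
            return 2000 + len(ns)
        if ns.endswith(".*"):
            return 3000 + len(ns)
        return 4000


def ptr_name_to_ipv4(name: str) -> Optional[ipaddress.IPv4Address]:
    """'5.4.1.10.in-addr.arpa' -> 10.1.4.5; None for anything that is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return None


def select_rule(rules: List[NrptRule], qname: str) -> Optional[NrptRule]:
    """First consultation: pick the most specific rule whose namespace covers the query name."""
    hits = [r for r in rules if r.matches(qname)]
    return max(hits, key=NrptRule.specificity) if hits else None


def build_query(qname: str, rule: Optional[NrptRule], txid: int = 0x1234) -> bytes:
    """Standard A query (RD set). When the matched rule asks for DNSSEC, an EDNS0 OPT record
    with the DO bit is appended so the server returns signatures and sets AD if it validated."""
    want_dnssec = bool(rule and rule.dnssec)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + (OPT_RR if want_dnssec else b"")


def accept_response(rule: Optional[NrptRule], response: bytes) -> bool:
    """Second consultation: a DNSSEC rule rejects any response the server did not mark AD.
    The client validates no signatures itself; it trusts the server's AD bit."""
    if len(response) < 12:
        return False
    flags = struct.unpack("!H", response[2:4])[0]
    return not (rule and rule.dnssec and not flags & DNS_FLAG_AD)


def constructed_response(txid: int, ad: bool) -> bytes:
    """Header-only stand-in for a server reply: QR|RD|RA, plus AD when the resolver validated."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (DNS_FLAG_AD if ad else 0), 1, 1, 0, 0)


RULES = [  # constructed sample table
    NrptRule("*.corp.example", dnssec=True, dns_over_ipsec=True, ipsec_encryption=3),
    NrptRule("hrweb.*", dnssec=True),
    NrptRule("10.1.0.0/16", dnssec=True),
]


def resolve(qname: str, server_sets_ad: bool) -> dict:
    """Run one query through both consultations against RULES and report what happened."""
    rule = select_rule(RULES, qname)
    query = build_query(qname, rule)
    reply = constructed_response(0x1234, server_sets_ad)
    return {"rule": rule.namespace if rule else None,
            "do_bit_sent": query.endswith(OPT_RR),
            "accepted": accept_response(rule, reply),
            "last_hop_protected": bool(rule and rule.dns_over_ipsec)}


if __name__ == "__main__":
    for q, ad in [("hrweb.corp.example", True), ("hrweb.corp.example", False),
                  ("www.example", False), ("5.4.1.10.in-addr.arpa", False)]:
        print(q, resolve(q, ad))
```

Note what the DNSSEC property does and does not give you: the client never checks a signature, only a single header bit that the DNS server asserted. On an unprotected last hop, anything on the path can set that bit, so a rule that requires DNSSEC without also requiring DNS over IPsec (the hrweb.* rule above) still leaves the client trusting an unauthenticated answer. That is why the table presents DNS over IPsec and the IPsec CA alongside the DNSSEC property rather than as unrelated settings.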

The following flowchart shows how the DNS client uses the NRPT when issuing queries.

How the DNS client uses the NRPT when querying
