In this IT Pro challenges hands-on virtual lab, learners are introduced to skills required to enable DNSSEC. Exercises in this lab teach users the concept of DNS forward lookup zone, DNS manager, digital signature, and NRPT. The topics covered in this lab are critical for learners to be effective in system administrator roles in IT.

45 minutes
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »


DNSSEC guards from the simulated DNS data by utilizing public-key cryptography to digitally sign legal zone data when it arrives into the system and then verify it at its target. In other words, DNSSEC is a security method that provides DNS servers the capability to check that the information they collect is secure. Servers that ask the DNS records, also obtain the signature and the public key and can confirm that the accounts have been signed with the private key.

In this virtual lab, learners will learn how to enable DNSSEC. First, you will create a DNS zone and add resource records, and then digitally sign the zone. Next, you will configure the Name Resolution Policy Table (NRPT) so that clients check DNS zone resource record signatures to ensure the records have not been tampered with. The other guided and advanced challenges in this series are "Use EFS to Encrypt Files on NTFS Volumes" and "Can You Secure DNS Resource Records and Window NTFS Volume File Objects?"

Understand the Scenario

You are a system administrator for a company that uses a private DNS server. You need to configure DNS to mitigate DNS attacks, such as DNS cache poisoning. To accomplish this task, you will use a virtual machine named DC1 that runs Microsoft Windows Server 2016. DC1 is configured as a domain controller for an Active Directory domain named Contoso. You will connect to the virtual machine console directly in the lab environment.

Create a custom DNS forward lookup zone

A forward lookup zone is a DNS zone. In this, a hostname to IP address connections is stored. When a machine demands the IP address of a particular host name, the forward lookup zone is verified, checked, and the aspired output is delivered. In this section of the virtual lab, learners will learn how to create a custom DNS forward lookup zone. They will create a new DNS primary forward lookup zone named zone2.com that uses the default configuration settings and use the DNS Manager and Lookup Zones. In the New Zone Wizard, you will advance to the Zone Name page, and then in Zone name, enter zone2.com. Finally, you will complete the wizard, using the default values for all remaining steps. Microsoft Active Directory requires a DNS zone. In this challenge, learners will create an additional DNS zone, although the existing DNS zone. In zone2.com, create a New Host (A or AAAA) record named www that will use the given server's IP address.

Digitally sign a DNS zone

In this section of the virtual lab, you will digitally sign zone2.com by using the default settings to sign the zone. First, you will View the new DNS records in the zone2.com DNS zone and notice the new RR Signature and DNS KEY records. These indicate that this DNS zone is now digitally signed. Finally, you will check your work and confirm that the zone is digitally signed and contains RR Signature and DNS KEY DNS resource records.

Configure the Name Resolution Policy Table

After digitally signing the DNS zone, learners will configure the name resolution policy table. In the Default Domain Policy, you will configure the Name Resolution Policy by adding a rule that enables DNSSEC for all DNS queries in zone2.com. Next, you will refresh Group Policy and use the Windows PowerShell to view DNSSEC client settings. Finally, you will check your work and confirm that you enabled DNSSEC validation for zone2.com.

Lab Summary Conclusion

After completing the "Enable DNSSEC" virtual lab, you will have accomplished the following:

  • Created a new primary forward lookup DNS zone.
  • Added an A resource record to the zone.
  • Digitally sign a DNS zone.
  • Configured client DNSSEC validation settings in Group Policy.