Three new documents are now available that discuss DNS server and client features in Windows Server 2008 R2 and Windows 7:
1. What’s New in DNS provides an overview of the following four new features:
a. DNS Security Extensions (DNSSEC) is a new feature that allows you to sign and host DNSSEC-protected zones.
b. DNS Devolution is a process that allows computers to resolve single-label names, also known as flat names. For Windows 7, and computers that have installed an update, the default devolution behavior has changed.
c. DNS Cache Locking allows you to configure when cached DNS information can be overwritten. Cache locking reduces vulnerability to a flaw in recursive DNS servers, reported by Dan Kaminsky, that an attacker can use to spoof DNS data.
d. DNS Socket Pool implements source port randomization, which also reduces vulnerability to the Kaminsky flaw. See also Microsoft’s Security Bulletin MS08-037 and CVE-2008-1447.
2. The Secure DNS Deployment Guide has information about security-related configuration options that are available with Windows DNS. This guide discusses settings you can use when Deploying a Secure DNS Configuration with Windows Server 2008 R2. Several of the settings are also available if you are using an earlier version of Windows Server.
The guide also provides detailed instructions and conceptual information you need for Deploying DNS Security Extensions (DNSSEC) with Windows Server 2008 R2. This includes the use of a new feature in Windows DNS called the Name Resolution Policy Table (NRPT).
3. The DNSSEC Deployment Guide is a downloadable Microsoft Word document with the same procedures that are provided in the DNSSEC section of the Secure DNS Deployment Guide described above.
You can also read more about these features in Shyam Seshadri’s blog on Windows DNS.
The Windows Server Networking Documentation Team