Windows 7 DNSSEC client not working

4

I'm trying to use the built-in DNSSEC resolver in Windows 7, but it does not work properly.

Background:

I'm currently in a bad country; the ISP and government always poison/hijack DNS answers, and I won't get a correct answer even if I set the DNS server to Google or OpenDNS.

Every time they try to poison a query, my firewall notifies me. I'm currently using a VPN and DNSCrypt; both work well. I just found the DNSSEC settings in Windows 7 and wanted to try them, but they don't seem to work right.

My tests and results:

A. Before configuring:

  1. When using Google DNS without the VPN, the query gets poisoned: the IP address is wrong, and the firewall alerts.

  2. When using DNSCrypt without the VPN, the answer is correct.

  3. When using Google DNS with the VPN, the answer is correct.

B. Open Local Group Policy Editor > Computer Configuration > Windows Settings > Name Resolution Policy; in "To which part of the namespace does this rule apply" select "Any", tick "Enable DNSSEC in this rule", leave the other boxes unticked, then click the "Create" and "Apply" buttons.

These settings have no effect at all; the results are the same as in test 0.

C. Based on test 1, I additionally ticked "Require DNS clients to check that name and address data has been validated by the DNS server", left the other options unticked, and applied it.

Now DNS is dead: under all conditions a, b and c, no domain name can be resolved, and ping echoes "Ping request could not find host example.com. Please check the name and try again."

D. Based on test 1, I additionally ticked "Use IPsec in communication between the DNS client and DNS server", left the other options unticked, and applied it.

No matter which "encryption type" I choose for IPsec, the results are the same as in test 2: under all conditions, DNS is dead.

E. I ticked both boxes from tests 2 and 3; DNS is still dead under all conditions (a, b, and c).

F. I tried setting "Advanced Global Policy Settings" > "Configure query failure options" to "Always fall back to LLMNR and NetBIOS for any kind of name resolution error (least secure)". DNS is still dead.

So could anyone tell me what's wrong with my DNSSEC in Windows 7?

Thanks!

Sam

Posted 2016-11-16T02:01:47.867

Reputation: 950
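Windows 7's DNS client is a non-validating stub resolver: with "Require DNS clients to check that name and address data has been validated by the DNS server" set, it only accepts answers whose AD (Authenticated Data) flag was set by a validating DNS server, and answers for unsigned zones never carry that flag. The script below is an added example, not code from the question or from any Microsoft tool: it builds a DNSSEC-aware query (EDNS0 with the DO bit) and reads the AD flag out of the reply so a resolver's behaviour can be checked from any host; the two response headers in it are constructed samples, and `query_resolver` is an optional live check against a server of your choosing.

```python
import random
import socket
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query with an EDNS0 OPT record whose DO bit asks for DNSSEC data."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; AD is the bit a non-validating stub relies on."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # response
        "ra": bool(flags & 0x0080),    # recursion available
        "ad": bool(flags & 0x0020),    # authenticated data (set by a validating resolver)
        "cd": bool(flags & 0x0010),    # checking disabled
        "rcode": flags & 0x000F,
        "answers": an,
    }

def stub_accepts(msg: bytes, require_validation: bool) -> bool:
    """Mirror the NRPT 'require validation' rule: only AD-flagged answers are trusted."""
    h = parse_header(msg)
    if not h["qr"] or h["rcode"] != 0:
        return False
    return h["ad"] if require_validation else True

def query_resolver(server: str, name: str, timeout: float = 3.0) -> dict:
    """Live check (needs network, not exercised by the tests): ask a resolver and report flags."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    h = parse_header(data)
    h["id_matches"] = h["id"] == struct.unpack("!H", q[:2])[0]  # a reply with another ID is not ours
    return h

# Constructed sample headers (bodies omitted; only the flag word matters here).
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD (unsigned zone)
```

Run `query_resolver("<resolver ip>", "example.com")` against the resolver the NRPT rule sends queries to; if `ad` comes back False for most names, a "require validation" rule covering "Any" namespace will reject those answers exactly as described above.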

If you do not mind, you can run BIND as a local DNS server and activate DNSSEC on it. – Wiffzack – 2016-11-16T18:28:52.463

Answers

0

Check out this one, Simple DNSCrypt:

https://simplednscrypt.org/

user956584

Posted 2016-11-16T02:01:47.867

Reputation: 295