lifenjoiner edited this page Apr 6, 2026 · 2 revisions

DNSSEC on Windows

What is DNSSEC?

DNSSEC is a DNS record extension that delivers digital signatures along with the answers. By checking the digital signature, a DNS resolver can verify that the information it received is identical (i.e. unmodified and complete) to the information published by the zone owner and served by an authoritative DNS server.

DNSSEC does not provide confidentiality: the data is not encrypted. The signatures take up part of the limited space in UDP DNS packets, which increases the probability of failure when a response exceeds the size limit.

Unfortunate limits

It seems that no version of Windows supports DNSSEC validation; Windows cannot validate DNSSEC itself. It uses a "security-aware" stub resolver that can only differentiate between secure and non-secure responses as flagged by a recursive name server.

So, Windows can only gain DNSSEC capability by working together with a trusted DNS server that performs DNSSEC validation.

Ref: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools. Even Windows Server 2012 supports DNSSEC only when acting as a server, not as a client.

How to configure

  1. Turn on the filter

    # Server must support DNS security extensions (DNSSEC)
    require_dnssec = true
    
  2. Some servers support DNSSEC but don't use it by default; they use it only when you request it. So, either choose only those servers that use DNSSEC by default, or disable those that don't.

    # Server names chosen to use
    server_names = []
    
    # Server names to avoid even if they match all criteria
    disabled_server_names = []
    

    For some people, choosing which servers to use is easier.

    How to decide disabled_server_names? Take https://dnscheck.tools/ for example:

    | | ECDSA P-256 | ECDSA P-384 | Ed25519 |
    |---|---|---|---|
    | Valid | 12345678.test-alg13.dnscheck.tools | 12345678.test-alg14.dnscheck.tools | 12345678.test-alg15.dnscheck.tools |
    | Invalid | badsig-12345678.test-alg13.dnscheck.tools | badsig-12345678.test-alg14.dnscheck.tools | badsig-12345678.test-alg15.dnscheck.tools |
    | Expired | expiredsig-12345678.test-alg13.dnscheck.tools | expiredsig-12345678.test-alg14.dnscheck.tools | expiredsig-12345678.test-alg15.dnscheck.tools |
    | Missing | nosig-12345678.test-alg13.dnscheck.tools | nosig-12345678.test-alg14.dnscheck.tools | nosig-12345678.test-alg15.dnscheck.tools |

    12345678 represents your client ID.

    Turn on your query log (query_log section), then check the logs to make sure that:

    1. Queries for the first row pass. There must be one passing query for each column.
    2. All other rows fail. Disable the servers that passed but should have failed.
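The two log checks above can be automated. The script below is an added example, not part of this wiki or of dnscrypt-proxy itself. It assumes the query log is written in the TSV layout (timestamp, client IP, qname, qtype, return code, duration, server name), that a validated answer shows up as `PASS` and a rejected one as any other return code, and it runs against constructed sample lines with made-up server names (`good-resolver`, `leaky-resolver`, `old-resolver`). It reports the servers that answered a `badsig-`, `expiredsig-` or `nosig-` name with `PASS` (the ones to put in `disabled_server_names`) and, as a bonus check, the servers for which no valid-row query passed for some algorithm.

```python
import re
from collections import defaultdict

# Query names used by https://dnscheck.tools/, grouped by row of its table:
# the bare client-id name must validate, the three prefixed variants must fail.
QNAME_RE = re.compile(
    r"^(?:(?P<row>badsig|expiredsig|nosig)-)?(?P<client>\d+)"
    r"\.test-alg(?P<alg>1[345])\.dnscheck\.tools$",
    re.IGNORECASE,
)
ALGORITHMS = {"13": "ECDSA P-256", "14": "ECDSA P-384", "15": "Ed25519"}

# Constructed sample query_log lines (assumed TSV layout, made-up server names).
SAMPLE_LOG = "\n".join([
    "[2026-04-06 10:00:01]\t127.0.0.1\t12345678.test-alg13.dnscheck.tools\tA\tPASS\t35ms\tgood-resolver",
    "[2026-04-06 10:00:01]\t127.0.0.1\t12345678.test-alg14.dnscheck.tools\tA\tPASS\t36ms\tgood-resolver",
    "[2026-04-06 10:00:01]\t127.0.0.1\t12345678.test-alg15.dnscheck.tools\tA\tPASS\t37ms\tgood-resolver",
    "[2026-04-06 10:00:02]\t127.0.0.1\tbadsig-12345678.test-alg13.dnscheck.tools\tA\tSERVFAIL\t40ms\tgood-resolver",
    "[2026-04-06 10:00:02]\t127.0.0.1\texpiredsig-12345678.test-alg14.dnscheck.tools\tA\tSERVFAIL\t41ms\tgood-resolver",
    "[2026-04-06 10:00:02]\t127.0.0.1\tnosig-12345678.test-alg15.dnscheck.tools\tA\tSERVFAIL\t42ms\tgood-resolver",
    "[2026-04-06 10:00:03]\t127.0.0.1\t12345678.test-alg13.dnscheck.tools\tA\tPASS\t30ms\tleaky-resolver",
    "[2026-04-06 10:00:03]\t127.0.0.1\t12345678.test-alg14.dnscheck.tools\tA\tPASS\t31ms\tleaky-resolver",
    "[2026-04-06 10:00:03]\t127.0.0.1\t12345678.test-alg15.dnscheck.tools\tA\tPASS\t32ms\tleaky-resolver",
    "[2026-04-06 10:00:04]\t127.0.0.1\tbadsig-12345678.test-alg13.dnscheck.tools\tA\tPASS\t33ms\tleaky-resolver",
    "[2026-04-06 10:00:05]\t127.0.0.1\t12345678.test-alg13.dnscheck.tools\tA\tPASS\t50ms\told-resolver",
    "[2026-04-06 10:00:05]\t127.0.0.1\t12345678.test-alg14.dnscheck.tools\tA\tPASS\t51ms\told-resolver",
    "[2026-04-06 10:00:05]\t127.0.0.1\t12345678.test-alg15.dnscheck.tools\tA\tSERVFAIL\t52ms\told-resolver",
    "[2026-04-06 10:00:06]\t127.0.0.1\tbadsig-12345678.test-alg13.dnscheck.tools\tA\tSERVFAIL\t53ms\told-resolver",
    "[2026-04-06 10:00:07]\t127.0.0.1\tbadsig-99999999.test-alg13.dnscheck.tools\tA\tPASS\t20ms\tgood-resolver",
    "[2026-04-06 10:00:08]\t127.0.0.1\texample.com\tA\tPASS\t10ms\tgood-resolver",
])


def parse_tsv_line(line):
    """Split one query_log line (assumed TSV layout) into (qname, return code, server)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    return fields[2], fields[4], fields[6]


def analyze(log_text, client_id):
    """Apply the wiki's two checks to a query log for one dnscheck.tools client ID.

    Returns (to_disable, incomplete):
      to_disable - sorted servers that returned PASS for a badsig/expiredsig/nosig name
      incomplete - {server: [algorithms for which no valid-row query passed]}
    Lines for other client IDs or unrelated names are ignored.
    """
    passed_valid = defaultdict(set)  # server -> algorithm numbers where the valid row passed
    seen = set()                     # servers that answered any dnscheck.tools query
    to_disable = set()
    for line in log_text.splitlines():
        parsed = parse_tsv_line(line)
        if parsed is None:
            continue
        qname, rcode, server = parsed
        m = QNAME_RE.match(qname.rstrip("."))
        if m is None or m.group("client") != client_id:
            continue
        seen.add(server)
        row, alg = m.group("row") or "valid", m.group("alg")
        if row == "valid":
            if rcode == "PASS":
                passed_valid[server].add(alg)
        elif rcode == "PASS":
            # Signature was bad, expired or absent, yet the answer came back as usable.
            to_disable.add(server)
    incomplete = {}
    for server in seen:
        missing = [ALGORITHMS[a] for a in sorted(ALGORITHMS) if a not in passed_valid[server]]
        if missing:
            incomplete[server] = missing
    return sorted(to_disable), incomplete


def toml_line(to_disable):
    """Render the disabled_server_names line in the form used on this page."""
    return "disabled_server_names = [" + ", ".join(f"'{s}'" for s in to_disable) + "]"


if __name__ == "__main__":
    disable, incomplete = analyze(SAMPLE_LOG, "12345678")
    print(toml_line(disable))
    for server, algs in incomplete.items():
        print(f"# {server}: no passing valid query for {', '.join(algs)}")
```

Run it against a real log by reading the file into `analyze` with your own client ID from dnscheck.tools; the `old-resolver` case shows why the first check matters too, since a server that fails the valid row for an algorithm never proves it validates that algorithm at all.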

Known disabled_server_names

disabled_server_names = ['plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6']
