Home
  •  

Windows DNS 2016 and 1709+ DNSSEC Denial Of Existence - Zone Security Monitor

Microsoft.Windows.DNSServer.2016.Monitor.DNSSEC.DenialOfExistence (UnitMonitor)

This Monitor track whether the signed zone is NSEC3 enabled or plain NSEC is being used for secure denial of existence. Using only NSEC for secure denial of existence can cause zone enumeration. Disabled by default.

Knowledge Base article:

Summary

Monitors if the Zone has NSEC3 enabled on NSEC enabled. This monitor is also disabled by default. Certain users may want to monitor the Denial of Existence Type.

Causes

This Monitor track whether the Zone is NSEC3 enabled or plain NSEC. As plain NSEC leads to Zone data enumeration this might be a concern to a few customers. Whenever the DenialOfExistence status is changed to NSEC the monitor should show a warning.

Resolutions

Change the denial of existence type in Zone DNSSEC properties using the DNS management tools.

Element properties:

TargetMicrosoft.Windows.DNSServer.2016.Zone
Parent MonitorSystem.Health.PerformanceState
CategoryPerformanceHealth
EnabledFalse
Alert GenerateFalse
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.DNSServer.2016.DNSSEC.DenialOfExistence.MonitorType
RemotableTrue
AccessibilityPublic
RunAsMicrosoft.Windows.DNSServer.2016.ActionAccount

Source Code:

<UnitMonitor ID="Microsoft.Windows.DNSServer.2016.Monitor.DNSSEC.DenialOfExistence" Accessibility="Public" Enabled="false" Target="Microsoft.Windows.DNSServer.2016.Zone" ParentMonitorID="Health!System.Health.PerformanceState" Remotable="true" Priority="Normal" TypeID="Microsoft.Windows.DNSServer.2016.DNSSEC.DenialOfExistence.MonitorType" ConfirmDelivery="true" RunAs="Microsoft.Windows.DNSServer.2016.ActionAccount">

  <Category>PerformanceHealth</Category>

  <OperationalStates>

    <OperationalState ID="Unsigned.Or.NSEC3.State" MonitorTypeStateID="Unsigned.Or.NSEC3" HealthState="Success"/>

    <OperationalState ID="NSEC.State" MonitorTypeStateID="NSEC" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <ZoneName>$Target/Property[Type="Microsoft.Windows.DNSServer.2016.Zone"]/ZoneName$</ZoneName>

    <ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>

    <IntervalSeconds>900</IntervalSeconds>

    <SyncTime/>

    <TimeoutSeconds>300</TimeoutSeconds>

  </Configuration>

</UnitMonitor>