How to prevent DNS cache pollution (241352)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0

This article was previously published under Q241352
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature.

Note If a DNS server has been configured to forward resolution requests to another server, establishing a child-parent relationship, the child DNS server could still be vulnerable to DNS cache pollution attacks performed against a parent DNS server if that server is not performing DNS cache pollution protection. By default, Microsoft DNS servers, using Windows 2000 Service Pack 3 or later, acting as a parent in a child-parent relationship will fully perform cache pollution protection. Therefore, make sure that all DNS servers in an organization have DNS cache pollution protection enabled.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Windows NT 4.0

With Windows NT 4.0 Service Pack 4 (SP4) or later, a Windows NT-based DNS server can filter out the responses for these non-secure records.

To enable this feature:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: SecureResponses
    Data Type: REG_DWORD
    Value: 1 (To eliminate non-secure data)

  4. Quit Registry Editor.
By default, this key does not exist and non-secure data is not eliminated from responses.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

198409 Microsoft DNS Server Registry Parameters, Part 2 of 3

Windows 2000

A Windows 2000-based DNS server can filter out the responses for these non-secure records.

To enable this feature:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: SecureResponses
    Data Type: REG_DWORD
    Value: 1 (To eliminate non-secure data)

  4. Quit Registry Editor.
By default, on Windows 2000 Service Pack 1 (SP1) and Windows 2000 Service Pack 2 (SP2), this key does not exist and non-secure data is not eliminated from responses. Although DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later, the registry key does not exist and is not needed. The only reason to create this registry key is to disable DNS cache pollution protection. For more information about DNS cache pollution protection, click the following article number to view the article in the Microsoft Knowledge Base:

316786 Description of the DNS Server Secure Cache Against Pollution Setting



Note On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:
  1. Open the DNS Management Console by clicking Start, Programs, Adminstrative Tools, and then clickingDNS.
  2. Right-click on the server name in the left window pane.
  3. Choose Properties.
  4. Choose the Advanced tab.
  5. Place a check in the box "Secure cache against pollution".

Windows 2003

DNS cache pollution protection is enabled by default in Microsoft Windows 2003.

To view the DNS cache pollution settings, use the following steps:
  1. Open the DNS Management Console by clicking Start, Programs, Adminstrative Tools, and then clicking DNS.
  2. Right click on the server name in the left window pane.
  3. Choose Properties.
  4. Choose the Advanced tab.
  5. Confirm that the "Secure cache against pollution" check box is selected.
Note In Windows 2003 DNS, the registry key setting does not exist, however the setting is enabled in the GUI by default. You can also check the current setting by running the following command at a command prompt: Dnscmd /Info /SecureResponses

Modification Type:MajorLast Reviewed:4/6/2005
Keywords:kbenv kbinfo KB241352