MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Configuration tools
You can use the following three tools to configure DNS registry entries:
- Registry Editor
- Dnscmd.exe
- The DNS console
Registry Editor
Some DNS registry entries can only be modified by using Registry Editor. To create DNS registry entries, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
- On the Edit menu, point to New, and then click the data type of the entry. For example, click DWORD.
- Type the name of the DNS server entry, and then press ENTER.
- Right-click the new entry, click Modify, type the value you want in the Value data box, and then click OK.
- Quit Registry Editor.
- Restart the DNS server for these changes to take effect.
Dnscmd.exe
You can use the Dnscmd.exe command-line tool to perform most of the tasks that you can perform by using the DNS console. For example, you can use the Dnscmd.exe command-line tool to perform the following tasks:
- Create, delete, and view zones and records
- Reset server and zone properties
- Perform the following routine administration operations:
- Update, reload, and refresh the zone
- Write the zone back to a file or to Active Directory directory service
- Pause and resume the zone
- Clear the cache
- Start and stop the DNS service
- View statistics
You can also use the Dnscmd.exe command-line tool to write scripts for remote administration. For more information about Dnscmd.exe, see Windows 2000 Support Tools Help. For more information about how to install and use the Windows 2000 Support Tools and about Support Tools Help, see the Sreadme.doc file in the Support\Tools folder on the Windows 2000 Server CD-ROM.
The DNS console
You can use the DNS console to configure many DNS settings. To start the DNS console, click Start, point to Programs, point to Administrative Tools, and then click DNS.
DNS server entries
The following registry entries (along with the entries that are described in part 2 and part 3) determine the behavior of the whole DNS server. Each of these registry entries is located under the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
Note The DNS server reads these registry entries only when it starts. Some registry entries can be reset while the server is running, so the server behavior is occasionally changed dynamically through the DNS Administrator. However, if you manually reset a registry entry, you must restart the DNS server to process the entry's new value.
RecursionRetry
Type: DWORD
Default value: 0x3
Function: Determines how frequently DNS repeats recursive client queries when it does not receive a response from a remote server.
You can use the RecursionRetry registry entry to specify how frequently DNS repeats recursive client queries when it does not receive a response from a remote server. If the DNS server does not receive a response before the expiration of the time that is set in the RecursionRetry entry, the DNS server repeats the query to the same server or to other DNS servers.
The default value is appropriate for most servers. However, if this value is less than the time that a remote server requires to respond over a slow link, increase this value so that it is slightly longer than the response time that you noted.
Change method
Use Dnscmd.exe to change the value of the RecursionRetry entry. The change is effective immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. If you change the value of the RecursionRetry entry by editing the registry, the changes are not effective until you restart the DNS server.
Note Windows 2000 does not add the RecursionRetry entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
RecursionTimeout
Type: DWORD
Default value: 0xF (15 seconds)
Function: Determines how long DNS waits for remote servers to respond to a recursive client query before the search is stopped.
You can use the RecursionTimeout registry entry to specify how long DNS waits for remote servers to respond to a recursive client query before DNS stops the search. If the DNS server does not receive a response to a recursive query, the server repeats the query at intervals that are specified by the value of the RecursionRetry entry. If the server does not receive a response before the value of the RecursionTimeout entry expires, the DNS server stops the search and sends a SERVER_FAILURE response to the query.
This value is appropriate for most DNS servers. However, if this value is less than the time a remote server requires to respond over a slow link, increase this value so that it is slightly longer than the response time that you note. In measuring actual response times, make sure that you distinguish between responses from remote DNS servers and repeated query tries by the client.
Change method
Use Dnscmd.exe to change the value of the RecursionTimeout entry. The change is effective immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. If you change the value of the RecursionTimeout entry by editing the registry, the changes are not effective until you restart the DNS server.
Note Windows 2000 does not add the RecursionTimeout entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
RoundRobin
Type: DWORD (Boolean)
Default value: 1
Function: Determines the order in which the DNS server returns address (A) records when it has multiple A records for the same name.
You can use the RoundRobin registry entry to specify the order that the DNS server returns A records when it has multiple A records for the same name.
Valid RoundRobin entries
| Value | Meaning |
|---|---|
| 0 | The DNS server returns the A records in a fixed, file load order. |
| 1 | The DNS server rotates among the A records it returns for a particular name. Rotating helps balance the load that is placed on each connection to the named server. |
Change method
To change the value of the RoundRobin entry, use the DNS console. Right-click the server name, click Properties, and then click the Advanced tab. The RoundRobin entry corresponds to the Enable round robin option. You can also use Dnscmd.exe. When you use either method, your changes are effective immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. If you change the value of the RoundRobin entry by editing the registry, the changes are not effective until you restart the DNS server.
Note The order that A records are returned depends on the value of the RoundRobin entry and of the LocalNetPriority entry. Note the following items:
- When both entries are set to 1 or if the RoundRobin entry is not in the registry, the DNS server rotates among the A records it returns in local net priority order. This is the order of their similarity to the IP address of the querying client.
- If the value of the RoundRobin entry is 0 and the value of the LocalNetPriority entry is 1, the DNS server returns the records in local net priority order. The DNS server does not rotate among available addresses.
- If the value of the RoundRobin entry is 1 and the value of the LocalNetPriority entry is 0, the DNS server rotates among the available records in the order that the records were added to the database.
- If the values of the RoundRobin entry and the LocalNetPriority entry are 0, the DNS server returns the records in the order that they were added to the database. The DNS server does not try to sort them or to rotate among them.
RpcProtocol
Type: DWORD
Default value: 0xFFFFFFFF
Function: Specifies the protocols that administrative remote procedure calls (RPCs) to the DNS server use.
You can use the RpcProtocol registry entry to specify the protocols that administrative remote procedure calls (RPCs) use. Although these flags are not specific to DNS, the DNS server establishes endpoints to create connections that use these protocols.
The value of the RpcProtocol entry is a bitmap. You can set multiple bits by adding the bits together and setting the value of the RpcProtocol entry to that sum.
| Bit | Meaning |
|---|---|
| 0x0 | No protocols (disables RPC for DNS) |
| 0x1 (001 binary) | TCP/IP |
| 0x2 (010 binary) | Named pipes |
| 0x4 (100 binary) | LPC |
| 0xFFFFFFFF | All protocols |
Change method
To change the value of the RpcProtocol entry, use Dnscmd.exe. Do not change the value of the RpcProtocol entry by editing the registry.
Start method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
ScavengingInterval
Type: DWORD
Default value: 0x0
Function: Determines whether the scavenging feature of DNS is turned on, and specifies how frequently the DNS server scavenges its database records.
You can use the ScavengingInterval registry entry to specify whether the scavenging feature of DNS is turned on and how frequently the DNS server scavenges its database records.
During the scavenging process, the DNS server examines the timestamps of resource records in the DNS database and deletes records that are out of date.
Valid ScavengingInterval entries
| Value | Meaning |
|---|---|
| 0x0 | Turns off scavenging. The DNS server does not delete old resource records. |
| 0x1-0xFFFFFFFF | Turns on scavenging and specifies the number of hours between each scavenging pass. |
Change method
To change the value of the ScavengingInterval entry, do not edit the registry directly. Instead, use the DNS console. Right-click a server name, click Properties, click the Advanced tab, and then click to select the Enable automatic scavenging of stale records check box.
You can also use Dnscmd.exe to configure this entry.
Activation method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
Note DNS adds the ScavengingInterval entry to the registry when you use the DNS console or Dnscmd.exe to turn on scavenging and set a scavenging interval. If you turn off scavenging, the DNS console sets the value of the ScavengingInterval entry to 0x0.
Important By default, scavenging is turned off. To turn on the DNS scavenging feature for any zone, you must turn on scavenging on the server by using the ScavengingInterval entry and turn it on for the zone by using the Aging entry in a Zone-name subkey. If the ScavengingInterval entry specifies that scavenging is turned off on the DNS server, all values that configure scavenging for any zone are ignored.
SecureResponses
Type: DWORD (Boolean)
Default value: 0
Function: Determines whether the DNS server filters the records that it saves in its memory cache in order to eliminate illegitimate records.
Note The CleanupInterval registry entry is not available in Windows 2000.
You can use the SecureResponses registry entry to specify if the DNS server tries to eliminate illegitimate records by filtering the records that it saves in its memory cache.
The DNS server saves the records of recursive name queries in a memory cache so that it can respond quickly to new queries for the same name. By default, it saves all records. However, if the value of the SecureResponses entry is 1, DNS saves only those query records for names that are in the same subtree as the server that provided them. For example, the DNS server would save a name server (NS) record for ns.example.com from the example.com server, but it would not save the NS record for ns.example2.com from the example.com server. This filtering is designed to minimize the effect of malicious attacks on an Internet server, but it might generate additional network traffic.
Valid SecureResponses entries
| Value | Meaning |
|---|---|
| 0 | The DNS server saves all name query records in its memory cache. It does not try to filter out illegitimate records. |
| 1 | The DNS server saves only those records of names that are in the same subtree as the name in the original query. |
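The subtree filter that SecureResponses=1 applies, modeled as an added example (not code from the Microsoft article). The record tuples and zone names are constructed; the comparison is done label by label so that a name that merely ends with the zone string is not treated as part of the zone.

```python
# Added example (not from the Microsoft article): models the cache filter that
# SecureResponses=1 applies, as described above. The record tuples and zone names
# are constructed for illustration.
from __future__ import annotations
from typing import Iterable

def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]

def in_subtree(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it. The comparison is label-wise,
    so 'notexample.com' is NOT under 'example.com' even though it ends with it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_cacheable(records: Iterable[tuple[str, str, str]], responder_zone: str,
                     secure_responses: int) -> list[tuple[str, str, str]]:
    """Return the records the server keeps in its cache.

    records:          (owner_name, rtype, rdata) tuples from one response
    responder_zone:   the zone the answering server was asked about
    secure_responses: 0 keeps every record (the default); 1 keeps only records
                      whose owner name is in responder_zone's subtree
    """
    if secure_responses == 0:
        return list(records)
    return [rec for rec in records if in_subtree(rec[0], responder_zone)]

# Constructed response from the example.com server: two records inside the
# subtree plus three outside it, of the kind the filter is designed to discard.
SAMPLE_RESPONSE = [
    ("example.com", "NS", "ns.example.com"),
    ("ns.example.com", "A", "192.0.2.1"),
    ("example2.com", "NS", "ns.example2.com"),
    ("ns.example2.com", "A", "198.51.100.7"),
    ("notexample.com", "A", "203.0.113.9"),   # string-suffix trap
]

if __name__ == "__main__":
    for setting in (0, 1):
        kept = filter_cacheable(SAMPLE_RESPONSE, "example.com", setting)
        print(f"SecureResponses={setting}: cached {[r[0] for r in kept]}")
```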
Change method
To change the value of the SecureResponses entry, use the DNS console. Right-click the name of a DNS server, click Properties, and then click the Advanced tab. The SecureResponses entry stores the setting of the Secure cache against pollution check box.
Start method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
Note Windows 2000 does not add the SecureResponses entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
SendPort
Type: DWORD
Default value: 0x0
Function: Specifies a port that the DNS server uses to send recursive User Datagram Protocol (UDP) queries to other DNS servers.
You can use the SendPort registry entry to specify a port that the DNS server uses to send recursive UDP queries to other DNS servers.
By default, the DNS server sends recursive UDP queries through a randomly selected port that is named the DNS port. The SendPort entry directs the DNS server to use a particular port. You may want to add the SendPort entry to the registry if you want to use port 53 or another port.
If the value of the SendPort entry is 0 or if the entry does not appear in the registry, DNS randomly selects a port.
Start method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
Note Windows 2000 does not add the SendPort entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
StrictFileParsing
Type: DWORD
Default value: 0
Function: Determines how the DNS server responds when it receives zone files whose records contain errors that violate Requests for Comments (RFCs).
You can use the StrictFileParsing registry entry to specify how the DNS server responds when it receives zone files whose records contain errors that violate Requests for Comments (RFCs). These include records for names that are outside the zone, canonical name (CNAME) records at names that contain other records, and other records at names that contain CNAME records.
Valid StrictFileParsing entries
| Value | Meaning |
|---|---|
| 0 | When the DNS server encounters an erroneous record, it writes an error to the DNS log in Event Viewer and continues to load. |
| 1 | When the DNS server encounters erroneous records, it writes an error to the DNS log in Event Viewer and stops without loading. |
Change method
To change the value of the StrictFileParsing entry, use the DNS console. Right-click the server name, click Properties, and then click the Advanced tab. The StrictFileParsing entry corresponds to the Fail on load if bad zone data option. You can also use Dnscmd.exe to configure this setting. You can use either method, and the changes are effective immediately so that you do not have to restart the DNS server.
Activation method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console or Dnscmd.exe. If you change the value of the StrictFileParsing entry by editing the registry, the changes are not effective until you restart the DNS server.
Note The default behavior of DNS changed in Microsoft Windows NT 4.0 with Service Pack 4 (SP4). In versions of Windows NT 4.0 before SP4, the DNS server does not start if it encounters incorrect zone records. Check the system log in Event Viewer for errors.
Important Windows 2000 does not add the StrictFileParsing entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
UpdateOptions
Type: DWORD
Default value: 0x30F
Function: Prevents DNS dynamic update of certain types of records.
The UpdateOptions registry entry prevents DNS dynamic update of certain types of records.
The UpdateOptions entry is a bitmask. To turn off DNS dynamic update for one record type, set the bit for that record type to 1; to turn it off for several record types, add their hexadecimal values together and use the sum as the value of the entry.
Valid UpdateOptions entries
| Value | Meaning |
|---|---|
| 0x0 | DNS dynamic update does not restrict any record types. |
| 0x1 | Start of Authority (SOA) records. |
| 0x2 | Name server (NS) records. |
| 0x4 | Delegation NS records. |
| 0x8 | Server host records. |
| 0x100 | On secure dynamic update, exclude SOA records. |
| 0x200 | On secure dynamic update, exclude root NS records. |
| 0x30F | On standard dynamic update, exclude NS, SOA, and server host records. On secure dynamic update, exclude root NS and SOA records. Permit delegations and server host updates. |
| 0x400 | On secure dynamic update, exclude delegation NS records. |
| 0x800 | On secure dynamic update, exclude server host records. |
| 0x1000000 | DS peer records. |
| 0x80000000 | Turn off DNS dynamic update. |
Start method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
Note Windows 2000 does not add the UpdateOptions entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
To find other registry entries that are related to DNS dynamic update, type "dynamic update" on the Search tab in this file.
WriteAuthorityNs
Type: DWORD (Boolean)
Default value: 0 (write NS records in the Authority section of referrals only)
Function: Determines when the DNS server writes NS (name server) records in the Authority section of a response.
You can use the WriteAuthorityNs registry entry to specify when the DNS server writes NS records in the Authority section of a response. The WriteAuthorityNs entry prevents the DNS server from writing unnecessary NS records in the Authority section, and it makes sure that the DNS server complies with relevant Requests for Comments (RFCs).
Valid WriteAuthorityNs entries
| Value | Meaning |
|---|---|
| 0 | The DNS server writes NS records in the Authority section of referrals only. This setting complies with RFC 1034, Domain names - concepts and facilities, and with RFC 2181, Clarifications to the DNS Specification. |
| 1 | The DNS server writes NS records in the Authority section of all successful authoritative responses. These NS records are neither required nor useful. |
Change method
To change the value of the WriteAuthorityNs entry, use Dnscmd.exe. The change is effective immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using Dnscmd.exe. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
Note The default value is optimal for most DNS servers. Providing NS records in the Authority section consumes processor time and network bandwidth, and we do not recommend it unless a network program or service requires it.
Important Windows 2000 does not add the WriteAuthorityNs entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
XfrConnectTimeout
Type: DWORD
Default value: 0x1E (30 seconds)
Function: Specifies how long the DNS server waits for a secondary server to connect to a primary server for a zone transfer.
You can use the XfrConnectTimeout registry entry to specify how long the DNS server waits for the secondary server to connect to a primary server. If the connection is not established when the value of the XfrConnectTimeout entry expires, the DNS server drops the connection.
Start method
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
Note Windows 2000 does not add the XfrConnectTimeout entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
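A small audit of the server entries covered on this page, as an added example (not part of the Microsoft article): it parses a constructed .reg export of the DNS\Parameters subkey, decodes the UpdateOptions and RpcProtocol bitmasks using the bit labels from the tables above, and reports which of SecureResponses, ScavengingInterval, SendPort, StrictFileParsing and UpdateOptions are left in the state the article describes as off or weaker. The SAMPLE_REG text and the wording of each finding are constructed; entries absent from the export take the default values the article states.

```python
# Added example (not part of the Microsoft article): parses a constructed .reg
# export of the DNS\Parameters key and reports the settings the article describes.
# SAMPLE_REG and finding wording are constructed; bit labels follow the tables above.
import re

UPDATE_OPTION_BITS = {
    0x1: "SOA records", 0x2: "NS records", 0x4: "delegation NS records",
    0x8: "server host records", 0x100: "secure: exclude SOA",
    0x200: "secure: exclude root NS", 0x400: "secure: exclude delegation NS",
    0x800: "secure: exclude server host", 0x1000000: "DS peer records",
    0x80000000: "dynamic update turned off",
}
RPC_PROTOCOL_BITS = {0x1: "TCP/IP", 0x2: "Named pipes", 0x4: "LPC"}
# Defaults the article states for entries that are absent from the registry.
DEFAULTS = {"UpdateOptions": 0x30F, "ScavengingInterval": 0, "SecureResponses": 0,
            "RpcProtocol": 0xFFFFFFFF, "SendPort": 0, "StrictFileParsing": 0}
_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_dns_parameters(reg_text: str) -> dict:
    """Collect the DWORD values found under the ...\\Services\\DNS\\Parameters key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a new key section begins
            in_key = line.lower().endswith("\\services\\dns\\parameters]")
            continue
        m = _DWORD_LINE.match(line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def decode_bits(value: int, table: dict) -> list:
    """Labels of the bits set in a bitmask, lowest bit first."""
    return [label for bit, label in sorted(table.items()) if value & bit]

def audit(values: dict) -> list:
    """One finding per setting left in the state the article describes as off or weaker."""
    v = {**DEFAULTS, **values}
    findings = []
    if v["SecureResponses"] == 0:
        findings.append("SecureResponses=0: cache keeps records from outside the responder's subtree")
    if v["ScavengingInterval"] == 0:
        findings.append("ScavengingInterval=0: stale resource records are never scavenged")
    if v["SendPort"] != 0:
        findings.append(f"SendPort={v['SendPort']}: recursive UDP queries use a fixed source port")
    if v["StrictFileParsing"] == 0:
        findings.append("StrictFileParsing=0: zone files with RFC-violating records still load")
    uo = v["UpdateOptions"]
    if (uo & 0x80000000) == 0 and (uo & 0x3) != 0x3:   # parentheses: == binds tighter than &
        findings.append("UpdateOptions: SOA or NS records are not excluded from dynamic update")
    return findings

SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters]
"UpdateOptions"=dword:00000300
"SendPort"=dword:00000035
"StrictFileParsing"=dword:00000001
"""

if __name__ == "__main__":
    params = parse_dns_parameters(SAMPLE_REG)
    print("UpdateOptions:", decode_bits(params["UpdateOptions"], UPDATE_OPTION_BITS))
    print("RpcProtocol:", decode_bits(DEFAULTS["RpcProtocol"], RPC_PROTOCOL_BITS))
    for finding in audit(params):
        print("-", finding)
```

A real export is produced with regedit's Export command on the subkey; the parser only needs the resulting text passed in as a string.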