DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later.
DNS cache pollution protection is also enabled by default in Windows Server 2003. In Windows Server 2003 DNS the registry key setting does not exist; however, the setting is enabled by default. Within a command window you can check the current setting by running the following command:
Dnscmd /Info /SecureResponses
For additional information about how to enable DNS cache pollution protection in Windows NT 4.0 or Windows 2000, see the following article in the Microsoft Knowledge Base:
241352 How to Prevent DNS Cache Pollution
Example of Cache Pollution Protection
The DNS server receives this response to a query that is sent to a name server for example.com:
question: www.example.com A
answer: no records
auth: example.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4
The DNS server always caches the NS record in this response because it is for a name that is within the authority of the DNS server it was received from. With cache pollution protection disabled, the A record is also cached. However, with cache pollution protection enabled, the A record is ignored, and the DNS server initiates a cache update query to resolve the address of ns.isp.com. This is because the response was received from a name server for example.com, but ns.isp.com is outside the example.com domain. Although an extra DNS query is required to resolve the original query in this example, the results of the ns.isp.com query are cached, so the impact should be minimal.
Another Example of Cache Pollution Protection
The DNS server receives this response to a query that is sent to a name server for example.com:
question: www.example.com A
answer: no records
auth: microsoft.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4
With cache pollution protection disabled, the attacker's NS record for microsoft.com is cached, which causes name resolution to fail or be hijacked for subsequent queries for names that are in the microsoft.com domain. With cache pollution protection enabled, both the NS record and the A record in this response are ignored because they are both for names outside example.com.
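The following Python model, added here as an illustration and not code from the Microsoft article or from the Windows DNS service, applies the rule described in both examples above: a record received from a server authoritative for example.com is cached only if its owner name is example.com or a name beneath it. The two responses are reconstructed from the article; the Record type, the function names, and the section labels are this example's own.

```python
# Added example (not from the Microsoft KB article): a minimal model of the
# "cache pollution protection" check the article describes. A response is only
# trusted for names inside the zone of the server that answered it; NS and A
# records for names outside that zone are dropped rather than cached.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str     # owner name, e.g. "ns.isp.com"
    rtype: str    # "A" or "NS"
    data: str     # address (for A) or target name server (for NS)
    section: str  # "answer", "auth", or "additional"


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or a subdomain of it (case-insensitive).
    The leading dot in the comparison prevents "notexample.com" from matching
    "example.com"."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(records, zone, protection_enabled):
    """Split records into (cached, dropped).

    With protection disabled every record is cached, which is the behaviour the
    article describes as vulnerable. With protection enabled, only records whose
    owner name lies within `zone` (the zone of the responding server) are kept.
    """
    if not protection_enabled:
        return list(records), []
    cached, dropped = [], []
    for r in records:
        (cached if in_bailiwick(r.name, zone) else dropped).append(r)
    return cached, dropped


def names_needing_lookup(cached):
    """NS targets that were cached without an accompanying A record; the
    resolver must issue its own query for these (the article's extra query)."""
    have_a = {r.name.lower() for r in cached if r.rtype == "A"}
    return [r.data for r in cached
            if r.rtype == "NS" and r.data.lower() not in have_a]


# Constructed inputs: the two responses shown in the article, both received
# from a name server that is authoritative for example.com.
RESPONSE_1 = [
    Record("example.com", "NS", "ns.isp.com", "auth"),
    Record("ns.isp.com", "A", "1.2.3.4", "additional"),
]
RESPONSE_2 = [
    Record("microsoft.com", "NS", "ns.isp.com", "auth"),
    Record("ns.isp.com", "A", "1.2.3.4", "additional"),
]


if __name__ == "__main__":
    for label, resp in (("example 1", RESPONSE_1), ("example 2", RESPONSE_2)):
        kept, dropped = filter_response(resp, "example.com", True)
        print(label, "cached:", [(r.name, r.rtype) for r in kept])
        print(label, "dropped:", [(r.name, r.rtype) for r in dropped])
        print(label, "extra query needed for:", names_needing_lookup(kept))
```

Running the model reproduces the article's outcomes: for the first response the example.com NS record is cached, the ns.isp.com A record is dropped, and ns.isp.com is reported as needing its own lookup; for the second response both records are dropped because neither microsoft.com nor ns.isp.com is within example.com. Flipping protection off caches both records in either case.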