Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Description of the DNS Server Secure Cache Against Pollution setting


View products that this article applies to.

Summary

This article provides a description of the DNS Server "Secure cache against pollution" setting. Microsoft DNS server in Windows NT 4.0 and Windows 2000 is capable of cache pollution protection (also called "Secure cache against pollution" or "SecureResponses"). By default, this setting is not enabled in Windows NT 4.0 and pre-Windows 2000 Service Pack 3 (SP3). After you enable this setting, the DNS server ignores DNS resource records that come from servers that are not authoritative for them. Although it can cause extra DNS queries, the security benefits far outweigh the cost of the extra queries, so enabling DNS cache pollution protection is highly recommended.

↑ Back to the top


More information

DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later. DNS cache pollution protection is enabled by default in Windows Server 2003. In Windows 2003 DNS the registry key setting does not exist, however the setting is enabled by default. Within a command window you can check the current setting by running the following command:
Dnscmd /Info /SecureResponses
For additional information about how to enable DNS cache pollution protection in Windows NT 4.0 or Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:
241352 How to Prevent DNS Cache Pollution

Example of Cache Pollution Protection

The DNS server receives this response to a query that is sent to a name server for example.com:
question: www.example.com A
answer: no records
auth: example.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4
The DNS server always caches the NS record in this response because it is for a name that is within the authority of the DNS server it was received from. With cache pollution protection disabled, the A record is also cached. However with cache pollution protection enabled, the A record is ignored, and the DNS server initiates a cache update query to resolve the address of ns.isp.com. This is because the query was received from a name server for example.com, but ns.isp.com is outside the example.com domain. Although an extra DNS query is required to resolve the original query in this example, the results of the ns.isp.com query are cached so the impact should be minimal.

Another Example of Cache Pollution Protection

The DNS server receives this response to a query that is sent to a name server for example.com:
question: www.example.com A
answer: no records
auth: microsoft.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4
With cache pollution protection disabled, the attacker's NS record for microsoft.com is cached, which causes name resolution to fail or be hijacked for subsequent queries for names that are in the microsoft.com domain. With cache pollution protection enabled, both the NS record and the A record in this response are ignored because they are both for names outside example.com.

↑ Back to the top


Keywords: KB316786, kbnetwork, kbinfo, kbenv

↑ Back to the top

Article Info
Article ID : 316786
Revision : 5
Created on : 2/22/2007
Published on : 2/22/2007
Exists online : False
Views : 734