Article ID: 241352 - View products that this article applies to.
This article was previously published under Q241352
DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature.
Note If a DNS server has been configured to forward resolution requests to another server, establishing a child-parent relationship, the child DNS server could still be vulnerable to DNS cache pollution attacks performed against a parent DNS server if that server is not performing DNS cache pollution protection. By default, Microsoft DNS servers, using Windows 2000 Service Pack 3 or later, acting as a parent in a child-parent relationship will fully perform cache pollution protection. Therefore, make sure that all DNS servers in an organization have DNS cache pollution protection enabled.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Windows NT 4.0With Windows NT 4.0 Service Pack 4 (SP4) or later, a Windows NT-based DNS server can filter out the responses for these non-secure records.
To enable this feature:
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/198409/EN-US/ )Microsoft DNS Server Registry Parameters, Part 2 of 3
Windows 2000A Windows 2000-based DNS server can filter out the responses for these non-secure records.
To enable this feature:
(http://support.microsoft.com/kb/316786/ )Description of the DNS Server Secure Cache Against Pollution Setting
Note On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:
Windows 2003DNS cache pollution protection is enabled by default in Microsoft Windows 2003.
To view the DNS cache pollution settings, use the following steps:
Article ID: 241352 - Last Review: February 28, 2007 - Revision: 2.4
Contact us for more help