Article ID: 316786 - Last Review: February 22, 2007 - Revision: 1.4
Description of the DNS Server Secure Cache Against Pollution setting
This article was previously published under Q316786
SUMMARY
This article provides a description of the DNS Server "Secure cache against pollution" setting. Microsoft DNS server in Windows NT 4.0 and Windows 2000 is capable of cache pollution protection (also called "Secure cache against pollution" or "SecureResponses"). By default, this setting is not enabled in Windows NT 4.0 and pre-Windows 2000 Service Pack 3 (SP3). After you enable this setting, the DNS server ignores DNS resource records that come from servers that are not authoritative for them. Although it can cause extra DNS queries, the security benefits far outweigh the cost of the extra queries, so enabling DNS cache pollution protection is highly recommended.
MORE INFORMATION
DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later.
DNS cache pollution protection is enabled by default in Windows Server 2003. In Windows Server 2003 DNS the registry key setting does not exist; however, the setting is enabled by default. Within a command window you can check the current setting by running the following command:
Dnscmd /Info /SecureResponses
For additional information about how to enable DNS cache pollution protection in Windows NT 4.0 or Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:
241352 (http://support.microsoft.com/kb/241352/EN-US/) How to Prevent DNS Cache Pollution
Example of Cache Pollution Protection
The DNS server receives this response to a query that is sent to a name server for example.com:
question: www.example.com A
answer: no records
auth: example.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4
The DNS server always caches the NS record in this response because it is for a name that is within the authority of the DNS server it was received from. With cache pollution protection disabled, the A record is also cached. However, with cache pollution protection enabled, the A record is ignored, and the DNS server initiates a cache update query to resolve the address of ns.isp.com. This is because the response was received from a name server for example.com, but ns.isp.com is outside the example.com domain. Although an extra DNS query is required to resolve the original query in this example, the results of the ns.isp.com query are cached, so the impact should be minimal.
Another Example of Cache Pollution Protection
The DNS server receives this response to a query that is sent to a name server for example.com:
question: www.example.com A
answer: no records
auth: microsoft.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4
With cache pollution protection disabled, the attacker's NS record for microsoft.com is cached, which causes name resolution to fail or be hijacked for subsequent queries for names that are in the microsoft.com domain. With cache pollution protection enabled, both the NS record and the A record in this response are ignored because they are both for names outside example.com.
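The following is an added illustration of the check described in the two examples above; it is not code from the Windows DNS server. It models the responding server's zone and the records in the authority and additional sections as constructed data, and shows which records a resolver would cache with SecureResponses off versus on, and which names it must then resolve with a separate query.

```python
# Added example: a "bailiwick" filter of the kind this article describes.
# RR, in_bailiwick and filter_response are hypothetical names; the record
# sets EXAMPLE_1 and EXAMPLE_2 are constructed from the article's two responses.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name of the record, e.g. "ns.isp.com"
    rtype: str   # "NS" or "A"
    rdata: str   # NS target host name, or the A address


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below zone (case-insensitive,
    trailing dots ignored; 'notexample.com' does NOT match 'example.com')."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records: list[RR], secure: bool) -> tuple[list[RR], list[str]]:
    """Return (records to cache, NS targets that still need their own query).

    zone   - the zone the responding name server is authoritative for
    secure - SecureResponses enabled (True) or disabled (False)
    """
    if not secure:
        # Pre-SP3 default: everything in the response is cached, glue included.
        return list(records), []
    # Keep only records whose owner name is inside the responder's zone.
    cached = [rr for rr in records if in_bailiwick(rr.name, zone)]
    cached_a = {rr.name.lower() for rr in cached if rr.rtype == "A"}
    # An accepted NS record whose glue A record was discarded triggers a
    # separate "cache update" query for the name server's address.
    followups = [rr.rdata for rr in cached
                 if rr.rtype == "NS" and rr.rdata.lower() not in cached_a]
    return cached, followups


# Article example 1: in-zone NS record with out-of-zone glue.
EXAMPLE_1 = [RR("example.com", "NS", "ns.isp.com"), RR("ns.isp.com", "A", "1.2.3.4")]
# Article example 2: NS record for a domain the responder is not authoritative for.
EXAMPLE_2 = [RR("microsoft.com", "NS", "ns.isp.com"), RR("ns.isp.com", "A", "1.2.3.4")]

if __name__ == "__main__":
    for label, resp in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2)):
        cached, followups = filter_response("example.com", resp, secure=True)
        print(label, "cached:", cached, "follow-up queries:", followups)
```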