Description of the DNS Server Secure Cache Against Pollution setting (316786)


The information in this article applies to:

  • Microsoft Windows NT Server 4.0
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
This article was previously published under Q316786

SUMMARY

This article provides a description of the DNS Server "Secure cache against pollution" setting. Microsoft DNS server in Windows NT 4.0 and Windows 2000 is capable of cache pollution protection (also called "Secure cache against pollution" or "SecureResponses"). By default, this setting is not enabled in Windows NT 4.0 and pre-Windows 2000 Service Pack 3 (SP3). After you enable this setting, the DNS server ignores DNS resource records that come from servers that are not authoritative for them. Although it can cause extra DNS queries, the security benefits far outweigh the cost of the extra queries, so enabling DNS cache pollution protection is highly recommended.

MORE INFORMATION

DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later. DNS cache pollution protection is enabled by default in Windows Server 2003. In Windows 2003 DNS the registry key setting does not exist, however the setting is enabled by default. Within a command window you can check the current setting by running the following command:

Dnscmd /Info /SecureResponses

For additional information about how to enable DNS cache pollution protection in Windows NT 4.0 or Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

241352 How to Prevent DNS Cache Pollution

Example of Cache Pollution Protection

The DNS server receives this response to a query that is sent to a name server for example.com:

question: www.example.com A
answer: no records
auth: example.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4

The DNS server always caches the NS record in this response because it is for a name that is within the authority of the DNS server it was received from. With cache pollution protection disabled, the A record is also cached. However with cache pollution protection enabled, the A record is ignored, and the DNS server initiates a cache update query to resolve the address of ns.isp.com. This is because the query was received from a name server for example.com, but ns.isp.com is outside the example.com domain. Although an extra DNS query is required to resolve the original query in this example, the results of the ns.isp.com query are cached so the impact should be minimal.

Another Example of Cache Pollution Protection

The DNS server receives this response to a query that is sent to a name server for example.com:

question: www.example.com A
answer: no records
auth: microsoft.com NS ns.isp.com
additional: ns.isp.com A 1.2.3.4

With cache pollution protection disabled, the attacker's NS record for microsoft.com is cached, which causes name resolution to fail or be hijacked for subsequent queries for names that are in the microsoft.com domain. With cache pollution protection enabled, both the NS record and the A record in this response are ignored because they are both for names outside example.com.
Modification Type:MinorLast Reviewed:4/12/2005
Keywords:kbenv kbinfo kbnetwork KB316786
©2004 Microsoft Corporation. All rights reserved.