JSI Tip 5873. DNS Caching, Network Prioritization, and Security.
October 28, 2002
Microsoft TechNet article DNS Caching, Network Prioritization, and Security contains:
DNS Caching, Network Prioritization, and Security
The default settings of DNS might need to be changed in order to optimize the performance and security of the Windows XP Professional DNS client. You can make configuration changes in order to:
Configure caching and negative caching.
Configure Subnet prioritization.
Prevent the resolver from receiving responses from nonqueried servers.
Configuring Caching and Negative Caching
When the Windows XP Professional resolver receives a positive or negative response to a query, it adds that positive or negative response to its cache, thus creating a DNS resource record. The resolver always checks the cache before querying any DNS server, so if a DNS resource record is in the cache, the resolver uses the record from the cache rather than querying a server. This expedites queries and decreases network traffic for DNS queries.
You can use the Ipconfig tool to view and to flush the DNS resolver cache.
To view the DNS resolver cache
At the command prompt, type:
ipconfig /displaydns
Ipconfig displays the contents of the DNS resolver cache, including the DNS resource records preloaded from the Hosts file as well as any recently queried names that were resolved by the system.
After a certain amount of time, specified in the Time to Live (TTL) associated with the DNS resource record, the resolver discards the record from the cache. You can also flush the cache manually. After you flush the cache, the computer must query DNS servers again for any DNS resource records previously resolved by the computer.
To flush the cache manually by using Ipconfig
At the command prompt, type:
ipconfig /flushdns
The local Hosts file is preloaded into the resolver's cache and reloaded into the cache whenever Hosts is updated.
The length of time for which a positive or negative response is cached depends on the values of entries in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters
The TTL for positive responses is the lesser of the following values:
the number of seconds specified in the query response the resolver received
the value of the registry entry MaxCacheEntryTtlLimit
The default TTL for positive responses is 86,400 seconds (1 day).
The TTL for negative responses is the number of seconds specified in the registry entry NegativeCacheTime.
The default TTL for negative responses is 300 seconds. If you do not want negative responses to be cached at all, set the value of NegativeCacheTime to 0.
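The two TTL rules above, as an added example that is not part of the TechNet article: a small Python model of the resolver cache in which positive answers expire after the lesser of the response TTL and MaxCacheEntryTtlLimit, negative answers after NegativeCacheTime, and NegativeCacheTime=0 disables negative caching. The names ResolverCache, positive_ttl, negative_ttl and the injected clock are my own modelling devices, not anything from the resolver's real implementation; the parameter dictionary simply mirrors the registry value names the article gives.

```python
import time
from dataclasses import dataclass

# Defaults named in the DnsCache\Parameters subkey discussed above (values in seconds).
DEFAULT_PARAMS = {"MaxCacheEntryTtlLimit": 86400, "NegativeCacheTime": 300}


def positive_ttl(response_ttl, params=DEFAULT_PARAMS):
    """A positive answer is cached for the lesser of the TTL in the response and MaxCacheEntryTtlLimit."""
    return min(response_ttl, params["MaxCacheEntryTtlLimit"])


def negative_ttl(params=DEFAULT_PARAMS):
    """A negative answer is cached for NegativeCacheTime seconds, whatever TTL the response carried."""
    return params["NegativeCacheTime"]


@dataclass
class CacheEntry:
    addresses: list      # an empty list models a cached negative answer (name does not exist)
    expires_at: float    # absolute time in the units of the injected clock


class ResolverCache:
    """Toy model of the resolver cache; `clock` is injected so expiry can be exercised deterministically."""

    def __init__(self, params=None, clock=time.time):
        self.params = dict(DEFAULT_PARAMS, **(params or {}))
        self.clock = clock
        self.entries = {}

    def add_response(self, name, addresses, response_ttl):
        """Record a positive (non-empty addresses) or negative (empty addresses) answer."""
        if addresses:
            ttl = positive_ttl(response_ttl, self.params)
        else:
            ttl = negative_ttl(self.params)
            if ttl == 0:
                return   # NegativeCacheTime=0: negative answers are never cached
        self.entries[name.lower()] = CacheEntry(list(addresses), self.clock() + ttl)

    def lookup(self, name):
        """Return cached addresses ([] for a cached negative answer), or None on a miss or after expiry."""
        key = name.lower()
        entry = self.entries.get(key)
        if entry is None:
            return None
        if self.clock() >= entry.expires_at:
            del self.entries[key]   # the resolver discards the record once its TTL has passed
            return None
        return list(entry.addresses)

    def flush(self):
        """Equivalent of `ipconfig /flushdns`: forget everything, so the next lookup goes to a server."""
        self.entries.clear()
```

The cache is keyed on the lower-cased name because DNS names are case-insensitive; a lookup after the TTL has elapsed both returns a miss and evicts the stale entry, which is the behaviour the text describes for expiry.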
Caution
Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference in the Microsoft Windows 2000 Server Resource Kit at http://www.microsoft.com/reskit.
Configuring Subnet Prioritization
Each DNS database consists of resource records. In general, resource records contain information related to a particular host computer, such as its IP address, owner of the host, or the type of services it provides. Table 20.4 lists some of the common types of resource records.
Table 20.4 Common Types of Resource Records
Resource Record Type | Description | Explanation |
---|---|---|
SOA | Start of Authority | This record designates the start of a zone. It contains information such as the name of the zone, the e-mail address of the zone administrator, and settings that control how secondary DNS servers update the zone data files. |
A | Address | This record lists the IP address of a particular host name. This is the key record for name resolution. |
PTR | Pointer | This record designates a reverse mapping of a host IP address to a host DNS domain name. |
CNAME | Canonical Name | This record specifies an alias or nickname for the standard (canonical) host name. |
MX | Mail Exchanger | This record lists the host computer that is responsible for receiving e-mail sent to a domain. |
NS | Name Server | This record specifies the name server responsible for a given zone. |
If the resolver receives multiple IP address mappings (A resource records) from a DNS server, and some of the records have IP addresses from networks to which the computer is directly connected, the resolver places those resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.
For example, suppose there are three Web servers that all host the Web page for www.reskit.com, and they are all located on different subnets. The DNS name server for the network contains the following resource records:
www.reskit.com.  IN  A  172.16.64.11
www.reskit.com.  IN  A  172.17.64.22
www.reskit.com.  IN  A  172.18.64.33
When a Windows XP Professional–based computer's DNS resolver (client) receives a response to the query for the A record of www.reskit.com, it returns the A records in order, starting with the IP addresses from subnets to which the computer is directly connected. For example, if a computer with the IP address 172.17.64.93 queries for www.reskit.com, the resolver returns the resource records in the following order:
www.reskit.com.  IN  A  172.17.64.22
www.reskit.com.  IN  A  172.16.64.11
www.reskit.com.  IN  A  172.18.64.33
Subnet prioritization prevents the resolver from simply choosing the first IP address returned in the DNS query and thereby using the DNS server's round robin feature (defined in RFC 1794). With round robin enabled, the server rotates the order of resource records returned when multiple A resource records exist for a queried DNS domain name. Thus, in the example described earlier, if a user queried for www.reskit.com, the name server replies to the first client request by ordering the addresses as follows:
172.16.64.11
172.17.64.22
172.18.64.33
It replies to the second client request by ordering the addresses as follows:
172.17.64.22
172.18.64.33
172.16.64.11
It replies to the third client request by ordering the addresses as follows:
172.18.64.33
172.16.64.11
172.17.64.22
With round robin enabled, if clients are configured to use the first IP address in the list that they receive, different clients will use different IP addresses, thus balancing the load among multiple network resources with the same name. However, if the resolvers are configured for subnet prioritization, the resolvers reorder the list to favor IP addresses from networks to which they are directly connected, reducing the effectiveness of the round robin feature.
Although subnet prioritization does reduce network traffic across subnets, in some cases you might prefer to have the round robin feature work as described in RFC 1794. If so, you can disable the subnet prioritization feature on your clients by adding the registry entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
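The interaction between the server's round robin and the client's subnet prioritization, as an added Python example that is not part of the TechNet article: `round_robin` models the server rotating the three www.reskit.com records once per request, `prioritize_by_subnet` models the client moving directly connected addresses to the front (or leaving the list alone when PrioritizeRecordData is 0), and `client_view` composes the two. The function names are mine; the article gives no subnet mask for the 172.17.64.93 client, so a /24 on that interface is an assumption made in the usage.

```python
import ipaddress

# Constructed from the www.reskit.com example above: the three A records the server holds.
RESKIT_A_RECORDS = ["172.16.64.11", "172.17.64.22", "172.18.64.33"]


def round_robin(addresses, request_index):
    """Model the server's round robin: each successive request gets the list rotated one step further."""
    k = request_index % len(addresses)
    return addresses[k:] + addresses[:k]


def prioritize_by_subnet(addresses, local_interfaces, prioritize_record_data=1):
    """Reorder A-record addresses the way the resolver does with subnet prioritization on.

    local_interfaces: "ip/prefix" strings for the networks the client is directly connected to.
    prioritize_record_data=0 models PrioritizeRecordData=0: the server's order is kept as-is.
    The reorder is stable: directly connected addresses move to the front in their original
    relative order, and the remaining addresses keep theirs.
    """
    if prioritize_record_data == 0:
        return list(addresses)
    networks = [ipaddress.ip_interface(i).network for i in local_interfaces]
    local = [a for a in addresses if any(ipaddress.ip_address(a) in n for n in networks)]
    remote = [a for a in addresses if a not in local]
    return local + remote


def client_view(request_index, local_interfaces, prioritize_record_data=1, records=RESKIT_A_RECORDS):
    """What one client ends up using: the server's round-robin answer, then the client's own reordering."""
    answer = round_robin(records, request_index)
    return prioritize_by_subnet(answer, local_interfaces, prioritize_record_data)


if __name__ == "__main__":
    # Assumed: the 172.17.64.93 client sits on a /24 (the article states no mask).
    client = ["172.17.64.93/24"]
    for i in range(3):
        print("request", i, "prioritized:", client_view(i, client),
              " round robin only:", client_view(i, client, prioritize_record_data=0))
```

Running it shows the point the text makes: with prioritization on, every rotation the server produces still puts 172.17.64.22 first for this client, so the three servers are no longer visited in turn; with PrioritizeRecordData=0 the first address advances with each request as RFC 1794 intends.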
Preventing the Resolver from Accepting Responses from Nonqueried Servers
By default, the resolver accepts responses from servers that it did not query, as well as from those it did. This presents a possible security liability, in that unauthorized DNS servers might pass along invalid A resource records for the purpose of misdirecting subsequent DNS queries. If you want to disable this feature, add the registry entry QueryIpMatching with a value of 1 (REG_DWORD data type) to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
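What QueryIpMatching changes, as an added Python example that is not part of the TechNet article: a resolver keeps a record of the server it sent each query to, and `accept_response` decides whether an incoming reply is taken. With `query_ip_matching=0` (the default the text describes) a reply is accepted from any source address as long as it answers the outstanding query; with `query_ip_matching=1` the reply must come from the server that was actually asked. The transaction-ID check is standard DNS behaviour the article does not discuss; the class and function names and the sample addresses are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    source_ip: str      # address the UDP reply came from
    txid: int           # transaction ID echoed back from the query
    name: str
    addresses: tuple    # A records carried in the answer


@dataclass(frozen=True)
class PendingQuery:
    server_ip: str      # the DNS server the resolver actually sent the query to
    txid: int
    name: str


def accept_response(pending, response, query_ip_matching=0):
    """Return True if the resolver should accept `response` as the answer to `pending`.

    query_ip_matching=1 models QueryIpMatching=1: the reply's source address must be the
    queried server. With 0 (the default described above) any source address is accepted
    provided the reply matches the outstanding query's transaction ID and name.
    """
    if response.txid != pending.txid:
        return False
    if response.name.lower() != pending.name.lower():
        return False
    if query_ip_matching and response.source_ip != pending.server_ip:
        return False
    return True


def accepted_answers(pending, responses, query_ip_matching=0):
    """Filter a batch of received replies down to the ones the resolver would use."""
    return [r for r in responses if accept_response(pending, r, query_ip_matching)]


if __name__ == "__main__":
    # Constructed sample: one query to 172.16.1.10, plus two replies, only one from that server.
    pending = PendingQuery("172.16.1.10", 0x1A2B, "www.reskit.com")
    replies = [
        DnsResponse("172.16.1.10", 0x1A2B, "www.reskit.com", ("172.16.64.11",)),
        DnsResponse("172.16.9.9", 0x1A2B, "www.reskit.com", ("10.0.0.1",)),
    ]
    for setting in (0, 1):
        used = [r.source_ip for r in accepted_answers(pending, replies, setting)]
        print(f"QueryIpMatching={setting}: replies accepted from {used}")
```

With the setting at 0 both replies pass and whichever arrives first wins, which is the liability the text describes; at 1 only the 172.16.1.10 reply is used. The check is a useful layer, but it is not a substitute for the transaction-ID match, which is why the function tests both.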