13.17. Preventing Cache Pollution on DNS Servers

Problem

You want to prevent the DNS cache on a name server from becoming polluted with false information.

Solution

Using a graphical user interface

  1. Open the DNS snap-in and connect to the name server you want to manage.

  2. Right-click on the name server node and select Properties.

  3. Select the Advanced tab.

  4. Select the checkbox labeled Secure against cache pollution.

  5. Click OK.

Using a command-line interface

The following command adds the value SecureResponses to the HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters registry key and assigns it a value of 1:

> reg add HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v SecureResponses /t REG_DWORD /d 1

Using VBScript

You can provide the same function with the following code:

' Create the SecureResponses value (REG_DWORD = 1) under the DNS Parameters key
set objWSHShell = CreateObject("WScript.Shell")
strRegKey = "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
objWSHShell.RegWrite strRegKey & "\SecureResponses", 1, "REG_DWORD"

A related task you can script with VBScript is clearing the resource records already held in the DNS cache. The following code uses WMI to clear the DNS cache on the local computer:

strComputer = "."   ' "." is the local computer; use a host name to target another DNS server
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
' Each MicrosoftDNS_Cache instance represents the server's cache; call ClearCache on it
set colItems = objWMI.ExecQuery("Select * From MicrosoftDNS_Cache")
for each objItem in colItems
    objItem.ClearCache()
next
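The same two operations in PowerShell, as an added example rather than the book's own code: it audits the SecureResponses value at the registry path given above, enables it if it is missing or not 1, and clears the cache through the same MicrosoftDNS WMI class the VBScript uses. Function names are my own; the assumptions that the service is named DNS and that it re-reads its Parameters key on restart are noted in the comments.

```powershell
# Run in an elevated PowerShell session on the DNS server.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsCachePollutionProtection {
    # Returns $true only when SecureResponses exists and equals 1.
    # A missing value is reported as not enabled, because the value is
    # only created once the setting has been configured.
    $item = Get-ItemProperty -Path $DnsParams -Name 'SecureResponses' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.SecureResponses -eq 1)
}

function Enable-DnsCachePollutionProtection {
    # Creates or overwrites SecureResponses as REG_DWORD 1 (the same change
    # the reg.exe and VBScript variants make), then verifies the write.
    New-ItemProperty -Path $DnsParams -Name 'SecureResponses' -PropertyType DWord -Value 1 -Force | Out-Null
    if (-not (Get-DnsCachePollutionProtection)) {
        throw "SecureResponses was not written under $DnsParams"
    }
    # Assumption: the DNS Server service ('DNS') reads its Parameters key at
    # startup, so restart it for the new value to take effect.
    Restart-Service -Name 'DNS'
}

function Clear-DnsCacheViaWmi {
    # Mirrors the VBScript above: every MicrosoftDNS_Cache instance in the
    # root\MicrosoftDNS namespace exposes a ClearCache method.
    Get-CimInstance -Namespace 'root\MicrosoftDNS' -ClassName 'MicrosoftDNS_Cache' |
        Invoke-CimMethod -MethodName 'ClearCache' | Out-Null
}

if (Get-DnsCachePollutionProtection) {
    Write-Output 'Cache pollution protection is already enabled.'
} else {
    Write-Output 'Cache pollution protection is NOT enabled; enabling it now.'
    Enable-DnsCachePollutionProtection
}

# Flush whatever the cache already holds so stale or unrelated records are gone.
Clear-DnsCacheViaWmi
Write-Output 'DNS cache cleared.'
```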

Discussion

The DNS Server cache is used to temporarily store the result of DNS queries from clients so that if the same query is received within a short time ...
