Saturday, January 31, 2009

SecureResponses Registry Key

This registry value determines whether the DNS server caches all name server (NS) records or only those in the same subtree of the domain.

By default, the DNS server saves all the NS records returned by recursive name queries in its in-memory DNS cache. However, if the registry value is 1, the DNS server saves only those NS response records for names that are in the same subtree as the server that provided them.

For example, the DNS server will save all name server (NS) records for subtree.mydns.com from the mydns.com server, but it will not save the name server (NS) record for subtree.notmydns.com from the mydns.com server.
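
The subtree.notmydns.com case is also where a plain string-suffix comparison goes wrong, because "subtree.notmydns.com" ends with the characters "mydns.com". The Python sketch below is an added example, not code from the original post or from Microsoft's DNS server; it models the same-subtree rule with a label-by-label comparison, and the function names and sample records are constructed for illustration.

```python
# Illustrative model of the same-subtree rule described above.
# Assumption: names are compared label by label; this is not Microsoft's code.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing root dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def in_subtree(name, zone):
    """True if `name` equals `zone` or sits below it in the DNS tree."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def cacheable_ns(records, answering_zone, secure_responses):
    """Return the (owner, nameserver) NS records that would be cached.

    secure_responses=0: every record is kept.
    secure_responses=1: only owners inside the answering server's subtree.
    """
    if not secure_responses:
        return list(records)
    return [rec for rec in records if in_subtree(rec[0], answering_zone)]

# Constructed sample: NS records in a response from the mydns.com server.
SAMPLE = [
    ("subtree.mydns.com", "ns1.subtree.mydns.com"),
    ("subtree.notmydns.com", "ns1.elsewhere.example"),
    ("MyDNS.com.", "ns1.mydns.com"),
]

if __name__ == "__main__":
    for value in (0, 1):
        kept = cacheable_ns(SAMPLE, "mydns.com", value)
        owners = [owner for owner, _ in kept]
        print(f"SecureResponses={value}: cached owners = {owners}")
```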

The registry key is located at "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters".
Key Name: SecureResponses
Type: DWORD (Boolean)
Default: No key (no SecureResponses)

Value: 0 (The DNS server saves all name query records in its memory cache)
       1 (The DNS server saves only those NS records that are in the same subtree as the originating DNS server)

To set the value of this key, run:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v SecureResponses /t REG_DWORD /d 1

Note:
Changes made through regedit.exe take effect only after restarting the DNS server.

To change SecureResponses without restarting the DNS server, do the following:

1. Open DNS Manager using the dnsmgmt.msc command.
2. In the DNS Manager console tree, right-click the DNS server node and click Properties.
3. In the DNS server properties dialog, go to the Advanced tab and check the "Secure cache against pollution" option, click Apply, and finally click OK.



