Showing posts with label DNS Query.

Saturday, February 7, 2009

Set EnableDnsSec using dnscmd

To set EnableDnsSec from the command line:

1. To set EnableDnsSec to 1, run
dnscmd /config /EnableDnsSec 1

To verify the setting, run
dnscmd /info /EnableDnsSec

2. To set EnableDnsSec to 0, run
dnscmd /config /EnableDnsSec 0

To verify the setting, run
dnscmd /info /EnableDnsSec

3. To set EnableDnsSec to 2, run
dnscmd /config /EnableDnsSec 2

To verify the setting, run
dnscmd /info /EnableDnsSec

EnableDnsSec Registry Key

This registry value controls which DNSSEC resource records are included in DNS query responses. By default (the value does not exist), DNSSEC resource records are included only in responses to queries that contain an OPT resource record.

Key Name: EnableDnsSec
Type: dword
Default: 0x1
Range: [0x1..0x2]
Functionality: controls which DNSSEC resource records are included in query responses.
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

If the value is 0x0, DNSSEC resource records are included only in responses to queries that request SIG, KEY or NXT resource records.
If the value is 0x1, DNSSEC resource records are included only in responses to queries that contain an OPT resource record.
If the value is 0x2, DNSSEC resource records are included in all query responses.

Note: Editing this registry key incorrectly can adversely affect the DNS system. Save a Last Known Good Configuration before making any changes to this key; if anything goes wrong, start the system with the Last Known Good Configuration startup option.

Relevant Posts:
Set enablednssec on command line

Sunday, February 1, 2009

UpdateOptions Registry Key

This registry key allows dynamic updates to be selectively disallowed for particular resource record types, i.e. it can be used to prohibit DNS dynamic update of certain record types.

By default, Windows 2000 allows dynamic updates of NS, SOA and server host records for unsecure zones; for secure zones it allows dynamic updates of the root NS and SOA records, and allows delegation and server host updates for both zone types. Windows 2003, by default, prohibits all of the update policy options for standard unsecure zones; for secure zones, only SOA and zone root NS updates are allowed.

Key Name: UpdateOptions
Type: dword
Default: 0x30F
Functionality: prohibits dynamic updates by bitmask. Each bit in the value prohibits one record type.
Location: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

This value is a bitmask; each bit corresponds to a particular resource record type.
To disable or enable DNS dynamic update for a record type, set or clear the corresponding bit in the value.

The following shows each bit position and its corresponding record type.

For standard nonsecure zones:

Reg Value   Meaning
0x1         Allows SOA (Start of Authority) records.
0x2         NS (name server) records.
0x4         Delegation NS records.
0x8         Host A records in the DNS server's own host record.

For secure zones:

Reg Value   Meaning
0x100       SOA records.
0x200       NS records.
0x400       Delegation NS records.
0x800       A (address) records in the DNS server's own host record.

Other general values irrespective of zone types

Value       Meaning
0x0         Allows DNS dynamic update on all record types.
0x30F       Prevents all of the update policy options for unsecure zones, and allows only SOA and zone root NS updates for secure zones.
0x1000000   Prevents the relay to a DNS server's peers of the server's A record updates.


To set the value to, say, 0x0, run

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v UpdateOptions /t reg_dword /d 0 /f


Note:
1. Direct changes to the registry key take effect only after the DNS server is rebooted.
2. The DNS Manager console can be used to set the UpdateOptions value, and a change made there takes effect without restarting the server.
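The bit table above is easier to work with when the set/clear operations are written down. The following PowerShell is an added example, not code from the original post: it decodes an UpdateOptions value into the record types it prohibits (using the post's bit table), sets or clears a single bit without disturbing the others, and writes the result back with a -WhatIf guard. The function names and the sample value are my own; the registry path is the one the post gives.

```powershell
# Added example (not from the original post): decode and edit the UpdateOptions
# bitmask. The bit-to-record-type table is the one given in the post; the
# function names and the sample value are my own.

$UpdateOptionsBits = @(
    @{ Bit = 0x1;       Meaning = 'nonsecure zones: SOA records' }
    @{ Bit = 0x2;       Meaning = 'nonsecure zones: NS records' }
    @{ Bit = 0x4;       Meaning = 'nonsecure zones: delegation NS records' }
    @{ Bit = 0x8;       Meaning = "nonsecure zones: host A records in the server's own host record" }
    @{ Bit = 0x100;     Meaning = 'secure zones: SOA records' }
    @{ Bit = 0x200;     Meaning = 'secure zones: NS records' }
    @{ Bit = 0x400;     Meaning = 'secure zones: delegation NS records' }
    @{ Bit = 0x800;     Meaning = "secure zones: A records in the server's own host record" }
    @{ Bit = 0x1000000; Meaning = "relay of the server's own A record updates to its peers" }
)

# List what a given UpdateOptions value prohibits, one line per set bit.
function Get-UpdateOptionsMeaning {
    param([Parameter(Mandatory)][int]$Value)

    if ($Value -eq 0) { return @('0x0: dynamic update allowed for all record types') }

    $known = 0
    foreach ($entry in $UpdateOptionsBits) { $known = $known -bor $entry.Bit }

    $lines = @(foreach ($entry in $UpdateOptionsBits) {
        if (($Value -band $entry.Bit) -ne 0) {
            '0x{0:X}: prohibits {1}' -f $entry.Bit, $entry.Meaning
        }
    })
    # Bits outside the post's table are reported rather than silently dropped.
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) { $lines += ('0x{0:X}: bits not described in the post' -f $unknown) }
    return $lines
}

# Return a new value with the bit for one record type set (prohibit) or
# cleared (allow), leaving every other bit as it was.
function Set-UpdateOptionsBit {
    param(
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][int]$Bit,
        [Parameter(Mandatory)][ValidateSet('Prohibit', 'Allow')][string]$Action
    )
    if ($Action -eq 'Prohibit') { return $Value -bor $Bit }
    return $Value -band (-bnot $Bit)
}

# Write the value to the registry. As the post notes, a value written directly
# to the registry only takes effect after the DNS server restarts; -WhatIf
# shows the write without performing it.
function Set-UpdateOptionsValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Value)
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    if ($PSCmdlet.ShouldProcess("$path\UpdateOptions", ('set to 0x{0:X}' -f $Value))) {
        Set-ItemProperty -Path $path -Name UpdateOptions -Type DWord -Value $Value
    }
}

# Usage with the post's default value 0x30F: show what it prohibits, then
# derive a value that additionally allows delegation NS updates in nonsecure zones.
Get-UpdateOptionsMeaning -Value 0x30F
$newValue = Set-UpdateOptionsBit -Value 0x30F -Bit 0x4 -Action Allow
Get-UpdateOptionsMeaning -Value $newValue
Set-UpdateOptionsValue -Value $newValue -WhatIf
```

Run it in an elevated PowerShell session and drop -WhatIf once the decoded value reads as intended; decoding the value first is the check that catches a typo such as 0x30F versus 0x3F before it reaches the registry.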




AutoCacheUpdate registry key

This registry key determines whether the DNS server updates its cached root hints when it starts.

By default, the DNS server updates its cache file based on the responses received for NS and A records.

Key Name: AutoCacheUpdate
Type: DWORD (Boolean)
Default: NoKey (does automatic cache update)
Functionality: determines whether the server attempts to update its cache entries using data from the root servers.
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

If the value is zero, the DNS server disables the cache update.

To disable automatic cache updates, run the following:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v AutoCacheUpdate /t REG_DWORD /d 0 /f

If the AutoCacheUpdate key does not exist or is nonzero, the server updates the cache file based on the responses received for root hint queries at startup.

Note: This registry key applies only to Windows 2000 and earlier versions.

Saturday, January 31, 2009

RoundRobin Vs LocalNetPriority

The order of Type A records returned by a DNS server depends on the values of the RoundRobin and LocalNetPriority registry keys. The following lists the scenarios and the resulting order of Type A records.

1. If the LocalNetPriority key is set to 1 and the RoundRobin key does not exist or is set to 1, the DNS server round-robins (rotates) among the Type A records it returns, in LocalNetPriority order (addresses whose subnet matches the querying client's subnet come first).

2. If the RoundRobin key is 0 and LocalNetPriority is 1, the DNS server returns the records in local net priority order and does not rotate among the returned addresses.

3. If RoundRobin is 1 and LocalNetPriority is 0, the DNS server round-robins (rotates) among the available Type A records, which are not in local net priority order.

4. If both RoundRobin and LocalNetPriority are 0, the DNS server returns the records in the order in which they were added to the database, i.e. for the same query it always returns the first Type A record among the available records first.

RecursionTimeout Registry Key

This registry key determines the maximum time a DNS server keeps repeating a recursive query to remote servers, at regular intervals, while resolving NS queries. If the DNS server does not receive a response to a recursive query, it repeats the query at intervals specified by the RecursionRetry registry key; if it still has no response when RecursionTimeout expires, it gives up the query.

Key Name: RecursionTimeout
Type: DWORD
Default: NoKey (timeout is 15 seconds)
Functionality: timeout after which the DNS server gives up a recursive query.
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

By default, RecursionTimeout is 15 seconds, but it can be changed by editing the registry as shown below (assume the time to be set is 200 seconds):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RecursionTimeout /t reg_dword /d 200

Note:
1. Changes made through reg add take effect only after restarting the server.
2. The default of 15 seconds is enough for most scenarios unless the DNS server is on a very slow link.
3. If the RecursionTimeout key is deleted, does not exist, or is zero, the DNS server times out after 15 seconds.

SecureResponses Registry Key

This registry key determines whether the DNS server caches all the Name Server (NS) records it receives, or only those in the same subtree as the server that provided them.

By default, the DNS server saves all NS records from recursive name query responses in its memory cache. If the value is 1, the DNS server saves only those NS records from query responses whose names are in the same subtree as the server that provided them.

For example, the DNS server will save all Name Server (NS) records for subtree.mydns.com received from the mydns.com server, but it will not save an NS record for subtree.notmydns.com received from the mydns.com server.

The registry key is located at "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters".
Key Name: SecureResponses
Type: DWORD (Boolean)
Default: NoKey (No secureresponses)

Value: 0 (the DNS server saves all name query records in its memory cache)
       1 (the DNS server saves only those NS records that are in the same subtree as the originating DNS server)
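The "same subtree" rule above is the whole of the cache pollution defence, so it is worth seeing exactly what it accepts and rejects. The following PowerShell is an added example, not code from the original post: it applies the SecureResponses=1 test to the NS records of a constructed response and keeps only the cacheable ones. Function names and the sample records are my own; the mydns.com / subtree.notmydns.com names are the post's example.

```powershell
# Added example (not from the original post): the "same subtree" test that
# SecureResponses=1 applies before caching an NS record. Function names and
# the sample response are my own.

function Test-InSubtree {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Zone)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    $z = $Zone.TrimEnd('.').ToLowerInvariant()
    # Match on whole labels: "notmydns.com" must not count as inside "mydns.com",
    # so compare against ".mydns.com" rather than a bare string suffix.
    return ($n -eq $z) -or $n.EndsWith(".$z")
}

# Decide whether an NS record for $RecordName, received from a server that is
# authoritative for $ResponderZone, goes into the cache.
function Test-NsRecordCacheable {
    param(
        [Parameter(Mandatory)][string]$RecordName,
        [Parameter(Mandatory)][string]$ResponderZone,
        [int]$SecureResponses = 0    # 0 = cache everything (NoKey), 1 = same subtree only
    )
    if ($SecureResponses -eq 0) { return $true }
    return Test-InSubtree -Name $RecordName -Zone $ResponderZone
}

# Filter a response's NS records down to the cacheable ones.
function Select-CacheableNsRecords {
    param(
        [Parameter(Mandatory)][string]$ResponderZone,
        [Parameter(Mandatory)][hashtable[]]$NsRecords,   # @{ Name = ...; Target = ... }
        [int]$SecureResponses = 0
    )
    return @($NsRecords | Where-Object {
        Test-NsRecordCacheable -RecordName $_.Name -ResponderZone $ResponderZone -SecureResponses $SecureResponses
    })
}

# Constructed sample: a response from the mydns.com server that also carries an
# NS record for a name outside its own subtree (the post's example).
$response = @(
    @{ Name = 'subtree.mydns.com';    Target = 'ns1.subtree.mydns.com' }
    @{ Name = 'subtree.notmydns.com'; Target = 'ns1.notmydns.com' }
)
foreach ($mode in 0, 1) {
    "SecureResponses=$mode"
    Select-CacheableNsRecords -ResponderZone 'mydns.com' -NsRecords $response -SecureResponses $mode |
        ForEach-Object { '  cache {0} -> {1}' -f $_.Name, $_.Target }
}
```

With SecureResponses=0 both records are cached; with SecureResponses=1 only the subtree.mydns.com record survives. The dot-prefixed suffix comparison in Test-InSubtree is the detail to get right: a bare EndsWith("mydns.com") would treat notmydns.com as part of mydns.com and let the out-of-subtree record through.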

To set the value of this key, run

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v SecureResponses /t reg_dword /d 1

Note: Changes made through regedit.exe or reg add take effect only after restarting the DNS server.

To change SecureResponses without restarting the DNS server, do the following:

1. Open DNS Manager using the dnsmgmt.msc command.
2. In the DNS Manager console tree, right-click the DNS server node and click Properties.
3. In the DNS server properties dialog, go to the Advanced tab, check the "Secure cache against pollution" option, click Apply and finally click OK.

Friday, January 30, 2009

MaxCacheTtl Registry key

Records obtained through recursive queries are saved by the DNS server. How long a saved record stays in the cache is determined by the Time To Live (TTL) field in the record. This registry key sets a maximum cache time for records saved by the DNS server, regardless of the TTL field in the record: the DNS server deletes records from the cache when MaxCacheTtl expires, even if the TTL field in the record is greater than MaxCacheTtl.

The registry key is located at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"


Key Name: MaxCacheTtl
Type : DWORD
Default : NoKey (Cache for up to one day)
Range : 0x0 | 0x1–0xFFFFFFFF seconds

To change the value of the registry key to some cache time, say 200 seconds, run the following:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v MaxCacheTtl /t reg_dword /d 200

Note:
1. Changes to the registry key through regedit take effect only after restarting the DNS server.
2. This registry key has no effect on WINS records saved in the DNS memory cache.
3. This registry key is supported by Windows 2000, Windows 2003 and Windows 2008.

ForwardDelegations Registry key

This registry key applies only when a delegated subzone lies within the DNS server's authoritative zone. It determines whether the DNS server forwards queries about such delegated subzones to servers outside its authoritative zone, or sends them to the delegated subzone itself.

The registry key is located at "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

Key Name: ForwardDelegations
Type: DWORD (Boolean)
Default: NoKey (does not forward delegations)

By default, whenever a DNS server receives a query for a name outside its authoritative zone (in a normal zone, not a delegated zone), it simply forwards the query to a name server outside its zone. However, when it receives a query for a delegated subzone, it sends the query directly to the delegated subzone and does not forward it.

If the registry key is set to 1, a query for a delegated subzone (within the authoritative zone) is sent outside the authoritative zone, just as queries for other names are by default.

For example, a DNS server has a delegation for blogspot.com to blogger.com. If the server receives a query for dns-info.blogspot.com, it sends the query to the delegated zone blogger.com. If the registry key is set to 1, the server sends the query to blogspot.com.

To change the value to 1, run the following at a command prompt:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ForwardDelegations /t REG_DWORD /d 1 /f

Note:
1. Changes to the ForwardDelegations key take effect only after restarting the server.

2. This key is used only when forwarding is enabled. If forwarding is not enabled, queries to delegated zones are not forwarded.

3. Forwarding should be enabled if the delegation itself is at a remote site that is reachable only through the forwarder.
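The interaction between the Forwarders key, ForwardDelegations and the server's own zone data is easier to follow as a decision procedure. The following PowerShell is an added example, not code from the original post: it models where a query is sent under the rules these posts describe (local zone data first; delegated subzones direct unless ForwardDelegations=1 with forwarding enabled; everything else to the forwarder, or to iterative resolution from the root hints when no Forwarders key exists). The function, the helper and the sample configuration (example.com, sub.example.com, forwarder 192.0.2.53) are my own assumptions.

```powershell
# Added example (not from the original post): a model of where a Windows DNS
# server sends a query, combining the Forwarders key, ForwardDelegations and
# local zone data as the posts describe them. Function names and the sample
# configuration are my own assumptions.

function Test-InSubtree {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Zone)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    $z = $Zone.TrimEnd('.').ToLowerInvariant()
    return ($n -eq $z) -or $n.EndsWith(".$z")   # whole-label suffix match
}

function Get-QueryTarget {
    param(
        [Parameter(Mandatory)][string]$QueryName,
        [string[]]$AuthoritativeZones = @(),
        [hashtable]$Delegations = @{},       # delegated subzone -> its name server
        [string[]]$Forwarders = @(),         # contents of the Forwarders key; empty = no key
        [int]$ForwardDelegations = 0         # the ForwardDelegations value; NoKey = 0
    )
    $forwardingEnabled = $Forwarders.Count -gt 0

    # 1. A delegated subzone inside an authoritative zone. By default the query
    #    goes straight to the delegated subzone's name server; with
    #    ForwardDelegations=1 (and forwarding enabled) it goes to the forwarder.
    foreach ($sub in $Delegations.Keys) {
        if (Test-InSubtree -Name $QueryName -Zone $sub) {
            if ($forwardingEnabled -and $ForwardDelegations -ne 0) {
                return "forwarder $($Forwarders[0]) (ForwardDelegations=1)"
            }
            return "delegated subzone $sub via $($Delegations[$sub])"
        }
    }
    # 2. Any other name in a zone this server hosts is answered locally.
    foreach ($zone in $AuthoritativeZones) {
        if (Test-InSubtree -Name $QueryName -Zone $zone) { return "local zone $zone" }
    }
    # 3. Names outside every hosted zone go to the forwarder, or are resolved
    #    iteratively from the root hints when no Forwarders key exists.
    if ($forwardingEnabled) { return "forwarder $($Forwarders[0])" }
    return 'iterative resolution from root hints'
}

# Constructed sample configuration (192.0.2.53 is a documentation address).
$cfg = @{
    AuthoritativeZones = @('example.com')
    Delegations        = @{ 'sub.example.com' = 'ns1.sub.example.com' }
    Forwarders         = @('192.0.2.53')
}
foreach ($name in 'www.example.com', 'host.sub.example.com', 'www.example.net') {
    '{0,-22} ForwardDelegations=0: {1}' -f $name, (Get-QueryTarget -QueryName $name @cfg)
    '{0,-22} ForwardDelegations=1: {1}' -f $name, (Get-QueryTarget -QueryName $name @cfg -ForwardDelegations 1)
}
# Same delegated name with no Forwarders key: ForwardDelegations has no effect.
Get-QueryTarget -QueryName 'host.sub.example.com' -AuthoritativeZones 'example.com' `
    -Delegations @{ 'sub.example.com' = 'ns1.sub.example.com' } -ForwardDelegations 1
```

The delegation check runs before the authoritative-zone check because the delegated subzone lies inside the hosted zone; reversing the order would wrongly answer sub.example.com names from local data. The final call shows note 2 above in action: without a Forwarders key the delegated query still goes to ns1.sub.example.com regardless of ForwardDelegations.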



Thursday, January 29, 2009

LocalNetPriority Registry key

This registry key determines the priority used to order the responses returned for a given DNS query.

Name : LocalNetPriority
Type : REG_DWORD
Default : 0x000000FF
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
Functionality: returns DNS query responses in local net priority order.

To set Local Net Priority to use the 16 most significant bits (0x0000FFFF) to order responses, clear the 16 most significant bits of 0xFFFFFF, i.e. 0x0000FFFF, and write the resulting value to the registry key:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LocalNetPriority /t REG_DWORD /d 0x0000FFFF

To set Local Net Priority to Windows 2000 mode, set the registry key to 0x00FFFFFF.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\parameters" /v LocalNetPriority /t REG_DWORD /d 0x00FFFFFF

Tuesday, January 27, 2009

Netmask Ordering of Type A Records in DNS Server Responses

When a DNS server finds more than one Host A (address) resource record for a DNS query, it must determine the order in which the response records are sent to the client. Traditionally, the DNS server orders address records using the following methods.

1. Subnet Address Proximity to the client.

2. Load balancing.

Subnet address proximity to the client: an address is said to be in the proximity of the client if its subnet mask address is the same as the client's. For example, if the client has a Class A IP address, all Host A response records whose host addresses have the same Class A subnet mask address are put first in the result list.
This is called "local net prioritization".

The following shows the order of Host A responses sent for a DNS query from a DNS client with subnet mask address "S":

1. Host A responses with matching subnet mask "S"
2. Host A responses with different subnet masks

Load balancing: if the DNS server sent Host A records in the same proximity order every time a DNS query repeats from a DNS client, the hosts first in the ordered list would receive more load than the hosts in the last positions. To alleviate this problem, the DNS server sends Host A records in round robin fashion.

In Windows 2003 and Windows 2008, load balancing is improved further. The following describes the improved behavior.

Suppose that in an organisation, or in a WAN environment, the internet address space is organised into Class A, Class B or even Class C addresses. Using the default address proximity behavior, Class B and Class C Host A records may not be in the proximity address list even though the Class B and C addresses are physically nearer to the client. To address this issue, all addresses whose 24 most significant bits match are put in the "proximity address list".

The following load balancing modes are supported in Windows 2003 and Windows 2008.

Default mode: in this mode, the 24 most significant bits are used to find the proximity list.

Backport mode: in this mode, the address proximity list is calculated using the traditional Windows 2000 behavior.

Extended mode: in this mode, a variable number of most significant bits can be used to find the proximity address list.

Note: In Windows 2000, load balancing using round robin is applied only to Type "A" DNS responses. In Windows 2003 and 2008, round robin is applied to all types of DNS responses.
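The proximity grouping described here, the RoundRobin/LocalNetPriority scenarios in the "RoundRobin Vs LocalNetPriority" post above, and the number-of-bits setting from the LocalNetPriority post all act on the same response list, so one simulation covers them. The following PowerShell is an added example, not code from the original posts: it computes the proximity group for a client address using a configurable number of most significant bits (24 for the default mode, 16 for the 0x0000FFFF setting, 8 for a classful Class A match), orders the records accordingly, and rotates them per query when RoundRobin is on. The function names, the rotation model (each proximity group rotates independently) and the sample addresses are my own assumptions.

```powershell
# Added example (not from the original posts): a simulation of how
# LocalNetPriority, RoundRobin and the number of most significant bits used
# for the proximity test determine the order of Host A records in a response.
# Function names, the rotation model and the sample addresses are my own.

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [array]::Reverse($bytes)          # network byte order -> little-endian host order
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

# Mask with the $PrefixBits most significant bits set: 24 for the default mode,
# 16 for the LocalNetPriority 0x0000FFFF setting, 8 for a classful Class A match.
function Get-PrefixMask {
    param([Parameter(Mandatory)][int]$PrefixBits)
    if ($PrefixBits -le 0)  { return [uint32]0 }
    if ($PrefixBits -ge 32) { return [uint32]::MaxValue }
    return [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixBits))
}

# Rotate a list left by $Shift positions (round robin for the Nth query).
function Get-Rotated {
    param([object[]]$Items, [int]$Shift)
    if ($null -eq $Items -or $Items.Count -eq 0) { return ,@() }
    $k = $Shift % $Items.Count
    if ($k -eq 0) { return ,@($Items) }
    return ,@($Items[$k..($Items.Count - 1)] + $Items[0..($k - 1)])
}

function Get-ARecordOrder {
    param(
        [Parameter(Mandatory)][string]$ClientIP,
        [Parameter(Mandatory)][string[]]$Addresses,  # in database (zone) order
        [int]$LocalNetPriority = 1,
        [int]$RoundRobin = 1,
        [int]$PrefixBits = 24,
        [int]$QueryNumber = 0                         # 0 for the first query, 1 for the next ...
    )
    $mask   = Get-PrefixMask -PrefixBits $PrefixBits
    $client = (ConvertTo-UInt32 -IPv4 $ClientIP) -band $mask

    if ($LocalNetPriority -ne 0) {
        # Proximity group first (keeping database order within it), then the rest.
        $near = @($Addresses | Where-Object { ((ConvertTo-UInt32 -IPv4 $_) -band $mask) -eq $client })
        $far  = @($Addresses | Where-Object { ((ConvertTo-UInt32 -IPv4 $_) -band $mask) -ne $client })
    } else {
        $near = @()
        $far  = @($Addresses)
    }
    if ($RoundRobin -ne 0) {
        $near = Get-Rotated -Items $near -Shift $QueryNumber
        $far  = Get-Rotated -Items $far  -Shift $QueryNumber
    }
    return @(@($near) + @($far))
}

# Constructed sample: four A records for one name, a client on 10.1.2.0/24,
# and the four RoundRobin/LocalNetPriority combinations over three queries.
$records = '192.0.2.10', '10.1.2.10', '10.1.2.20', '10.5.5.5'
foreach ($lnp in 1, 0) {
    foreach ($rr in 1, 0) {
        foreach ($q in 0, 1, 2) {
            $order = Get-ARecordOrder -ClientIP '10.1.2.3' -Addresses $records `
                -LocalNetPriority $lnp -RoundRobin $rr -QueryNumber $q
            'LocalNetPriority={0} RoundRobin={1} query {2}: {3}' -f $lnp, $rr, $q, ($order -join ', ')
        }
    }
}
```

With the default 24 bits the two 10.1.2.x addresses form the proximity group and lead every response; with RoundRobin on, successive query numbers rotate within each group, and with both values 0 the database order comes back unchanged. Passing -PrefixBits 8 shows the classful behaviour, where 10.5.5.5 joins the proximity group even though it is on a different /24.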


Relevant Posts:

set localnetpriority using dnscmd
Local Net Priority Registry Key
round-robin vs localnetpriority

Monday, January 26, 2009

Enable DNS Server forwarding

The following shows how to enable forwarding on a DNS server.

Assume the DNS server name is "dnsserver" and the forwarding DNS server IP address is "198.168.1.200".

1. Open DNS Manager using the command dnsmgmt.msc.
2. In the left pane, select the DNS server "dnsserver", right-click it, and select Properties.
3. Go to the Forwarders tab in the DNS server properties dialog, enter the IP address of the forwarding DNS server, click Add, press Apply and finally click OK.
4. One can verify that the forwarder IP address exists in the registry.

DNS forwarders registry key

A local DNS server's Forwarders registry key holds a list of IP addresses of boundary DNS servers that are responsible for forwarding DNS queries from the local DNS server to remote DNS servers. Here the local DNS server acts as a DNS client on behalf of its own DNS clients.

The registry key is located at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS"

Key Name: Forwarders
Type: BINARY
Default: NoKey (No forwarders)
Value: list of forwarders ip addresses.

Using DNS forwarders is useful in the following ways:

1. Saves network traffic on slow links:

Suppose the local DNS server uses a low-speed broadband or dial-up connection to an ISP boundary server. If the local DNS server sends queries to remote servers itself, it may use up all the network bandwidth sending recursive queries to remote servers. If the ISP's DNS server acts as a forwarder instead, the ISP server performs the recursive queries to remote servers and returns the single final result to the local DNS server.

2. Reduced remote traffic:

The forwarder's DNS cache is very useful, particularly in an environment with multiple local DNS servers. Whenever a local DNS server sends a query, the forwarder looks in its cache; if the answer is found, it returns the response immediately, which saves remote traffic and round-trip time.

Note: If the Forwarders key does not exist, the local DNS server uses the normal iterative query process to answer recursive queries for remote names.

what is recursive dns query

A DNS query is said to be recursive if its recursion bit is set to 1. A DNS server resolves such a query recursively unless the NoRecursion registry key is set to a nonzero value.

Sunday, January 25, 2009

DNS Enable Recursion

To enable recursion for performing name resolution for a DNS query, do the following.

1. Open DNS Manager using the command dnsmgmt.msc.
2. In the DNS Manager console tree, right-click the DNS server (assume the server name is "dnsserver"), then click Properties.
3. Go to the Advanced tab, uncheck the "Disable recursion" option, press Apply and click OK. This enables recursion on the DNS server "dnsserver".

To disable recursion, follow the same steps 1 to 3 but check the "Disable recursion" option instead.

Saturday, January 17, 2009

DNS Server Create New Forwarder

To create a new DNS server forwarder, do the following:

1. Open DNS Manager using the command dnsmgmt.msc.
2. In the console tree, right-click the DNS server (assume the DNS server is also the Domain Controller (DC) for the domain "mydns") and then click the Properties context menu item.
3. Enter the IP address "192.168.1.200" of the new forwarding DNS server, click Add, then press Apply and finally click OK.
4. This adds the forwarding DNS server for the domain "mydns".

Tuesday, January 13, 2009

DNS query Forwarding

In the Domain Name System (DNS), a DNS server forwards DNS queries in order to resolve external DNS names. With a DNS query forwarder, name resolution for names outside your network can be managed easily.

The following describes how DNS query forwarding works.

A DNS server that is configured to use a DNS query forwarder behaves as follows:

  1. After receiving a DNS query, the DNS server attempts to resolve it using the zones it hosts and its cache.
  2. If step 1 fails, the DNS server forwards the DNS query to the DNS server that acts as the DNS query forwarder.
  3. If that also fails, the DNS server attempts to resolve the query using its root hints for the queried domain name.

The following are the advantages of using DNS server forwarding in an organization.
1. Since the DNS server forwarder is responsible for handling external traffic, the internal DNS server can be hidden from exposure to the external network.
2. A DNS server forwarder caches external DNS information, so the response time for DNS clients is low.

Note: A DNS server on a network that forwards DNS queries according to the DNS domain name in the query is called a conditional DNS query forwarder. For example, a DNS server can be configured to forward all DNS queries for domain names ending with dns-info.blogspot.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. Windows 2003 and Windows 2008 support conditional forwarding.

what is DNS query

A DNS query is a question from a DNS client asking to resolve a domain name into an IP address. The DNS servers in a DNS deployment should be configured to respond to such queries and resolve them.

However, DNS servers can be authoritative for some domain names, slaves for others, and forward queries for the rest. DNS queries are classified as follows, based on the way the queries are resolved by DNS servers.

1. Recursive DNS query: the complete answer to the DNS query is always returned. Recursion is optional for DNS servers resolving domain names.
2. Iterative DNS query: the complete answer to the DNS query may be available. DNS servers are strictly required to support this.
3. Inverse DNS query: also known as reverse IP lookup. Here an IP address is resolved into a domain name.
4. Multiple DNS query: here the DNS server forwards the DNS query to multiple secondary DNS servers to resolve it.

nslookup is a DNS query tool that comes with Windows XP, Windows 2003, Vista and Windows 2008 and is used to test DNS queries.

Relevant Posts:
DNS Query Forwarding
