Showing posts with label Reg Key. Show all posts

Wednesday, February 18, 2009

Globalqueryblocklist Registry key

The GlobalQueryBlockList registry value holds the list of host names that the DNS server refuses to resolve, even when a matching record exists in one of its zones. It exists so that a dynamically registered name such as WPAD or ISATAP cannot be hijacked by whichever host registers it first; on Windows Server 2008 the list is populated by default with "wpad" and "isatap".
Key Name: GlobalQueryBlockList
Type: REG_MULTI_SZ (one host name per string)
Default: wpad, isatap (Windows Server 2008); the value is absent on earlier versions
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Functionality: Specifies the list of host names whose queries are blocked in every zone the server hosts.
To block an additional host name, add it to the list. Writing the value directly replaces the whole list and takes effect only after the DNS Server service is restarted, so keep the default entries in place; the dnscmd equivalent (dnscmd /config /globalqueryblocklist wpad isatap dnsclient.myrootdns2008.com) applies the new list to the running server.
The following blocks the host name "dnsclient.myrootdns2008.com" while keeping "wpad" and "isatap" blocked:
reg add HKLM\SYSTEM\CurrentControlSet\Services\dns\parameters /v GlobalQueryBlockList /t reg_multi_sz /d "wpad\0isatap\0dnsclient.myrootdns2008.com" /f
Relevant Posts:
Enable Global Query Block List on command prompt
Set QueryBlockList on command line
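Added example, not code from the original post: a PowerShell function that appends a host name to the Global Query Block List while keeping the entries already in it, and applies the merged list through dnscmd so that no service restart is needed. It assumes an elevated session on the DNS server with dnscmd.exe available; the registry path and value name are the ones listed above.

```powershell
# Added example (not from the original post). Assumes an elevated session on
# the DNS server and dnscmd.exe on the path.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'GlobalQueryBlockList'

function Get-GlobalQueryBlockList {
    # Returns the current list as an array; empty if the value is absent.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$valueName | ForEach-Object { $_.ToLowerInvariant() })
}

function Add-GlobalQueryBlockListEntry {
    param([Parameter(Mandatory)][string]$HostName)
    $name    = $HostName.TrimEnd('.').ToLowerInvariant()
    $current = Get-GlobalQueryBlockList
    if ($current -contains $name) { return $current }      # already blocked

    # dnscmd replaces the whole list, so pass the existing entries plus the new
    # one; dropping "wpad" or "isatap" would re-open those names to hijacking.
    $merged = @($current) + $name
    & dnscmd.exe /config /globalqueryblocklist $merged | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /config failed with exit code $LASTEXITCODE" }
    return Get-GlobalQueryBlockList
}

# Make sure the list is actually enforced (EnableGlobalQueryBlockList = 1),
# then block the host name used as the example in the post.
& dnscmd.exe /config /enableglobalqueryblocklist 1 | Out-Null
Add-GlobalQueryBlockListEntry -HostName 'dnsclient.myrootdns2008.com'
& dnscmd.exe /info /globalqueryblocklist
```

The read-back at the end of Add-GlobalQueryBlockListEntry is the check worth keeping: if the returned list no longer contains "wpad" and "isatap", the server has just been opened to WPAD and ISATAP hijacking by dynamic update.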

Saturday, February 7, 2009

strictfileparsing registry key

This registry value tells the DNS server how to behave when a zone file it is loading contains erroneous resource records, for example records whose owner names lie outside the zone, or CNAME records that conflict with other data at the same name.

Key Name: StrictFileParsing
Type: REG_DWORD (boolean)
Default: 0
Location: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Functionality: Defines the behavior of the DNS server when it finds bad resource records while loading zone data.

By default (value 0, or value absent), when the DNS server finds an erroneous record it logs the error to the DNS Server event log and continues loading the zone without that record.
If the value is 1, the server logs the error and stops loading the zone, so a zone containing bad data is not served at all. This is the safer setting for zones that are edited by hand: a mistyped record fails loudly instead of silently disappearing.
Note: 1. On Windows NT 4.0 the DNS server would not start if it found erroneous resource records.
2. Direct changes to the registry value take effect only after the DNS Server service is restarted, because the server reads this value at startup.

To set the value to 1 without restarting the DNS server, do the following.
1. Assume the DNS server name is "dnsserver".
2. Open DNS Manager with the command dnsmgmt.msc.
3. In the console tree, right-click the server node "dnsserver" and click Properties.
4. On the Advanced tab, select "Fail on load if bad zone data", click Apply and then click OK.

Relevant Posts:
Set Strictfileparsing on command Prompt
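Added example, not code from the original post: a PowerShell lint that looks for the two kinds of bad zone data described above (owner names outside the zone, and CNAME records sharing an owner name with other records) before the file is handed to a server running with StrictFileParsing set to 1. It assumes a simplified zone-file dialect (one record per line, optional $ORIGIN and $TTL directives, comments after ";", no $INCLUDE or multi-line records) and PowerShell 5.1 or later; the sample zone text is constructed for the example.

```powershell
# Added example (not from the original post): a pre-load lint for the two
# kinds of bad zone data the post describes. Assumptions: a simplified zone
# file dialect (one record per line, optional $ORIGIN/$TTL lines, comments
# after ';', no $INCLUDE or multi-line records); PowerShell 5.1 or later.
function Test-ZoneFileData {
    param(
        [Parameter(Mandatory)][string]$ZoneName,   # zone the file is being loaded into
        [Parameter(Mandatory)][string[]]$Lines     # zone file contents
    )
    $zone      = $ZoneName.TrimEnd('.').ToLowerInvariant()
    $origin    = $zone
    $classes   = @('IN', 'CH', 'HS')
    $owners    = @{}                      # owner FQDN -> list of record types seen
    $problems  = New-Object 'System.Collections.Generic.List[string]'
    $lastOwner = '@'

    foreach ($raw in $Lines) {
        $line = ($raw -replace ';.*$', '').TrimEnd()
        if ($line -eq '') { continue }
        if ($line -match '^\$ORIGIN\s+(\S+)') { $origin = $Matches[1].TrimEnd('.').ToLowerInvariant(); continue }
        if ($line.StartsWith('$')) { continue }          # $TTL and other directives

        # A line starting with whitespace reuses the previous owner name.
        if ($line -match '^\s') {
            $owner  = $lastOwner
            $fields = $line.Trim() -split '\s+'
        } else {
            $fields = $line -split '\s+'
            $owner  = $fields[0]
            $fields = @($fields | Select-Object -Skip 1)
        }
        $lastOwner = $owner

        # Skip the optional TTL and class columns to reach the record type.
        $q = [System.Collections.Generic.Queue[string]]::new([string[]]$fields)
        while ($q.Count -gt 0 -and ($q.Peek() -match '^\d+$' -or $q.Peek().ToUpperInvariant() -in $classes)) {
            [void]$q.Dequeue()
        }
        if ($q.Count -eq 0) { continue }
        $type = $q.Dequeue().ToUpperInvariant()

        # Resolve the owner to an FQDN: '@' is the origin, a trailing dot is absolute.
        $fqdn = if ($owner -eq '@') { $origin }
                elseif ($owner.EndsWith('.')) { $owner.TrimEnd('.').ToLowerInvariant() }
                else { ($owner + '.' + $origin).ToLowerInvariant() }

        # Check 1: the owner must be the zone apex or a name below it.
        if ($fqdn -ne $zone -and -not $fqdn.EndsWith('.' + $zone)) {
            $problems.Add("out-of-zone record: $fqdn $type")
        }
        if (-not $owners.ContainsKey($fqdn)) { $owners[$fqdn] = New-Object 'System.Collections.Generic.List[string]' }
        $owners[$fqdn].Add($type)
    }

    # Check 2: a CNAME may not share its owner name with any other record.
    foreach ($name in $owners.Keys) {
        $others = @($owners[$name] | Where-Object { $_ -ne 'CNAME' } | Sort-Object -Unique)
        if ($owners[$name] -contains 'CNAME' -and $others.Count -gt 0) {
            $problems.Add("CNAME at $name coexists with: " + ($others -join ', '))
        }
    }
    return ,$problems.ToArray()
}

# Constructed sample zone text for myrootdns.com, seeded with both errors.
$sample = @(
    '$ORIGIN myrootdns.com.'
    '@      IN SOA   ns1 hostmaster 2009021801 3600 600 86400 3600'
    '@      IN NS    ns1'
    'ns1    IN A     192.0.2.10'
    'www    IN CNAME ns1'
    'www    IN A     192.0.2.11'              # CNAME and A at the same owner
    'host.example.net. IN A 192.0.2.12'       # owner outside the zone
)
# With StrictFileParsing = 1 (dnscmd /config /strictfileparsing 1) the server
# would refuse to load this file; the lint reports both problems beforehand.
$issues = Test-ZoneFileData -ZoneName 'myrootdns.com' -Lines $sample
$issues | ForEach-Object { Write-Warning $_ }
```

Run against the sample, the function returns two strings, one for www.myrootdns.com (CNAME beside an A record) and one for host.example.net (outside the zone); a clean file returns an empty array. The checks are deliberately the same two the server applies when it rejects a zone, so a file that passes here should load under strict parsing.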

xfrconnecttimeout Registry Key

The XfrConnectTimeout registry value specifies the maximum time, in seconds, that a secondary DNS server waits for its zone-transfer connection to the primary server to be established. If the connection is not established within that time, the secondary server drops the attempt.

Key Name: XfrConnectTimeout
Type: REG_DWORD
Default: 0x1E (30 seconds)
Range: 0x0 to 0xFFFFFFFF
Functionality: Maximum time to wait for the zone-transfer connection from the secondary server to the primary server before dropping it.
Location: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Note: Direct changes to the registry value do not take effect until the DNS Server service restarts. Use dnscmd.exe (dnscmd /config /xfrconnecttimeout <seconds>) to change the value on the running server instead.



Disablensrecordsautocreation registry Key

This registry value stops the DNS server from automatically creating name server (NS) resource records for its authoritative zones when it loads them. By default (value absent or 0), the DNS server creates its own NS record in each zone it loads.

Key Name: DisableNSRecordsAutoCreation
Type: REG_DWORD
Default: 0
Functionality: Determines whether NS records are created automatically for the authoritative zones on the DNS server.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters

If the value is set to 1, the DNS server no longer registers NS resource records for its authoritative zones, and the existing NS records for this server in the authoritative zones it hosts are deleted automatically.

Note: 1. This setting applies only to the NS resource records registered by Active Directory-integrated domain controllers.
2. Incorrectly editing the registry can have adverse effects on the system. Back up the registry before editing the value; if the server misbehaves afterwards, the Last Known Good Configuration startup option restores the previous control set.
3. The value does not exist by default. To prevent NS record registration, create it and set it to 1.
4. Editing it requires membership in the local Administrators group, or equivalent delegated authority.

Dstombstoneinterval Registry Key

This registry value determines how long, in seconds, a DNS server keeps tombstoned (deleted) DNS records in Active Directory before they are removed permanently.

Key Name: DsTombstoneInterval
Type: REG_DWORD (seconds)
Default: 604,800 seconds (7 days)
Functionality: Lifetime of tombstoned DNS records in Active Directory-integrated zones.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters

Relevant Posts:
set dstombstoneinterval on command prompt

EnableDnsSec Registry Key

This registry value controls which query responses include DNSSEC resource records (SIG, KEY and NXT). By default (value absent, treated as 0x1), DNSSEC records are included only in responses to queries that carry an OPT (EDNS0) resource record.

Key Name: EnableDnsSec
Type: REG_DWORD
Default: 0x1
Range: 0x0 to 0x2
Functionality: Restricts which query responses include DNSSEC resource records.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

If the value is 0x0, DNSSEC resource records are included only in responses to queries that explicitly ask for SIG, KEY or NXT records.
If the value is 0x1, they are included only in responses to queries that contain an OPT resource record.
If the value is 0x2, they are included in all query responses.

Note: Incorrectly editing the registry can have adverse effects on the DNS server. Back up the registry before changing this value; if the server fails to start afterwards, boot with the Last Known Good Configuration option.

Relevant Posts:
Set enablednssec on command line

DisableAutoReverseZones Registry Key

This registry value determines whether the DNS server creates the standard reverse lookup zones automatically at startup.
Creating these zones automatically is useful: because the server is authoritative for them, it answers the common reverse lookups for the loopback, all-zeros and broadcast addresses locally instead of recursing for them.

By default, the DNS server is authoritative for the following three reverse lookup zones:

1. 0.in-addr.arpa (0.0.0.0).
2. 127.in-addr.arpa (127.0.0.1, loopback).
3. 255.in-addr.arpa (255.255.255.255, broadcast).

Key Name: DisableAutoReverseZones
Type: REG_DWORD
Default value: 0 (the three reverse lookup zones above are created automatically)
Functionality: Allows or prevents the DNS server from creating the standard reverse lookup zones automatically.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters

Note: 1. The DNS server does not add the DisableAutoReverseZones value to the registry by default. It can be added directly in the registry or with dnscmd.exe.
2. In both cases the DNS server must be restarted for the change to take effect, because it creates the reverse lookup zones during startup.

Relevant Posts:
Enable or Disable disableautoreversezones on command prompt .

DefaultRefreshInterval Registry Key

This registry value specifies the length of the refresh interval for Active Directory-integrated zones: the period, following the no-refresh interval, during which a dynamic-update client may refresh the timestamp of its resource records. A record is not eligible for scavenging until both the no-refresh and the refresh intervals have passed since its timestamp.

Key Name: DefaultRefreshInterval
Type: REG_DWORD (hours)
Default: 168 hours (7 days)
Functionality: Specifies the duration of the refresh interval.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters

When a new Active Directory-integrated zone is created, the server copies this value into the RefreshInterval entry of the new zone's own subkey.

Note: Direct changes to this value take effect only after the DNS Server service restarts.

To change DefaultRefreshInterval without restarting the server, do the following.

1. Assume the DNS server name is "dnsserver".
2. Open DNS Manager with the command dnsmgmt.msc.
3. In the console tree, right-click the server node "dnsserver" and click "Set Aging/Scavenging for All Zones".
4. In the Server Aging/Scavenging Properties dialog, set the "Refresh interval" value, click Apply and then click OK.
5. Click OK in the confirmation dialog.

Relevant Posts:
set defaultrefreshinterval on command prompt

DefaultNoRefreshInterval Registry Key

The DefaultNoRefreshInterval registry value determines the length of the no-refresh interval for Active Directory-integrated zones: the period after a record's timestamp is set during which the DNS server refuses to update that timestamp again. Suppressing these refresh writes reduces Active Directory replication traffic; scavenging cannot remove a record that is still inside its no-refresh interval.

When a new Active Directory-integrated zone is created, the server copies this value into the NoRefreshInterval entry of the new zone's own subkey.
Key Name: DefaultNoRefreshInterval
Type: REG_DWORD (hours)
Default value: 168 hours (1 week)
Functionality: Duration of the no-refresh interval.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters

Note: 1. Direct changes to the registry value do not take effect until the DNS Server service is restarted.

To change the no-refresh interval without restarting the server, do the following.

1. Open DNS Manager with the command dnsmgmt.msc.
2. In the console tree, right-click the DNS server node "dnsserver" and click "Set Aging/Scavenging for All Zones".
3. Set the "No-refresh interval" value, click Apply and then click OK.

Relevant Post:
set defaultnorefreshinterval on command line

Thursday, February 5, 2009

EnableEDNSProbes Registry Key

This registry value enables or disables EDNS0 probes, that is, whether the DNS server answers an EDNS0 request containing an OPT resource record with an EDNS0 response that also carries an OPT resource record. For that behavior the value must be 1 (enabled); it is enabled by default on Windows Server 2003 and Windows Server 2008. To disable it, set the value to 0.

The following shows the registry value details:
Key Name: EnableEDNSProbes
Type: REG_DWORD
Default: enabled (1)
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters
Functionality: Enables or disables EDNS probes.

EDNSCacheTimeout Registry Key

This registry value determines how long the DNS server caches the EDNS information it learns about other DNS servers.

Key Name: EDnsCacheTimeout
Type: REG_DWORD (seconds)
Default: 604,800 seconds (one week)
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
Functionality: Determines the EDNS cache timeout.
By default, EDnsCacheTimeout is 604,800 seconds (one week).
The value can range from 3,600 seconds (1 hour) to 15,724,800 seconds (182 days).

Note: This value specifies how long this DNS server caches the EDNS extension information supported by other DNS servers that have answered one of its queries with an OPT resource record.

DefaultAgingState Registry Key

This registry value determines whether aging (and therefore scavenging) is turned on by default for newly created Active Directory-integrated zones.

Key Name: DefaultAgingState
Type: REG_DWORD
Default value: 0
Functionality: Determines whether aging is enabled on new Active Directory-integrated zones.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters
By default (value 0), aging is turned off on new Active Directory-integrated zones, so the DNS server never deletes their stale resource records.

If the value is set to 1, then whenever a new Active Directory-integrated zone is created the server copies this value into the new zone's Aging entry and uses that entry to decide whether the zone's records are aged.

Note: 1. Direct changes to the registry value take effect only after the server is restarted.
2. By default, scavenging is disabled on the DNS server and on all zones. To scavenge a zone, enable scavenging on the server (ScavengingInterval) and aging on the zone (the zone's Aging entry); both are required.

To change DefaultAgingState, do the following.
1. Assume the DNS server name is "dnsserver" and the zone name is "myrootdns.com".
2. Open DNS Manager with the dnsmgmt.msc command.
3. In the left pane, right-click the server node "dnsserver" and click "Set Aging/Scavenging for All Zones".
4. Select "Scavenge stale resource records" and click OK.
5. In the confirmation dialog, select "Apply these settings to the existing Active Directory-integrated zones" if the existing AD-integrated zones should be updated too.

Wednesday, February 4, 2009

ScavengingInterval Registry Key

This registry value determines whether, and how often, the DNS server scavenges stale records. By default, scavenging is disabled. When it is enabled, the DNS server periodically examines the timestamps of aged resource records and deletes the ones whose no-refresh and refresh intervals have both expired.

Key Name: ScavengingInterval
Type: REG_DWORD (hours)
Default: 0 (disabled)
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dns\Parameters
Functionality: Interval, in hours, between scavenging passes; 0 turns scavenging off.

Note: 1. Direct changes to the registry value through regedit.exe take effect only after the server is restarted.

To enable scavenging without restarting the server, do the following.

1. Open the DNS Manager console with the command dnsmgmt.msc.
2. In the console tree, right-click the server node "dnsserver" (assuming the server name is dnsserver) and select Properties.
3. On the Advanced tab of the Properties dialog, select "Enable automatic scavenging of stale records", click Apply and then click OK.

Note: When scavenging is enabled this way, the scavenging period defaults to 7 days (168 hours).
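Added example, not code from the original posts, covering the four aging settings described above (DefaultRefreshInterval, DefaultNoRefreshInterval, DefaultAgingState and ScavengingInterval): a PowerShell script that reads the server-wide values and works out, for a given record timestamp, whether the record is still in its no-refresh window, in its refresh window, or stale. It assumes the interval values are in hours as documented, that a record's timestamp is the "[Aging:N]" number printed by dnscmd /zoneprint (hours since 1601-01-01 UTC), and PowerShell 5.1 or later; the settings object and timestamp in the usage at the end are constructed.

```powershell
# Added example (not from the original posts). Assumptions: the four interval
# values are in hours as documented above; a record's timestamp is the
# "[Aging:N]" number from "dnscmd /zoneprint", i.e. hours since 1601-01-01 UTC.
$dnsEpoch = [datetime]::new(1601, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

function Get-DnsAgingSettings {
    # Read the server-wide defaults; fall back to the documented defaults.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    [pscustomobject]@{
        NoRefreshHours  = if ($null -ne $p.DefaultNoRefreshInterval) { [int]$p.DefaultNoRefreshInterval } else { 168 }
        RefreshHours    = if ($null -ne $p.DefaultRefreshInterval)   { [int]$p.DefaultRefreshInterval }   else { 168 }
        ScavengingHours = if ($null -ne $p.ScavengingInterval)       { [int]$p.ScavengingInterval }       else { 0 }
        NewZonesAge     = ([int]$p.DefaultAgingState -eq 1)
    }
}

function Get-RecordAgingState {
    param(
        [Parameter(Mandatory)][int]$TimestampHours,   # the record's Aging value
        [Parameter(Mandatory)]$Settings,              # object as returned above
        [datetime]$Now = [datetime]::UtcNow
    )
    $stamp        = $dnsEpoch.AddHours($TimestampHours)
    $refreshOpens = $stamp.AddHours($Settings.NoRefreshHours)      # clients may re-stamp after this
    $staleAfter   = $refreshOpens.AddHours($Settings.RefreshHours) # eligible for deletion after this
    $state = if ($Now -lt $refreshOpens) { 'no-refresh window: timestamp writes suppressed' }
             elseif ($Now -lt $staleAfter) { 'refresh window: a client refresh resets the timestamp' }
             else { 'stale: removable by the next scavenging pass' }
    [pscustomobject]@{
        Timestamp    = $stamp
        RefreshOpens = $refreshOpens
        StaleAfter   = $staleAfter
        State        = $state
        # Deletion also needs scavenging on at the server and aging on at the zone.
        Scavengeable = ($Now -ge $staleAfter -and $Settings.ScavengingHours -gt 0)
    }
}

# Constructed input: the documented defaults (168 h / 168 h, scavenging every
# 168 h) and a record stamped at 2009-02-01 00:00 UTC, evaluated on 2009-02-18.
$settings   = [pscustomobject]@{ NoRefreshHours = 168; RefreshHours = 168; ScavengingHours = 168; NewZonesAge = $true }
$stampHours = [int]([datetime]::new(2009, 2, 1, 0, 0, 0, [DateTimeKind]::Utc) - $dnsEpoch).TotalHours
Get-RecordAgingState -TimestampHours $stampHours -Settings $settings -Now ([datetime]::new(2009, 2, 18, 0, 0, 0, [DateTimeKind]::Utc))
```

With those inputs the refresh window opens on 2009-02-08, the record turns stale on 2009-02-15, and on 2009-02-18 it is reported as scavengeable. On a live server replace the constructed $settings with Get-DnsAgingSettings; the point the calculation makes is that a record survives at least NoRefresh + Refresh hours after its last timestamp, whatever ScavengingInterval is set to.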

DsPollingInterval Registry Key

This registry value determines how often DNS servers hosting Active Directory-integrated zones poll Active Directory for changes to those zones. By default the interval is 300 seconds (5 minutes).

Key Name: DsPollingInterval
Type: REG_DWORD (seconds)
Default: 300 seconds (5 minutes)
Functionality: Polling frequency for checking Active Directory for zone changes.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Tuesday, February 3, 2009

ListenAddresses Registry Key

This registry value determines the list of IP addresses on which the DNS server listens. By default, the DNS server attempts to listen on every available address.

Key Name: ListenAddresses
Type: REG_BINARY
Default: no value (uses all IP addresses)
Functionality: Lists the IP addresses the DNS server binds to.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\Parameters
This registry value is desirable in the following situations:
1. Some of the server's IP addresses are needed by other services.
2. The server has a very large number of IP addresses and binding all of them is undesirable.
3. The server has more than 35 addresses; the DNS server will not detect all of them, because the underlying Winsock function GetAddressByName() limits the number of addresses it returns.

If the ListenAddresses value does not exist, the DNS server attempts to bind to every IP address.

Note: Do not change this value directly in the registry; use the DNS Manager console instead.
The following illustrates restricting the DNS server to a list of addresses.
1. Open DNS Manager with the command dnsmgmt.msc.
2. In the console tree, right-click the server node "dnsserver" and click Properties (assuming the DNS server host name is "dnsserver").
3. On the Interfaces tab of the Properties dialog, select "Only the following IP addresses" and enter the addresses to listen on.

Relevant Posts:
Set Listen Addresses on command line using dnscmd

Monday, February 2, 2009

CleanupInterval Registry Key

This registry value controls how often the DNS server sweeps its in-memory database: it removes timed-out and stale entries and writes back any dirty (changed but unsaved) records.
Key Name: CleanupInterval
Reg Type: REG_DWORD
Default: no value (interval is one hour)
Functionality: Sets the interval for the DNS server's memory cleanup.
Location: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

By default, when the value does not exist or is zero, the DNS server performs the cleanup once an hour. If the value exists and holds x > 0, the server performs the cleanup every x seconds.

The following illustrates changing the value to 100 seconds:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dns\parameters" /v CleanupInterval /t reg_dword /d 100 /f

In general, keep the interval short on a server with little memory, to avoid exhausting the DNS server's memory, and longer than an hour on a server with plenty of memory, which improves performance.

Note: This reg key is not available in windows 2000.

Sunday, February 1, 2009

UpdateOptions Registry Key

This registry value selectively prohibits dynamic updates for particular resource record types, i.e. it can be used to prevent DNS dynamic update of certain record types.

By default, Windows 2000 allows dynamic updates of NS, SOA and server host records in nonsecure zones; in secure zones it allows dynamic updates of the zone root NS and SOA records; and it allows delegation and server host updates in both kinds of zone. Windows Server 2003 is stricter: in standard nonsecure zones all of the update policy options are prohibited, and in secure zones only SOA and zone root NS updates are allowed.

Key Name: UpdateOptions
Type: REG_DWORD
Default: 0x30F
Functionality: Prohibits dynamic updates through a bitmask; each set bit prohibits one record type.
Location: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

The value is a bitmask. Each bit corresponds to a particular record type.
To prohibit or allow DNS dynamic update of a record type, set or clear the corresponding bit.

The following shows each bit and the record type whose dynamic update it prohibits.

For standard nonsecure zones:

Bit     Record type
0x1     SOA (Start of Authority) records
0x2     NS (name server) records
0x4     Delegation NS records
0x8     A records of the DNS server's own host

For secure zones:

Bit     Record type
0x100   SOA records
0x200   NS records
0x400   Delegation NS records
0x800   A (address) records of the DNS server's own host

Other values, irrespective of zone type:

Value        Meaning
0x0          Allows DNS dynamic update of all record types.
0x30F        Prevents all of the update policy options for nonsecure zones, and allows only SOA and zone root NS updates for secure zones.
0x1000000    Prevents the server from relaying updates of its own A record to its peers.

To set the value to 0x0 (allow dynamic update of every record type), run

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v UpdateOptions /t reg_dword /d 0 /f

Note: 1. Direct changes to the registry value take effect only after the DNS Server service is restarted.
2. The DNS Manager console can also be used to set UpdateOptions, and a change made there takes effect without restarting the server.
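Added example, not code from the original post: a PowerShell pair of helpers that decodes an UpdateOptions value into the named bits from the tables above (and flags any bit the tables do not document), and composes a value from those names. The bit names are this example's own labels; nothing is written to the registry unless you run the reg add line it prints.

```powershell
# Added example (not from the original post). Bit meanings are the ones in
# the tables above; the names are labels chosen for this example.
$UpdateOptionBits = [ordered]@{
    'nonsecure:SOA'          = 0x1
    'nonsecure:NS'           = 0x2
    'nonsecure:DelegationNS' = 0x4
    'nonsecure:ServerHostA'  = 0x8
    'secure:SOA'             = 0x100
    'secure:NS'              = 0x200
    'secure:DelegationNS'    = 0x400
    'secure:ServerHostA'     = 0x800
    'NoPeerRelayOfOwnA'      = 0x1000000
}

function ConvertFrom-UpdateOptions {
    # Lists the named bits set in an UpdateOptions value and reports any
    # bits the tables do not document (usually a mistyped value).
    param([Parameter(Mandatory)][uint32]$Value)
    $known = 0
    $set = foreach ($name in $UpdateOptionBits.Keys) {
        $known = $known -bor $UpdateOptionBits[$name]
        if (($Value -band $UpdateOptionBits[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        Value       = '0x{0:X}' -f $Value
        SetBits     = @($set)
        UnknownBits = '0x{0:X}' -f ($Value -band ([uint32]::MaxValue -bxor $known))
    }
}

function New-UpdateOptionsValue {
    # Builds a value from bit names, so a policy is written once by name
    # instead of as a hand-added hex constant.
    param([string[]]$SetBits)
    $v = 0
    foreach ($name in $SetBits) {
        if (-not $UpdateOptionBits.Contains($name)) { throw "unknown UpdateOptions bit name '$name'" }
        $v = $v -bor $UpdateOptionBits[$name]
    }
    return [uint32]$v
}

# The default 0x30F: the four nonsecure bits plus secure:SOA and secure:NS.
ConvertFrom-UpdateOptions -Value 0x30F

# A value with a stray bit (0x10) that none of the tables define.
ConvertFrom-UpdateOptions -Value 0x31F

# Compose the default from names and print the reg add line for it.
$v = New-UpdateOptionsValue -SetBits @('nonsecure:SOA', 'nonsecure:NS', 'nonsecure:DelegationNS', 'nonsecure:ServerHostA', 'secure:SOA', 'secure:NS')
"reg add HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v UpdateOptions /t reg_dword /d $v /f"
```

For 0x30F the decoder lists the six bit names and reports UnknownBits as 0x0; for 0x31F it reports 0x10, which is the kind of typo that silently survives a direct registry edit. The composed value prints as 783 (decimal 0x30F), which is what reg add expects in /d.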




AllowUpdate Registry key

This registry value determines whether a zone accepts dynamic update requests. It is stored per zone, under the zone's own subkey.

Key Name: AllowUpdate
Type: REG_DWORD
Default: 0 for standard zones (no dynamic updates), 2 for Active Directory-integrated zones (secure updates only)
Functionality: Determines whether the zone accepts dynamic update requests, and whether it accepts nonsecure ones.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNSServer\Zones\<zone name>

If the value is 0, the zone does not accept dynamic update requests.
If the value is 1, the zone accepts both nonsecure and secure dynamic update requests. Any host that can reach the server can then add or overwrite records in the zone, so use this setting only where that is acceptable.
If the value is 2, the zone accepts only secure dynamic update requests (available only for zones integrated with Active Directory).

To set the value to 1 for the zone "myrootdns.com" (the zone used as an example elsewhere on this page), run

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNSServer\Zones\myrootdns.com" /v AllowUpdate /t reg_dword /d 1 /f

Note: 1. This value applies only to primary zones.
2. Direct changes to the registry value take effect only after the DNS Server service is restarted.
3. The DNS server reads this value only at startup; to change it on the running server use the DNS Manager snap-in (dnsmgmt.msc) or dnscmd /config <zone name> /allowupdate <0|1|2>.
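Added example, not code from the original post: a PowerShell audit that walks every zone subkey under the Zones key named above, reports each zone's AllowUpdate setting, and flags zones that accept nonsecure dynamic updates, together with a helper that switches a zone to secure-only updates through dnscmd so the change applies without a restart. It assumes an elevated session on the DNS server and that each hosted zone has a subkey under that Zones key.

```powershell
# Added example (not from the original post). Assumes every zone the server
# hosts has a subkey under the Zones key named above; run elevated.
$zonesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNSServer\Zones'
$modes = @{ 0 = 'no dynamic updates'; 1 = 'nonsecure and secure updates'; 2 = 'secure updates only' }

function Get-ZoneUpdatePolicy {
    # One object per zone; Risky is set for zones open to nonsecure updates.
    foreach ($zone in Get-ChildItem -Path $zonesKey -ErrorAction Stop) {
        $p = Get-ItemProperty -Path $zone.PSPath
        $v = if ($null -eq $p.AllowUpdate) { 0 } else { [int]$p.AllowUpdate }
        [pscustomobject]@{
            Zone        = $zone.PSChildName
            AllowUpdate = $v
            Mode        = if ($modes.ContainsKey($v)) { $modes[$v] } else { "unknown ($v)" }
            Risky       = ($v -eq 1)
        }
    }
}

function Set-ZoneSecureUpdatesOnly {
    # Switch an Active Directory-integrated zone to secure-only updates on the
    # running server (dnscmd also writes the registry, so no restart is needed).
    param([Parameter(Mandatory)][string]$ZoneName)
    & dnscmd.exe /config $ZoneName /allowupdate 2 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed for $ZoneName (exit code $LASTEXITCODE)" }
}

$policies = Get-ZoneUpdatePolicy
$policies | Format-Table Zone, AllowUpdate, Mode, Risky -AutoSize
foreach ($z in $policies | Where-Object Risky) {
    Write-Warning "$($z.Zone) accepts nonsecure dynamic updates; consider: Set-ZoneSecureUpdatesOnly -ZoneName '$($z.Zone)'"
}
```

A zone with AllowUpdate = 1 is the one to look at first in a review: secure-only updates (value 2) need the zone to be Active Directory-integrated, so a standard primary zone that must accept updates from unauthenticated clients should at least be reviewed against the UpdateOptions bitmask described in the previous post.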

AutoCacheUpdate registry key

This registry value determines whether the DNS server updates its root hints (cache file) when it starts.

By default, the DNS server updates the cache file based on the responses it receives to its root hint queries for NS and A records.

Key Name: AutoCacheUpdate
Type: REG_DWORD (boolean)
Default: no value (automatic cache update is performed)
Functionality: Determines whether the server attempts to update its cache entries with data from the root servers.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

If the value is zero, the DNS server does not update the cache file.

To disable automatic cache updates, run

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v AutoCacheUpdate /t reg_dword /d 0 /f

If the AutoCacheUpdate value does not exist or is nonzero, the server updates the cache file based on the responses received for its root hint queries at startup.

Note: This value applies only to Windows 2000 and earlier versions.

WriteAuthorityNs Registry Key

This registry value determines whether the DNS server writes NS (name server) records into the Authority section of every response it sends.

By default, the Windows DNS server writes records into the Authority section of a response only in the following cases:
1. NS records, when making a referral.
2. An SOA record, to allow caching of a NAME_ERROR (nonexistent name) response.
Key Name: WriteAuthorityNs
Type: REG_DWORD (boolean)
Default: no value (unnecessary NS records are not written)
Functionality: Writes the zone's NS records into the Authority section of response packets.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
If the value is nonzero, the server writes the zone's NS records into the Authority section of its responses, which makes every response larger.
If the value does not exist or is zero, the server follows the default behavior described above.

To set this registry value, run
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v WriteAuthorityNs /t reg_dword /d 1 /f