DNS: Cache locking should be configured to 90% or greater

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature

DNS

Severity

Warning

Category

Configuration

Issue

The cache locking value is less than 90%. By default, the cache locking value is 100%.

Cache locking protects against cache poisoning attacks. Once a resource record is in the cache, the DNS server refuses to overwrite it with data from later responses until the configured percentage of its TTL has elapsed, which shrinks the window in which a spoofed response can replace a legitimate cached entry.

Impact

A low cache locking value increases the chance of a successful cache poisoning attack, because a cached record can be overwritten soon after it is cached instead of only after it expires. Clients that resolve names through this server could then be directed to an attacker-controlled host.

Resolution

Configure the cache locking value to be 90% or greater.

Cache locking is configured as a percentage of the record's TTL. For example, if the cache locking value is set to 50, the DNS server will not overwrite a cached entry for the first half of its TTL; a record cached with a TTL of 3600 seconds can be replaced by a newer response only after 1800 seconds. By default, the cache locking value is 100, which means cached entries are never overwritten before their TTL expires. The value is stored in the CacheLockingPercent registry value of the DNS Server service. If the registry value is not present, the DNS server uses the default of 100. The setting is read when the service starts, so a change takes effect only after the DNS Server service is restarted.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure cache locking

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /CacheLockingPercent <percent>
    
  3. Restart the DNS Server service.

Parameter: Description

dnscmd: The command-line tool for managing DNS servers.

/Config: Required. Changes a DNS server setting, which is stored as a value in the Windows registry.

/CacheLockingPercent: Required. Specifies the CacheLockingPercent registry value.

<percent>: Optional. Specifies the cache locking percent, from 0 to 100 in decimal format. If no value is entered, the cache locking percent is set to 0, which disables cache locking entirely and will cause this warning to be reported again on the next scan.

Tip

Use the /Info command to view the current value of a setting, for example: Dnscmd /Info /CacheLockingPercent. Run it again after the service restart to confirm that the new value is in effect.
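The following PowerShell script is an added example, not part of the original article, that performs the audit and the remediation procedure above in one pass: it reads the current CacheLockingPercent, treats a missing value as the default of 100 as the article describes, and, if the value is below the 90% threshold that triggers this warning, sets it to 100 with dnscmd, restarts the DNS Server service, and re-checks. The registry path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters and the threshold and target numbers are assumptions of the example; the article names only the value, not its key.

```powershell
# Added example (not from the original article): audit and, if needed, remediate
# the DNS Server cache locking percent against the BPA threshold of 90%.
# Run in an elevated PowerShell session on the DNS server itself.
# Assumptions: the setting is stored under the registry key below (the article
# names only the CacheLockingPercent value), and dnscmd.exe is on the PATH.

$Threshold = 90      # BPA warns when the value is below this
$Target    = 100     # the default, and the value we remediate to
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'CacheLockingPercent'

function Get-CacheLockingPercent {
    # Returns the configured percent. Per the article, an absent value means
    # the DNS server uses the default of 100.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 100 }
    return [int]$item.$ValueName
}

function Set-CacheLockingPercent {
    param([ValidateRange(0, 100)][int]$Percent)
    # Use the article's own tool so the change is made the supported way.
    & dnscmd.exe /Config /CacheLockingPercent $Percent | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd failed with exit code $LASTEXITCODE"
    }
    # The value is read at service start, so restart for it to take effect.
    Restart-Service -Name DNS -Force
}

function Test-CacheLocking {
    # Reports the current value and whether it satisfies the BPA threshold.
    $current = Get-CacheLockingPercent
    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        Percent   = $current
        Compliant = ($current -ge $Threshold)
    }
}

$before = Test-CacheLocking
$before | Format-List

if (-not $before.Compliant) {
    Write-Warning "CacheLockingPercent is $($before.Percent) (below $Threshold); setting it to $Target."
    Set-CacheLockingPercent -Percent $Target

    $after = Test-CacheLocking
    $after | Format-List
    if (-not $after.Compliant) {
        throw 'Remediation did not take effect; check the registry value and the DNS Server event log.'
    }
}
```

On Windows Server 2012 the DnsServer module offers Get-DnsServerCache, whose LockingPercent property reports the same setting, and Set-DnsServerCache -LockingPercent, which can replace the dnscmd call; the registry read used here also works on Windows Server 2008 and 2008 R2, where those cmdlets are not available. Reading the registry directly rather than parsing dnscmd /Info output keeps the check independent of the tool's text format.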