Configure Cache Locking

Published: October 2009

Updated: October 2009

Applies to: Windows Server 2008 R2

Cache locking is a new security feature available with Windows Server® 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received. If an attacker successfully overwrites information in the cache, they might be able to redirect traffic on your network to a malicious site.

Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL. The cache locking value is stored in the CacheLockingPercent registry key. If the registry key is not present, then the DNS server will use the default cache locking value of 100.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Configuring cache locking

Tip
The command line utility DnsCmd.exe is the recommended method for configuring cache locking.

To configure cache locking using a command line

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /CacheLockingPercent <percent>
    
  3. Restart the DNS Server service.

 

Parameter               Description

dnscmd                  The command-line tool for managing DNS servers.
/Config                 Required. Allows the user to change a value in the Windows Registry.
/CacheLockingPercent    Required. Specifies the CacheLockingPercent registry key.
<percent>               Optional. Specifies the cache locking percent, from 0 to 100 in decimal format. If no value is entered, the cache locking percent is set to 0.

Tip
Use the /Info command to view the current value of a registry key, for example: Dnscmd /Info /CacheLockingPercent.

To configure cache locking using the Windows interface

  1. Click Start, click Run, type regedit.exe, and then press ENTER.

  2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.

  3. If the CacheLockingPercent registry key is not present, right-click Parameters, click New, click DWORD (32-bit) Value, and then type CacheLockingPercent for the name of the new registry key.

  4. Double-click the CacheLockingPercent registry key.

  5. Under Base, choose Decimal. Under Value data, type a value from 0 to 100 for the cache locking percent, and then click OK.

  6. Close Registry Editor.

  7. Restart the DNS Server service.
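
The following audit script is an added example, not part of the original Microsoft article. It reads CacheLockingPercent from the registry path given above, falls back to the documented default of 100 when the value is absent, and shows how much of a record's TTL is left overwritable when the value is lower. The function names and the sample TTLs are assumptions made for this illustration.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell session on the DNS server.
# Uses PowerShell 2.0 syntax so it runs on a default Windows Server 2008 R2 install.
$ParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\services\DNS\Parameters'  # path from this page
$ValueName  = 'CacheLockingPercent'                                     # name from this page
$DefaultPct = 100                                                       # default from this page

function Get-EffectiveCacheLockingPercent {   # hypothetical helper name
    if (-not (Test-Path $ParamsPath)) {
        throw "Key $ParamsPath not found; is the DNS Server role installed?"
    }
    $item = Get-ItemProperty -Path $ParamsPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the server falls back to the default.
        return New-Object PSObject -Property @{ Percent = $DefaultPct; Source = 'default (value absent)' }
    }
    return New-Object PSObject -Property @{ Percent = [int]$item.$ValueName; Source = 'registry' }
}

function Get-LockWindow {   # hypothetical helper name
    # Seconds of a record's TTL during which the cached entry is protected from overwrite.
    # Exact rounding inside the DNS service is not stated on this page.
    param([int]$TtlSeconds, [int]$Percent)
    $locked = $TtlSeconds * $Percent / 100
    New-Object PSObject -Property @{
        TtlSeconds = $TtlSeconds; LockedSeconds = $locked; ExposedSeconds = $TtlSeconds - $locked
    }
}

$state = Get-EffectiveCacheLockingPercent
"CacheLockingPercent = {0} ({1})" -f $state.Percent, $state.Source

if ($state.Percent -lt 0 -or $state.Percent -gt 100) {
    Write-Warning "Value is outside the documented 0-100 range."
} elseif ($state.Percent -lt 100) {
    Write-Warning "Cached records can be overwritten before their TTL expires."
    # Constructed sample TTLs (5 minutes, 1 hour, 1 day) to show the exposed portion of each.
    300, 3600, 86400 | ForEach-Object { Get-LockWindow -TtlSeconds $_ -Percent $state.Percent } |
        Format-Table TtlSeconds, LockedSeconds, ExposedSeconds -AutoSize
    "To restore the default: dnscmd /Config /CacheLockingPercent 100, then restart the DNS Server service."
} else {
    "Cached records are locked for the full TTL."
}
```

The script only reads the registry; any change is still made with dnscmd or Registry Editor as described in the procedures above.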

© 2014 Microsoft