DNS Cache Locking

Cache locking is a new security feature available with Windows Server® 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten.

What are the major changes?

Cache locking is a new feature available if your DNS server is running Windows Server 2008 R2. When you enable cache locking, the DNS server will not allow cached records to be overwritten for the duration of the time to live (TTL) value. Cache locking provides for enhanced security against cache poisoning attacks. You can also customize the settings used for cache locking.

What does cache locking do?

When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received. If an attacker successfully overwrites information in the cache, they might be able to redirect traffic on your network to a malicious site.

Who will be interested in this feature?

This feature will be of interest to IT professionals who manage Active Directory® Domain Services (AD DS) and DNS, as well as to security administrators.

Are there any special considerations?

Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL. The cache locking value is stored in the CacheLockingPercent registry key. If the registry key is not present, then the DNS server will use the default cache locking value of 100.

What settings have been added or changed?

The following registry key can be used to configure cache locking. However, the recommended method for configuring cache locking settings is the dnscmd.exe command-line tool. For more information about configuring cache locking, see Configure Cache Locking.

Registry settings

Setting name: CacheLockingPercent
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
Default value: 100
Possible values: 0 to 100

Tip

To apply changes to settings for cache locking, you must restart the DNS service.
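As an added example that is not part of the original article, the following PowerShell audit script reads CacheLockingPercent from the registry location listed above, treats a missing value as the default of 100 as the article describes, computes how long a cached record of a given TTL stays locked, and prints the dnscmd.exe command and service restart needed to correct it. The baseline of 100 percent and the sample TTL of 3600 seconds are assumptions for illustration.

```powershell
# Added example: audit the DNS cache locking setting on a Windows Server 2008 R2 DNS server.
# Registry path and default value come from the article; the audit baseline is an assumption.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\services\DNS\Parameters'

function Get-CacheLockingPercent {
    # Returns the effective value; if the registry value is absent the server uses 100.
    $item = Get-ItemProperty -Path $DnsParams -Name 'CacheLockingPercent' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 100 }
    return [int]$item.CacheLockingPercent
}

function Get-CacheLockWindow {
    # Seconds during which a cached record with this TTL cannot be overwritten.
    # Example: TTL 3600 at 50 percent gives 1800 seconds of protection.
    param([int]$TtlSeconds, [int]$Percent)
    if ($Percent -lt 0 -or $Percent -gt 100) { throw 'CacheLockingPercent must be 0 to 100' }
    return [math]::Floor($TtlSeconds * $Percent / 100)
}

function Test-CacheLocking {
    # Flags a server whose locking window is shorter than the assumed baseline.
    param([int]$MinimumPercent = 100)
    $percent   = Get-CacheLockingPercent
    $sampleTtl = 3600   # constructed TTL used only to illustrate the locked window
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Percent       = $percent
        LockedSeconds = Get-CacheLockWindow -TtlSeconds $sampleTtl -Percent $percent
        Compliant     = ($percent -ge $MinimumPercent)
    }
}

$result = Test-CacheLocking
$result | Format-List

if (-not $result.Compliant) {
    # Recommended method per the article: dnscmd.exe, followed by a DNS service restart.
    Write-Warning 'Cache locking is below the baseline. To restore the default, run:'
    Write-Host '  dnscmd.exe /Config /CacheLockingPercent 100'
    Write-Host '  Restart-Service DNS'
}
```

Run the script in an elevated PowerShell session on the DNS server; it only reads the registry and prints the remediation commands rather than applying them.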

Which editions include this feature?

This feature is available in all editions.

See Also

Concepts

Deploying a Secure DNS Configuration