How do I disabled DNS Server Caching on windows 2008 server?

A security vulnerability has been found on windows 2008 server.

How do I disabled DNS Server Caching on windows 2008 server?
http://www.nessus.org/plugins/index....ingle&id=12217

Is there any document to say that it is not recommended to disabled?

"chris" <> wrote in message
news2309745-6278-4723-B691-...
>A security vulnerability has been found on windows 2008 server.
>
> How do I disabled DNS Server Caching on windows 2008 server?
> http://www.nessus.org/plugins/index....ingle&id=12217
>
> Is there any document to say that it is not recommended to disabled?
>
>


You can disable it for the client side resolver on all machines, including a
DNS server's client side resolver by disabling the DNS Client service. But
that does NOT affect the DNS Service itself. It's designed to cache any
successful lookups it has resolved.

The only thing I can think of is to reduce the MaxCacheTtl in the registry
to zero (0). However I suggest not to do that, or the DNS server performance
will be greatly reduced. This article shows you the setting:

Microsoft DNS Server Registry Parameters, Part 1 of 3
http://support.microsoft.com/kb/198408

However, as said, I suggest to not disable it, and rather I strongly suggest
to make sure your DNS server, and all other servers for that matter, are up
to date with current updates and security hotfixes.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Hi,

MaxCacheTtl is not found on a windows 2008 server?

What should I do to disabled as one of my customer wanted to disabled?


"Ace Fekay [MCT]" wrote:

> "chris" <> wrote in message
> news2309745-6278-4723-B691-...
> >A security vulnerability has been found on windows 2008 server.
> >
> > How do I disabled DNS Server Caching on windows 2008 server?
> > http://www.nessus.org/plugins/index....ingle&id=12217
> >
> > Is there any document to say that it is not recommended to disabled?
> >
> >
>
>
> You can disable it for the client side resolver on all machines, including a
> DNS server's client side resolver by disabling the DNS Client service. But
> that does NOT affect the DNS Service itself. It's designed to cache any
> successful lookups it has resolved.
>
> The only thing I can think of is to reduce the MaxCacheTtl in the registry
> to zero (0). However I suggest not to do that, or the DNS server performance
> will be greatly reduced. This article shows you the setting:
>
> Microsoft DNS Server Registry Parameters, Part 1 of 3
> http://support.microsoft.com/kb/198408
>
> However, as said, I suggest to not disable it, and rather I strongly suggest
> to make sure your DNS server, and all other servers for that matter, are up
> to date with current updates and security hotfixes.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among
> responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
> .
>

"chris" <> wrote in message
news:53EA623D-AF67-4B55-8400-...
>
> Hi,
>
> MaxCacheTtl is not found on a windows 2008 server?
>
> What should I do to disabled as one of my customer wanted to disabled?

You can simply create it. It's a DWORD entry. The following article can
guide you. Just set it to 0 instead of what the article speaks of, since
that is a different issue.

968372 Windows Server 2008 DNS Servers may fail to resolve queries for some
top-level domains
http://support.microsoft.com/default...b;EN-US;968372

You can also test to see if it works. Prior to creating the entry, run
Perfmon DNS counters for the cache, and save the logs. Then set it 0, and
run another Perfmon log and evaluate the difference.

Ace

Hi,

Thanks.

Is there a command to test to verify it is working that cache has been
cleared and registry has been configure sucessfully?

"Ace Fekay [MCT]" wrote:

> "chris" <> wrote in message
> news:53EA623D-AF67-4B55-8400-...
> >
> > Hi,
> >
> > MaxCacheTtl is not found on a windows 2008 server?
> >
> > What should I do to disabled as one of my customer wanted to disabled?
>
> You can simply create it. It's a DWORD entry. The following article can
> guide you. Just set it to 0 instead of what the article speaks of, since
> that is a different issue.
>
> 968372 Windows Server 2008 DNS Servers may fail to resolve queries for some
> top-level domains
> http://support.microsoft.com/default...b;EN-US;968372
>
> You can also test to see if it works. Prior to creating the entry, run
> Perfmon DNS counters for the cache, and save the logs. Then set it 0, and
> run another Perfmon log and evaluate the difference.
>
> Ace
>
>
> .
>

"chris" <> wrote in message
news:4ED7CB18-0C52-4685-BEEC-...
> Hi,
>
> Thanks.
>
> Is there a command to test to verify it is working that cache has been
> cleared and registry has been configure sucessfully?
>

You can simply put the DNS console into Advanced view, and look at the
cache.

Ace