
Configuring DNS Cache Locking

If you recall, a normal DNS query works like this:

  • A DNS client queries a recursive DNS server.
  • The server caches the result.
  • The next time another DNS client asks for the same information, the DNS server can answer more quickly from its cache.
  • The amount of time that a record resides in the cache is determined by the Time to Live (TTL) value of the record.
  • If the TTL is set to a shorter time, or only a percentage of it is honored, a record could be overwritten as soon as more recent data for the record arrives.
  • However, this exposes a security issue. A malicious person may try to overwrite the record and redirect clients to an unsafe Web site.

To mitigate this risk in Windows Server 2016:

  • You can use DNS cache locking to determine when information in the DNS cache can be overwritten.
  • When you enable cache locking, the DNS server does not allow a cached record to be overwritten until the configured percentage of its TTL has elapsed; at the default setting that means until the TTL has fully expired.
  • By default, the cache locking percentage is set to 100%, or 24 hours.

To configure cache locking we need to open PowerShell in administrator mode.
I'll show you two ways to set your cache locking percentage. First, to check the current percentage, run

Get-DnsServer

If we scroll down to the ServerCache heading, we notice that the locking percentage is set to 100% by default. If you want to change the percentage to 70%, type

Set-DnsServerCache -LockingPercent 70

You can also use dnscmd to accomplish this.

  • You can check the current cache locking setting by typing the command dnscmd /info /cachelockingpercent
  • In most environments you are not going to adjust this, but if you want to reduce the time before a record in your cache can be overwritten, you can do so by running one of the following commands:

dnscmd /config /cachelockingpercent 100 (24 hours)
dnscmd /config /cachelockingpercent 75 (18 hours)
dnscmd /config /cachelockingpercent 50 (12 hours)
dnscmd /config /cachelockingpercent 0 (Update immediately)
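Both the PowerShell and the dnscmd procedures above change one value by hand on one server. The script below is an added example, not code from the original page or from Microsoft: it audits the locking percentage on a list of DNS servers with Get-DnsServerCache, raises it with Set-DnsServerCache only when asked to (and honors -WhatIf), and reports the lock window that results for a record with the 24-hour TTL the table above assumes. The functions Test-DnsCacheLocking and Get-CacheLockDuration, and the hostname dns01.example.internal, are my own constructions; it assumes the DnsServer module is installed and that it is run in an elevated PowerShell session.

```powershell
# Added example (not from the original page): audit and optionally remediate
# the DNS cache locking percentage across DNS servers.
# Assumptions: DnsServer module available, elevated session, and the
# Get-DnsServerCache / Set-DnsServerCache cmdlets as shipped with
# Windows Server 2016 (LockingPercent property, -ComputerName parameter).

function Get-CacheLockDuration {
    # Cache locking protects a cached record for LockingPercent % of its TTL,
    # which is where the page's "75 = 18 hours" figures for a 24-hour TTL come from.
    param(
        [Parameter(Mandatory)][timespan]$Ttl,
        [Parameter(Mandatory)][ValidateRange(0, 100)][int]$LockingPercent
    )
    [timespan]::FromSeconds($Ttl.TotalSeconds * $LockingPercent / 100)
}

function Test-DnsCacheLocking {
    # Emits one object per server: current percentage, whether it meets the
    # minimum, and the resulting lock window for a 24-hour TTL record.
    # With -Remediate, servers below the minimum are raised to it; -WhatIf
    # shows what would change without touching the server.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @('localhost'),
        [ValidateRange(0, 100)][int]$MinimumPercent = 100,
        [switch]$Remediate
    )
    foreach ($server in $ComputerName) {
        try {
            $cache = Get-DnsServerCache -ComputerName $server -ErrorAction Stop
        } catch {
            # Unreachable or not a DNS server: report and move on rather than abort the audit
            Write-Warning "${server}: cannot read DNS cache settings ($($_.Exception.Message))"
            continue
        }

        $current   = [int]$cache.LockingPercent
        $compliant = $current -ge $MinimumPercent

        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess($server, "Set LockingPercent $current -> $MinimumPercent")) {
            Set-DnsServerCache -ComputerName $server -LockingPercent $MinimumPercent
            $current   = $MinimumPercent
            $compliant = $true
        }

        [pscustomobject]@{
            Server         = $server
            LockingPercent = $current
            Compliant      = $compliant
            LockFor24hTtl  = Get-CacheLockDuration -Ttl ([timespan]::FromHours(24)) -LockingPercent $current
        }
    }
}

# Usage (dns01.example.internal is a constructed placeholder hostname):
# 1. report only
Test-DnsCacheLocking -ComputerName 'dns01.example.internal' | Format-Table -AutoSize
# 2. preview the change, then apply it by dropping -WhatIf
Test-DnsCacheLocking -ComputerName 'dns01.example.internal' -Remediate -WhatIf
```

Because the audit and the change are separate switches, the same function can run on a schedule in report-only mode and flag any server where the percentage has drifted below 100% (the dnscmd /config /cachelockingpercent 0 setting, for example, re-opens the cache to immediate overwrites), while the remediation step stays an explicit, logged decision.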