Configuring DNS Cache Locking

Sign up to access this lesson

Click here to sign up and get access to this lesson!

Saving Progress...

If you recall a normal DNS query works like this:

  • A DNS client queries a recursive DNS server.
  • The server caches the result.
  • Next time the DNS server will be able to respond more quickly to other DNS clients querying the same information.
  • The amount of time that a record resides in cache is determined by the Time to Live (TTL) value of the record.
  • If the TTL, is set to a shorter time or percentage a record could be overwritten if more recent data is available for the record.
  • However, this exposes a security issue. A malicious person may try to overwrite the record and redirect clients to an unsafe Web site.

To mitigate this risk in Windows server 2016:

  • You can use DNS cache locking to determine when information in the DNS cache can be overwritten.
  • When you enable cache locking the DNS server does not allow updates until the TTL has fully expired.
  • By default, the TTL is set to 100% or 24 hours.

To configure Cache Locking we need to open up PowerShell in administrator mode.
I’ll show you two ways to accomplish setting your TTL percentage. First to check the current percentage

Get-Dnsserver

If we Drop down to the ServerCache heading we notice that the locking percent by default is set to 100%. If you want to change the percentage type to 70% type

Set-DnsServerCache –LockingPercent 70

You can also use the dnscmd to accomplish this.

  • You can check the current TTL setting by typing the command dnscmd /info /cachelockingpercent
  • In most environments you are not going to adjust this, but if you want to reduce the time that a record in your cache can get overwritten, you can do so by running the following commands:

dnscmd /config /cachelockingpercent 100 (24 hours)
dnscmd /config /cachelockingpercent 75 (18 hours)
dnscmd /config /cachelockingpercent 50 (12 hours)
dnscmd /config /cachelockingpercent 0 (Update immediately)

Sign up to access the rest of this lesson

You must either log in or sign up to access this lesson.

Saving Progress...

0 0 votes
Lesson Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments

Installing and Configuring Domain Name System (DNS)

0%

0/1 Lessons

Course Introduction

• 10min

0 / 2 lessons complete

DNS Basics

• 1hr 16min

0 / 8 lessons complete

DNS Resource Records

• 46min

0 / 5 lessons complete

DNS Zones

• 4hr 11min

0 / 12 lessons complete

DNS Delegation

• 50min

0 / 4 lessons complete

DNS Security Techniques

• 36min

0 / 5 lessons complete

Advanced DNS Topics

• 22min

0 / 5 lessons complete

DNS Security (DNSSEC)

• 1hr 16min

0 / 6 lessons complete

DNS Policies

• 55min

0 / 6 lessons complete

PowerShell for DNS

• 1hr 27min

0 / 6 lessons complete

Troubleshooting DNS Issues - Troubleshooting Tools

• 1hr 39min

0 / 8 lessons complete