Configuring DNS Cache Locking
If you recall, a normal DNS query works like this:
- A DNS client queries a recursive DNS server.
- The server resolves the name and caches the result.
- The next time a client asks for the same name, the server can answer from its cache without contacting the authoritative servers again, so it responds more quickly.
- The amount of time a record stays in the cache is determined by the record's Time to Live (TTL) value.
- Without cache locking, a cached record can be overwritten before its TTL expires whenever the server receives newer data for that record.
- This exposes a security issue: an attacker who gets a forged response accepted by the server can overwrite the cached record and redirect clients to an unsafe web site (DNS cache poisoning).
To mitigate this risk in Windows Server 2016:
- DNS cache locking controls when a record in the DNS cache is allowed to be overwritten.
- The setting is a percentage of each record's TTL. While that portion of the TTL is still running, the DNS server refuses to replace the cached record; with the default of 100%, a record cannot be overwritten until its TTL has fully expired.
- The default locking percent is 100. The "24 hours" used in the examples below is not the setting itself but the TTL of the example record; the lock window always scales with each record's own TTL.
To configure cache locking, open PowerShell as an administrator.
I'll show you two ways to set the locking percentage. First, check the current value:
Get-DnsServer
Scroll down to the ServerCache section and you will see LockingPercent, which is 100 by default (Get-DnsServerCache shows the same setting on its own). To change the percentage to 70, type:
Set-DnsServerCache -LockingPercent 70
You can also use dnscmd to accomplish this.
- Check the current setting by typing dnscmd /info /cachelockingpercent
- In most environments you will leave this at 100. If you do want to shorten the window during which a cached record is protected from being overwritten, run one of the following. The times in parentheses assume a record with a 24-hour TTL; the actual window is the configured percentage of each record's own TTL:
dnscmd /config /cachelockingpercent 100 (24 hours: no overwrite until the TTL expires)
dnscmd /config /cachelockingpercent 75 (18 hours)
dnscmd /config /cachelockingpercent 50 (12 hours)
dnscmd /config /cachelockingpercent 0 (no locking: the record can be overwritten immediately)
Restart the DNS Server service afterwards (Restart-Service DNS) so the new value is applied, and re-run dnscmd /info /cachelockingpercent to confirm it.
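The following is an added example, not part of the original lesson, that turns the procedure above into a repeatable audit: it reads LockingPercent from one or more DNS servers with Get-DnsServerCache, optionally enforces a minimum with Set-DnsServerCache, and shows how the protection window depends on each record's TTL rather than being a fixed 24 hours. The functions Get-CacheLockWindow and Test-DnsCacheLocking and the server names dns01 and dns02 are this example's own placeholders; it requires the DnsServer PowerShell module and administrative rights on the targets.

```powershell
# Added example (not from the original lesson): audit and enforce the DNS cache
# locking percentage on Windows DNS servers, and show how the lock window scales
# with each record's TTL. Requires the DnsServer module (RSAT-DNS-Server) and
# admin rights; function names and server names are placeholders for this example.

#Requires -Modules DnsServer

# How long a cached record is protected from overwrite, given the record's TTL
# and the configured locking percent (the percentage applies to the TTL).
function Get-CacheLockWindow {
    param(
        [Parameter(Mandatory)][timespan]$Ttl,
        [Parameter(Mandatory)][ValidateRange(0, 100)][int]$LockingPercent
    )
    [timespan]::FromSeconds($Ttl.TotalSeconds * $LockingPercent / 100)
}

# Report each server's LockingPercent against a required minimum. With -Enforce,
# servers below the minimum are set to it and re-read to confirm the change.
function Test-DnsCacheLocking {
    param(
        [string[]]$ComputerName = @('localhost'),
        [ValidateRange(0, 100)][int]$MinimumPercent = 100,
        [switch]$Enforce
    )
    foreach ($server in $ComputerName) {
        try {
            $cache = Get-DnsServerCache -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "$server : could not read DNS cache settings ($($_.Exception.Message))"
            continue
        }
        $current   = [int]$cache.LockingPercent
        $compliant = $current -ge $MinimumPercent

        if (-not $compliant -and $Enforce) {
            Set-DnsServerCache -ComputerName $server -LockingPercent $MinimumPercent
            # Re-read instead of trusting the call succeeded.
            $current   = [int](Get-DnsServerCache -ComputerName $server).LockingPercent
            $compliant = $current -ge $MinimumPercent
        }

        [pscustomobject]@{
            Server         = $server
            LockingPercent = $current
            Compliant      = $compliant
            # Protection window for a record with a 24-hour TTL, the case the lesson uses.
            LockWindow24h  = Get-CacheLockWindow -Ttl ([timespan]::FromHours(24)) -LockingPercent $current
        }
    }
}

# Usage with placeholder server names: report and enforce 100%.
Test-DnsCacheLocking -ComputerName 'dns01', 'dns02' -MinimumPercent 100 -Enforce |
    Format-Table -AutoSize

# The window is a fraction of the TTL, not a fixed number of hours: at 70% a
# 1-hour record is protected for 42 minutes, a 24-hour record for 16.8 hours.
Get-CacheLockWindow -Ttl ([timespan]::FromHours(1))  -LockingPercent 70
Get-CacheLockWindow -Ttl ([timespan]::FromHours(24)) -LockingPercent 70
```

Run it without -Enforce first to see which servers deviate from the default before changing anything; the compliance check re-reads the value after Set-DnsServerCache so the report reflects what the server actually holds.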