
Configuring DNS Cache Locking


If you recall, a normal DNS query works like this:

  • A DNS client queries a recursive DNS server.
  • The server caches the result.
  • The next time, the DNS server is able to respond more quickly to other DNS clients querying the same information.
  • The amount of time that a record resides in the cache is determined by the Time to Live (TTL) value of the record.
  • If the TTL is set to a shorter time or percentage, a record could be overwritten before it expires if more recent data is received for the record.
  • However, this exposes a security issue. A malicious person may try to overwrite the cached record and redirect clients to an unsafe Web site.

To mitigate this risk in Windows Server 2016:

  • You can use DNS cache locking to determine when information in the DNS cache can be overwritten.
  • When you enable cache locking, the DNS server does not allow a cached record to be updated until the configured percentage of its TTL has expired.
  • By default, the locking percentage is set to 100% of the TTL, which corresponds to 24 hours.

To configure cache locking we need to open PowerShell in administrator mode.
I’ll show you two ways to set your TTL locking percentage. First, to check the current percentage, type

Get-DnsServer

If we scroll down to the ServerCache heading we notice that the locking percent is set to 100% by default. If you want to change the percentage to 70%, type

Set-DnsServerCache -LockingPercent 70

You can also use the dnscmd command-line tool to accomplish this.

  • You can check the current cache locking setting by typing the command dnscmd /info /cachelockingpercent
  • In most environments you are not going to adjust this, but if you want to reduce the time before a record in your cache can be overwritten, you can do so by running one of the following commands:

dnscmd /config /cachelockingpercent 100 (24 hours)
dnscmd /config /cachelockingpercent 75 (18 hours)
dnscmd /config /cachelockingpercent 50 (12 hours)
dnscmd /config /cachelockingpercent 0 (update immediately)
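The following PowerShell script is an added example, not part of the lesson. It wraps the same Get-DnsServerCache / Set-DnsServerCache cmdlets shown above in two small functions (Get-CacheLockingState and Set-CacheLockingPercent, both names chosen here for illustration) so you can audit the locking percentage on one or more DNS servers, and restore the 100% default on any server where it has been lowered. It assumes the DnsServer PowerShell module is installed (it ships with the DNS Server role and RSAT) and that the session is elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not the lesson's own code): audit and enforce DNS cache locking
# using the DnsServer module. Function names below are illustrative.

function Get-CacheLockingState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Get-DnsServerCache exposes the same ServerCache settings the lesson reads
    # from Get-DnsServer, including LockingPercent and the cache's MaxTtl.
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    [pscustomobject]@{
        ComputerName   = $ComputerName
        LockingPercent = $cache.LockingPercent
        MaxTtl         = $cache.MaxTtl          # TTL that the percentage applies to
        FullyLocked    = ($cache.LockingPercent -ge 100)
    }
}

function Set-CacheLockingPercent {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 100)][int]$Percent,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Record the previous value, apply the change, then read it back to confirm
    # the server accepted it rather than trusting that the cmdlet succeeded.
    $before = (Get-DnsServerCache -ComputerName $ComputerName).LockingPercent
    Set-DnsServerCache -ComputerName $ComputerName -LockingPercent $Percent
    $after  = (Get-DnsServerCache -ComputerName $ComputerName).LockingPercent
    if ($after -ne $Percent) {
        throw "LockingPercent on $ComputerName is $after, expected $Percent"
    }
    [pscustomobject]@{ ComputerName = $ComputerName; Before = $before; After = $after }
}

# Usage: report each server, then put back the 100% default where it was lowered.
# The server list below is a constructed placeholder; replace it with your DNS servers.
$servers = @($env:COMPUTERNAME)
foreach ($s in $servers) {
    $state = Get-CacheLockingState -ComputerName $s
    $state | Format-List
    if (-not $state.FullyLocked) {
        Write-Warning "$s allows cached records to be overwritten after $($state.LockingPercent)% of their TTL; restoring 100%"
        Set-CacheLockingPercent -Percent 100 -ComputerName $s
    }
}
```

Reading the value back after Set-DnsServerCache is the useful part: if a change management step or a script has lowered the percentage (for example to the 0 setting shown above, which allows immediate overwrite), this audit surfaces it and restores the default in one pass.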
