
Configuring DNS Cache Locking



If you recall, a normal DNS query works like this:

  • A DNS client queries a recursive DNS server.
  • The server caches the result.
  • The next time another DNS client asks for the same information, the server can answer more quickly from its cache.
  • The amount of time a record stays in the cache is determined by the record's Time to Live (TTL) value.
  • If the TTL is set to a shorter time or percentage, a cached record can be overwritten when more recent data for the record arrives.
  • However, this exposes a security issue: a malicious person may try to overwrite the cached record and redirect clients to an unsafe Web site.

To mitigate this risk in Windows Server 2016:

  • You can use DNS cache locking to control when information in the DNS cache can be overwritten.
  • When you enable cache locking, the DNS server does not allow a cached record to be updated until the configured percentage of its TTL has expired.
  • By default, the cache locking percentage is set to 100%, so a record is locked for its full TTL (24 hours in this lesson's example).

To configure cache locking we need to open PowerShell in administrator mode.
I'll show you two ways to set your locking percentage. First, to check the current percentage:


If we scroll down to the ServerCache heading, we notice that the locking percent is set to 100% by default. If you want to change the percentage to 70%, type:

Set-DnsServerCache -LockingPercent 70

You can also use dnscmd to accomplish this.

  • You can check the current cache locking percentage by typing the command dnscmd /info /cachelockingpercent
  • In most environments you are not going to adjust this, but if you want to reduce the time before a record in your cache can be overwritten, you can do so by running one of the following commands (the hours in parentheses assume a record with a 24-hour TTL, since the percentage is applied to each record's own TTL):

dnscmd /config /cachelockingpercent 100 (24 hours)
dnscmd /config /cachelockingpercent 75 (18 hours)
dnscmd /config /cachelockingpercent 50 (12 hours)
dnscmd /config /cachelockingpercent 0 (update immediately)
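The following script is an added example, not part of the lesson, that ties the PowerShell and dnscmd steps above together: it reads the current locking percentage with Get-DnsServerCache, shows how long a record with a given TTL stays locked at that percentage, and only calls Set-DnsServerCache when the value actually needs to change, re-reading it afterwards to confirm. It assumes the DnsServer module (installed with the DNS Server role or RSAT) and an elevated session; the function names Get-CacheLockWindow and Set-DnsCacheLocking are my own, not cmdlets.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules DnsServer

# Added example (not from the lesson). Hypothetical helper: how long a cached
# record with the given TTL cannot be overwritten at a given locking percentage.
# Cache locking is a percentage of each record's own TTL, so a 24h record at
# 75% is locked for 18h, while a 1h record at 75% is locked for 45 minutes.
function Get-CacheLockWindow {
    param(
        [Parameter(Mandatory)][TimeSpan]$Ttl,
        [ValidateRange(0, 100)][int]$LockingPercent
    )
    return [TimeSpan]::FromSeconds($Ttl.TotalSeconds * $LockingPercent / 100)
}

# Hypothetical helper: read, optionally change, and verify the locking percent.
# Get-DnsServerCache/Set-DnsServerCache are the real DnsServer module cmdlets;
# LockingPercent is the same value dnscmd /info /cachelockingpercent reports.
function Set-DnsCacheLocking {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [ValidateRange(0, 100)][int]$LockingPercent = 100   # 100 = locked for full TTL
    )

    $before = (Get-DnsServerCache -ComputerName $ComputerName).LockingPercent
    Write-Host "Current cache locking percent on ${ComputerName}: $before"

    if ($before -eq $LockingPercent) {
        Write-Host "No change needed."
        return $before
    }

    Set-DnsServerCache -ComputerName $ComputerName -LockingPercent $LockingPercent

    # Re-read rather than trusting the call succeeded; a failed change here
    # silently leaves the cache easier to overwrite.
    $after = (Get-DnsServerCache -ComputerName $ComputerName).LockingPercent
    if ($after -ne $LockingPercent) {
        throw "LockingPercent is $after on $ComputerName, expected $LockingPercent"
    }
    Write-Host "Cache locking percent changed from $before to $after"
    return $after
}

# Illustrate the lesson's table for a 24-hour TTL, plus a shorter TTL to show
# the percentage is relative to the record, not a fixed number of hours.
foreach ($pct in 100, 75, 50, 0) {
    $w24 = Get-CacheLockWindow -Ttl ([TimeSpan]::FromHours(24)) -LockingPercent $pct
    $w1  = Get-CacheLockWindow -Ttl ([TimeSpan]::FromHours(1))  -LockingPercent $pct
    Write-Host ("{0,3}% -> 24h TTL locked {1}, 1h TTL locked {2}" -f $pct, $w24, $w1)
}

# Keep the default (100%) on the local server; pass -LockingPercent 70 to match
# the lesson's Set-DnsServerCache example.
Set-DnsCacheLocking -LockingPercent 100
```

Note that 0% removes the protection entirely (any newer answer overwrites the cached record immediately), so values below the default should be a deliberate choice for environments that need faster cache refresh, and the verification step is worth keeping in any change script.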
