Appendix C: Windows Sockets and DNS Registry Parameters

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

AFD Registry Parameters

Afd.sys is the kernel-mode driver that is used to support Windows Sockets applications. When there are three default values, the default is calculated based on the amount of memory detected in the system:

  • The first value is the default for smaller computers (less than 19 MB).

  • The second value is the default for medium computers (<32 MB on Windows XP Professional, <64 MB on Windows Server 2003).

  • The third value is the default for large computers (>32 MB on Windows XP Professional, >64 MB on Windows Server 2003).

For example, if the default is given as 0/2/10, a system containing 12.5 to 20 MB of RAM would default to 2.

The following values can be set under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters

DefaultReceiveWindow

Value Type: REG_DWORD

Default: 4096/8192/8192

Description: The number of receive bytes that AFD buffers on a connection before imposing flow control. For some applications, a larger value here gives slightly better performance at the expense of increased resource utilization. Applications can modify this value on a per-socket basis with the SO_RCVBUF socket option.

DefaultSendWindow

Value Type: REG_DWORD

Default: 4096/8192/8192

Description: This is similar to DefaultReceiveWindow, but for the send side of connections.

DisableAddressSharing

Value Type: REG_DWORD

Default: 0

Range: 0, 1

Description: This parameter is used to prevent address sharing (SO_REUSEADDR) between processes so that if a process opens a socket, no other process can steal data from it. A similar effect can be achieved if an application uses the new socket option SO_EXCLUSIVEADDRUSE. This setting allows administrators to secure older applications that are not aware of this option.

FastCopyReceiveThreshold

Value Type: REG_DWORD

Default: 1024

Description: When an application posts a receive with a buffer that is smaller than the current packet being buffered by Winsock, AFD can either make an additional copy of the packet and then copy data to the application buffers directly (which is a two-stage copy because application buffers cannot be accessed directly under the lock), or it can lock and map application buffers and copy data once. This value represents a compromise between extra code execution for data copying, and extra code execution in the I/O subsystem and memory manager. The default value was found, by testing, to be the best overall value for performance. Changing this value is not generally recommended.

FastSendDatagramThreshold

Value Type: REG_DWORD

Default: 1024

Description: Datagrams smaller than the value of this parameter go through the fast I/O path or are buffered on send. Larger ones are held until the datagram is actually sent. The default value was found by testing to be the best overall value for performance. Fast I/O means copying data and bypassing the I/O subsystem, instead of mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing this value is not generally recommended.

IgnorePushBitOnReceives

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false)

Description: Normally, Windows Server 2003 completes a Windows Sockets Receive when one of the following occurs:

  • Data arrives with the push bit set.

  • The user recv buffer is full.

  • 0.5 seconds have elapsed since any data arrived.

Setting this parameter to 1 causes Afd.sys to treat all incoming packets as though the push bit were set. This should only be done when necessary to work around client TCP/IP implementations that do not push data properly.

LargeBufferSize

Value Type: REG_DWORD

Default: PAGE_SIZE (4096 bytes on i386, 8192 bytes on Alpha)

Description: The size, in bytes, of large buffers used by AFD. Smaller values use less memory and larger values can improve performance.

LargeBufferListDepth

Value Type: REG_DWORD

Default: 0/2/10

Description: Depth of large buffer look-aside list.

MaxFastTransmit

Value Type: REG_DWORD

Valid Range: 0–0xffffffff

Default: 64 KB

Description: This parameter controls the maximum amount of data that is transferred in a TransmitFile request on the fast path. Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing this value is not generally recommended.

MaxFastCopyTransmit

Value Type: REG_DWORD

Valid Range: 0–0xFFFFFFFF

Default: 128

Description: This parameter controls the maximum size of data that uses copy instead of cached memory on the fast-path. Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing this value is not generally recommended.

MediumBufferSize

Value Type: REG_DWORD

Default: 1504

Description: The size, in bytes, of medium buffers used by AFD.

MediumBufferListDepth

Value Type: REG_DWORD

Default: 4/8/24

Description: Depth of medium buffer look-aside list.

OverheadChargeGranularity

Value Type: REG_DWORD

Default: 1 page

Valid Range: A power of 2

Description: This parameter determines the increments in which overhead is actually charged. The default is one page; the intention is to charge overhead accurately and so contain hostile applications that try to run the system out of memory.

PriorityBoost

Value Type: REG_DWORD

Default: 2

Valid Range: 0–16

Description: The priority boost that AFD gives to a thread when it completes I/O for that thread. If a multithreaded application experiences starvation of some threads, the problem may be remedied by reducing this value.

SmallBufferListDepth

Value Type: REG_DWORD

Default: 8/16/32

Description: Depth of the small buffer look-aside list.

SmallBufferSize

Value Type: REG_DWORD

Default: 128

Description: The size in bytes of small buffers used by AFD.

StandardAddressLength

Value Type: REG_DWORD

Default: 22

Description: The length of TDI addresses that are typically used for the computer. When using an alternate transport protocol, such as TP4, which uses very long addresses, increasing this value results in a slight performance improvement.

TransmitIoLength

Value Type: REG_DWORD

Default: PAGE_SIZE/PAGE_SIZE*2/65536

Description: The default size for I/O (reads and sends) performed by TransmitFile(). For Windows XP Professional, the default I/O size is exactly one page.

TransmitWorker

Value Type: REG_DWORD

Default: 0x10

Valid Range: 0x10, 0x20

Description: This parameter controls how Afd.sys uses system threads. Setting it to 0x10 causes AFD to use system threads to perform the I/O that results from a long (more than 2 SendPacketLength worth of data) TransmitFile request. Setting it to 0x20 causes AFD to use a kernel-mode APC for the I/O and to execute everything in the context of the same thread. This is new in Windows Server 2003 and can improve performance by reducing the number of context switches in long TransmitFile requests.

Dynamic Update Registration Parameters

These parameters control behavior of the dynamic update DNS registration client. If a parameter is not present, the default value listed is used.

DNSQueryTimeouts

Key: Tcpip\Parameters

Value Type: REG_MULTI_SZ—list of timeouts terminated by a zero

Valid Range: valid list of numbers

Default: 1 2 2 4 8 0 (format note: press Enter after entering each number and terminate the list with a zero)

Description: This parameter can be used to change the DNS query timeouts that the DNS client uses. In a controlled non-Internet or low-delay environment this could be used to decrease the time to failure of the query.

DefaultRegistrationTTL

Key: Tcpip\Parameters

Value Type: REG_DWORD—seconds

Default: 0x4B0 (1200 decimal, or 20 minutes)

Valid Range: 0–0xFFFFFFFF

Description: This parameter can be used to control the TTL value sent dynamically with DNS registrations.

EnableAdapterDomainNameRegistration

Key: Tcpip\Parameters\Interfaces\interface

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false)

Description: This parameter can be used to enable DNS dynamic update registration of a specific adapter's domain name information. This setting is useful when registrations of the adapter address(es) under the adapter's domain name are needed. When this key is set to true and DisableDynamicUpdate is false, the given adapter's address(es) is registered under the specific adapter's domain name and under the system's primary domain name.

DisableDynamicUpdate

Key: Tcpip\Parameters, Tcpip\Parameters\Interfaces\interface

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false; dynamic update-enabled)

Description: This parameter can be used to completely disable DNS dynamic update registration. This parameter is both a per-interface parameter and a global parameter, depending upon where the registry key is located. If the value at the Tcpip\Parameters level is set to 1, dynamic update is disabled for the entire system. If the value at the Tcpip\Parameters level is set to 0, dynamic updates can be disabled on a per-adapter basis.

DisableReplaceAddressesInConflicts

Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false)

Description: This parameter is used to turn off the address registration conflict rule that the last writer wins. By default, a computer does not replace any current records on the DNS server that do not appear to have been owned by it at one time.

DisableReverseAddressRegistrations

Key: Tcpip\Parameters\Interfaces\interface

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false; registration of PTR records enabled)

Description: This parameter can be used to turn off DNS dynamic update reverse address (PTR) record registration. If the DHCP server that configures this computer is running Windows Server 2003, then it is capable of registering the PTR record with the DNS dynamic update protocol. However, if the DHCP server is not capable of performing DNS dynamic update PTR registrations and you do not want to register PTR records with the DNS dynamic update protocol, set this parameter to 1.

UpdateSecurityLevel

Key: Tcpip\Parameters

Value Type: REG_DWORD—flags

Default: 0

Valid Range: 0, 0x00000010, 0x00000020, 0x00000100

Description: This parameter can be used to control the security that is used for DNS dynamic updates. It defaults to 0, to try nonsecure update, and if refused, to send Windows Server 2003 secure dynamic updates. Valid values are listed below:

  • 0x00000000—default, nonsecure updates

  • 0x00000010—security OFF

  • 0x00000100—secure ONLY ON

DNS Caching Resolver Service Registry Parameters

Windows Server 2003 includes a DNS caching resolver service. This service caches Domain Name Resolver (DNR) answers so that the DNS server does not need to be queried repeatedly for the same information. The service can be stopped using the Service Control Manager MMC snap-in. Registry parameters for this service are located under the \System\CurrentControlSet\Services\Dnscache\Parameters key.

AdapterTimeoutCacheTime

Value Type: REG_DWORD—seconds

Valid Range: 0–0xFFFFFFFF

Default: 300 (5 minutes)

Description: The amount of time that a particular adapter on a multihomed computer is disabled when a DNS query attempt fails (times out) for all of that adapter's DNS servers. For instance, if you have two adapters and the DNS servers on one of the networks are unreachable, the resolver marks that adapter as unusable for this time period. (A Plug and Play event or a cache time-out forces the resolver to retry this interface and mark it as disabled again, if needed.)

DefaultRegistrationRefreshInterval

Value Type: REG_DWORD—time in seconds

Default: 0x15180 (86400 decimal, or 24 hours)

Range: 0–0xFFFFFFFF

Description: This parameter can be used to control the dynamic update DNS registration refresh interval.

MaxCacheEntryTtlLimit

Value Type: REG_DWORD—time in seconds

Default: 0x15180 (86400 decimal)

Valid Range: 0–0xFFFFFFFF (suggested value less than one day, to prevent very stale records)

Description: This parameter can be used to control the maximum cache entry time-to-live (TTL) value. It overrides any value that may have been set on a specific record that is larger.

MaxSOACacheEntryTtlLimit

Value Type: REG_DWORD—time, in seconds

Valid Range: 0–0xFFFFFFFF

Default: 120 (2 minutes)

Description: The maximum number of seconds that the resolver cache caches any SOA records. This value overrides any TTL value greater than itself for a specific SOA record that is returned from a DNS query. SOA records are essential for dynamic updates; therefore, they are not cached for long, to ensure that the most up-to-date record data is available for the DNS start of authority.

NegativeCacheTime

Value Type: REG_DWORD—time, in seconds

Default: 0x12c (300 decimal, or 5 minutes)

Valid Range: 0–0xFFFFFFFF (the suggested value is less than one day, to prevent very stale records)

Description: This parameter can be used to control the cache time for negative records.

NegativeSOACacheTime

Value Type: REG_DWORD—time, in seconds

Default: 0x78 (120 decimal, or 2 minutes)

Valid Range: 0–0xFFFFFFFF (the suggested value is less than five minutes)

Description: This parameter can be used to control the cache time for negative Start of Authority (SOA) records. DNS registrations that fail are retried at five and ten minutes, so if this value is set to five minutes or more, retries are answered negatively from cache, instead of from the server, which could be available.

NetFailureErrorPopupLimit

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false)

Description: This parameter enables the UI popup to indicate that the DNS resolver was unable to query (reach) the configured DNS servers for a repeated number of query attempts.

NetFailureCacheTime

Value Type: REG_DWORD—time, in seconds

Default: 0x1e (30 decimal)

Valid Range: 0–0xFFFFFFFF (suggested value is less than five minutes)

Description: This parameter is used to control the general network failure cache time. It prevents the resolver from querying for a period of time when it has been detected that a time-out error is occurring for queries against all known DNS servers. This avoids slowness (caused by time-outs) when the network does not respond.

Name Resolution Parameters

The following list of parameters is used by the Domain Name Resolver service.

AllowUnqualifiedQuery

Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0

Description: This parameter controls whether or not the Domain Name Resolver queries the Domain Name Server(s) with the host name, followed by a dot (.) only (an unqualified query). For example, if your computer is in mydomain.com and you ping target, by default the DNS is queried for target.mydomain.com only. When this parameter is set to 1, target is also queried.

DisjointNameSpace

Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 1

Description: This parameter instructs the DNR to treat each interface as a disjoint name space. On a multihomed computer, a query to the DNS server(s) that is/are configured for one interface may result in a name error. This parameter is used to instruct the resolver to try the query against the possible DNS servers that are configured for other interfaces before returning results.

PrioritizeRecordData

Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 1

Description: This parameter controls whether or not the Domain Name Resolver sorts the addresses that are returned in response to a query for a multihomed host. By default, the DNR sorts addresses that are on the same subnet as one of the interfaces in the querying computer to the top of the list. This is done to give preference to a common-subnet (non-routed) IP address, when possible.

QueryIpMatching

Key: Tcpip\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 1

Description: This parameter controls whether or not the IP address of the DNS server queried is matched to the IP address of the server that sent the DNS response. This can be used as a primitive security feature to ensure that the resolver is not being fooled by a random query response from some computer other than the intended DNS server.
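The three settings on this page with a direct security effect are DisableAddressSharing, UpdateSecurityLevel and QueryIpMatching. The following audit script is an added example (not Microsoft code): evaluate() applies the page's own defaults and meanings to a dictionary of values and reports the ones that leave a protection off, and read_registry_settings() fills that dictionary from the live registry with the standard-library winreg module (Windows only; the Tcpip\Parameters key is assumed to sit under the same Services path the page gives for Afd).

```python
"""Audit the security-relevant Winsock/DNS client registry values from this appendix."""
from __future__ import annotations

# value name -> (HKLM-relative key, default used when the value is absent, per the page)
SETTINGS = {
    "DisableAddressSharing": (r"SYSTEM\CurrentControlSet\Services\Afd\Parameters", 0),
    "UpdateSecurityLevel":   (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", 0),
    "QueryIpMatching":       (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", 1),
}


def read_registry_settings() -> dict[str, int]:
    """Read the three values from the live registry (Windows only).

    A missing key or value is reported as the page's documented default,
    because that is what the system behaves as when nothing is set.
    """
    import winreg  # standard library, present only on Windows builds of Python
    found: dict[str, int] = {}
    for name, (subkey, default) in SETTINGS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, _kind = winreg.QueryValueEx(key, name)
                found[name] = int(value)
        except FileNotFoundError:  # key or value absent -> default applies
            found[name] = default
    return found


def evaluate(settings: dict[str, int]) -> dict[str, str]:
    """Return {value name: finding} for each setting that leaves a protection off.

    Absent entries take the page's defaults, so evaluate({}) describes an
    untouched system. Only the meanings stated in the appendix are used.
    """
    merged = {name: settings.get(name, default) for name, (_key, default) in SETTINGS.items()}
    findings: dict[str, str] = {}
    if merged["DisableAddressSharing"] == 0:
        findings["DisableAddressSharing"] = (
            "0: SO_REUSEADDR sharing between processes is allowed; older services that "
            "do not set SO_EXCLUSIVEADDRUSE are not protected")
    level = merged["UpdateSecurityLevel"]
    if level == 0x10:
        findings["UpdateSecurityLevel"] = "0x10: secure dynamic update is OFF"
    elif level == 0:
        findings["UpdateSecurityLevel"] = (
            "0: nonsecure update is attempted first, secure update only if refused")
    if merged["QueryIpMatching"] == 0:
        findings["QueryIpMatching"] = (
            "0: responses are accepted from addresses other than the queried DNS server")
    return findings


if __name__ == "__main__":
    for name, text in evaluate(read_registry_settings()).items():
        print(f"{name} = {text}")
```

A system hardened to the page's recommendations (DisableAddressSharing 1, UpdateSecurityLevel 0x100, QueryIpMatching 1) produces no findings.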

UseDomainNameDevolution

Key: Tcpip\Parameters

Value Type: REG_DWORD—binary

Valid Range: 0, 1 (false, true)

Default: 1 (true)

Description: This parameter can be used to disable domain name devolution for unqualified DNS queries. Devolution describes the process of attempting to locate a host in the DNS by first appending the domain suffix of the client to the host name, and then querying for the full string. If that query fails, one label is removed at a time, and the query is resubmitted. For example, if a user or application on the computer mycomputer.support.microsoft.com attempts to reach a host named target, the DNR by default tries target.support.microsoft.com, and target.microsoft.com, and possibly target, depending on the value of the AllowUnqualifiedQuery parameter.
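The devolution sequence described here, together with the AllowUnqualifiedQuery behaviour above, as an added example (not Microsoft code) that builds the ordered list of names the resolver tries for an unqualified host name. One assumption is made where the page is silent: devolution stops once the suffix is down to two labels, which is what the page's own example (ending at target.microsoft.com) shows.

```python
"""Model the DNR's candidate names for an unqualified query (added example)."""
from __future__ import annotations


def devolution_candidates(host: str, computer_fqdn: str,
                          use_devolution: int = 1,
                          allow_unqualified: int = 0) -> list[str]:
    """Return the fully qualified names queried, in order, for an unqualified host name.

    host              -- the unqualified name the user asked for, e.g. "target"
    computer_fqdn     -- the querying computer's own FQDN, e.g. "mycomputer.support.microsoft.com"
    use_devolution    -- value of UseDomainNameDevolution (page default 1)
    allow_unqualified -- value of AllowUnqualifiedQuery (page default 0)
    """
    # The computer's primary domain suffix is its FQDN without the leading host label.
    suffix_labels = computer_fqdn.rstrip(".").split(".")[1:]
    candidates: list[str] = []

    # First attempt: host name with the full primary suffix appended.
    if suffix_labels:
        candidates.append(f"{host}.{'.'.join(suffix_labels)}")

    # Devolution: drop one leading label at a time and requery. Assumption: stop
    # once fewer than two labels remain, matching the page's example.
    if use_devolution:
        labels = suffix_labels[1:]
        while len(labels) >= 2:
            candidates.append(f"{host}.{'.'.join(labels)}")
            labels = labels[1:]

    # The bare name followed by a dot only is sent solely when AllowUnqualifiedQuery=1.
    if allow_unqualified:
        candidates.append(f"{host}.")
    return candidates


if __name__ == "__main__":
    for name in devolution_candidates("target", "mycomputer.support.microsoft.com",
                                      allow_unqualified=1):
        print(name)
```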