Appendix C: Windows Sockets and DNS Registry Parameters
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
AFD Registry Parameters
Afd.sys is the kernel-mode driver that is used to support Windows Sockets applications. When there are three default values, the default is calculated based on the amount of memory detected in the system:
The first value is the default for smaller computers (less than 19 MB).
The second value is the default for medium computers (<32 MB on Windows XP Professional, <64 MB on Windows Server 2003).
The third value is the default for large computers (>32 MB on Windows XP Professional, >64 MB on Windows Server 2003).
For example, if the default is given as 0/2/10, a system containing 12.5 to 20 MB of RAM would default to 2.
The following values can be set under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters
DefaultReceiveWindow
Value Type: REG_DWORD
Default: 4096/8192/8192
Description: The number of receive bytes that AFD buffers on a connection before imposing flow control. For some applications, a larger value here gives slightly better performance at the expense of increased resource utilization. Applications can modify this value on a per-socket basis with the SO_RCVBUF socket option.
DefaultSendWindow
Value Type: REG_DWORD
Default: 4096/8192/8192
Description: This is similar to DefaultReceiveWindow, but for the send side of connections.
DisableAddressSharing
Value Type: REG_DWORD
Default: 0
Range: 0, 1
Description: This parameter is used to prevent address sharing (SO_REUSEADDR) between processes so that if a process opens a socket, no other process can steal data from it. A similar effect can be achieved if an application uses the new socket option SO_EXCLUSIVEADDRUSE. This setting allows administrators to secure older applications that are not aware of this option.
FastCopyReceiveThreshold
Value Type: REG_DWORD
Default: 1024
Description: When an application posts a receive with a buffer that is smaller than the current packet being buffered by Winsock, AFD can either make an additional copy of the packet and then copy data to the application buffers directly (which is a two-stage copy because application buffers cannot be accessed directly under the lock), or it can lock and map application buffers and copy data once. This value represents a compromise between extra code execution for data copying, and extra code execution in the I/O subsystem and memory manager. The default value was found, by testing, to be the best overall value for performance. Changing this value is not generally recommended.
FastSendDatagramThreshold
Value Type: REG_DWORD
Default: 1024
Description: Datagrams smaller than the value of this parameter go through the fast I/O path or are buffered on send. Larger ones are held until the datagram is actually sent. The default value was found by testing to be the best overall value for performance. Fast I/O means copying data and bypassing the I/O subsystem, instead of mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing this value is not generally recommended.
IgnorePushBitOnReceives
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0 (false)
Description: Normally, Windows Server 2003 completes a Windows Sockets Receive when one of the following occurs:
Data arrives with the push bit set.
The user recv buffer is full.
0.5 seconds have elapsed since any data arrived.
Setting this parameter to 1 causes Afd.sys to treat all incoming packets as though the push bit was set. This should only be done when necessary to work around client TCP/IP implementations that are not properly pushing data.
LargeBufferSize
Value Type: REG_DWORD
Default: PAGE_SIZE (4096 bytes on i386, 8192 bytes on Alpha)
Description: The size, in bytes, of large buffers used by AFD. Smaller values use less memory and larger values can improve performance.
LargeBufferListDepth
Value Type: REG_DWORD
Default: 0/2/10
Description: Depth of large buffer look-aside list.
MaxFastTransmit
Value Type: REG_DWORD
Valid Range: 0–0xFFFFFFFF
Default: 64 KB
Description: This parameter controls the maximum amount of data that is transferred in a TransmitFile request on the fast path. Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing this value is not generally recommended.
MaxFastCopyTransmit
Value Type: REG_DWORD
Valid Range: 0–0xFFFFFFFF
Default: 128
Description: This parameter controls the maximum size of data that uses copy instead of cached memory on the fast-path. Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing this value is not generally recommended.
MediumBufferSize
Value Type: REG_DWORD
Default: 1504
Description: The size, in bytes, of medium buffers used by AFD.
MediumBufferListDepth
Value Type: REG_DWORD
Default: 4/8/24
Description: Depth of medium buffer look-aside list.
OverheadChargeGranularity
Value Type: REG_DWORD
Default: 1 page
Valid Range: A power of 2
Description: This parameter determines in what increments overhead is actually charged. The default is one page, and the intention is to properly charge and contain attacker type applications that try to run the system out of memory.
PriorityBoost
Value Type: REG_DWORD
Default: 2
Valid Range: 0–16
Description: The priority boost that AFD gives to a thread when it completes I/O for that thread. If a multithreaded application experiences starvation of some threads, the problem may be remedied by reducing this value.
SmallBufferListDepth
Value Type: REG_DWORD
Default: 8/16/32
Description: Depth of the small buffer look-aside list.
SmallBufferSize
Value Type: REG_DWORD
Default: 128
Description: The size in bytes of small buffers used by AFD.
StandardAddressLength
Value Type: REG_DWORD
Default: 22
Description: The length of TDI addresses that are typically used for the computer. When using an alternate transport protocol, such as TP4, which uses very long addresses, increasing this value results in a slight performance improvement.
TransmitIoLength
Value Type: REG_DWORD
Default: PAGE_SIZE/PAGE_SIZE*2/65536
Description: The default size for I/O (reads and sends) performed by TransmitFile(). For Windows XP Professional, the default I/O size is exactly one page.
TransmitWorker
Value Type: REG_DWORD
Default: 0x10
Valid Range: 0x10, 0x20
Description: This parameter controls how Afd.sys uses system threads. Setting it to 0x10 causes AFD to use system threads to perform I/O that results from a long (more than 2 SendPacketLength worth of data) TransmitFile request. Setting it to 0x20 causes AFD to use kernel-mode APC for I/O and to execute everything in the context of the same thread. This is new in Windows Server 2003 and can improve performance by reducing the number of context switches in long TransmitFile requests.
Dynamic Update Registration Parameters
These parameters control behavior of the dynamic update DNS registration client. If a parameter is not present, the default value listed is used.
DNSQueryTimeouts
Key: Tcpip\Parameters
Value Type: REG_MULTI_SZ—list of timeouts terminated by a zero
Valid Range: valid list of numbers
Default: 1 2 2 4 8 0 (format note: after entering each number hit return and terminate the list with zero)
Description: This parameter can be used to change the DNS query timeouts that the DNS client uses. In a controlled non-Internet or low-delay environment this could be used to decrease the time to failure of the query.
DefaultRegistrationTTL
Key: Tcpip\Parameters
Value Type: REG_DWORD—seconds
Default: 0x4B0 (1200 decimal, or 20 minutes)
Valid Range: 0–0xFFFFFFFF
Description: This parameter can be used to control the TTL value sent dynamically with DNS registrations.
EnableAdapterDomainNameRegistration
Key: Tcpip\Parameters\Interfaces\interface
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0 (false)
Description: This parameter can be used to enable DNS dynamic update registration of a specific adapter's domain name information. This setting is useful when registrations of the adapter address(es) under the adapter's domain name are needed. When this key is set to true and DisableDynamicUpdate is false, the given adapter's address(es) is registered under the specific adapter's domain name and under the system's primary domain name.
DisableDynamicUpdate
Key: Tcpip\Parameters, Tcpip\Parameters\Interfaces\interface
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0 (false; dynamic update-enabled)
Description: This parameter can be used to completely disable DNS dynamic update registration. This parameter is both a per-interface parameter and a global parameter, depending upon where the registry key is located. If the value at the Tcpip\Parameters level is set to 1, dynamic update is disabled for the entire system. If the value at the Tcpip\Parameters level is set to 0, dynamic updates can be disabled on a per-adapter basis.
DisableReplaceAddressesInConflicts
Key: Tcpip\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0 (false)
Description: This parameter is used to turn off the address registration conflict rule that the last writer wins. By default, a computer does not replace any current records on the DNS server that do not appear to have been owned by it at one time.
DisableReverseAddressRegistrations
Key: Tcpip\Parameters\Interfaces\interface
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0 (false; registration of PTR records enabled)
Description: This parameter can be used to turn off DNS dynamic update reverse address (PTR) record registration. If the DHCP server that configures this computer is running Windows Server 2003, then it is capable of registering the PTR record with the DNS dynamic update protocol. However, if the DHCP server is not capable of performing DNS dynamic update PTR registrations and you do not want to register PTR records with the DNS dynamic update protocol, set this parameter to 1.
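As an added illustration (not code from this appendix), the following Python models which records the dynamic update client would attempt to register for one adapter under the DisableDynamicUpdate, EnableAdapterDomainNameRegistration and DisableReverseAddressRegistrations values described above. The host name, domain names and address are constructed sample values, and using the primary-domain name as the PTR target is an assumption.

```python
# Added example, not code from this appendix: model which DNS records the
# dynamic update client registers for one adapter, given the global and
# per-interface values described above. Missing values take the documented
# defaults.
GLOBAL_DEFAULTS = {"DisableDynamicUpdate": 0}
IFACE_DEFAULTS = {
    "DisableDynamicUpdate": 0,
    "EnableAdapterDomainNameRegistration": 0,
    "DisableReverseAddressRegistrations": 0,
}


def reverse_name(ipv4):
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def planned_registrations(hostname, primary_domain, adapter_domain,
                          addresses, global_params, iface_params):
    """Return (owner, type, data) tuples the client would send.

    Precedence follows the text: DisableDynamicUpdate=1 at the global
    level disables registration for the whole system; otherwise the
    per-interface value decides. EnableAdapterDomainNameRegistration=1
    adds A records under the adapter's own domain in addition to the
    primary domain. DisableReverseAddressRegistrations=1 suppresses PTR
    records. Assumption: the PTR data is the primary-domain name.
    """
    g = {**GLOBAL_DEFAULTS, **global_params}
    i = {**IFACE_DEFAULTS, **iface_params}
    if g["DisableDynamicUpdate"] == 1 or i["DisableDynamicUpdate"] == 1:
        return []
    primary_name = f"{hostname}.{primary_domain}"
    records = []
    for addr in addresses:
        records.append((primary_name, "A", addr))
        if (i["EnableAdapterDomainNameRegistration"] == 1
                and adapter_domain and adapter_domain != primary_domain):
            records.append((f"{hostname}.{adapter_domain}", "A", addr))
        if i["DisableReverseAddressRegistrations"] == 0:
            records.append((reverse_name(addr), "PTR", primary_name))
    return records


if __name__ == "__main__":
    # Constructed sample: one adapter with its own domain, PTR enabled.
    for rec in planned_registrations("host1", "corp.example", "lab.example",
                                     ["192.0.2.10"], {},
                                     {"EnableAdapterDomainNameRegistration": 1}):
        print(rec)
```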
UpdateSecurityLevel
Key: Tcpip\Parameters
Value Type: REG_DWORD—flags
Default: 0
Valid Range: 0, 0x00000010, 0x00000020, 0x00000100
Description: This parameter can be used to control the security that is used for DNS dynamic updates. It defaults to 0, to try nonsecure update, and if refused, to send Windows Server 2003 secure dynamic updates. Valid values are listed below:
0x00000000—default, nonsecure updates
0x00000010—security OFF
0x00000100—secure ONLY ON
DNS Caching Resolver Service Registry Parameters
Windows Server 2003 includes a DNS caching resolver service. This service performs the function of caching DNR answers so that the DNS server does not need to be repeatedly queried for the same information. The service can be stopped using the Service Control Manager MMC snap-in. Registry parameters for this service are located under the \System\CurrentControlSet\Services\Dnscache\Parameters key.
AdapterTimeoutCacheTime
Value Type: REG_DWORD—seconds
Valid Range: 0–0xFFFFFFFF
Default: 300 (5 minutes)
Description: The amount of time that a particular adapter on a multihomed machine is disabled when a DNS query attempt fails (times out) for all of the given adapter's DNS servers. For instance, if you have two adapters and the DNS servers on one of the networks are unreachable, the resolver marks that adapter as unusable for this time period. (A Plug and Play event or cache time-out forces the resolver to retry this interface and mark it as disabled again, if needed.)
DefaultRegistrationRefreshInterval
Value Type: REG_DWORD—time in seconds
Default: 0x15180 (86400 decimal, or 24 hours)
Range: 0–0xFFFFFFFF
Description: This parameter can be used to control the dynamic update DNS registration refresh interval.
MaxCacheEntryTtlLimit
Value Type: REG_DWORD—time in seconds
Default: 0x15180 (86400 decimal)
Valid Range: 0–0xFFFFFFFF (suggested value less than one day, to prevent very stale records)
Description: This parameter can be used to control the maximum cache entry time-to-live (TTL) value. It overrides any value that may have been set on a specific record that is larger.
MaxSOACacheEntryTtlLimit
Value Type: REG_DWORD—time, in seconds
Valid Range: 0–0xFFFFFFFF
Default: 120 (2 minutes)
Description: The maximum number of seconds that the resolver cache caches any SOA records. This value overrides any TTL value greater than itself for a specific SOA record that is returned from a DNS query. SOA records are essential for dynamic updates; therefore, they are not cached for long, to ensure that the most up-to-date record data is available for the DNS start of authority.
NegativeCacheTime
Value Type: REG_DWORD—time, in seconds
Default: 0x12c (300 decimal, or 5 minutes)
Valid Range: 0–0xFFFFFFFF (the suggested value is less than one day, to prevent very stale records)
Description: This parameter can be used to control the cache time for negative records.
NegativeSOACacheTime
Value Type: REG_DWORD—time, in seconds
Default: 0x78 (120 decimal, or 2 minutes)
Valid Range: 0–0xFFFFFFFF (the suggested value is less than five minutes)
Description: This parameter can be used to control the cache time for negative Start of Authority (SOA) records. DNS registrations that fail are retried at five and ten minutes, so if this value is set to five minutes or more, retries are answered negatively from cache, instead of from the server, which could be available.
NetFailureErrorPopupLimit
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0 (false)
Description: This parameter enables the UI popup to indicate that the DNS resolver was unable to query (reach) the configured DNS servers for a repeated number of query attempts.
NetFailureCacheTime
Value Type: REG_DWORD—time, in seconds
Default: 0x1e (30 decimal)
Valid Range: 0–0xFFFFFFFF (suggested value is less than five minutes)
Description: This parameter is used to control the general network failure cache time. It prevents the resolver from querying for a period of time when it has been detected that a time-out error is occurring for queries against all known DNS servers. This avoids slowness (caused by time-outs) when the network does not respond.
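As an added illustration (not code from this appendix), the following Python shows how the Dnscache TTL limits above bound the lifetime of a cached answer, and checks the retry caveat documented for NegativeSOACacheTime. The record names and TTLs are constructed; which negative time applies to non-SOA lookups is an assumption noted in the code.

```python
# Added example, not code from this appendix: how the Dnscache parameters
# above bound how long an answer is held, and the retry caveat documented
# for NegativeSOACacheTime.
from dataclasses import dataclass

# Documented defaults, in seconds.
DEFAULTS = {
    "MaxCacheEntryTtlLimit": 86400,
    "MaxSOACacheEntryTtlLimit": 120,
    "NegativeCacheTime": 300,
    "NegativeSOACacheTime": 120,
}


@dataclass(frozen=True)
class Answer:
    name: str
    rtype: str              # "A", "SOA", ...
    ttl: int                # TTL carried in the response
    negative: bool = False  # name error / no-data answer


def effective_cache_ttl(ans, params=None):
    """Seconds the caching resolver keeps this answer.

    Positive answers are clamped to MaxCacheEntryTtlLimit (or
    MaxSOACacheEntryTtlLimit for SOA), which override any larger record
    TTL. Negative answers are held for NegativeCacheTime, or
    NegativeSOACacheTime when the lookup was for an SOA record
    (assumption: the page only spells out the SOA case).
    """
    p = {**DEFAULTS, **(params or {})}
    if ans.negative:
        return p["NegativeSOACacheTime" if ans.rtype == "SOA" else "NegativeCacheTime"]
    limit = p["MaxSOACacheEntryTtlLimit" if ans.rtype == "SOA" else "MaxCacheEntryTtlLimit"]
    return min(ans.ttl, limit)


def retries_answered_from_cache(params=None, retry_seconds=(300, 600)):
    """Which of the documented registration retries (5 and 10 minutes) a
    negative SOA cache entry would answer instead of the server."""
    p = {**DEFAULTS, **(params or {})}
    return [t for t in retry_seconds if t <= p["NegativeSOACacheTime"]]


if __name__ == "__main__":
    # Constructed sample: a week-long A record and a one-hour SOA.
    print(effective_cache_ttl(Answer("www.example", "A", 604800)))   # 86400
    print(effective_cache_ttl(Answer("example", "SOA", 3600)))       # 120
    print(retries_answered_from_cache({"NegativeSOACacheTime": 300}))  # [300]
```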
Name Resolution Parameters
The following list of parameters is used by the Domain Name Resolver service.
AllowUnqualifiedQuery
Key: Tcpip\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 0
Description: This parameter controls whether or not the Domain Name Resolver queries the Domain Name Server(s) with the host name, followed by a dot (.) only (an unqualified query). For example, if your computer is in mydomain.com and you ping target, by default the DNS is queried for target.mydomain.com only. When this parameter is set to 1, target is also queried.
DisjointNameSpace
Key: Tcpip\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 1
Description: This parameter instructs the DNR to treat each interface as a disjoint name space. On a multihomed computer, a query to the DNS server(s) that is/are configured for one interface may result in a name error. This parameter is used to instruct the resolver to try the query against the possible DNS servers that are configured for other interfaces before returning results.
PrioritizeRecordData
Key: Tcpip\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 1
Description: This parameter controls whether or not the Domain Name Resolver sorts the addresses that are returned in response to a query for a multihomed host. By default, the DNR sorts addresses that are on the same subnet as one of the interfaces in the querying computer to the top of the list. This is done to give preference to a common-subnet (non-routed) IP address, when possible.
QueryIpMatching
Key: Tcpip\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 1
Description: This parameter controls whether or not the IP address of the DNS server queried is matched to the IP address of the server that sent the DNS response. This can be used as a primitive security feature to ensure that the resolver is not being fooled by a random query response from some computer other than the intended DNS server.
UseDomainNameDevolution
Key: Tcpip\Parameters
Value Type: REG_DWORD—binary
Valid Range: 0, 1 (false, true)
Default: 1 (true)
Description: This parameter can be used to disable domain name devolution for unqualified DNS queries. Devolution describes the process of attempting to locate a host in the DNS by first appending the domain suffix of the client to the host name, and then querying for the full string. If that query fails, one label is removed at a time, and the query is resubmitted. For example, if a user or application on the computer mycomputer.support.microsoft.com attempts to reach a host named target, the DNR by default tries target.support.microsoft.com, and target.microsoft.com, and possibly target, depending on the value of the AllowUnqualifiedQuery parameter.
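As an added illustration (not code from this appendix), the following Python builds the ordered list of names the Domain Name Resolver would query for an unqualified host name under the UseDomainNameDevolution and AllowUnqualifiedQuery settings described above. The host and client names are constructed; the stopping rule (devolution ends once the suffix is down to two labels) follows the page's example and is an assumption beyond it.

```python
# Added example, not code from this appendix: the names the Domain Name
# Resolver tries for an unqualified host name, following the devolution
# description above and the AllowUnqualifiedQuery rule.
def query_candidates(target, client_fqdn,
                     use_domain_name_devolution=1, allow_unqualified_query=0):
    """Return the query names in the order they would be tried.

    The primary suffix is the client's FQDN minus its host label. With
    devolution on, one leading label is removed at a time; following the
    page's example this stops once the suffix is down to two labels
    (assumption: the page states no deeper stopping rule). With
    AllowUnqualifiedQuery=1 the bare name followed by a dot is tried last.
    Names containing a dot are returned unchanged (assumption: the text
    only covers single-label names).
    """
    if "." in target:
        return [target]
    labels = client_fqdn.rstrip(".").split(".")[1:]   # drop the host label
    candidates = []
    while len(labels) >= 2:
        suffix = ".".join(labels)
        candidates.append(f"{target}.{suffix}")
        if use_domain_name_devolution != 1:
            break
        labels = labels[1:]
    if allow_unqualified_query == 1:
        candidates.append(target + ".")
    return candidates


if __name__ == "__main__":
    # Constructed sample matching the page's example.
    for name in query_candidates("target", "mycomputer.support.microsoft.com",
                                 allow_unqualified_query=1):
        print(name)
```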