Secure the Server Cache Against Name Pollution

Applies To: Windows Server 2008

By default, the DNS Server service is secured against cache pollution. Cache pollution occurs when a DNS server accepts into its cache data from a query response that the responding server had no authority to provide, for example records for an unrelated domain that an attacker has tucked into the authority or additional section of a referral. With the Secure cache against pollution option enabled, the DNS Server service discards resource records in a response whose owner names are not related to the name it queried (records outside the zone the responding server is answering for), so an attacker cannot seed the cache with records the server never asked for. Clearing this option reduces the integrity of the answers the DNS Server service returns to clients, because every record that arrives in a response, requested or not, is then accepted into the cache. Note that this check only filters unsolicited records; it does not by itself protect against a forged answer for the queried name that arrives before the genuine one, which is addressed separately by transaction ID and source-port randomization and by DNSSEC validation. You can use this procedure to restore the default setting if it was previously changed.
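The following PowerShell script is an added example and not part of the original page or of the DNS Server service's own code. It is a simplified model of the check described above: a resolver that queried www.example.com and received a referral from a server answering for example.com keeps only records at or below example.com and drops everything else. The records, names and addresses are constructed for the demonstration; the real service applies its own rules, and this script only illustrates the principle.

```powershell
# Added example (not from the original page): a simplified model of the
# check that "Secure cache against pollution" applies. A resolver queried
# www.example.com and got a referral from a name server answering for
# example.com. Records whose owner name is not at or below example.com must
# not be cached, whatever the response contains.
# All sample records below are constructed for the demonstration.

function Test-InBailiwick {
    param(
        [Parameter(Mandatory)] [string]$OwnerName,   # owner name of the record
        [Parameter(Mandatory)] [string]$Bailiwick    # zone the responder is trusted for
    )
    $owner = $OwnerName.TrimEnd('.').ToLowerInvariant()
    $zone  = $Bailiwick.TrimEnd('.').ToLowerInvariant()
    # Exact match or a proper subdomain. The comparison is on a label boundary
    # (leading dot), so "notexample.com" is NOT inside "example.com".
    return ($owner -eq $zone) -or $owner.EndsWith(".$zone")
}

function Select-CacheableRecord {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [Parameter(Mandatory)] [string]$Bailiwick
    )
    foreach ($rr in $Records) {
        if (Test-InBailiwick -OwnerName $rr.Name -Bailiwick $Bailiwick) {
            $rr
        } else {
            Write-Warning ("Discarding out-of-bailiwick record: {0} {1} {2}" -f $rr.Name, $rr.Type, $rr.Data)
        }
    }
}

# Constructed response to a query for www.example.com, answered by a server
# authoritative for example.com. The last two records are the "pollution":
# unsolicited data about other domains riding along in the response.
$response = @(
    [pscustomobject]@{ Name = 'www.example.com.'; Type = 'A';  Data = '192.0.2.10' }
    [pscustomobject]@{ Name = 'example.com.';     Type = 'NS'; Data = 'ns1.example.com.' }
    [pscustomobject]@{ Name = 'ns1.example.com.'; Type = 'A';  Data = '192.0.2.53' }
    [pscustomobject]@{ Name = 'www.contoso.com.'; Type = 'A';  Data = '198.51.100.66' }
    [pscustomobject]@{ Name = 'notexample.com.';  Type = 'A';  Data = '203.0.113.9' }
)

$cacheable = Select-CacheableRecord -Records $response -Bailiwick 'example.com'
$cacheable | Format-Table -AutoSize
# With protection on, only the three example.com records reach the cache.
# With it off, all five would be cached and the bogus www.contoso.com address
# would be served to clients until its TTL expired.
```

The label-boundary comparison in Test-InBailiwick is the part worth getting right: a plain string suffix test would let an attacker who controls notexample.com smuggle records past a check for example.com.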

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To secure the server cache against name pollution

  1. Open DNS Manager.

  2. In the console tree, click the applicable DNS server.

    Where?

    • DNS/applicable DNS server

  3. On the Action menu, click Properties.

  4. Click the Advanced tab.

  5. In Server options, select the Secure cache against pollution check box, and then click OK.
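The same setting can be audited and restored from the command line, which is useful when you need to check many servers or enforce the default from a script. The following PowerShell script is an added example, not part of the original page; it uses dnscmd.exe, which ships with the DNS Server role on Windows Server 2008, and the SecureResponses registry value that the check box writes. Run it in an elevated prompt on the DNS server as a member of Administrators.

```powershell
# Added example (not from the original page): check and enforce the
# "Secure cache against pollution" setting with dnscmd.exe and the
# registry value it maintains. Run elevated, on the DNS server.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-SecureResponsesSetting {
    # The SecureResponses value is absent when the server has never been
    # changed from its default, and the default is "enabled".
    $value = (Get-ItemProperty -Path $paramKey -Name 'SecureResponses' -ErrorAction SilentlyContinue).SecureResponses
    if ($null -eq $value) { return $true }
    return ([int]$value -ne 0)
}

function Enable-SecureResponses {
    # "dnscmd /Config /SecureResponses 1" is the command-line equivalent of
    # selecting the check box on the Advanced tab.
    & dnscmd.exe /Config /SecureResponses 1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd failed with exit code $LASTEXITCODE"
    }
}

if (Get-SecureResponsesSetting) {
    Write-Host 'Secure cache against pollution is already enabled.'
} else {
    Write-Warning 'Secure cache against pollution is DISABLED; restoring the default.'
    Enable-SecureResponses
}

# Confirm what the running service reports. dnscmd queries the live
# configuration rather than only the registry.
& dnscmd.exe /Info /SecureResponses
```

On Windows Server 2012 and later the DnsServer PowerShell module (not available on Windows Server 2008) exposes the same setting as the EnablePollutionProtection property of Get-DnsServerCache, and Set-DnsServerCache -PollutionProtection $true restores the default.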

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  • The Secure cache against pollution option is enabled by default.

Additional references