Secure the DNS Cache

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Cache pollution occurs when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option prevents an attacker from successfully polluting the cache of a DNS server with resource records that were not requested by the DNS server. Changing this default setting is a security risk that can allow an attacker to insert data into the DNS cache that redirects DNS clients to a malicious site. You can use this procedure to restore the default setting if it was previously changed.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To secure the server cache against names pollution

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. On the Action menu, click Properties.

  4. Click the Advanced tab.

  5. In Server options, select the Secure cache against pollution check box, and then click OK.


The Secure cache against pollution option is enabled by default.

See Also


Checklist: Implementing a Secure DNS Configuration