Problem: you are running NT's DNS service and it's failing to resolve some domains, but everything else works fine. Restarting the DNS service seems to cure it for a while, but later you notice that there are again domains that don't resolve. Normally you see this in your email server, because mail gets returned with a "cannot resolve" error. Well folks, here is the solution: do the registry edit, then stop and start the DNS service.

 


PSS ID Number: Q241352
Article last modified on 01-12-2001

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Server version 4.0 
- Microsoft Windows 2000 Datacenter Server 
- Microsoft Windows 2000 Advanced Server 
- Microsoft Windows 2000 Server 
-------------------------------------------------------------------------------

IMPORTANT: This article contains information about editing the registry. 
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring 
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help 
topic in Regedt32.exe.

SUMMARY
=======

DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been
encountered. The term "spoofing" describes the sending of non-secure data in
response to a DNS query. It can be used to redirect queries to a rogue DNS
server and can be malicious in nature.

MORE INFORMATION
================

WARNING: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it. If
you are running Windows NT or Windows 2000, you should also update your
Emergency Repair Disk (ERD).

Windows NT 4.0
--------------

With Windows NT 4.0 Service Pack 4 (SP4) or later, a Windows NT-based DNS server
can filter out the responses for these non-secure records.

To enable this feature:

1. Start Registry Editor (Regedt32.exe).

2. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

3. On the Edit menu, click Add Value, and then add the following registry value:

Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)

4. Quit Registry Editor.

By default, this key does not exist and non-secure data is not eliminated from
responses.

For additional information, click the article number below to view the article in
the Microsoft Knowledge Base:

Q198409 Microsoft DNS Server Registry Parameters, Part 2 of 3

Windows 2000
------------

A Windows 2000-based DNS server can filter out the responses for these non-secure
records.

To enable this feature:

1. Start Registry Editor (Regedt32.exe).

2. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

3. On the Edit menu, click Add Value, and then add the following registry value:

Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)

4. Quit Registry Editor.

By default, this key does not exist and non-secure data is not eliminated from
responses.
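
An added example, not part of the Microsoft article: a Python check that reads a Regedit text export (.reg file) of the DNS Parameters key and reports whether SecureResponses is set as both procedures above describe. The function name, status strings and sample export are assumptions made for this illustration.

```python
import re

# Key and value name as given in the article; registry names are case-insensitive.
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters"
VALUE = "SecureResponses"
SECTION = re.compile(r"^\[(.+)\]$")
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export (not from a real server): the value name has a space.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"Secure Responses"=dword:00000001
'''


def audit_secure_responses(reg_text):
    """Return (status, detail) for a Regedit text export of a DNS server.

    status: "enabled", "disabled", "missing", "misnamed" or "wrong-type".
    """
    in_key = False
    near_miss = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            # Exact key match only; subkeys of Parameters are other sections.
            in_key = m.group(1).lower() == KEY.lower()
            continue
        m = ENTRY.match(line) if in_key else None
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name.lower() == VALUE.lower():
            d = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
            if not d:
                return "wrong-type", "value is not REG_DWORD: " + data
            n = int(d.group(1), 16)
            # Only the value 1 documented in the article counts as enabled.
            return ("enabled" if n == 1 else "disabled"), "dword = %d" % n
        # A name differing only by spaces is a different registry value.
        if "".join(name.split()).lower() == VALUE.lower():
            near_miss = name
    if near_miss is not None:
        return "misnamed", "found %r, expected %r" % (near_miss, VALUE)
    return "missing", "value absent: default, non-secure data not eliminated"


if __name__ == "__main__":
    print(audit_secure_responses(SAMPLE))
```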

=============================================================================
Copyright Microsoft Corporation 2001.