6.3 Advanced Resolver Features
The Windows 2000 resolver has some advanced features that are worth describing here.
The Windows 2000 resolver stores every record it receives in a shared cache available to all programs on the system. The Windows NT 4.0 resolver caches, but only on a per-process basis. For example, if you have two different web browsers running (say, Internet Explorer and Netscape Navigator), each has its own copy of the resolver with a separate cache. Windows 98, 95, and 3.1 resolvers don't do any caching.
The Windows 2000 resolver obeys the TTL (time to live) field on resource records it caches, up to a maximum of 24 hours by default. So if a record specifies a TTL longer than that, the resolver rounds down to 24 hours. This maximum TTL is configurable with a Registry setting:
MaxCacheEntryTtlLimit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters Data type: REG_DWORD Range: 0x0 - 0xFFFFFFFF seconds Default value: 0x15180 (86,400 seconds = 24 hours)
The Windows 2000 resolver also supports negative caching. It caches negative responses for five minutes by default. This negative caching timeout is also configurable with a Registry setting:
NegativeCacheTime HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters Data type: REG_DWORD Range: 0x0 - 0xFFFFFFFF seconds Default value: 0x12C (300 seconds = 5 minutes)
To disable negative caching altogether, set this value to zero.
To view the resolver's cache, use ipconfig /displaydns . To clear the cache, type ipconfig /flushdns .
6.3.2 Subnet Prioritization
This feature is analogous to the BIND resolver's address-sorting feature. When the resolver receives multiple address records for the same domain name , it examines the IP address in each record and adjusts the order of the records before returning the list to the calling application: any records with IP addresses on the same subnets as the host on which the resolver is running are moved to the top of the list. Since most applications use addresses in the order returned by the resolver, this behavior causes traffic to remain on local networks.
For example, Movie University has two mirrored web servers on two different subnets:
www.movie.edu. IN A 18.104.22.168 www.movie.edu. IN A 22.214.171.124
Let's say the resolver on terminator.movie.edu (126.96.36.199) sends a query and receives these records. It sorts the record with address 188.8.131.52 to the top of the list because terminator shares a network with that address.
Note that this behavior defeats the round- robin feature implemented by most name servers. Round robin refers to the name server behavior of rotating the order of multiple address records in successive responses to distribute the load among the servers (again taking advantage of the behavior of most applications to use the first address in the list returned by the resolver). With subnet prioritization enabled, the order of the records is subject to shuffling by the resolver. You can disable subnet prioritization with a Registry setting:
PrioritizeRecordData HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters Data type: REG_DWORD Range: 0 - 1 Default value: 1 (Subnet prioritization enabled)
6.3.3 Loose Response Acceptance
By default, the Windows 2000 resolver accepts and caches any response it receives, even if it arrives from an unexpected source (i.e., a name server the resolver did not query)! We think this behavior is more than a little dangerous because it opens up your resolver to spoofing attacks. It's easy to forge a DNS response and send it to an unsuspecting resolver, which then caches it. Fortunately, this behavior can be disabled with a Registry setting:
QueryIpMatching HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters Data type: REG_DWORD Range: 0 - 1 Default value: 0 (IP addresses of responses are not checked)