Registry Tip #41: Windows 2000 DNS Client Resolver Security



The Windows 2000 client DNS resolver accepts responses from DNS servers that it did not query. This behavior improves performance but can be a security risk if the responding DNS servers have been compromised. If you want to disable this default behavior, use the following registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
Name: QueryIpMatching
Type: REG_DWORD
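Value:
1 = Disable (responses from DNS servers that were not queried are no longer accepted)
0 = Enable (the default behavior described above)
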
If you are interested in this item as a security setting, note that it is not a domain-level setting; it has to be set on each workstation and server individually.
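
Because the value has to be set host by host, the following added example (not part of the original tip) audits a list of machines over remote registry and, with `-Enforce`, writes the value. It assumes the Remote Registry service is reachable, that the caller has administrative rights on each host, and that the script is run from a management workstation with PowerShell 3.0 or later; the host names are placeholders.

```powershell
# Added example: audit (and optionally set) QueryIpMatching on a list of hosts.
# Assumptions: host names are placeholders; Remote Registry is reachable and
# the caller has administrative rights on every host in the list.
param(
    [string[]]$ComputerName = @('WS01', 'SRV01'),  # placeholder host names
    [switch]$Enforce                                # write the value when present
)

$subKey    = 'SYSTEM\CurrentControlSet\Services\DnsCache\Parameters'
$valueName = 'QueryIpMatching'
$wanted    = 1   # per the tip: 1 = stop accepting responses from non-queried servers

foreach ($computer in $ComputerName) {
    $result = [pscustomobject]@{
        Computer = $computer; Before = $null; After = $null; Status = ''
    }
    $base = $null; $key = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
        # Open the key writable only when enforcing, so an audit needs read access only.
        $key = $base.OpenSubKey($subKey, [bool]$Enforce)
        if ($null -eq $key) { throw "Key not found: HKLM\$subKey" }

        # A missing value means the default behavior described in the tip applies.
        $current = $key.GetValue($valueName, $null)
        $result.Before = if ($null -eq $current) { '(not set)' } else { $current }

        if ($current -eq $wanted) {
            $result.Status = 'Compliant'
        } elseif ($Enforce) {
            $key.SetValue($valueName, $wanted, [Microsoft.Win32.RegistryValueKind]::DWord)
            $result.After  = $key.GetValue($valueName)   # read back to confirm the write
            $result.Status = 'Changed'
        } else {
            $result.Status = 'NonCompliant'
        }
    } catch {
        # Unreachable host, access denied, missing key: report and continue.
        $result.Status = "Error: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
    $result   # one object per host; pipe to Format-Table or Export-Csv
}
```

Run it without `-Enforce` first to get a compliance report, and keep the output as a record of which hosts still use the default.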





Keywords: Windows 2000 Registry Tip, client, DNS, resolution, security setting, default, accept responses, compromised server, risk