Interesting article on DNS cache tweaks

Discussion in 'other security issues & news' started by spy1, Jun 5, 2006.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.techiwarehouse.com/cms/engine.php?page_id=163e0b14

    I had just yesterday contacted the authors of both CleanCache and Index.datSuite to see if an option could be added to have the DNS cache flushed at every restart - then I read this article this morning when trying to learn more about it.

    The QueryIpMatching addition looked useful, too. Pete
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    The ability to flush the DNS cache will be an option in the upcoming release of a new version of Index.dat Suite per Steven Burns' email just received. Pete
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi Spy,

    That link doesn't seem to work for me, even though it appears to be correct after fetching it via a Google search cache!

    Good news about the upcoming DNS clearout in a future Index.datSuite. Won't affect me or those on 98SE though. So you like my "better than sliced bread" phrase I see you posted on BBR lol.


    StevieO
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    StevieO - For some reason, the link's not working here for me in Firefox - but it does work in IE (quoting applicable section):

    "Configure the DNS Resolver Cache
    A way to minimize problems from the long default wait times that are used for holding data in the DNS cache is to reduce the times (known as Time to Live or TTL). This requires a Registry edit so should be done only by those who know how to restore their Registry. The Registry key that is involved is
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters

    The binary entry MaxCacheEntryTtlLimit can be used to control how long positive responses are kept. Values are in seconds and the default value in the absence of an entry (the usual case) is 86,400 seconds or one day. If you wish to shorten the TTL, create the entry and enter your preferred time in seconds. Most PC users will probably not gain much this way, however.

    Negative responses are another story. I often encounter Web sites that do not respond immediately but which are available after a short wait and a retry. A wait of five minutes would be neither convenient nor necessary. I see no reason to store negative responses in the DNS cache and I have tweaked my own Registry to prevent them from being entered. In this case create a binary entry for the above Registry key and name it NegativeCacheTime. Set the value to "0" (zero). If you prefer to keep the negative responses, but with a shorter TTL, enter the appropriate number of seconds. The default TTL is 300 seconds.

    Defend Against Responses from Non-Queried Servers
    If its settings are left alone, the DNS cache will also accept responses from servers that it never queried. In other words, Web sites that you never tried to reach could send a message looking like a response and it would be stored in the cache. This is a security hole that might allow unauthorized DNS servers to send invalid information for the purpose of misdirecting subsequent DNS queries.
    Again a Registry edit is called for. To disable responses from sites that you never asked for, create a DWORD entry named QueryIpMatching. Put it in the same Registry key above and give it a value of 1."

    Interesting stuff. (Not quite as good as sliced bread, however! :) ) Pete
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I've been informed via PM that an alternate location for the QueryIpMatching registry key is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    I'll check mine here tomorrow, as I haven't done anything so far beyond reading the article. Good night, all. Pete
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Could you use a batchfile to run at startup with "ipconfig /flushdns" ?
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Franklin - Yes, I'm sure you could if you're knowledgeable about those kinds of things.

    The "QueryIpMatching" key didn't exist in either of the locations noted above:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    So I put it in both locations. Everything's still working here. Pete
     
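The registry tweaks quoted from the article in post 4 and the "batch file at startup" idea from posts 6 and 7 can be done in one script. The following is an added example, not code from the thread, the techiwarehouse article or any of the tools mentioned. It assumes the values are REG_DWORD (the article calls them "binary"), that the resolver reads them from the Dnscache\Parameters key (the Tcpip\Parameters location mentioned in post 5 is not used here), and it picks a one-hour positive TTL cap as an illustrative value. The value names are the Windows 2000-era ones used in the article; my recollection is that Windows XP and later document the equivalents as MaxCacheTtl and MaxNegativeCacheTtl, so verify the names against your own build. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or the quoted article). Applies the three
# DNS resolver cache settings discussed above and registers a boot-time
# "ipconfig /flushdns" task. Assumptions: REG_DWORD type, Dnscache\Parameters
# as the effective key, 3600 s as an illustrative positive-TTL cap.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

# Desired settings: seconds for the TTLs, 1 = enabled for QueryIpMatching.
$Settings = @{
    MaxCacheEntryTtlLimit = 3600   # cap positive answers at one hour (default 86400)
    NegativeCacheTime     = 0      # do not cache negative answers (default 300)
    QueryIpMatching       = 1      # drop replies from an address we did not query
}

function Get-DnsCacheSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $DnsParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: built-in default applies
    return $item.$Name
}

function Set-DnsCacheSetting {
    param([string]$Name, [int]$Value)
    if (-not (Test-Path $DnsParams)) { New-Item -Path $DnsParams -Force | Out-Null }
    # -Force overwrites an existing value and creates a missing one as DWORD.
    New-ItemProperty -Path $DnsParams -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Show the current state first; a blank result means "not set, default in effect".
foreach ($name in $Settings.Keys) {
    "{0,-22} before: {1}" -f $name, (Get-DnsCacheSetting $name)
}

foreach ($name in $Settings.Keys) { Set-DnsCacheSetting $name $Settings[$name] }

# The resolver reads these values when the DNS Client service starts, so
# restart it (this also empties the cache). Newer Windows builds protect the
# service from being stopped; in that case a reboot applies the change.
try {
    Restart-Service -Name Dnscache -Force -ErrorAction Stop
} catch {
    Write-Warning "Could not restart the DNS Client service ($($_.Exception.Message)); reboot to apply."
}

foreach ($name in $Settings.Keys) {
    "{0,-22} after:  {1}" -f $name, (Get-DnsCacheSetting $name)
}

# Franklin's question: a flush at every boot. schtasks.exe exists on XP and
# later, so this works without Register-ScheduledTask (PowerShell 3+ only).
schtasks.exe /Create /SC ONSTART /TN 'FlushDnsCache' /TR 'ipconfig.exe /flushdns' /RU SYSTEM /F | Out-Null
schtasks.exe /Query /TN 'FlushDnsCache'

# Quick check that a flush really empties the cache: count "Record Name" lines
# in the displaydns output. Expect 0, apart from the built-in localhost
# entries that newer builds always list.
ipconfig.exe /flushdns | Out-Null
$cached = ipconfig.exe /displaydns | Select-String -Pattern 'Record Name'
"Cached records after flush: {0}" -f @($cached).Count
```

One caveat worth keeping in mind when relying on QueryIpMatching: it only compares the source address of a reply with the address of the server that was queried. A reply whose source address is forged to match still passes that check, so the setting narrows the hole described in the article rather than closing it.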
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Does this involve the DNS Client service? Because some say it's best to disable this service, just checking.
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Source: HelpWithWindows, Technet.
     