DOCUMENT:Q198410 11-JUN-2002 [winnt] TITLE :Microsoft DNS Server Registry Parameters, Part 3 of 3 PRODUCT :Microsoft Windows NT PROD/VER::4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: Q256986 Description of the Microsoft Windows Registry SUMMARY ======= This article consists of 3 parts and describes settings for the Microsoft Domain Name Service (DNS) server. You can modify most settings using the DNSADMIN tool, although some settings can only be altered using Registry Editor. For additional information, please see the following articles in the Microsoft Knowledge Base: Q198408 Microsoft DNS Server Registry Parameters, Part 1 of 3 Q198409 Microsoft DNS Server Registry Parameters, Part 2 of 3 MORE INFORMATION ================ WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To change these parameters, use the following procedure: 1. Start Registry Editor (Regedt32.exe). 2. From the HKEY_LOCAL_MACHINE subtree, go to the following key: SYSTEM\CurrentControlSet\Services 3. From the Edit menu, click Add Value and add a value to the key described in the appropriate entry below. Type in the value, and use the "Data Type" check box to set the value type. 4. Click OK. 5. Quit Registry Editor. 6. Restart the DNS server for the above changes to take affect. Server Parameters ----------------- Several registry parameters determine behavior of the entire server. Each of these is a registry value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters NOTE: These registry keys are read only at startup. Some may be reset and, in some cases, the server behavior dynamically changed, through the DNS Administrator. But if manually reset, the DNS server must be restarted to pick up the new value. SendOnNonDnsPort ---------------- Value: SendOnNonDnsPort Added: SP4 (April 1998) Type: DWORD Default: NoKey (Send on DNS port - 53) Function: Determines port on which server sends UDP queries to other DNS servers. By default, the DNS server sends queries to other DNS servers on a socket bound to the DNS port. Sometimes this situation is NOT desirable. The most obvious case being when an admin firewalls off the DNS port, to prevent outside access to the DNS server, but still wants the DNS server to be able to contact Internet DNS servers to provide Internet name resolution for internal clients. This is also desirable if the server is serving disjoint nets (see discussion below for DisjointNets key). Setting the SendOnNonDnsPort key to a non-zero value, causing the DNS server to bind to an arbitrary port for sending to remote DNS servers. If the SendOnNoDnsPort value is set >1024, then the DNS server will bind explicitly to the port value given. This is useful is the admin wants to fix the port for firewalling purposes. Examples: SendOnNonDnsPort missing or 0 => sends to other DNS servers come from port 53. SendOnNonDnsPort = 1 => sends come from arbitrary port. SendOnNonDnsPort = 2000 => sends comes from port 2000. DisjointNets ------------ Value: DisjointNets Added: SP2 Type: DWORD (Boolean) Default: NoKey (Version dependent see below) Function: Allows override of default binding for socket used to send queries to remote servers. Resolver behavior dictates that DNS servers bind explicitly to IP addresses (see discussion in ListenAddresses above). This, in turn, means that there is a tradeoff in determining the binding of the socket used to query remote DNS servers. The binding must be such that the remote server can respond to the address in the IP source address of the query. If there is a single IP address for the computer running the DNS server, there is no problem. However if the computer is multihomed, a problem may arise as the send socket may have be chosen in one of two ways: 1. Bind send socket to INADDR_ANY. In this case, the TCP/IP stack determines the IP source address when the query is sent to the remote DNS. This is ideal in that the stack will always choose the IP source address of the adapter the packet is sent on and, hence, the IP address will be reachable when the remote DNS sends back. However, it means that the DNS server MUST be listening on the address the stack chooses. If the server is configured to only listen on some of the IP addresses on the computer, problems may arise. 2. Use one of the DNS listen sockets as send socket. In this case, the packet is always sent with a source IP that corresponds to one of the DNS listen addresses. Unfortunately, this IP may not be on the adapter the stack must send on to reach the remote DNS server. And in this case, when the remote DNS server attempts to respond, it may not have a route back to this IP. This would happen when the DNS server has "Disjoint Nets"; in other words, it is attached to two (or more) networks that are not otherwise connected. This is the classic case of the DNS server sitting on a firewall or proxy server. The DisjointNets registry key allows override of default server behavior, forcing sends on socket bound to INADDR_ANY (method 1 above). If the DisjointNets registry key exists and is nonzero, a send socket is created bound to INADDR_ANY. If the DisjointNets registry key does not exist or is zero, the default server behavior occurs. Default server behavior (Service Pack 3 and later): - Single DNS IP, use the listen socket for send also. - Multihomed, all addresses in use by DNS (or DisjointNets set) use INADDR_ANY socket. - Multihomed, all addresses not in use by DNS, use first listen IP's socket as send socket. Note that, in the case where the computer has multiple IP addresses and they are not all in use by DNS, there is no guarantee of correct behavior in the disjoint net case. The DisjointNets key can be turned on to force use of method 1, but there is no guarantee that the stack will always select an IP address that the DNS server is listening on. If using the DNS server on two disjoint nets (for example, on a firewall), configure the computer with only a small number of IP addresses and let DNS run on them all (that is, do NOT configure ListenAddresses). DisableAutoReverseZones ----------------------- Value: DisableAutoReverseZones Added: Windows NT 4.0 Type: DWORD (Boolean) Default: NoKey (Create automatic reverse-lookup zones) Function: Determine whether server automatically creates standard reverse lookup zones. Every DNS server should (according to RFC) be authoritative for three reverse lookup zones: - 0.in-addr.arpa. - 127.in-addr.arpa. - 255.in-addr.arpa The reason for this is that clients sometimes query for standard IP addresses such as 0.0.0.0, 127.0.0.1 (loopback), and 255.255.255.255 (broadcast). By being authoritative for the zones corresponding to these queries, the DNS server avoids unnecessary recursions to the root servers on these queries. If the DisableAutoReverseZones key does not exist or is zero, the Microsoft DNS server will automatically create these zones with the correct entries (none except for a PTR for 127.0.0.1 to localhost). If DisableAutoReverseZones is nonzero, the server does NOT create these zones. AutoCacheUpdate --------------- Value: AutoCacheUpdate Added: Windows NT 4.0 Type: DWORD (Boolean) Default: NoKey (Do automatic cache updates) Function: Determine whether server attempts to update cache entries using data from root servers. When a DNS server starts, it needs a list of root server "hints" -- NS and A records for the servers, historically called the cache file. Traditionally DNS administrators could keep this file current by downloading a new copy from the InterNIC. This method works adequately when the root servers stay fairly static, but does require attention on the part of the administrator when updates and changes are made (for example, the massive renaming in late 1995). The Microsoft DNS server has a feature to allow the server to attempt to write back a new cache file based on the response from the root servers. If the AutoCacheUpdate key does NOT exist or is nonzero, the Microsoft DNS server will rewrite the cache file based on the data received from querying the root DNS servers on startup. If the key is zero, the DNS server does not do this update. CleanupInterval --------------- Value: CleanupInterval Added: Windows NT 4.0 Type: DWORD Default: NoKey (Interval is one hour) Function: Set interval between successive cleanup walks of DNS database. NOTE: The CleanupInterval Registry Key is not available in Win2k. Periodically, the DNS server wakes up a thread to walk the database and eliminate cached records and nodes, which have timed out. (The only purpose is to recover the memory.) The thread will also check the authoritative zones and write back any that are "dirty" -- have records from administrative update that have NOT been written back to database file. The value of this key is the interval between wakeups of the cleanup thread in seconds. If the key does not exist, the default is one hour. There is no particular reason to change this value, although in a memory unconstrained situation, a longer wakeup (possibly a day) might slightly improve performance. In a memory constrained environment, shorter intervals are desirable, but making them very short (such as a few minutes) would cause excessive cycles to be wasted on this timeout thread. StrictFileParsing ----------------- Value: StrictFileParsing Added: SP4 Type: DWORD (Boolean) Default: NoKey (after SP4 non-strict) Function: Set server to parse files strictly. BIND implementations have generally been liberal about allowing non-RFC compliant records in zone files. Among the errors allowed: - Records for names outside of the zone. - CNAME records at names that contain other records (and vice versa). When BIND files with bad data are moved over to a Microsoft DNS server, the server would fail to start, and individuals who were not aware that the explanations were in the event log, were out of luck. Starting with Service Pack 4, the server will, by default, log and ignore zone file errors, so the server can start. If the StrictFileParsing key does not exist or is zero, the server will log and ignore bad data in file and continue to load. If the StrictFileParsing is nonzero, the server will log and fail on zone file errors. Zone Registry Keys ------------------ Several registry parameters determine behavior of the individual zones. Each of these is a registry value under the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services \DNS\Zones\ NOTE: The above registry key is one path; it has been wrapped for readability. This key, in turn, contains a registry key for each authoritative zones and, if not root authoritative, one for the cache (key name "."). This section discusses registry parameters that determine behavior specific to individual zones. Each of these registry parameters is found under a registry key for the name of the zone it applies to. NOTE: These registry keys are read only at startup. Some may be reset and the server behavior dynamically changed through the DNS Administrator. But, if manually reset, the DNS server MUST be restarted to pick up the new value. Type ---- Value: Type Added: Windows NT 4.0 Type: DWORD Default: None (Key must exist) Function: Determines zone type. The Type registry key determines type of zone when starting from the registry. Zone types mappings are: 0 cache (root hint) file 1 primary zone 2 secondary zone The Type registry key is read to determine the type of zone on registry startup. If it is deleted or invalid, the server will fail to start. Therefore, do NOT edit this key. To change the zone type, use the DNS Administrator Zone properties, General dialog box. NOTE: If starting from a boot file, this key is ignored and overwritten with zone type specified in the boot file. UseDatabase ----------- Value: UseDatabase Added: Windows NT 4.0 Type: DWORD (Boolean) Default: 0 (Do not use database) Function: None The UseDatabase registrykey is unused. DatabaseFile ------------ Value: DatabaseFile Added: Windows NT 4.0 Type: STRING Default: None (Key must exist) Function: Determines zone's database file. The DatabaseFile registry key gives the name of the zone's database file (if any). When starting from the registry, this key determines the file that is read to load the zone. This key MUST exist for primary zones. Secondary zones may be configured to not load from a zone file. Do not edit this key. To change the zone file, use the DNS Administrator Zone properties, General dialog box. NOTE: If starting from a boot file, this key is ignored and overwritten with zone file specified in the boot file. MasterServers ------------- Value: MasterServers Added: Windows NT 4.0 Type: BINARY Default: None (Key must exist for secondaries) Function: Determines master servers a secondary should contact for zone transfer. Secondaries for a zone must have a list of servers that they can query to receive information to determine current zone version and to receive zone transfers from, if necessary. The MasterServers key is a list of IP addresses of masters for the given zone. The list is not dotted IP strings, but a counted array of raw IP addresses in net byte order. It should be configured through the Zone Properties, General dialog box in the Administrator tool. Editing the registry key is discouraged. NOTES: - When using registry boot, the DNS server reads the MasterServers key for a secondary zone on startup. If the MasterServers key does not exist, or is invalid, the DNS server will not start. - If starting from a boot file, this key is ignored and overwritten with the master IP list specified in the boot file. SecondaryServers ---------------- Value: SecondaryServers Added: Windows NT 4.0 Type: BINARY Default: NoKey (No secondary list) Function: Determines secondary servers for to notify or limit transfers to. The Microsoft DNS server allows specification of a secondary server list. Note that it is a list of secondaries for this zone on this server. It need not be a complete list of secondaries for the zone. Its purpose is to give administrators a fine degree of control over the replication graph for a zone. This list has two functions: - Servers in this list are notified when a new version of the zone is available. - If the SecureSecondaries registry key (see below) is used, zone transfers are refused to servers not in this list. The SecondaryServers key is not a list of dotted IP strings, but a counted array of raw IP addresses in net byte order. It should be configured through the Zone Properties, Notify dialog box in the administrator tool. Editing the registry key is discouraged. Especially, do NOT delete this registry key to attempt to create an empty secondary list. SecureSecondaries ----------------- Value: SecureSecondaries Added: Windows NT 4.0 Type: DWORD (Boolean) Default: NoKey (No secondary security) Function: Sets security on zone transfer requests. The Microsoft DNS server allows limitation of zone transfers to a select list (possibly empty) of servers. This is useful for two reasons: - Keeps information about zones private. Complete zone information can be useful in choosing targets for security attacks. By limiting information, the process of learning about potential targets is more difficult and time consuming, making the barrier against attack incrementally higher. - Saves CPU cycles and prevents denial of service attacks. Zone transfer for a large zone is an expensive operation. Therefore, it is desirable to limit it to requests from servers that require it for a legitimate purpose. If the SecureSecondaries registry key is nonzero, zone transfer is limited to requests from IP addresses given in the SecondaryServers registry key (see above). If the SecondaryServers registry key list is empty, no transfers are sent for this zone. This key may be reset through the Zone Properties, Notify dialog box. Additional query words: ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 Version : :4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.