A. By default, when a client issues a name-resolution query, the DNS Client service (Dnscache) accepts any response carrying the correct query (transaction) ID, regardless of the source IP address the response arrives from. This behavior can be a security problem: a rogue process or host that deliberately returns incorrect records will have its answer accepted as long as it supplies the matching ID. You can make the resolver additionally require that the source IP address of a response match the address of the DNS server it actually queried. Note that this is a plausibility check rather than authentication: an attacker who can forge UDP packets can forge the source address as well, so the setting raises the bar against stray or misaddressed responses but does not replace DNSSEC. To force the DNS resolver to match the source IP address of the response with the DNS servers that the DNS resolver queried, perform the following steps:
- Start a registry editor (e.g., regedit.exe) on each client machine.
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry subkey.
- From the Edit menu, select New, DWORD Value.
- Enter the name QueryIpMatching, then press Enter.
- Double-click the new value, set it to 1, then click OK.
- Close the registry editor.
- Reboot the machine for the change to take effect.
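The same change can be audited and applied from an elevated PowerShell prompt instead of regedit, which is more practical when it has to be done on every client machine. The following script is an added example, not part of the original article; the key path and value name are the ones given above, while the `-Remediate` switch, the function names and the output wording are this script's own design.

```powershell
# Added example: audit and optionally set QueryIpMatching on the local machine.
# Run from an elevated PowerShell prompt. The key path and value name come from
# the article; everything else (switch name, functions, messages) is assumed here.

[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports the current state
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$ValueName = 'QueryIpMatching'
$Desired   = 1           # 1 = require response source IP to match the queried server

function Get-QueryIpMatching {
    # Returns the current DWORD, or $null if the value has never been created
    # (absent means the default behavior: responses from any source are accepted).
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-QueryIpMatching {
    param([int]$Value)
    # Create the key if needed, then create or update the DWORD value.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    if ($null -eq (Get-QueryIpMatching)) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value
    }
}

$current = Get-QueryIpMatching
$state = if ($null -eq $current) { 'not set (default: any source accepted)' } else { "$current" }
Write-Host "$ValueName is currently: $state"

if ($current -eq $Desired) {
    Write-Host 'Already compliant; nothing to do.'
    return
}

if (-not $Remediate) {
    Write-Warning "Non-compliant. Re-run with -Remediate to set $ValueName=$Desired."
    return
}

Set-QueryIpMatching -Value $Desired
if ((Get-QueryIpMatching) -eq $Desired) {
    Write-Host "$ValueName set to $Desired. Reboot the machine for the change to take effect."
} else {
    Write-Error "Failed to set $ValueName. Is the session elevated?"
}
```

Run it once without `-Remediate` to see which machines still have the default (the value absent or 0), then with `-Remediate` to apply the setting; for a fleet, the script body can be passed to `Invoke-Command -ComputerName` so the audit and fix run on each client remotely. As with the manual steps, the new value is only honored after a reboot.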