How can I ensure that the DNS resolver uses only results from queried DNS servers?

A. By default, if a client requests name resolution, the client will accept any response with the correct query ID, regardless of where the response is from. This behavior could lead to security problems if a rogue process that deliberately returns incorrect information exists on a system. To force the DNS resolver to match the source IP address of the response with the DNS servers that the DNS resolver queried, perform the following steps:

  1. Start a registry editor (e.g., regedit.exe) on each client machine.
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry subkey.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter the name QueryIpMatching, then press Enter.
  5. Double-click the new value, set it to 1, then click OK.
  6. Close the registry editor.
  7. Reboot the machine for the change to take effect.
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish