Len,

>> I'm not sure you can turn off all the cache poisoning vulnerability via the GUI. And I'm pretty sure you can't, <<

I am - and yes you can.

>> that's why they have several tech articles on it, about registry hacks. <<

A "wide" search on "DNS and cache" yielded only ONE tech article (and a second one simply referring back to the FIRST).

For your information:

a) Microsoft OFTEN documents how to make a change in the registry even if the SAME option can be set via the GUI (as is the case here). You imply that it means the GUI is not comprehensive - in most cases it just means there are TWO ways to accomplish the same registry change (via RegEdit OR via the GUI).

b) Microsoft CHANGED the default to YES (secure against cache pollution) since W2K SP3.

So you can now safely lay this matter to rest please.

Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q241352
and
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316786

Excerpt:

A Windows 2000-based DNS server can filter out the responses for these non-secure records. To enable this feature:

Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)
Quit Registry Editor.

By default, this key does not exist and non-secure data is not eliminated from responses.

NOTE: On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:

Open DNS Management Console by clicking Start, Programs, Administrative Tools, DNS.
Right click on the server name in the left window pane.
Choose Properties.
Choose the Advanced tab.
Place a check in the box "Secure cache against pollution".
<<

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
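An audit of the setting described in the excerpt, as an added example that is not part of the original message or of the Microsoft article: it reads SecureResponses under the DNS Parameters key and reports whether cache-pollution filtering is explicitly enabled, explicitly disabled, or left to the server default. The function name and output fields are hypothetical, and it assumes PowerShell is available on the DNS server and the session is elevated.

```powershell
# Added example. Key path and value name are from the KB excerpt above;
# the function name and output fields are hypothetical.
function Test-DnsSecureResponses {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enforce)   # -Enforce writes SecureResponses=1 when it is not already 1

    $key  = 'HKLM:\System\CurrentControlSet\Services\DNS\Parameters'
    $name = 'SecureResponses'

    if (-not (Test-Path -LiteralPath $key)) {
        # No Parameters key: the DNS Server service is probably not installed here.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = 'KeyMissing'; Value = $null }
    }

    # Read the value without throwing when it does not exist.
    $item  = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }

    if ($null -eq $value) {
        # Absent value: the server runs on its built-in default. The message says
        # that default became "secure" with W2K SP3; the KB excerpt describes the
        # older default of not filtering. Treat this state as "verify manually".
        $state = 'NotSet'
    } elseif ($value -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    # Only write when asked to, and honour -WhatIf / -Confirm.
    if ($Enforce -and $state -ne 'Enabled' -and
        $PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 1')) {
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $state = 'Enabled'; $value = 1
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = $state; Value = $value }
}

Test-DnsSecureResponses                      # report only
# Test-DnsSecureResponses -Enforce -WhatIf   # preview the registry write
```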
