    Dynamic DNS Registration Parameters


    These parameters control behavior of the dynamic DNS registration client. If a parameter is not present, the default value listed is used.
    DNSQueryTimeouts

    Key: Tcpip\Parameters

    Value Type: REG_MULTI_SZ—list of timeouts terminated by a zero

    Valid Range: valid list of numbers

    Default: 1 2 2 4 8 0 (format note: after entering each number hit return and terminate the list with zero)

    Description: This parameter can be used to change the DNS query timeouts that the DNS client uses. In a controlled non-Internet or low-delay environment this could be used to decrease the time to failure of the query.
    DefaultRegistrationTTL

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—seconds

    Default: 0x4B0 (1200 decimal, or 20 minutes)

    Valid Range: 0–0xFFFFFFFF

    Description: This parameter can be used to control the TTL value sent with dynamic DNS registrations.
    EnableAdapterDomainNameRegistration

    Key: Tcpip\Parameters\Interfaces\interface

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0 (false)

    Description: This parameter can be used to enable DNS dynamic update registration of a specific adapter's domain name information. This setting is useful when registrations of the adapter address(es) under the adapter's domain name are needed. When this key is set to true and DisableDynamicUpdate is false, the given adapter's address(es) is registered under the specific adapter's domain name and under the system's primary domain name.
    DisableDynamicUpdate

    Key: Tcpip\Parameters, Tcpip\Parameters\Interfaces\interface

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0 (false; dynamic DNS-enabled)

    Description: This parameter can be used to completely disable DNS dynamic update registration. This parameter is both a per-interface parameter and a global parameter, depending upon where the registry key is located. If the value at the Tcpip\Parameters level is set to 1, dynamic update is disabled for the entire system. If the value at the Tcpip\Parameters level is set to 0, dynamic updates can be disabled on a per-adapter basis.
    DisableReplaceAddressesInConflicts

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0 (false)

    Description: This parameter is used to turn off the address registration conflict rule that the last writer wins. By default, a computer does not replace any current records on the DNS server that do not appear to have been owned by it at one time.
    DisableReverseAddressRegistrations

    Key: Tcpip\Parameters\Interfaces\interface

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0 (false; registration of PTR records enabled)

    Description: This parameter can be used to turn off DNS dynamic update reverse address (PTR) record registration. If the DHCP server that configures this computer is running Windows Server 2003, then it is capable of registering the PTR record with the DNS dynamic update protocol. However, if the DHCP server is not capable of performing DNS dynamic update PTR registrations and you do not want to register PTR records with the DNS dynamic update protocol, set this parameter to 1.
    UpdateSecurityLevel

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—flags

    Default: 0

    Valid Range: 0, 0x00000010, 0x00000020, 0x00000100

    Description: This parameter can be used to control the security that is used for DNS dynamic updates. It defaults to 0, to try nonsecure update, and if refused, to send Windows Server 2003 secure dynamic updates. Valid values are listed below:

    • 0x00000000—default, nonsecure updates

    • 0x00000010—security OFF

    • 0x00000100—secure ONLY ON

    DNS Caching Resolver Service Registry Parameters


    Windows Server 2003 includes a DNS caching resolver service. This service performs the function of caching DNR answers so that the DNS server does not need to be repeatedly queried for the same information. The service can be stopped using the Service Control Manager MMC snap-in. Registry parameters for this service are located under the \System\CurrentControlSet\Services\Dnscache\Parameters key.
    AdapterTimeoutCacheTime

    Value Type: REG_DWORD—seconds

    Valid Range: 0–0xFFFFFFFF

    Default: 300 (5 minutes)

    Description: The amount of time that a particular adapter on a multihomed machine is disabled when a DNS query attempt fails (times out) for all of the given adapter's DNS servers. For instance, if you have two adapters and the DNS servers on one of the networks are unreachable, the resolver marks that adapter as unusable for this time period. (A Plug and Play event or a cache time-out forces the resolver to retry this interface and mark it as disabled again, if needed.)
    CacheHashTableSize

    Value Type: REG_DWORD—number

    Default: 0xD3 (211 decimal)

    Valid Range: Any prime number greater than 0

    Description: This parameter can be used to control the maximum number of rows in the hash table used by the DNS caching resolver service. It should not be necessary to adjust this parameter.
    CacheHashTableBucketSize

    Value Type: REG_DWORD—number

    Default: 0xa (10 decimal)

    Range: 0–0x32 (50 decimal)

    Description: This parameter can be used to control the maximum number of columns in the hash table used by the DNS caching resolver service. It should not be necessary to adjust this parameter.
    DefaultRegistrationRefreshInterval

    Value Type: REG_DWORD—time in seconds

    Default: 0x15180 (86400 decimal, or 24 hours)

    Range: 0–0xFFFFFFFF

    Description: This parameter can be used to control the dynamic DNS registration refresh interval.
    MaxCacheEntryTtlLimit

    Value Type: REG_DWORD—time in seconds

    Default: 0x15180 (86400 decimal)

    Valid Range: 0–0xFFFFFFFF (suggested value less than one day, to prevent very stale records)

    Description: This parameter can be used to control the maximum cache entry time-to-live (TTL) value. It overrides any value that may have been set on a specific record that is larger.
    MaxSOACacheEntryTtlLimit

    Value Type: REG_DWORD—time, in seconds

    Valid Range: 0–0xFFFFFFFF

    Default: 120 (2 minutes)

    Description: The maximum number of seconds that the resolver cache caches any SOA records. This value overrides any TTL value greater than itself for a specific SOA record that is returned from a DNS query. SOA records are essential for dynamic updates; therefore, they are not cached for long, to ensure that the most up-to-date record data is available for the DNS start of authority.
    NegativeCacheTime

    Value Type: REG_DWORD—time, in seconds

    Default: 0x12c (300 decimal, or 5 minutes)

    Valid Range: 0–0xFFFFFFFF (the suggested value is less than one day, to prevent very stale records)

    Description: This parameter can be used to control the cache time for negative records.
    NegativeSOACacheTime

    Value Type: REG_DWORD—time, in seconds

    Default: 0x78 (120 decimal, or 2 minutes)

    Valid Range: 0–0xFFFFFFFF (the suggested value is less than five minutes)

    Description: This parameter can be used to control the cache time for negative Start of Authority (SOA) records. DNS registrations that fail are retried at five and ten minutes, so if this value is set to five minutes or more, retries are answered negatively from cache, instead of from the server, which could be available.
    NetFailureErrorPopupLimit

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0 (false)

    Description: This parameter enables the UI popup to indicate that the DNS resolver was unable to query (reach) the configured DNS servers for a repeated number of query attempts.
    NetFailureCacheTime

    Value Type: REG_DWORD—time, in seconds

    Default: 0x1e (30 decimal)

    Valid Range: 0–0xFFFFFFFF (suggested value is less than five minutes)

    Description: This parameter is used to control the general network failure cache time. It prevents the resolver from querying for a period of time when it has been detected that a time-out error is occurring for queries against all known DNS servers. This avoids slowness (caused by time-outs) when the network does not respond.

    Name Resolution Parameters


    The following list of parameters is used by the Domain Name Resolver service.
    AllowUnqualifiedQuery

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0

    Description: This parameter controls whether or not the Domain Name Resolver queries the Domain Name Server(s) with the host name, followed by a dot (.) only (an unqualified query). For example, if your computer is in mydomain.com and you ping target, by default the DNS is queried for target.mydomain.com only. When this parameter is set to 1, target is also queried.
    DisjointNameSpace

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 1

    Description: This parameter instructs the DNR to treat each interface as a disjoint name space. On a multihomed computer, a query to the DNS server(s) that is/are configured for one interface may result in a name error. This parameter is used to instruct the resolver to try the query against the possible DNS servers that are configured for other interfaces before returning results.
    PrioritizeRecordData

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 1

    Description: This parameter controls whether or not the Domain Name Resolver sorts the addresses that are returned in response to a query for a multihomed host. By default, the DNR sorts addresses that are on the same subnet as one of the interfaces in the querying computer to the top of the list. This is done to give preference to a common-subnet (non-routed) IP address, when possible.
    QueryIpMatching

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0

    Description: This parameter controls whether or not the IP address of the DNS server queried is matched to the IP address of the server that sent the DNS response. This can be used as a primitive security feature to ensure that the resolver is not being fooled by a random query response from some computer other than the intended DNS server.
    UseDomainNameDevolution

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—binary

    Valid Range: 0, 1 (false, true)

    Default: 1 (true)

    Description: This parameter can be used to disable domain name devolution for unqualified DNS queries. Devolution describes the process of attempting to locate a host in the DNS by first appending the domain suffix of the client to the host name, and then querying for the full string. If that query fails, one label is removed at a time, and the query is resubmitted. For example, if a user or application on the computer mycomputer.support.microsoft.com attempts to reach a host named target, the DNR by default tries target.support.microsoft.com, and target.microsoft.com, and possibly target, depending on the value of the AllowUnqualifiedQuery parameter.

    Appendix D: Tuning TCP/IP Response to Attack

    TCP/IP Security Settings


    In addition to the settings that are listed above, the following keys can be altered to help the system deal more effectively with an attack. It is important to note that these recommendations by no means make the system impervious to attack; they focus only on tuning the TCP/IP stack's response to an attack. Setting these keys does not address any of the many other components on the system that could be used to attack it. As with any change to the registry, the administrator needs to fully understand how these changes affect the default function of the system and whether they are appropriate in their environment.
    SynAttackProtect

    Key: Tcpip\Parameters

    Value Type: REG_DWORD

    Valid Range: 0, 1

    • 0 (no SYN attack protection)

    • 1 (reduced retransmission retries and delayed RCE [route cache entry] creation if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied, and a delayed indication to Winsock is made)

    Note: When the system finds itself under attack, the following options on any socket can no longer be enabled: scalable windows (RFC 1323) and per-adapter configured TCP parameters (initial RTT, window size). This is because when protection is functioning the route cache entry is not queried before the SYN-ACK is sent, and the Winsock options are not available at this stage of the connection.

    Default: 1 (enabled) for Windows Server 2003 Service Pack 1; 0 (disabled) for Windows Server 2003 with no service packs installed

    Recommendation: 1

    Description: SYN attack protection involves reducing the number of retransmissions of the SYN-ACKs, which reduces the time for which resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made, and the connection indication to AFD is delayed until the three-way handshake is completed. Note that the actions taken by the protection mechanism only occur if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded.
    TcpMaxHalfOpen

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—number

    Valid Range: 100–0xFFFF

    Default: 100 (Windows Server 2003, Standard Edition), 500 (Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition)

    Description: This parameter controls the number of connections in the SYN-RCVD state allowed before SYN attack protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port that you want to protect (see the backlog parameters in Appendix C for more information). See the SynAttackProtect parameter for more details.
    TcpMaxHalfOpenRetried

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—number

    Valid Range: 80–0xFFFF

    Default: 80 (Windows Server 2003, Standard Edition), 400 (Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition)

    Description: This parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN-ACK, before SYN attack protection begins to operate. See the SynAttackProtect parameter for more details.
    EnablePMTUDiscovery

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 1 (true)

    Recommendation: 1

    Description: When this parameter is set to 1 (true) TCP attempts to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet.
    NoNameReleaseOnDemand

    Key: Netbt\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 0 (false)

    Recommendation: 1

    Description: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the machine against malicious name-release attacks.
    EnableDeadGWDetect

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—Boolean

    Valid Range: 0, 1 (false, true)

    Default: 1 (true)

    Recommendation: 0

    Description: When this parameter is set to 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the advanced properties of the TCP/IP protocol. See the “Dead Gateway Detection” section in this paper for details.
    KeepAliveTime

    Key: Tcpip\Parameters

    Value Type: REG_DWORD—time in milliseconds

    Valid Range: 1–0xFFFFFFFF

    Default: 7,200,000 (two hours)

    Recommendation: 300,000

    Description: This parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default; this feature may be enabled on a connection by an application.
    PerformRouterDiscovery

    Key: Tcpip\Parameters\Interfaces\interfaceGUID

    Value Type: REG_DWORD

    Valid Range: 0, 1, 2

    • 0 (disabled)

    • 1 (enabled)

    • 2 (enabled only if DHCP sends the router discovery option)

    Default: 2 (DHCP-controlled, but off by default)

    Recommendation: 0

    Description: This parameter controls whether Windows Server 2003 attempts to perform router discovery per RFC 1256 on a per-interface basis. See also SolicitationAddressBcast.
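    The following script is an added example, not part of the whitepaper: it parses a `reg export` of the Tcpip\Parameters and Netbt\Parameters keys and compares each parameter's effective value (the explicit DWORD, or the documented default when the value is absent) with the Appendix D recommendations above, including PerformRouterDiscovery under every Interfaces subkey; UpdateSecurityLevel and QueryIpMatching from the DNS sections are resolved as well but only reported, since the paper gives no recommendation for them. The key paths are the paper's; the interface GUID in the constructed sample export is a placeholder.

```python
"""Audit a `reg export` of the Tcpip and Netbt Parameters keys against the
documented defaults and the Appendix D recommendations (added example)."""
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters"
IFACES = TCPIP + "\\Interfaces\\"
# (key, value name, documented default, Appendix D recommendation or None). An
# absent value takes its default. SynAttackProtect defaults to 1 only with SP1.
TABLE = [
    (TCPIP, "SynAttackProtect", 1, 1),
    (TCPIP, "EnablePMTUDiscovery", 1, 1),
    (TCPIP, "EnableDeadGWDetect", 1, 0),
    (TCPIP, "KeepAliveTime", 7_200_000, 300_000),
    (NETBT, "NoNameReleaseOnDemand", 0, 1),
    (TCPIP, "UpdateSecurityLevel", 0, None),  # no recommendation: reported only
    (TCPIP, "QueryIpMatching", 0, None),      # no recommendation: reported only
]
IFACE_TABLE = [("PerformRouterDiscovery", 2, 0)]  # under Interfaces\<GUID>
_REC = {(k, n): r for k, n, _, r in TABLE}
_IFACE_REC = {n: r for n, _, r in IFACE_TABLE}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Collect REG_DWORD values per key. Other types (e.g. the REG_MULTI_SZ
    DNSQueryTimeouts) are skipped. Real exports are UTF-16: open(..., encoding="utf-16")."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := _DWORD_RE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def effective_values(keys):
    """Map (key, name) to the effective value: the explicit DWORD or the documented default."""
    out = {(k, n): keys.get(k, {}).get(n, d) for k, n, d, _ in TABLE}
    for key, values in keys.items():
        if key.startswith(IFACES):
            for n, d, _ in IFACE_TABLE:
                out[(key, n)] = values.get(n, d)
    return out


def audit(keys):
    """Return (key, name, effective, recommended) for every recommendation not met."""
    findings = []
    for (key, name), value in effective_values(keys).items():
        rec = _IFACE_REC[name] if key.startswith(IFACES) else _REC[(key, name)]
        if rec is not None and value != rec:
            findings.append((key, name, value, rec))
    return findings


# Constructed sample export (the GUID is a placeholder), not taken from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"KeepAliveTime"=dword:006ddd00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EXAMPLE-GUID}]
"DisableReverseAddressRegistrations"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters]
"NoNameReleaseOnDemand"=dword:00000001
"""
```

    Running `audit(parse_reg_export(SAMPLE_EXPORT))` on the sample reports EnableDeadGWDetect and PerformRouterDiscovery (both absent, so at their defaults) and the two-hour KeepAliveTime as not matching the recommendations.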

    Appendix E: Format of the Daytime Service Response String


    RFC 867 does not specify the format of the response sent by the daytime service. For Windows 2000 and Windows Server 2003, the daytime service sends an ASCII text string containing the current system time and date formatted in a single line as follows:

    TimeString DateString

    with a single ASCII space character separating the time (TimeString) and date (DateString) components. Each of these components is formatted according to the default format for the selected locale of the computer. For example, the default format for “English (United States)” is:



    TimeString = h:mm:ss tt

    DateString = m/dd/yyyy

    in which tt is either "AM" or "PM".

    Here is example output for the English (United States) locale:

    10:23:16 AM 4/11/2003

    The default formats for the date and time for any locale may be viewed or configured from Control Panel-Regional Options (for Windows 2000) or Control Panel-Regional and Language Options (for Windows Server 2003).

    There is no ability to change the format of the daytime service ASCII text string.
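    As an added example that is not part of the paper, the Python below reads a daytime response with a bounded, timed read and parses the "English (United States)" layout described above, rejecting anything that does not match it; the function names `query_daytime`, `parse_daytime_en_us` and `clock_skew_seconds` are chosen here, and the sample response is the example output above.

```python
"""Parse the Windows daytime (TCP port 13) response described in Appendix E
(added example, not from the whitepaper)."""
import re
import socket
from datetime import datetime

# en-US layout from Appendix E: "h:mm:ss tt m/dd/yyyy". Other locales produce a
# different layout, so this pattern is only valid for an en-US server.
_EN_US = re.compile(r"^\d{1,2}:\d{2}:\d{2} (AM|PM) \d{1,2}/\d{1,2}/\d{4}$")


def parse_daytime_en_us(response: bytes) -> datetime:
    """Validate the shape before parsing: the string is untrusted network input."""
    text = response.decode("ascii").rstrip("\r\n")
    if not _EN_US.match(text):
        raise ValueError(f"unexpected daytime response: {text!r}")
    return datetime.strptime(text, "%I:%M:%S %p %m/%d/%Y")


def clock_skew_seconds(response: bytes, now: datetime) -> float:
    """Seconds by which the daytime server's clock is ahead of `now` (negative if behind)."""
    return (parse_daytime_en_us(response) - now).total_seconds()


def query_daytime(host: str, port: int = 13, timeout: float = 3.0, limit: int = 64) -> bytes:
    """Read at most `limit` bytes with a timeout; RFC 867 servers close after sending."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while len(data) < limit:
            chunk = sock.recv(limit - len(data))
            if not chunk:
                break
            data += chunk
    return data


if __name__ == "__main__":
    # Constructed sample, identical to the Appendix E example output plus a line ending.
    sample = b"10:23:16 AM 4/11/2003\r\n"
    print(parse_daytime_en_us(sample).isoformat())
```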


    Summary


    The TCP/IP stack in Windows Server 2003 has extensive support for standard features, performance enhancements, and services. Windows Server 2003 TCP/IP consists of the following core protocols: Address Resolution Protocol (ARP), Internet Protocol (IP), Internet Protocol security (IPsec), Internet Group Management Protocol (IGMP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and NetBIOS over TCP/IP (NetBT). Windows TCP/IP applications typically use the Windows Sockets or NetBIOS APIs. Windows Server 2003 TCP/IP includes support for automatic client configuration, media sense, and DNS dynamic update and client-side caching.

    For More Information


    For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.

    For more information about IPv6, see the Microsoft Windows IPv6 Web site (http://www.microsoft.com/ipv6).



    1 Specifications and programming information are included in the Microsoft Windows Driver Development Kits (DDKs), available at http://www.microsoft.com/whdc/ddk/default.mspx .

    2 Most NICs have the ability to be placed into a mode in which the NIC does not perform any address filtering on frames that appear on the media. Instead, it passes every frame upwards that passes the cyclic redundancy check (CRC). This feature is used by some protocol analysis software, such as Microsoft Network Monitor.

    3 Adding 1 to the registry parameter TcpMaxDataRetransmissions or TcpMaxConnectRetransmissions approximately doubles the total retransmission time-out period. If it is necessary to configure longer time-outs, these parameters should be increased very gradually.

    4 Instead of sending one TCP segment when starting out, Windows NT/Windows XP TCP starts with two. This avoids the need to wait for the delayed ACK timer to expire on the first send to the target computer, which improves performance for some applications.

    5 See the Microsoft Knowledge Base for redirector registry parameters.

    6 Stevens, Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading, MA: Addison-Wesley Publishing Co., 1993.

    7 Both specifications are available from the Microsoft Internet site on www.microsoft.com and ftp.microsoft.com.

    8 IP autoconfiguration can be disabled using the IPAutoconfigurationEnabled registry key. The subnet and subnet mask used can be controlled using the IPAutoconfigurationSubnet and IPAutoconfigurationMask registry keys. These keys are described in Appendix A.
