Is This Normal DNS Behavior on a Server2003 SP2 Domain Controller

mcintoshs (Guest), 07-18-2009

On all server 2003 SP2 domain controllers, when I run the netstat -ano
command, I see that the dns.exe process is listening on hundreds of ports
between the port range of 49178 to 65533. Is this normal?

If not, how do I address this?
Thanks,
Scott

Ace Fekay [MCT] (Guest), 07-18-2009

"mcintoshs" <> wrote in message
news:CD64141D-8C5F-4928-93BA-...
> On all server 2003 SP2 domain controllers, when I run the netstat -ano
> command, I see that the dns.exe process is listening on hundreds of ports
> between the port range of 49178 to 65533. Is this normal?
>
> If not, how do I address this?
> Thanks,
> Scott
Yep, it is, because of the DNS update from 7/2008. Read the following for an
explanation:

======================================================================
The DNS Exploit patch explained
By Ace Fekay, MCT
Last updated: 9/2008
---

Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)

The DNS patch released in July, 2008, reserves 2500 ephemeral UDP ports.

It is a security update to prevent spoofing. Attackers know that normally,
without the update, a random ephemeral response port (service port) is used,
which is normally UDP 1024 and above. These are the response ports used by all
Windows communications (not just DNS). An attacker may guess/randomize a
port attack at DNS attempting to gain access to create records into the DNS
Cache, by injecting records using specially crafted commands, therefore
poisoning the DNS cache with records of their choosing, which will allow a
remote attacker to redirect legitimate network traffic intended for systems
on the Internet to the attacker's own systems or elsewhere, of their
choosing.

By reserving the port, or creating this socket pool, it reduces the chance
of a randomization attack, which attackers are using against Windows and
other major DNS services, to prevent Cache Poisoning.

When you run a netstat -ab, it will display the 2500 UDP ports that have
been reserved, but not necessarily in use. This is part of the increased
memory consumption that you may notice. I've noticed the following (your
mileage may vary):

dns.exe       Before     After
Mem usage     9,758K     36,232K
Peak Mem      10,208K    36,584K
Paged Pool    71K        798K
NP Pool       17K        4,833K
Handles       238        5,217
Threads       20         20

MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install
DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing
MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive...nd-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx

There can also be issues with various applications installed and running on
a DNS server where the RPC Endpoint Mapper has run out of ports to use
because all available ports are being consumed by the app:

It sounds like you're running out of available ports for the RPC endpoint
mapper to use. Take a look at the following article:

839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server
2003 Support Tools from the product CD
http://support.microsoft.com/default...b;EN-US;839880

Run "netstat -ano" in a command line. It should provide a listing of ports
that are in use as well as the PID of the process that owns that port.
Possibly you're running an application on this server that isn't releasing
ports when it's done with them. You can also extend the available ports
used by RPC but I'd recommend looking into what's consuming them first.
======================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.


Ace Fekay [MCT] (Guest), 07-18-2009

"Ace Fekay [MCT]" <> wrote in message
news:OZGA%...

After re-reading my post and blog, it appears I've never proofed it. I
re-worded it to make better sense, and have re-posted it below. Sorry about
the inconvenience.

======================================================================
The DNS Exploit patch explained
By Ace Fekay, MCT
Last updated: 7/2009
---

Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)

The DNS patch released in July, 2008, reserves 2500 ephemeral UDP ports.

It is a security update to prevent spoofing. Attackers know that normally,
without the update, a random ephemeral response port (service port), chosen
randomly from UDP 1024 and above, is used in response to the querying client
resolver. These response or service ports are used by all Windows
communications (not just DNS). An attacker may guess/randomize a port attack
at DNS attempting to gain access to create records into the DNS Cache, by
injecting records using specially crafted commands, therefore poisoning the
DNS cache with records of their choosing, which will allow a remote attacker
to redirect legitimate network traffic intended for systems on the Internet
to the attacker's own systems or elsewhere, of their choosing.

Pre-reserving the ports, or creating a socket pool, as the DNS patch does,
reduces the chance of a randomization attack, which attackers are using
against Windows and other major DNS services, and so helps prevent Cache
Poisoning.

When you run a netstat -ab, it will display the 2500 UDP ports that have
been reserved, but not necessarily in use. This is part of the increased
memory consumption that you may notice. I've noticed the following when I've
looked at Task Manager before and after the DNS patch was installed (your
mileage may vary):

dns.exe       Before     After
Mem usage     9,758K     36,232K
Peak Mem      10,208K    36,584K
Paged Pool    71K        798K
NP Pool       17K        4,833K
Handles       238        5,217
Threads       20         20
---

More info on the patch and the DNS exploit issue is explained in the
following links.

MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install
DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing
MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive...nd-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx

---
There can also be issues with various applications installed and running on
a DNS server where the RPC Endpoint Mapper has run out of ports to use
because all available ports are being consumed by the app. If this is the
case, it could be that the system is running out of available ports for the
RPC endpoint mapper to use.

Run "netstat -ano" in a command line. It should provide a listing of ports
that are in use as well as the PID of the process that owns that port.
Possibly you're running an application on this server that isn't releasing
ports when it's done with them. You can also extend the available ports
used by RPC but I'd recommend looking into what's consuming them first.

Take a look at the following article for more info on the Endpoint mapper:

839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server
2003 Support Tools from the product CD
http://support.microsoft.com/default...b;EN-US;839880
======================================================================

Ace
