dns.exe 2500 open ports in netstat -ab

Discussion in 'DNS Server' started by ThorstenK, Jul 11, 2008.

  1. ThorstenK Guest

    On one domain controller in a child domain I see 2500 open ports from dns.exe.
    No remote address and no status.
    I haven't seen that before and it's not like that on another DC.
    I already rebooted but it comes back. When I restart the DNS Server service they
    all open immediately.

    netstat -ab
    Proto Localaddress Remoteaddress Status PID
    UDP X-dc-01:61333 *:* 1572
    [dns.exe]
    UDP X-dc-01:52081 *:* 1572
    [dns.exe]
    UDP X-dc-01:60048 *:* 1572
    [dns.exe]
    UDP X-dc-01:62361 *:* 1572
    [dns.exe]

    Any Help appreciated.

    Thanks
     
    ThorstenK, Jul 11, 2008
    #1

  2. In
    What OS? Windows 2003? What service pack level?
    How many users are using this server or in your organization?
    Is this a public server or private only?
    Is the machine fully patched and up to date?
    Edge Firewall in place?
    Antispyware and antivirus have anything to say?

    Possibly install and run something such as TCPView, which is better than
    netstat
    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

    Qualys' free scan tool trial
    http://www.qualys.com/forms/trials/freescan/google/?lsid=7002

    Or something more elaborate such as eEye Retina scanner which shows each
    port open and source IP.
    http://www.eeye.com/html/products/retina/index.html

    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Infinite Diversities in Infinite Combinations
     
    Ace Fekay [MVP], Jul 12, 2008
    #2

  3. Terry Olsen Guest

    I have the same problem. I opened TCPView because I wanted to find out what
    was using a port that I wanted to use. TCPView took a long time to finish
    loading list but when it was done, it showed DNS.EXE as having about 2800
    ports open. I haven't seen this before and I don't know how to fix it. Can
    anyone provide any help on this issue?
     
    Terry Olsen, Jul 12, 2008
    #3
  4. Terry Olsen Guest

    Let me correct that. 2500 is the number, not 2800. So it appears I have the
    identical problem as the OP.

     
    Terry Olsen, Jul 12, 2008
    #4
  5. In
    Can you provide responses to the questions I asked the OP that didn't
    respond? I haven't seen this and if an app or some other issue such as an
    old or current vulnerability or a hotfix causing it or some app or service
    either running locally or on the network, would better be diagnosed with
    more information.

    What would really help is an eEye IRIS capture that will tell you exactly
    where they are coming from.

    Ace
     
    Ace Fekay [MVP], Jul 13, 2008
    #5
  6. ThorstenK Guest

    Sorry for the delay and sorry for forgetting the basic rules on what info to
    provide.

    Win2003 R2 Server SP2
    Domain controller
    Customer site with about 1000 users and another 2 DCs (which don't have the
    open ports, but I will have to compare the patch level)
    Should be fully or nearly fully patched
    Server is in a private LAN
    There is an enterprise firewall in place
    Nothing from AV
    It's the original dns.exe thread as I checked the PID


     
    ThorstenK, Jul 14, 2008
    #6
  7. In
    See if removing KB951746 helps as it did with the other poster, Shariat, in
    this thread.

    Ace
     
    Ace Fekay [MVP], Jul 14, 2008
    #7
  8. In
    I escalated the issue with Microsoft's engineers. Hang in there.

    Also, can someone who has the time run a perfmon on dns.exe and overall
    machine performance as well, to see if it is affecting performance, comparing
    with the update installed and not installed? I would appreciate it if you
    have the time to do this.

    Thanks,

    Ace
     
    Ace Fekay [MVP], Jul 15, 2008
    #8
  9. ThorstenK Guest

    Yes, removing it made the ports disappear. But then SNMP didn't work anymore
    and IE couldn't open any internet or internal websites.
    Also, like another poster, we prefer the unknown ports over the known
    vulnerability.
    But it seems like a bug in the patch. I think we are all willing to send in
    reports and logs if development needs them.

    Thanks
    Thorsten
     
    ThorstenK, Jul 17, 2008
    #9
  10. In
    Thorsten,

    If you have reports and logs, email them to me. Use my actual
    and I'll add them to my current submission to
    the Microsoft engineers.

    Ace
     
    Ace Fekay [MVP], Jul 18, 2008
    #10
  11. Griff Guest

    We are experiencing the same issue. Is Microsoft working on it? Is there
    anything I can provide to help?
    It is happening on one of our primary DCs.
    Windows 2003 Server with latest patches installed
    Private network with firewall
    50 DCs with about 1000 nodes across the country
    Nothing reporting from AV
     
    Griff, Jul 18, 2008
    #11
  12. Griff Guest

    Thanks Alun!

     
    Griff, Jul 18, 2008
    #12
  13. In
    I'm starting to think it's related to DNS where the system will reserve
    ephemeral ports and they show up as what you're seeing. Not sure. Haven't
    heard back anything yet. But take a look at this article. This shows how to
    reserve them and the DNS updates may just be doing that. Reserved ports are
    probably showing up as what you're seeing. This is just speculation. I'll
    let you know if I hear anything that I can post.

    Ace
     
    Ace Fekay [MVP], Jul 20, 2008
    #13
  14. In
    Oops, I forgot to post the articles. In addition, I am also speculating this
    will not show as a performance hit; rather it is just displaying which ports
    are reserved, but not necessarily in use. As I said, this is just
    speculation.

    MS08-037: Vulnerabilities in DNS could allow spoofing
    http://support.microsoft.com/default.aspx/kb/953230

    How to reserve a range of ephemeral ports on a computer that is running
    Windows Server 2003 or Windows 2000 Server
    http://support.microsoft.com/kb/812873

    Ace
     
    Ace Fekay [MVP], Jul 22, 2008
    #14
  15. ThorstenK Guest

    Yeah, thanks!

    The good old "this behavior is by design" :)
     
    ThorstenK, Jul 22, 2008
    #15
  16. Sil Grouwstra Guest

    After update KB951746, dns.exe consumes a lot more memory than I'm used to: 36.332K instead of 7,308K
     
    Sil Grouwstra, Jul 28, 2008
    #16
  17. In
    Thanks. Didn't even realize that one.

    Ace
     
    Ace Fekay [MVP], Jul 29, 2008
    #17
  18. In
    After thinking about it afterwards, the hotfix is reserving 2500 ports to
    eliminate ephemeral port randomization to eliminate the vulnerability, but in
    reserving the ports, it has to store them somewhere, which of course would
    make sense in the dns.exe process, therefore requiring more RAM, which
    explains what you are seeing in increased RAM usage.

    Ace
     
    Ace Fekay [MVP], Jul 29, 2008
    #18
  19. Alun Jones Guest

    I was beginning to think my post hadn't gone anywhere, because it wasn't
    showing up in Windows Live Mail.

    Alun.
    ~~~~
     
    Alun Jones, Jul 30, 2008
    #19
  20. Mango Tango Guest

    Worth noting is that the port range you'll see in TCPView is 49xxx and above, supposedly only related to what you should see with Server 2008 or Vista. Maybe that's part of the problem. We are Win2K3 and have the 2500 ports open too...

    - Mango
     
    Mango Tango, Aug 25, 2008
    #20
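An added triage helper, not code from the thread or from any poster. It parses the `netstat -ab` text format shown in the first post (an endpoint line followed by a bracketed `[image.exe]` line), counts the UDP endpoints with no remote address per process, and reports which ephemeral range the high ports fall in, which is the check Mango Tango made by eye in TCPView (49xxx and above, the Vista/2008 range, on a Windows 2003 box). The sample listing, the service-name map and the flag threshold are constructed assumptions; on a real server run `netstat -anb` so ports print numerically and feed that output to `triage()`.

```python
"""Count bound UDP ports per process from Windows ``netstat -ab`` output.

Added example (not from the thread).  Defender's use: tell a large,
idle, pre-bound socket pool owned by the DNS Server PID apart from
something unexpected, and see which ephemeral range the ports occupy.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's netstat -ab listing.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    X-dc-01:ldap           X-dc-01:0              LISTENING       500
 [lsass.exe]
  UDP    X-dc-01:61333          *:*                                    1572
 [dns.exe]
  UDP    X-dc-01:52081          *:*                                    1572
 [dns.exe]
  UDP    X-dc-01:60048          *:*                                    1572
 [dns.exe]
  UDP    X-dc-01:62361          *:*                                    1572
 [dns.exe]
  UDP    X-dc-01:domain         *:*                                    1572
 [dns.exe]
  UDP    X-dc-01:snmp           *:*                                    1724
 [snmp.exe]
"""

# Endpoint line: proto, local, remote, optional TCP state, PID.
ENDPOINT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# The -b switch prints the owning image on the following line in brackets.
PROCESS_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")

# Default dynamic port ranges: Windows Server 2003 vs. Vista / Server 2008.
EPHEMERAL_RANGES = {"win2003": (1025, 5000), "vista_2008": (49152, 65535)}

# netstat without -n resolves well-known ports to names; small assumed map.
KNOWN_SERVICE_PORTS = {"domain": 53, "snmp": 161, "ldap": 389}


def parse_netstat(text):
    """Return a list of endpoint dicts, each with its owning image attached."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:
            pending = m.groupdict()
            pending["image"] = None
            entries.append(pending)
            continue
        m = PROCESS_RE.match(line)
        if m and pending is not None:
            pending["image"] = m.group("image")
            pending = None
    return entries


def local_port(endpoint):
    """Numeric local port, resolving a few service names; None if unknown."""
    name = endpoint["local"].rsplit(":", 1)[-1]
    if name.isdigit():
        return int(name)
    return KNOWN_SERVICE_PORTS.get(name)


def udp_ports_by_process(entries):
    """Map (pid, image) -> sorted bound UDP ports that have no remote peer."""
    ports = defaultdict(list)
    for e in entries:
        if e["proto"] != "UDP" or e["remote"] != "*:*":
            continue
        p = local_port(e)
        if p is not None:
            ports[(int(e["pid"]), e["image"])].append(p)
    return {k: sorted(v) for k, v in ports.items()}


def classify_range(ports):
    """Name the ephemeral range holding all high (>1024) ports, or 'mixed'."""
    high = [p for p in ports if p > 1024]
    if not high:
        return None
    lo, hi = min(high), max(high)
    for name, (start, end) in EPHEMERAL_RANGES.items():
        if start <= lo and hi <= end:
            return name
    return "mixed"


def triage(text, threshold=1000):
    """Per-image summary; 'suspicious' flags images at or above threshold."""
    report = {}
    for (pid, image), ports in udp_ports_by_process(parse_netstat(text)).items():
        report[image] = {
            "pid": pid,
            "udp_ports": len(ports),
            "range": classify_range(ports),
            "suspicious": len(ports) >= threshold,
        }
    return report


if __name__ == "__main__":
    for image, info in triage(SAMPLE_NETSTAT).items():
        print(f"{image}: pid={info['pid']} udp={info['udp_ports']} "
              f"range={info['range']} flagged={info['suspicious']}")
```

On a server showing the thread's symptom the dns.exe entry would report roughly 2500 UDP ports, all in one range and all without a remote address; bound sockets with no peer are consistent with the pre-reserved pool Ace describes in #18 rather than with live connections, which is why the count alone is not an indicator of compromise. The same report for an image you do not recognise, or for dns.exe on a host where the PID does not match the DNS Server service, is the case worth chasing with TCPView as suggested in #2.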
