post patch dns activity

Discussion in 'DNS Server' started by r. wales, Jul 21, 2008.

  1. r. wales

    r. wales Guest

    Hello. I have installed the latest patches to my dns server (2K3 server
    standard). While investigating a different issue this morning I ran TCPView
    on this server. I was surprised by the results. It shows hundreds of udp
    connections for the dns service. The connections start around port 49157 and
    go up to port 65511. It doesn't hit every port in between, but enough that I
    don't want to go through it. I know the last patch had something to do with
    port randomization, but should I have this many ports listed or is there
    something else going on? Has anyone else noticed behavior like this?

    Thanks for any light you can shed.
     
    r. wales, Jul 21, 2008
    #1

  2. Read inline please.

    There was an extensive discussion on this in the past week, this is
    apparently expected behavior after applying the patch and resolves a port
    randomization vulnerability. It does cause some issue with ZoneAlarm, for
    which ZoneAlarm has released an upgrade, see:
    http://support.microsoft.com/kb/953230


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Jul 21, 2008
    #2

  3. r. wales

    r. wales Guest

    Cheers. I knew about the potential issue with ZoneAlarm and about the flaw
    that the patch addresses (much coverage around the industry), but I didn't
    realize what the effect was going to look like. If this is normal and
    expected behavior that is all I need to know. Thanks for getting back to me
    so quickly!
     
    r. wales, Jul 21, 2008
    #3
  4. r. wales

    r. wales Guest

    One other question... we are a small shop, less than 50 workstations/servers
    and do not serve DNS for anything outside of our own network. Should that
    number of ports still be showing up? Or are the ports listed the ports being
    actively used by dns requests? in that case, should my small number of
    machines be generating that much dns traffic?

    Thanks again.
     
    r. wales, Jul 21, 2008
    #4
  5. Ace Fekay [MVP]

    I've reported these concerns to Microsoft's engineering department. I
    haven't heard back, but I'm starting to think what you are seeing is
    actually the reserved ephemeral ports for dns.exe. I'm not sure and will
    post back once I find out. If I am correct in my assumption, this will not
    cause a performance hit and is just showing you which ports are reserved.

    Don't quote me just yet. This is PURE SPECULATION on my part.

    And what's funny, this post will wind up all over the internet under
    different websites that copy posts out of the newsgroups making their
    readers think they came from their website and will quote me on it. For
    those viewers, please search for my latest posts or look for anything that
    Microsoft may report concerning this issue.

    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Infinite Diversities in Infinite Combinations
     
    Ace Fekay [MVP], Jul 22, 2008
    #5
  6. dpashev

    dpashev Guest

    Set
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize
    to lower value.
     
    dpashev, Jul 23, 2008
    #6
  7. Ace Fekay [MVP]

    Hi dpashev,

    Can you explain to everyone what this entry will do for them and their
    server, as well as if you have a link to explain it too?

    Thank you,

    Ace
     
    Ace Fekay [MVP], Jul 24, 2008
    #7
  8. dpashev

    dpashev Guest

    I set SocketPoolSize to 50.
    See:
    MS08-037: [http://support.microsoft.com/kb/953230]
    DNS Source Port randomization
    As a part of DNS Source Port randomization, Microsoft has reserved ports to
    reduce the source port randomization risk. The default size of the Socket
    Pool on Windows Server 2003 and down-level platforms is 2500. This size is
    configurable by modifying the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize registry subkey.
    ---
    See also:
    http://blogs.technet.com/swi/archive/2008/07/08/ms08-037-more-entropy-in-the-dns-resolver.aspx
    [...]
    We modified the DNS client and server resolvers to send requests from a
    random source port. Previously, an attacker would need to only guess the
    correct transaction ID. After applying MS08-037, an attacker will need to
    guess both the transaction ID and source port in order to successfully spoof
    a DNS reply. In short, randomized source ports for DNS transactions adds
    another unique piece of information to DNS transactions, which makes spoofing
    more difficult.

    The default size of the randomized socket pool on Win2k3 and down-level
    platforms is 2500 ports which is configurable by modifying the registry
    value:

    HKLM\System\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize
     
    dpashev, Jul 24, 2008
    #8
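    A quick check for the two practical questions raised in this thread (post #1's
    "should I have this many ports listed?" and the SocketPoolSize description quoted
    in post #8), as an added example that is not part of the original thread. It parses
    a constructed `netstat -ano -p udp` snapshot (the sample lines, dns.exe's PID 1432
    and the other PIDs are assumptions, not a capture from the poster's server), counts
    the UDP ports dns.exe holds beyond its listener on 53, flags other services already
    bound inside the span the pool occupies, and shows how much entropy a pool of a
    given size adds to the 16-bit transaction ID. Windows Server 2003 has no PowerShell
    by default, so it is written in Python to run anywhere against a saved netstat dump.

```python
"""Sanity-check the DNS socket pool from a `netstat -ano -p udp` snapshot.

Added example, not from the thread. It answers two practical questions in
the posts above: is the number of UDP ports dns.exe holds consistent with
SocketPoolSize, and how much does that pool add to the spoofing difficulty.
"""
import math
import re
from collections import defaultdict

# Constructed sample of `netstat -ano -p udp` output (NOT a real capture from
# the poster's server). PID 1432 is assumed to be dns.exe; PIDs 904 and 2208
# stand in for two unrelated UDP services. A real post-MS08-037 snapshot would
# show roughly SocketPoolSize (2500 by default) lines for dns.exe; five are
# listed here to keep the sample short.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:53             *:*                                    1432
  UDP    0.0.0.0:123            *:*                                    904
  UDP    0.0.0.0:49157          *:*                                    1432
  UDP    0.0.0.0:49160          *:*                                    1432
  UDP    0.0.0.0:49161          *:*                                    1432
  UDP    0.0.0.0:52301          *:*                                    1432
  UDP    0.0.0.0:60044          *:*                                    2208
  UDP    0.0.0.0:65511          *:*                                    1432
"""

DNS_PID = 1432            # assumed PID of dns.exe in the sample
DEFAULT_POOL_SIZE = 2500  # Win2k3 default quoted from KB 953230 in the thread
DNS_LISTEN_PORT = 53
TXID_SPACE = 1 << 16      # 16-bit DNS transaction ID

# "UDP  <addr>:<port>  *:*  <pid>"; the State column is empty for UDP rows.
_UDP_LINE = re.compile(r"^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)\s*$")


def parse_udp_endpoints(text):
    """Map each PID to the set of local UDP ports it has bound."""
    by_pid = defaultdict(set)
    for line in text.splitlines():
        m = _UDP_LINE.match(line)
        if m:
            by_pid[int(m.group(2))].add(int(m.group(1)))
    return dict(by_pid)


def dns_socket_pool(by_pid, dns_pid=DNS_PID):
    """Ports dns.exe holds besides its listener on 53: the pre-bound pool."""
    return sorted(p for p in by_pid.get(dns_pid, set()) if p != DNS_LISTEN_PORT)


def check_pool(by_pid, dns_pid=DNS_PID, pool_size=DEFAULT_POOL_SIZE):
    """Summarise the pool and flag other listeners inside the span it occupies.

    Another process holding a port inside that span is the kind of collision
    KB 956188 (linked later in the thread) describes, so list them.
    """
    pool = dns_socket_pool(by_pid, dns_pid)
    lo, hi = (min(pool), max(pool)) if pool else (None, None)
    others = sorted(
        (port, pid)
        for pid, ports in by_pid.items() if pid != dns_pid
        for port in ports if lo is not None and lo <= port <= hi
    )
    return {
        "pool_ports": len(pool),
        "range": (lo, hi),
        "within_configured_size": len(pool) <= pool_size,
        "other_listeners_in_range": others,
    }


def spoof_odds(pool_size=DEFAULT_POOL_SIZE):
    """Per-forged-reply chance of matching one outstanding query.

    Before MS08-037 only the 16-bit TXID had to match; afterwards the source
    port, drawn from a pool of `pool_size` ports, must match too. The extra
    entropy is log2(pool_size) bits, so shrinking the pool (SocketPoolSize = 50
    as in the post above) gives most of it back to the attacker.
    """
    return {
        "txid_only": 1.0 / TXID_SPACE,
        "txid_and_port": 1.0 / (TXID_SPACE * pool_size),
        "extra_bits": math.log2(pool_size),
    }


if __name__ == "__main__":
    endpoints = parse_udp_endpoints(SAMPLE_NETSTAT)
    print(check_pool(endpoints))
    for size in (DEFAULT_POOL_SIZE, 50):
        print(size, spoof_odds(size))
```

    Run it against a saved `netstat -ano -p udp > udp.txt` from the server and the
    PID of dns.exe from Task Manager. Lowering SocketPoolSize does quiet the TCPView
    listing, but the pool is the source-port entropy: 2500 ports add about 11.3 bits to
    the transaction ID, 50 ports add about 5.6. Trim it only as far as a colliding
    service actually needs.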
  9. ObiWan [MVP]

    ObiWan [MVP] Guest

    Don't quote me just yet. This is PURE SPECULATION on my part.

    [OT?] Ace, about this issue... there's something for you on "connect" ;)
    I'd like to discuss that issue in further detail elsewhere... if and when
    you'd like to :)

    Uh and btw... happy to e-see you !
     
    ObiWan [MVP], Jul 25, 2008
    #9
  10. Yo! ObiWan, Haven't seen you for,..um,..I think a few years! Good to see
    your name pop up.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jul 25, 2008
    #10
  11. ObiWan [MVP]

    ObiWan [MVP] Guest

    Yo! ObiWan, Haven't seen you for,..um,..
    Hi there Phil !! Nice to e-see you too again !!!

    Well... there's some "rumbling" about DNS
    lately <g> and there are a couple or maybe
    more questions which need to be fixed asap

    ;-)
     
    ObiWan [MVP], Jul 25, 2008
    #11
  12. Ace Fekay [MVP]

    Same here, it's been quite some time. Nice to see you back.

    I just read your response/feedback to my submission. I'm still digesting it,
    quite a bit of information. Interesting points too concerning IPSec
    and NAT, etc. What do you think overall in general? Email me privately (not
    here) with your response, please!

    Ace
     
    Ace Fekay [MVP], Jul 27, 2008
    #12
  13. Ace Fekay [MVP]

    Thank you for posting this. Yes, that is what's going on, however the
    question is will it interfere with performance and other applications?

    Ace
     
    Ace Fekay [MVP], Jul 27, 2008
    #13
  14. ObiWan [MVP]

    ObiWan [MVP] Guest

    privately (not here) with your response, please!

    you've new mail :D
     
    ObiWan [MVP], Jul 28, 2008
    #14
  15. S. Pidgorny

    S. Pidgorny Guest

    G'day:
    The answer is no.

    s
     
    S. Pidgorny, Aug 22, 2008
    #15
  16. Thanks.

    Actually we've found it interferes with other services that are dependent on
    UDP ports that DNS reserves. For everyone's benefit to learn more about it,
    the following are some links on it.

    You experience issues with UDP-dependent network services after you install
    DNS Server service security update 953230 (MS08-037)
    http://support.microsoft.com/default.aspx/kb/956188

    Some Services May Fail to Start or May Not Work Properly After Installing
    MS08-037 (951746 and 951748)
    http://blogs.technet.com/sbs/archiv...er-installing-ms08-037-951746-and-951748.aspx

    SBS Services failing after MS08-037 - KB951746 and 951748
    http://msmvps.com/blogs/thenakedmvp...iling-after-ms08-037-kb951746-and-951748.aspx

    Ace
     
    Ace Fekay [MVP Directory Services], Aug 22, 2008
    #16
