
This command clears all open UDP ports by DNS.EXE

net stop dns

After restarting the DNS service, DNS.EXE allocates 5000+ ports.

net start dns

It doesn't consume extensive memory or CPU. However, I noticed (and was alarmed by) many http/smtp/pop3 connection problems to the server because of timeouts. I just examined and found tons of open ports by DNS.EXE. Currports displays UDP local ports from 50000 to 56000; local addresses are :: and remote addresses are empty. The last lines of the netstat -a command are below:

UDP    [::]:55976             *:*   
UDP    [::]:55977             *:*   
UDP    [::]:55978             *:*     
UDP    [::]:55979             *:*     
UDP    [::]:55980             *:*     
UDP    [::]:55981             *:*     
UDP    [::]:55982             *:*    

I didn't notice these ports before, so I don't know for sure it is ok or not. What do you think? I did restart the server and monitoring/alert mails are NOT continuing.


1 Answer


This is a well-known side effect of the hotfix distributed to address MS08-037, since the hotfix is intended to decrease the predictability of ports used for DNS responses.

You can restrict the amount of ports used by defining a lower Socket Pool Size, as described in this article:

Using dnscmd.exe

  • Open an elevated Command Prompt (Run as Administrator...)
  • Issue dnscmd /Config /SocketPoolSize <value> where <value> is a number between 0 and 10000

Using regedit.exe

  • Open regedit.exe and expand the HKLM hive
  • Navigate to SYSTEM\CurrentControlSet\services\DNS\Parameters
  • If not already present, create a new DWORD value named SocketPoolSize
  • Set a decimal value between 0 and 10000
  • Restart the DNS Server service: net stop dns && net start dns

Be aware that setting the value too low effectively defeats the purpose of MS08-037.

If you're on Windows Server 2008 R2 and just want to make sure that a number of individual UDP endpoints are not used by DNS, you can also specify a list of port ranges to be excluded from use by DNS:

dnscmd /Config /SocketPoolExcludedPortRanges <start>-<end>
    The command to exclude specific ports is: `dnscmd /config /SocketPoolExcludedPortRanges [start]-[end]`, replacing [start] and [end] with your desired port range. You can also edit the registry value '`SocketPoolExcludedPortRanges`' manually (located in the same registry key as mentioned above). – Harrison Smith Jun 13 '18 at 07:18
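The following PowerShell script is an added example, not part of the answer or comment above: it counts the UDP endpoints dns.exe currently holds, reads the configured SocketPoolSize from the registry key named in the answer, and then applies the dnscmd /SocketPoolSize and /SocketPoolExcludedPortRanges switches from the answer. It assumes Windows Server 2012 or later (for Get-NetUDPEndpoint) and an elevated session; the parameter names and the 1000 warning threshold are this example's own choices.

```powershell
# Added example: audit the DNS socket pool, then optionally shrink it or
# exclude a port range so other services get their ephemeral ports back.
# Assumes Windows Server 2012+ and an elevated PowerShell session.
param(
    [int]$NewPoolSize = 0,        # 0 = audit only; otherwise 1..10000
    [string]$ExcludeRange = ''    # e.g. '50000-50100'; '' = no exclusion
)

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# --- Audit: how many UDP endpoints does dns.exe own right now? ---
$dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id
$udp = @(Get-NetUDPEndpoint | Where-Object { $_.OwningProcess -eq $dnsPid })
# Port 53 listeners are expected; everything else is the randomised pool
$pool = @($udp | Where-Object { $_.LocalPort -ne 53 })
"dns.exe (PID $dnsPid) owns $($udp.Count) UDP endpoints, $($pool.Count) of them pool sockets"

# Configured pool size; the value is absent when the default (2500) is in use
$cfg = Get-ItemProperty -Path $regKey -Name SocketPoolSize -ErrorAction SilentlyContinue
if ($null -eq $cfg) { "SocketPoolSize: not set (default 2500)" }
else { "SocketPoolSize: $($cfg.SocketPoolSize)" }
$excl = Get-ItemProperty -Path $regKey -Name SocketPoolExcludedPortRanges -ErrorAction SilentlyContinue
if ($excl) { "Excluded ranges: $($excl.SocketPoolExcludedPortRanges -join ', ')" }

# --- Remediation: apply the dnscmd switches from the answer ---
$restart = $false
if ($NewPoolSize -gt 0) {
    if ($NewPoolSize -gt 10000) { throw "SocketPoolSize must be between 0 and 10000" }
    if ($NewPoolSize -lt 1000) {   # threshold is this example's assumption
        Write-Warning "A small pool weakens the source-port randomisation that MS08-037 added"
    }
    & dnscmd /Config /SocketPoolSize $NewPoolSize
    $restart = $true
}
if ($ExcludeRange) {
    if ($ExcludeRange -notmatch '^\d{1,5}-\d{1,5}$') { throw "Use the form start-end, e.g. 50000-50100" }
    & dnscmd /Config /SocketPoolExcludedPortRanges $ExcludeRange
    $restart = $true
}
# Pool settings are read at service start, so restart DNS (same as net stop/start)
if ($restart) { Restart-Service -Name DNS; "DNS Server restarted; re-run in audit mode to confirm" }
```

Run it with no parameters first to see the current socket count and pool size; then, for example, `.\dnspool.ps1 -ExcludeRange 50000-50100` keeps the pool size intact while freeing the ports another service needs.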