sbs 2k3 and dns - driving me crazy

06-15-2009, 02:39 PM

good morning

can anyone please clarify on this matter

base system : w2k3 - sp2 latest updates - sbs 2k3 ( if relevant )

a simple netstat ( active ports actually ) shows dns process
linstening on nearly all UDP ports.
tcp 53 is also listening and dns is responsive.

our infrastructure includes a fedora ds server for replication, running
bind, also for replication. ( if relevant )
i just need to know (for now ) if this behaviour is expected.

thank you and have a nice day
pleite

06-15-2009, 03:38 PM

Good Aftrnoon
thank you for the reply and assistance
well, i don't see any apparent problems. it just startled me that dns
took over a lot of udp ports.
is this is an expected ( under normal conditions ) behaviour, then, well,
nothing to see, move along.

it's just that recently i had a iis breakdown, due to the no ports
available condition ( but these are tcp, i beleive ) and went digging,
thats when i found the dns thing.

thank you in advance
pleite
---------------------------------------
On Mon, 15 Jun 2009 10:57:16 -0400, Ace Fekay [Microsoft Certified
Trainer] wrote:

> "Pedro M. Leite" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> good morning
>>
>> can anyone please clarify on this matter
>>
>> base system : w2k3 - sp2 latest updates - sbs 2k3 ( if relevant )
>>
>> a simple netstat ( active ports actually ) shows dns process linstening
>> on nearly all UDP ports.
>> tcp 53 is also listening and dns is responsive.
>>
>> our infrastructure includes a fedora ds server for replication, running
>> bind, also for replication. ( if relevant ) i just need to know (for
>> now ) if this behaviour is expected.
>>
>> thank you and have a nice day
>> pleite
>
>
> Since this is SBS, I cross-posted it to the SBS group, for specific
> help.
>
> As far as your question or problem, I don't see a problem, or is there?
> DNS with the DNS update from last year (July, 2008) to address a DNS
> cache pollution flaw, gets allocated a range of ephemeral ports (service
> ports). This is normal.
>
> Otherwise, if there is any other issues, such as event log errors, etc,
> please post them.

06-15-2009, 04:17 PM

"Pedro M. Leite" <(E-Mail Removed)> wrote in message
news:e3$(E-Mail Removed)...
> Good Aftrnoon
> thank you for the reply and assistance
> well, i don't see any apparent problems. it just startled me that dns
> took over a lot of udp ports.
> is this is an expected ( under normal conditions ) behaviour, then, well,
> nothing to see, move along.
>
> it's just that recently i had a iis breakdown, due to the no ports
> available condition ( but these are tcp, i beleive ) and went digging,
> thats when i found the dns thing.
>
> thank you in advance
> pleite

Nah, nothing to worry about. It's working as expected. Here is an
explanation of what's going on.
================================================== ================================================== ==
The DNS Exploit patch explained:

Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)

The DNS patch released in July, 2008, reserves 2500 ephemeral UDP ports.

It is a security update to prevent spoofing. Attackers know that normally,
without the update, a random ephemeral response ports (service ports), which
is normally UDP 1024 and above. They are the response ports used by all
Windows communications (not just DNS). An attacker may guess/randomize a
port attack at DNS attempting to gain access to create records into the DNS
Cache, by injecting records using specially crafted commands, therefore
poisoning the DNS cache with records of their choosing, which will allow a
remote attacker to redirect legitimate network traffic intended for systems
on the Internet to the attacker's own systems or elsewhere, of their
choosing.

By reserving the port, or creating this socket pool, it reduces the chance
of a randomization attack, which attackers are using against Windows and
most other DNS services, to prevent Cache Poisoning.

When you run a netstat -ab, it will display the 2500 UDP ports that have
been reserved, but not necessarily in use. This is part of the increased
memory consumption that you may. I've noticed the following (your mileage
may vary):

dns.exe Before After
Mem usage 9,758K 36,232K
Peak Mem 10,208K 36,584K
Paged Pool 71K 798K
NP Pool 17K 4,833K
Handles 238 5,217
Threads 20 20

MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install
DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing
MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive...nd-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx
================================================== ================================================== ==

Ace

06-16-2009, 09:59 AM

Good Morning
thank you for the additional info.
guess i have to read more ms bulletins.
have a nice day.
pleite

On Mon, 15 Jun 2009 12:17:37 -0400, Ace Fekay [Microsoft Certified
Trainer] wrote:

> "Pedro M. Leite" <(E-Mail Removed)> wrote in message
> news:e3$(E-Mail Removed)...
>> Good Aftrnoon
>> thank you for the reply and assistance well, i don't see any apparent
>> problems. it just startled me that dns took over a lot of udp ports.
>> is this is an expected ( under normal conditions ) behaviour, then,
>> well, nothing to see, move along.
>>
>> it's just that recently i had a iis breakdown, due to the no ports
>> available condition ( but these are tcp, i beleive ) and went digging,
>> thats when i found the dns thing.
>>
>> thank you in advance
>> pleite
>
> Nah, nothing to worry about. It's working as expected. Here is an
> explanation of what's going on.
>
================================================== ================================================== ==
> The DNS Exploit patch explained:
>
> Protection against the Microsoft DNS Cache Poisoning Vulnerability
> (953230)
>
> The DNS patch released in July, 2008, reserves 2500 ephemeral UDP ports.
>
> It is a security update to prevent spoofing. Attackers know that
> normally, without the update, a random ephemeral response ports (service
> ports), which is normally UDP 1024 and above. They are the response
> ports used by all Windows communications (not just DNS). An attacker may
> guess/randomize a port attack at DNS attempting to gain access to create
> records into the DNS Cache, by injecting records using specially crafted
> commands, therefore poisoning the DNS cache with records of their
> choosing, which will allow a remote attacker to redirect legitimate
> network traffic intended for systems on the Internet to the attacker's
> own systems or elsewhere, of their choosing.
>
> By reserving the port, or creating this socket pool, it reduces the
> chance of a randomization attack, which attackers are using against
> Windows and most other DNS services, to prevent Cache Poisoning.
>
> When you run a netstat -ab, it will display the 2500 UDP ports that have
> been reserved, but not necessarily in use. This is part of the increased
> memory consumption that you may. I've noticed the following (your
> mileage may vary):
>
> dns.exe Before After
> Mem usage 9,758K 36,232K
> Peak Mem 10,208K 36,584K
> Paged Pool 71K 798K
> NP Pool 17K 4,833K
> Handles 238 5,217
> Threads 20 20
>
> MS08-037: Description of the security update for DNS in Windows Server
> 2003, in Windows XP, and in Windows 2000 Server (client side): July 8,
> 2008: http://support.microsoft.com/?id=951748
>
> MS08-037: Vulnerabilities in DNS could allow spoofing
> http://support.microsoft.com/default.aspx/kb/953230
>
> How to reserve a range of ephemeral ports on a computer that is running
> Windows Server 2003 or Windows 2000 Server
> http://support.microsoft.com/kb/812873
>
> You experience issues with UDP-dependent network services after you
> install DNS Server service security update 953230 (MS08-037)
> http://support.microsoft.com/default.aspx/kb/956188
>
> Some Services May Fail to Start or May Not Work Properly After
> Installing MS08-037 (951746 and 951748)
> http://blogs.technet.com/sbs/archive...ices-may-fail-
to-start-or-may-not-work-properly-after-installing-ms08-037-951746-
and-951748.aspx
>
> SBS Services failing after MS08-037 - KB951746 and 951748
> http://msmvps.com/blogs/thenakedmvp/.../sbs-services-
failing-after-ms08-037-kb951746-and-951748.aspx
>
================================================== ================================================== ==
>
> Ace

06-16-2009, 01:56 PM

"Pedro M. Leite" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Good Morning
> thank you for the additional info.
> guess i have to read more ms bulletins.
> have a nice day.
> pleite

You are welcome. You have a great day, too.

Ace

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
w2k3 server and dna - driving me crazy	Pedro M. Leite	Windows Networking	0	06-15-2009 09:55 AM
FTP Problem? Nearly works, but is driving me crazy.	David	Windows Networking	3	07-23-2007 02:44 PM
VPN driving me crazy	Homer Jay	Windows Networking	1	09-23-2006 05:16 PM
Driving me crazy!	BB	Wireless Networks	0	08-11-2006 06:58 PM
kppp is driving me crazy	Rhoniel	Linux Networking	8	07-20-2004 03:27 PM