Small Business Susan

Does the issue with DNS ports impact SBS 2008?

http://support.microsoft.com/kb/956188/


http://support.microsoft.com/kb/956189/


This came up on the 2k list and I had to double check why my thoughts were that the DNS port exclusion issue was not an impact on SBS 2008.  The reason is that the DNS randomization on 2k8 is different than 2k3.  2k3 will possibly grab ports all the way from 1024 (or something really low) up to 65536.  2k8 only randomizes its DNS ports in the 49152 to 65535 range.  Since most apps don't 'talk' in that range, the issue with SBS 2003's services accidentally getting mangled by DNS grabbing random ports (typically seen as an IPsec service issue) doesn't occur on SBS 2008.


Ephemeral port allocation occurs in the [49152-65535] port range before you install security update 953230 on Windows Server 2008. This port allocation behavior does not change after you install security update 953230.
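To check this on a given server, the added example below (not from the original post or from Microsoft) parses `netstat -ano -p udp` output and reports whether the DNS process holds any fixed service port, and which fixed ports fall inside each randomization range. The netstat sample, the PID standing in for dns.exe, and the list of fixed ports are constructed assumptions.

```python
from collections import defaultdict

# Ranges as described in the post (the 2k3 lower bound is approximate there).
POOL_2K8 = range(49152, 65536)
POOL_2K3 = range(1024, 65536)

# Assumption: fixed UDP service ports to protect; adjust for the server in question.
FIXED_UDP = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP", 1812: "RADIUS"}

# Constructed sample of `netstat -ano -p udp`; PID 1520 stands in for dns.exe.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    684
  UDP    0.0.0.0:4500           *:*                                    684
  UDP    0.0.0.0:53             *:*                                    1520
  UDP    0.0.0.0:49731          *:*                                    1520
  UDP    0.0.0.0:58002          *:*                                    1520
  UDP    [::]:61440             *:*                                    1520
"""

def udp_ports_by_pid(netstat_text):
    """Map PID -> set of local UDP ports (UDP rows have no State column)."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "UDP":
            ports[int(fields[3])].add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def audit(netstat_text, dns_pid, pool):
    """Compare the DNS process's UDP sockets and the fixed ports against a pool."""
    held = udp_ports_by_pid(netstat_text)[dns_pid] - {53}  # 53 is the listener
    return {
        # DNS sockets outside the expected randomization range
        "outside_pool": sorted(p for p in held if p not in pool),
        # fixed service ports the DNS process is actually holding right now
        "collisions": sorted(held & FIXED_UDP.keys()),
        # fixed service ports that the pool could hand to DNS
        "at_risk": sorted(p for p in FIXED_UDP if p in pool),
    }

if __name__ == "__main__":
    print("2k8 range:", audit(SAMPLE, 1520, POOL_2K8))
    print("2k3 range:", audit(SAMPLE, 1520, POOL_2K3))
```

On a real server, feed the function the saved netstat output and the PID of dns.exe from Task Manager or `tasklist`.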



2 comments ↓

  • #   Chris Knight on 12.22.08 at 6:06 am     

    Which brings it (SBS2K8) into line with other modern operating systems.

    Win2K3 and SBS2K3 can use the same ephemeral port range.
    http://support.microsoft.com/kb/812873


  • #   Chris Knight on 12.22.08 at 6:14 am     

    Gah. Serves me right for doing 5 things at once.

    The best approach on Win2K3/SBS2K3 is to install security update 953230 and delete MaxUserPort. That way you get the ephemeral port range set to 49152-65535. What it should have been in the first place. KB 929851 gives the reason why the port range changed.