The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and Ports Reservation Explained
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
8/9/2010 – Added update links (see the bottom of this blog).
10/5/2010 – Added info about the DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003
10/7/2010 – Added link explaining how to debug the DNS process to determine if a leak is occurring
Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)
The DNS patch released in July 2008 reserves 2500 ephemeral UDP service ports.
It is a security update to prevent spoofing. Attackers know that normally, without the update, the DNS server answers a querying client resolver from a random ephemeral response port (service port) chosen from UDP 1024 and above. These response or service ports are used by all Windows communications, not just DNS. An attacker who guesses that port can direct specially crafted responses at the DNS server to inject records into the DNS cache, poisoning the cache with records of their choosing. That allows a remote attacker to redirect legitimate network traffic intended for systems on the Internet to the attacker’s own systems, or anywhere else they choose.
Pre-reserving the ports (creating a socket pool), as the DNS patch does, reduces the chance of a successful port-guessing attack. Attackers are using such attacks against Windows and other major DNS services, and the socket pool is the defence against cache poisoning.
DNS Increased Memory Consumption Due To The DNS Patch
When you run netstat -ab, it will display the 2500 UDP ports that have been reserved, although they are not necessarily in use. This is part of the increased memory consumption that you may notice. I’ve noticed the following when I’ve looked at Task Manager before and after the DNS patch was installed (your mileage may vary):
dns.exe       Before     After
Mem usage     9,758K     36,232K
Peak Mem      10,208K    36,584K
Paged Pool    71K        798K
NP Pool       17K        4,833K
Handles       238        5,217
Threads       20         20
If the RPC Endpoint Mapper Runs Out of Ports Due to the Patch
There can also be issues with applications installed and running on a DNS server, where the RPC Endpoint Mapper has no ports left to use because the application is consuming all of the available ports.
Run “netstat -ano” at a command prompt. It lists the ports that are in use together with the PID of the process that owns each port. Possibly you’re running an application on this server that isn’t releasing ports when it’s done with them. You can also extend the range of ports available to RPC, but I’d recommend looking into what’s consuming them first.
Take a look at the following article for more info on the Endpoint mapper:
839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003
If your DNS server is experiencing a large amount of memory consumption by the DNS process, to the point that the DNS service hangs and stops responding, it may be associated with hotfix 941672. If 941672 was installed on the DNS server, there is a known memory leak in the DNS process associated with this hotfix. The issue is fixed by installing hotfix 975830.
Please read more about it in the following link, where you can also request the hotfix.
The memory usage of the Dns.exe process keeps increasing after you install hotfix 941672 on a computer that is running Windows Server 2003 SP2 and that has the DNS server role installed
Article ID: 975830 – Last Review: October 27, 2009 – Revision: 1.0
DNS Memory Consumption Related Discussion:
If you feel that you need more information to determine whether a DNS process leak is occurring, you can enable debug logging and use the following link in conjunction with the symptoms explained in KB975830 to further analyze the issue.
DNS: Monitoring Server
Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Ports Have Changed
The default ephemeral ports (random service ports) are UDP 1024 – 65535 (see KB179442 below), but for Vista and Windows 2008 it’s different. Their default dynamic port range is UDP 49152 to UDP 65535 (see KB929851 below).
Quoted from KB929851 (link posted below):
“To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”
Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports)
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
DNS Server Service Terminates Unexpectedly
Are you seeing the following error?
The DNS Server service terminated with the following error:
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
2500 is the default DNS Socket Pool Size value on Windows Server 2008 R2. I suspect that, for system stability reasons, BPA will always suggest using the system default settings, which is why it popped up this prompt.
Meanwhile, could you verify the current value of the registry key SocketPoolSize, located under the following path:
Manually modify it to the value you want, restart the computer and check whether this issue persists.
For more information please refer to the link below:
DNS Socket Pool – Windows 2008 R2
More info on the Microsoft DNS Cache Poisoning Vulnerability KB953230 patch and the DNS exploit issue is explained in the following links.
US-CERT Vulnerability – Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning.
SecureWorks: DNS Cache Poisoning
The old problem of DNS cache poisoning has again reared its ugly head.
MS08-037: Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
MS08-037: Vulnerabilities in DNS could allow spoofing
How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
SBS Services failing after MS08-037 – KB951746 and 951748
Additional Updated Links (added 8/9/2010):
[PDF] Windows DNS Server Cache Poisoning