
sbs 2k3 and dns - driving me crazy

Author
15 Jun 2009 2:39 PM
Pedro M. Leite
good morning

can anyone please clarify on this matter

base system : w2k3 - sp2 latest updates - sbs 2k3 ( if relevant )

a simple netstat ( active ports actually ) shows dns process
listening on nearly all UDP ports.
tcp 53 is also listening and dns is responsive.

our infrastructure includes a fedora ds server for replication, running
bind, also for replication. ( if relevant )
i just need to know (for now ) if this behaviour is expected.

thank you and have a nice day
pleite

Author
15 Jun 2009 2:57 PM
Ace Fekay [Microsoft Certified Trainer]
"Pedro M. Leite" <ple***@cimbo.com> wrote in message
news:OU0VGcc7JHA.1716@TK2MSFTNGP03.phx.gbl...
> good morning
>
> can anyone please clarify on this matter
>
> base system : w2k3 - sp2 latest updates - sbs 2k3 ( if relevant )
>
> a simple netstat ( active ports actually ) shows dns process
> listening on nearly all UDP ports.
> tcp 53 is also listening and dns is responsive.
>
> our infrastructure includes a fedora ds server for replication, running
> bind, also for replication. ( if relevant )
> i just need to know (for now ) if this behaviour is expected.
>
> thank you and have a nice day
> pleite


Since this is SBS, I cross-posted it to the SBS group, for specific help.

As far as your question or problem, I don't see a problem, or is there? DNS
with the DNS update from last year (July, 2008) to address a DNS cache
pollution flaw, gets allocated a range of ephemeral ports (service ports).
This is normal.

Otherwise, if there are any other issues, such as event log errors, etc.,
please post them.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

Author
15 Jun 2009 3:38 PM
Pedro M. Leite
Good Afternoon
thank you for the reply and assistance
well, i don't see any apparent problems. it just startled me that dns
took over a lot of udp ports.
if this is an expected ( under normal conditions ) behaviour, then, well,
nothing to see, move along.

it's just that recently i had an iis breakdown, due to the no ports
available condition ( but these are tcp, i believe ) and went digging,
that's when i found the dns thing.

thank you in advance
pleite
---------------------------------------
On Mon, 15 Jun 2009 10:57:16 -0400, Ace Fekay [Microsoft Certified
Trainer] wrote:

> "Pedro M. Leite" <ple***@cimbo.com> wrote in message
> news:OU0VGcc7JHA.1716@TK2MSFTNGP03.phx.gbl...
>> good morning
>>
>> can anyone please clarify on this matter
>>
>> base system : w2k3 - sp2 latest updates - sbs 2k3 ( if relevant )
>>
>> a simple netstat ( active ports actually ) shows dns process listening
>> on nearly all UDP ports.
>> tcp 53 is also listening and dns is responsive.
>>
>> our infrastructure includes a fedora ds server for replication, running
>> bind, also for replication. ( if relevant ) i just need to know (for
>> now ) if this behaviour is expected.
>>
>> thank you and have a nice day
>> pleite
>
>
> Since this is SBS, I cross-posted it to the SBS group, for specific
> help.
>
> As far as your question or problem, I don't see a problem, or is there?
> DNS with the DNS update from last year (July, 2008) to address a DNS
> cache pollution flaw, gets allocated a range of ephemeral ports (service
> ports). This is normal.
>
> Otherwise, if there are any other issues, such as event log errors, etc.,
> please post them.
Author
15 Jun 2009 4:17 PM
Ace Fekay [Microsoft Certified Trainer]
"Pedro M. Leite" <ple***@cimbo.com> wrote in message
news:e3$7U9c7JHA.1420@TK2MSFTNGP04.phx.gbl...
> Good Afternoon
> thank you for the reply and assistance
> well, i don't see any apparent problems. it just startled me that dns
> took over a lot of udp ports.
> if this is an expected ( under normal conditions ) behaviour, then, well,
> nothing to see, move along.
>
> it's just that recently i had an iis breakdown, due to the no ports
> available condition ( but these are tcp, i believe ) and went digging,
> that's when i found the dns thing.
>
> thank you in advance
> pleite

Nah, nothing to worry about. It's working as expected. Here is an
explanation of what's going on.
======================================================================================================
The DNS Exploit patch explained:

Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)

The DNS patch released in July, 2008, reserves 2500 ephemeral UDP ports.

It is a security update to prevent spoofing. Attackers know that normally,
without the update, a random ephemeral response port (service port) is used, which
is normally UDP 1024 and above. They are the response ports used by all
Windows communications (not just DNS). An attacker may guess/randomize a
port attack at DNS attempting to gain access to create records into the DNS
Cache, by injecting records using specially crafted commands, therefore
poisoning the DNS cache with records of their choosing, which will allow a
remote attacker to redirect legitimate network traffic intended for systems
on the Internet to the attacker's own systems or elsewhere, of their
choosing.

By reserving the port, or creating this socket pool, it reduces the chance
of a randomization attack, which attackers are using against Windows and
most other DNS services, to prevent Cache Poisoning.

When you run a netstat -ab, it will display the 2500 UDP ports that have
been reserved, but not necessarily in use. This is part of the increased
memory consumption that you may. I've noticed the following (your mileage
may vary):

dns.exe      Before      After
Mem usage     9,758K     36,232K
Peak Mem     10,208K     36,584K
Paged Pool       71K        798K
NP Pool          17K      4,833K
Handles         238       5,217
Threads          20          20

MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install
DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing
MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx
======================================================================================================

Ace
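An added example, not from this thread or from Microsoft: a small Python script that parses `netstat -ano`-style output (a constructed sample is embedded) and tells the reserved DNS socket pool apart from genuine ephemeral-port exhaustion, per protocol. It assumes the Windows Server 2003 default dynamic range 1025-5000 and takes the 2500-port pool size from the post; the PID 1234 and the sample lines are constructed.

```python
from collections import defaultdict

# Assumed: Windows Server 2003 default dynamic range (MaxUserPort raises the top)
EPHEMERAL_RANGE = (1025, 5000)
# Pool size quoted in the post for the MS08-037 DNS update
SOCKET_POOL_SIZE = 2500


def parse_netstat(text):
    """Return (proto, local_port, pid) tuples from `netstat -ano` style output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the header, blank lines and 'Active Connections'
        _, port = parts[1].rsplit(":", 1)  # rsplit also handles [::]:53
        rows.append((parts[0], int(port), int(parts[-1])))
    return rows


def assess(rows, dns_pid):
    """Separate the DNS socket pool from real ephemeral-port pressure, per protocol."""
    lo, hi = EPHEMERAL_RANGE
    size = hi - lo + 1
    dns_udp = sum(1 for proto, _, pid in rows if proto == "UDP" and pid == dns_pid)
    used = defaultdict(set)
    for proto, port, _ in rows:
        if lo <= port <= hi:
            used[proto].add(port)
    return {
        "dns_udp_ports": dns_udp,
        # ~2500 UDP sockets on the DNS pid is the reserved pool, not a leak
        "socket_pool_present": dns_udp >= SOCKET_POOL_SIZE,
        # TCP and UDP ranges are independent: the UDP pool cannot starve IIS of TCP ports
        "udp_ephemeral_free": size - len(used["UDP"]),
        "tcp_ephemeral_free": size - len(used["TCP"]),
    }


def constructed_netstat_output(dns_pid=1234):
    """Constructed sample in `netstat -ano` layout: dns.exe on 53 plus its UDP pool."""
    lines = ["  Proto  Local Address  Foreign Address  State  PID",
             f"  TCP  0.0.0.0:53  0.0.0.0:0  LISTENING  {dns_pid}",
             f"  UDP  0.0.0.0:53  *:*  {dns_pid}",
             "  TCP  0.0.0.0:80  0.0.0.0:0  LISTENING  4",
             "  UDP  0.0.0.0:123  *:*  900"]
    lines += [f"  UDP  0.0.0.0:{p}  *:*  {dns_pid}" for p in range(1025, 1025 + SOCKET_POOL_SIZE)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(assess(parse_netstat(constructed_netstat_output()), dns_pid=1234))
```

On a real server, feed it the saved output of `netstat -ano` and the PID of dns.exe from Task Manager; a large UDP count on that PID with plenty of TCP headroom points at the pool, not at the "no ports available" condition.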
Author
16 Jun 2009 9:59 AM
Pedro M. Leite
Good Morning
thank you for the additional info.
guess i have to read more ms bulletins.
have a nice day.
pleite

On Mon, 15 Jun 2009 12:17:37 -0400, Ace Fekay [Microsoft Certified
Trainer] wrote:

> "Pedro M. Leite" <ple***@cimbo.com> wrote in message
> news:e3$7U9c7JHA.1420@TK2MSFTNGP04.phx.gbl...
>> Good Afternoon
>> thank you for the reply and assistance well, i don't see any apparent
>> problems. it just startled me that dns took over a lot of udp ports.
>> if this is an expected ( under normal conditions ) behaviour, then,
>> well, nothing to see, move along.
>>
>> it's just that recently i had an iis breakdown, due to the no ports
>> available condition ( but these are tcp, i believe ) and went digging,
>> that's when i found the dns thing.
>>
>> thank you in advance
>> pleite
>
> Nah, nothing to worry about. It's working as expected. Here is an
> explanation of what's going on.
>
> ======================================================================================================
> The DNS Exploit patch explained:
>
> Protection against the Microsoft DNS Cache Poisoning Vulnerability
> (953230)
>
> The DNS patch released in July, 2008, reserves 2500 ephemeral UDP ports.
>
> It is a security update to prevent spoofing. Attackers know that
> normally, without the update, a random ephemeral response port (service
> port) is used, which is normally UDP 1024 and above. They are the response
> ports used by all Windows communications (not just DNS). An attacker may
> guess/randomize a port attack at DNS attempting to gain access to create
> records into the DNS Cache, by injecting records using specially crafted
> commands, therefore poisoning the DNS cache with records of their
> choosing, which will allow a remote attacker to redirect legitimate
> network traffic intended for systems on the Internet to the attacker's
> own systems or elsewhere, of their choosing.
>
> By reserving the port, or creating this socket pool, it reduces the
> chance of a randomization attack, which attackers are using against
> Windows and most other DNS services, to prevent Cache Poisoning.
>
> When you run a netstat -ab, it will display the 2500 UDP ports that have
> been reserved, but not necessarily in use. This is part of the increased
> memory consumption that you may. I've noticed the following (your
> mileage may vary):
>
> dns.exe      Before      After
> Mem usage     9,758K     36,232K
> Peak Mem     10,208K     36,584K
> Paged Pool       71K        798K
> NP Pool          17K      4,833K
> Handles         238       5,217
> Threads          20          20
>
> MS08-037: Description of the security update for DNS in Windows Server
> 2003, in Windows XP, and in Windows 2000 Server (client side): July 8,
> 2008: http://support.microsoft.com/?id=951748
>
> MS08-037: Vulnerabilities in DNS could allow spoofing
> http://support.microsoft.com/default.aspx/kb/953230
>
> How to reserve a range of ephemeral ports on a computer that is running
> Windows Server 2003 or Windows 2000 Server
> http://support.microsoft.com/kb/812873
>
> You experience issues with UDP-dependent network services after you
> install DNS Server service security update 953230 (MS08-037)
> http://support.microsoft.com/default.aspx/kb/956188
>
> Some Services May Fail to Start or May Not Work Properly After
> Installing MS08-037 (951746 and 951748)
> http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx
>
> SBS Services failing after MS08-037 - KB951746 and 951748
> http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx
>
> ======================================================================================================
>
> Ace
Author
16 Jun 2009 1:56 PM
Ace Fekay [Microsoft Certified Trainer]
"Pedro M. Leite" <ple***@cimbo.com> wrote in message
news:ecX7hkm7JHA.728@TK2MSFTNGP05.phx.gbl...
> Good Morning
> thank you for the additional info.
> guess i have to read more ms bulletins.
> have a nice day.
> pleite

You are welcome. You have a great day, too.

Ace
