#1
dns.exe 2500 open ports in netstat -ab

No remote address and no status.
I haven't seen that before and it's not like that on another DC.
I already rebooted but it comes back. When I restart DNS Server Service they all open immediately.

netstat -ab

Proto  Localaddress     Remoteaddress   Status   PID
UDP    X-dc-01:61333    *:*                      1572
[dns.exe]
UDP    X-dc-01:52081    *:*                      1572
[dns.exe]
UDP    X-dc-01:60048    *:*                      1572
[dns.exe]
UDP    X-dc-01:62361    *:*                      1572
[dns.exe]

Any Help appreciated.

Thanks

#2
Re: dns.exe 2500 open ports in netstat -ab

In news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com,
ThorstenK <ThorstenK@discussions.microsoft.com> typed:
> On one domain controller in a child domain I see 2500 open ports from
> dns.exe. No remote address and no status.
> I haven't seen that before and it's not like that on another DC.
> I already rebooted but it comes back. When I restart DNS Server
> Service they all open immediately.
>
> netstat -ab
> Proto  Localaddress     Remoteaddress   Status   PID
> UDP    X-dc-01:61333    *:*                      1572
> [dns.exe]
> UDP    X-dc-01:52081    *:*                      1572
> [dns.exe]
> UDP    X-dc-01:60048    *:*                      1572
> [dns.exe]
> UDP    X-dc-01:62361    *:*                      1572
> [dns.exe]
>
> Any Help appreciated.
>
> Thanks

What OS? Windows 2003? What service pack level?
How many users are using this server or in your organization?
Is this a public server or private only?
Is the machine fully patched and up to date?
Edge Firewall in place?
Antispyware and antivirus have anything to say?

Possibly install and run something such as TCPView, which is better than netstat
http://technet.microsoft.com/en-us/s.../bb897437.aspx

Qualys' free scan tool trial
http://www.qualys.com/forms/trials/f...gle/?lsid=7002

Or something more elaborate such as eEye Retina scanner which shows each port open and source IP.
http://www.eeye.com/html/products/retina/index.html

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

#3
Re: dns.exe 2500 open ports in netstat -ab

I have the same problem. I opened TCPView because I wanted to find out what was using a port that I wanted to use. TCPView took a long time to finish loading the list, but when it was done, it showed DNS.EXE as having about 2800 ports open. I haven't seen this before and I don't know how to fix it. Can anyone provide any help on this issue?

"ThorstenK" <ThorstenK@discussions.microsoft.com> wrote in message
news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com...
> On one domain controller in a child domain I see 2500 open ports from
> dns.exe.
> No remote address and no status.
> I haven't seen that before and it's not like that on another DC.
> I already rebooted but it comes back. When I restart DNS Server Service
> they all open immediately.
>
> netstat -ab
> Proto  Localaddress     Remoteaddress   Status   PID
> UDP    X-dc-01:61333    *:*                      1572
> [dns.exe]
> UDP    X-dc-01:52081    *:*                      1572
> [dns.exe]
> UDP    X-dc-01:60048    *:*                      1572
> [dns.exe]
> UDP    X-dc-01:62361    *:*                      1572
> [dns.exe]
>
> Any Help appreciated.
>
> Thanks

#4
Re: dns.exe 2500 open ports in netstat -ab

Let me correct that. 2500 is the number, not 2800. So it appears I have the identical problem as the OP.

"Terry Olsen" <tolsen64@hotmail.com> wrote in message
news:OpPdW1C5IHA.1428@TK2MSFTNGP06.phx.gbl...
> I have the same problem. I opened TCPView because I wanted to find out what
> was using a port that I wanted to use. TCPView took a long time to finish
> loading the list, but when it was done, it showed DNS.EXE as having about 2800
> ports open. I haven't seen this before and I don't know how to fix it. Can
> anyone provide any help on this issue?
>
> "ThorstenK" <ThorstenK@discussions.microsoft.com> wrote in message
> news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com...
>> On one domain controller in a child domain I see 2500 open ports from
>> dns.exe.
>> No remote address and no status.
>> I haven't seen that before and it's not like that on another DC.
>> I already rebooted but it comes back. When I restart DNS Server Service
>> they all open immediately.
>>
>> netstat -ab
>> Proto  Localaddress     Remoteaddress   Status   PID
>> UDP    X-dc-01:61333    *:*                      1572
>> [dns.exe]
>> UDP    X-dc-01:52081    *:*                      1572
>> [dns.exe]
>> UDP    X-dc-01:60048    *:*                      1572
>> [dns.exe]
>> UDP    X-dc-01:62361    *:*                      1572
>> [dns.exe]
>>
>> Any Help appreciated.
>>
>> Thanks

#5
Re: dns.exe 2500 open ports in netstat -ab

In news:uaiF23C5IHA.3484@TK2MSFTNGP05.phx.gbl,
Terry Olsen <tolsen64@hotmail.com> typed:
> Let me correct that. 2500 is the number, not 2800. So it appears I
> have the identical problem as the OP.

Can you provide responses to the questions I asked the OP that didn't respond? I haven't seen this and if an app or some other issue such as an old or current vulnerability or a hotfix causing it or some app or service either running locally or on the network, would better be diagnosed with more information.

What would really help is an eEye IRIS capture that will tell you exactly where they are coming from.

Ace

#6
Re: dns.exe 2500 open ports in netstat -ab

On Jul 12, 7:50 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com> wrote:
> In news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com,
> ThorstenK <Thorst...@discussions.microsoft.com> typed:
>
> > On one domain controller in a child domain I see 2500 open ports from
> > dns.exe. No remote address and no status.
> > I haven't seen that before and it's not like that on another DC.
> > I already rebooted but it comes back. When I restart DNS Server
> > Service they all open immediately.
> >
> > netstat -ab
> > Proto  Localaddress     Remoteaddress   Status   PID
> > UDP    X-dc-01:61333    *:*                      1572
> > [dns.exe]
> > UDP    X-dc-01:52081    *:*                      1572
> > [dns.exe]
> > UDP    X-dc-01:60048    *:*                      1572
> > [dns.exe]
> > UDP    X-dc-01:62361    *:*                      1572
> > [dns.exe]
> >
> > Any Help appreciated.
> >
> > Thanks
>
> What OS? Windows 2003? What service pack level?
> How many users are using this server or in your organization?
> Is this a public server or private only?
> Is the machine fully patched and up to date?
> Edge Firewall in place?
> Antispyware and antivirus have anything to say?
>
> Possibly install and run something such as TCPView, which is better than
> netstat
> http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
>
> Qualys' free scan tool trial
> http://www.qualys.com/forms/trials/freescan/google/?lsid=7002
>
> Or something more elaborate such as eEye Retina scanner which shows each
> port open and source IP.
> http://www.eeye.com/html/products/retina/index.html
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations

Hi
I have the exact same problem.
I have two servers. One x86, one x64. Win2k3 Standard SP2. Fully patched. Both public web servers. No virus or spyware is detected. No firewall.
It seems that it appeared after the last DNS patch was installed.

#7
Re: dns.exe 2500 open ports in netstat -ab

On Jul 13, 10:53 pm, shar...@gmail.com wrote:
> On Jul 12, 7:50 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
> wrote:
>
> > In news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com,
> > ThorstenK <Thorst...@discussions.microsoft.com> typed:
> >
> > > On one domain controller in a child domain I see 2500 open ports from
> > > dns.exe. No remote address and no status.
> > > I haven't seen that before and it's not like that on another DC.
> > > I already rebooted but it comes back. When I restart DNS Server
> > > Service they all open immediately.
> > >
> > > netstat -ab
> > > Proto  Localaddress     Remoteaddress   Status   PID
> > > UDP    X-dc-01:61333    *:*                      1572
> > > [dns.exe]
> > > UDP    X-dc-01:52081    *:*                      1572
> > > [dns.exe]
> > > UDP    X-dc-01:60048    *:*                      1572
> > > [dns.exe]
> > > UDP    X-dc-01:62361    *:*                      1572
> > > [dns.exe]
> > >
> > > Any Help appreciated.
> > >
> > > Thanks
> >
> > What OS? Windows 2003? What service pack level?
> > How many users are using this server or in your organization?
> > Is this a public server or private only?
> > Is the machine fully patched and up to date?
> > Edge Firewall in place?
> > Antispyware and antivirus have anything to say?
> >
> > Possibly install and run something such as TCPView, which is better than
> > netstat
> > http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
> >
> > Qualys' free scan tool trial
> > http://www.qualys.com/forms/trials/freescan/google/?lsid=7002
> >
> > Or something more elaborate such as eEye Retina scanner which shows each
> > port open and source IP.
> > http://www.eeye.com/html/products/retina/index.html
> >
> > --
> > Regards,
> > Ace
> >
> > This posting is provided "AS-IS" with no warranties or guarantees and
> > confers no rights.
> >
> > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> > MVP Microsoft MVP - Directory Services
> > Microsoft Certified Trainer
> >
> > For urgent issues, you may want to contact Microsoft PSS directly. Please
> > check http://support.microsoft.com for regional support phone numbers.
> >
> > Infinite Diversities in Infinite Combinations
>
> Hi
> I have the exact same problem.
> I have two servers. One x86, one x64. Win2k3 Standard SP2. Fully
> patched. Both public web servers. No virus or spyware is detected. No
> firewall.
> It seems that it appeared after the last DNS patch was installed.

Uninstalling kb951746 resolves the problem

#8
Re: dns.exe 2500 open ports in netstat -ab

Sorry for the delay and sorry for forgetting the basic rules on what info to provide.

Win2003 R2 Server SP2
Domain controller
Customer site with about 1000 users and another 2 DCs (which don't have the open ports, but I will have to compare the patch level)
Should be fully or nearly fully patched
Server is in private LAN
There is an enterprise firewall in place
Nothing from AV
It's the original dns.exe thread as I checked the PID

"Ace Fekay [MVP]" wrote:
> In news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com,
> ThorstenK <ThorstenK@discussions.microsoft.com> typed:
> > On one domain controller in a child domain I see 2500 open ports from
> > dns.exe. No remote address and no status.
> > I haven't seen that before and it's not like that on another DC.
> > I already rebooted but it comes back. When I restart DNS Server
> > Service they all open immediately.
> >
> > netstat -ab
> > Proto  Localaddress     Remoteaddress   Status   PID
> > UDP    X-dc-01:61333    *:*                      1572
> > [dns.exe]
> > UDP    X-dc-01:52081    *:*                      1572
> > [dns.exe]
> > UDP    X-dc-01:60048    *:*                      1572
> > [dns.exe]
> > UDP    X-dc-01:62361    *:*                      1572
> > [dns.exe]
> >
> > Any Help appreciated.
> >
> > Thanks
>
> What OS? Windows 2003? What service pack level?
> How many users are using this server or in your organization?
> Is this a public server or private only?
> Is the machine fully patched and up to date?
> Edge Firewall in place?
> Antispyware and antivirus have anything to say?
>
> Possibly install and run something such as TCPView, which is better than
> netstat
> http://technet.microsoft.com/en-us/s.../bb897437.aspx
>
> Qualys' free scan tool trial
> http://www.qualys.com/forms/trials/f...gle/?lsid=7002
>
> Or something more elaborate such as eEye Retina scanner which shows each
> port open and source IP.
> http://www.eeye.com/html/products/retina/index.html
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations

#9
Re: dns.exe 2500 open ports in netstat -ab

In news:03482F06-BE77-40F4-8E9B-68269F5AE78F@microsoft.com,
ThorstenK <ThorstenK@discussions.microsoft.com> typed:
> Sorry for the delay and sorry for forgetting the basic rules on what
> info to provide.
>
> Win2003 R2 Server SP2
> Domain controller
> Customer site with about 1000 users and another 2 DCs (which don't
> have the open ports, but I will have to compare the patch level)
> Should be fully or nearly fully patched
> Server is in private LAN
> There is an enterprise firewall in place
> Nothing from AV
> It's the original dns.exe thread as I checked the PID

See if removing KB951746 helps as it did with the other poster, Shariat, in this thread.

Ace

#10
Re: dns.exe 2500 open ports in netstat -ab

In news:uaiF23C5IHA.3484@TK2MSFTNGP05.phx.gbl,
Terry Olsen <tolsen64@hotmail.com> typed:
> Let me correct that. 2500 is the number, not 2800. So it appears I
> have the identical problem as the OP.

I escalated the issue with Microsoft's engineers. Hang in there.

Also, can someone who has the time run a perfmon on dns.exe and overall machine performance as well, to see if it is affecting performance, comparing with the update installed and not installed? I would appreciate it if you have the time to do this.

Thanks,

Ace

#11
Re: dns.exe 2500 open ports in netstat -ab

Yes, removing it made the ports disappear. But then SNMP didn't work anymore and IE couldn't open any internet or internal websites.
Also, like another poster, we prefer the unknown ports over the known vulnerability.
But it seems like a bug in the patch. I think we are all willing to send in reports and logs if development needs them.

Thanks
Thorsten

"Ace Fekay [MVP]" wrote:
> In news:03482F06-BE77-40F4-8E9B-68269F5AE78F@microsoft.com,
> ThorstenK <ThorstenK@discussions.microsoft.com> typed:
> > Sorry for the delay and sorry for forgetting the basic rules on what
> > info to provide.
> >
> > Win2003 R2 Server SP2
> > Domain controller
> > Customer site with about 1000 users and another 2 DCs (which don't
> > have the open ports, but I will have to compare the patch level)
> > Should be fully or nearly fully patched
> > Server is in private LAN
> > There is an enterprise firewall in place
> > Nothing from AV
> > It's the original dns.exe thread as I checked the PID
>
> See if removing KB951746 helps as it did with the other poster, Shariat, in
> this thread.
>
> Ace

#12
Re: dns.exe 2500 open ports in netstat -ab

In news:905CB753-C648-4A60-968E-DE036A96A042@microsoft.com,
ThorstenK <ThorstenK@discussions.microsoft.com> typed:
> Yes, removing it made the ports disappear. But then SNMP didn't work
> anymore and IE couldn't open any internet or internal websites.
> Also, like another poster, we prefer the unknown ports over the known
> vulnerability.
> But it seems like a bug in the patch. I think we are all willing to send
> in reports and logs if development needs them.
>
> Thanks
> Thorsten

Thorsten,

If you have reports and logs, email them to me. Use my actual firstnamelastname@hotmail.com and I'll add them to my current submission to the Microsoft engineers.

Ace

#13
Re: dns.exe 2500 open ports in netstat -ab

We are experiencing the same issue. Is Microsoft working on it? Is there anything I can provide to help?
It is happening on one of our Primary DC's.
Windows 2003 server with latest patches installed
Private network with firewall
50 DC's with about 1000 nodes across the country
Nothing reporting from AV

"Ace Fekay [MVP]" wrote:
> In news:uaiF23C5IHA.3484@TK2MSFTNGP05.phx.gbl,
> Terry Olsen <tolsen64@hotmail.com> typed:
> > Let me correct that. 2500 is the number, not 2800. So it appears I
> > have the identical problem as the OP.
>
> I escalated the issue with Microsoft's engineers. Hang in there.
>
> Also, can someone who has the time run a perfmon on dns.exe and overall
> machine performance as well, to see if it is affecting performance, comparing
> with the update installed and not installed? I would appreciate it if you
> have the time to do this.
>
> Thanks,
>
> Ace

#14
Re: dns.exe 2500 open ports in netstat -ab

Thanks Alun!

"Alun Jones" wrote:
> "ThorstenK" <ThorstenK@discussions.microsoft.com> wrote in message
> news:0681E707-A0C5-4815-8C6B-B7DCD50E65D7@microsoft.com...
> > On one domain controller in a child domain I see 2500 open ports from
> > dns.exe.
> > No remote address and no status.
> > I haven't seen that before and it's not like that on another DC.
> > I already rebooted but it comes back. When I restart DNS Server Service
> > they all open immediately.
>
> As crazy as it sounds, this is normal behaviour of the patch for MS08-037 -
> http://support.microsoft.com/kb/953230
>
> The DNS server reserves 2500 UDP sockets at random ports - opens and binds
> to them for use later.
>
> There are reports that sometimes these ports conflict with other
> applications that start up after the DNS server.
>
> For such applications, you can set the ReservedPorts registry setting, as
> described in http://support.microsoft.com/kb/812873.
>
> Alun.
> ~~~~
> --
> Texas Imperial Software   | Web: http://www.wftpd.com/
> 23921 57th Ave SE         | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
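
Added example (not part of the thread, and not Microsoft's or any poster's code): a Python sketch that parses `netstat -ab` output in the layout quoted above, sizes each process's pool of unconnected high-port UDP sockets, checks whether ports another service needs are currently held by dns.exe, and formats those ports as `start-end` entries for the ReservedPorts setting named in post #14. The sample output, the needed-port list and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the column layout quoted in the thread (not a real capture).
SAMPLE = """\
  Proto  Localaddress           Remoteaddress          Status          PID
  TCP    X-dc-01:53             X-dc-01:0              LISTENING       1572
  [dns.exe]
  UDP    X-dc-01:53             *:*                                    1572
  [dns.exe]
  UDP    X-dc-01:61333          *:*                                    1572
  [dns.exe]
  UDP    X-dc-01:52081          *:*                                    1572
  [dns.exe]
  UDP    X-dc-01:60048          *:*                                    1572
  [dns.exe]
  UDP    X-dc-01:161            *:*                                    2040
  [snmp.exe]
"""

# Socket line: proto, local addr:port, remote, optional state (TCP only), PID.
SOCKET = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+)\s+(?:\w+\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")  # "[dns.exe]" line that follows a socket

def parse_netstat_ab(text):
    """Return (proto, local_port, remote, pid, image) for each socket line."""
    rows, pending = [], None
    for line in text.splitlines():
        sock, owner = SOCKET.match(line), OWNER.match(line)
        if sock:
            pending = (sock.group(1), int(sock.group(2)), sock.group(3), int(sock.group(4)))
        elif owner and pending:
            rows.append(pending + (owner.group(1).lower(),))
            pending = None
    return rows

def udp_pool_sizes(rows, low=1024):
    """Count unconnected UDP sockets on ports >= low per (image, pid)."""
    return Counter((img, pid) for proto, port, remote, pid, img in rows
                   if proto == "UDP" and remote == "*:*" and port >= low)

def conflicts(rows, needed_ports, image="dns.exe"):
    """Ports from needed_ports that `image` currently holds as UDP sockets."""
    held = {port for proto, port, _, _, img in rows if proto == "UDP" and img == image}
    return sorted(held & set(needed_ports))

def reserved_ports_entries(ports):
    """Collapse ports into 'start-end' strings, the ReservedPorts entry format."""
    spans = []
    for p in sorted(set(ports)):
        if spans and p == spans[-1][1] + 1:
            spans[-1][1] = p          # extend the current contiguous range
        else:
            spans.append([p, p])      # a single port is written as "p-p"
    return [f"{a}-{b}" for a, b in spans]

if __name__ == "__main__":
    rows, needed = parse_netstat_ab(SAMPLE), [60048, 60049, 61000]  # constructed list
    print(udp_pool_sizes(rows), conflicts(rows, needed), reserved_ports_entries(needed))
```

Since the thread describes the sockets as bound at random ports when the DNS Server service starts, a clean conflict check only holds until the next restart; on an affected server the pool count for dns.exe would be about 2500 rather than the three in this sample.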

#15
Re: dns.exe 2500 open ports in netstat -ab

In news:67465228-EFFD-4530-8709-51DEB3FCE5ED@microsoft.com,
Griff <Griff@discussions.microsoft.com> typed:
> We are experiencing the same issue. Is Microsoft working on it? Is
> there anything I can provide to help?
> It is happening on one of our Primary DC's.
> Windows 2003 server with latest patches installed
> Private network with firewall
> 50 DC's with about 1000 nodes across the country
> Nothing reporting from AV
>
> "Ace Fekay [MVP]" wrote:
>
> > In news:uaiF23C5IHA.3484@TK2MSFTNGP05.phx.gbl,
> > Terry Olsen <tolsen64@hotmail.com> typed:
> > > Let me correct that. 2500 is the number, not 2800. So it appears I
> > > have the identical problem as the OP.
> >
> > I escalated the issue with Microsoft's engineers. Hang in there.
> >
> > Also, can someone who has the time run a perfmon on dns.exe and
> > overall machine performance as well, to see if it is affecting
> > performance, comparing with the update installed and not installed?
> > I would appreciate it if you have the time to do this.
> >
> > Thanks,
> >
> > Ace

I'm starting to think it's related to DNS where the system will reserve ephemeral ports and they show up as what you're seeing. Not sure. Haven't heard back anything yet. But take a look at this article. This shows how to reserve them and the DNS updates may just be doing that. Reserved ports are probably showing up as what you're seeing. This is just speculation.

I'll let you know if I hear anything that I can post.

Ace