dns.exe 2500 open ports in netstat -ab

[Ace Fekay [MVP]]

In news:[email protected],
Ace Fekay [MVP] <[email protected]> typed:
>
> I'm starting to think it's related to DNS where the system will
> reserve empheral ports and they show up as what you're seeing. Not
> sure. Haven't heard back anything yet. But take a look at this
> article. This shows how to reserve them and the DNS updates may just
> be doing that. Reserved ports are probably showing up as what you're
> seeing. This is just speculation. I'll let you know if I hear
> anything that I can post.
> Ace

Oops, I forgot to post the articles. in addition, I am also speculating this
will not show as a performance hit, rather it is just displaying which ports
are reserved, but not necessarily in use. As I said, this is just
speculation.

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

Ace

[ThorstenK]

yeah thanks!

the good old: "this behavior is by design" :)

"Griff" wrote:

> Thanks Alun!
>
> "Alun Jones" wrote:
>
> > "ThorstenK" <[email protected]> wrote in message
> > news:[email protected]...
> > > On one Domaincontroller in a child domain i see 2500 open ports from
> > > dns.exe.
> > > No remote address and no status.
> > > I havent seen that before and its not like that on another DC.
> > > i already rebooted but it comes back. when i restart DNS Server Service
> > > they
> > > all open imediately.
> >
> > As crazy as it sounds, this is normal behaviour of the patch for MS08-037 -
> > http://support.microsoft.com/kb/953230
> >
> > The DNS server reserves 2500 UDP sockets at random ports - opens and binds
> > to them for use later.
> >
> > There are reports that sometimes these ports conflict with other
> > applications that start up after the DNS server.
> >
> > For such applications, you can set the ReservedPorts registry setting, as
> > described in http://support.microsoft.com/kb/812873.
> >
> > Alun.
> > ~~~~
> > --
> > Texas Imperial Software | Web: http://www.wftpd.com/
> > 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> > Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> > Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
> >
> >

[Sil Grouwstra]

update kb951746, dns.exe consumes lots of more memory than i'am used to. 36.332K instead of 7,308K

[Ace Fekay [MVP]]

In news:[email protected],
Sil Grouwstra <Sil Grouwstra> typed:
> update kb951746, dns.exe consumes lots of more memory than i'am used
> to. 36.332K instead of 7,308K

Thanks. Didn't even realize that one.

Ace

[Ace Fekay [MVP]]

In news:[email protected],
Ace Fekay [MVP] <[email protected]> typed:
> In news:[email protected],
> Sil Grouwstra <Sil Grouwstra> typed:
> > update kb951746, dns.exe consumes lots of more memory than i'am used
> > to. 36.332K instead of 7,308K
>
> Thanks. Didn't even realize that one.
>
> Ace

After thinking about it afterwards, the hotfix is reserving 2500 ports to
eliminate empheral port randomization to eliminate the vulnerability, but in
reserving the ports, it has to store them somewhere, which of course would
make sense in the dns.exe process, therefore requiring more RAM in doing
therefore explains what you are seeing in increased RAM usage.

Ace

[Alun Jones]

I was beginning to think my post hadn't gone anywhere, because it wasn't
showing up in Windows Live Mail.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

"ThorstenK" <[email protected]> wrote in message
news:[email protected]...
> yeah thanks!
>
> the good old: "this behavior is by design" :)
>
> "Griff" wrote:
>
>> Thanks Alun!
>>
>> "Alun Jones" wrote:
>>
>> > "ThorstenK" <[email protected]> wrote in message
>> > news:[email protected]...
>> > > On one Domaincontroller in a child domain i see 2500 open ports from
>> > > dns.exe.
>> > > No remote address and no status.
>> > > I havent seen that before and its not like that on another DC.
>> > > i already rebooted but it comes back. when i restart DNS Server
>> > > Service
>> > > they
>> > > all open imediately.
>> >
>> > As crazy as it sounds, this is normal behaviour of the patch for
>> > MS08-037 -
>> > http://support.microsoft.com/kb/953230
>> >
>> > The DNS server reserves 2500 UDP sockets at random ports - opens and
>> > binds
>> > to them for use later.
>> >
>> > There are reports that sometimes these ports conflict with other
>> > applications that start up after the DNS server.
>> >
>> > For such applications, you can set the ReservedPorts registry setting,
>> > as
>> > described in http://support.microsoft.com/kb/812873.
>> >
>> > Alun.
>> > ~~~~
>> > --
>> > Texas Imperial Software | Web: http://www.wftpd.com/
>> > 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
>> > Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
>> > Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD
>> > Explorer.
>> >
>> >

[Mango Tango]

worth noting is that the port range you'll see in TCPVIEW is 49xxx and above -- supposedly only related to what you should see with Server 2008 or Vista. Maybe that's part of the problem. We are Win2K3 and have the 2500 ports open too...

- Mango

[Ace Fekay [MVP Direcrtory Services]]

> worth noting is that the port range you'll see in TCPVIEW is 49xxx
> and above -- supposedly only related to what you should see with
> Server 2008 or Vista. Maybe that's part of the problem. We are Win2K3
> and have the 2500 ports open too...
>
> - Mango


Is it causing any problems with other apps?

Ace