The socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks. The socket pool is enabled with default settings on computers that have installed Security Update MS08-037 (https://go.microsoft.com/fwlink/?LinkID=148634). You can also customize socket pool settings.
A DNS server running Windows Server® 2008 R2, or that has installed security update MS08-037, will use source port randomization to protect against DNS cache poisoning attacks. With source port randomization, the DNS server will randomly pick a source port from a pool of available sockets that it opens when the service starts.
Instead of using a predictable source port when issuing queries, the DNS server uses a random port number selected from this pool, known as the socket pool. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute the attack.
This feature will be of interest to IT professionals who manage Active Directory® Domain Services (AD DS) and DNS, as well as to security administrators.
The socket pool is automatically enabled with default settings if you have installed Security Update MS08-037 (https://go.microsoft.com/fwlink/?LinkID=148634). The port numbers that are reserved for the socket pool depend on the operating system. For more information about the range of port numbers reserved, see Microsoft Knowledge Base article 956188 (https://go.microsoft.com/fwlink/?LinkID=165771).
The default size of the socket pool is 2500. When you configure the socket pool, you can choose a size value from 0 to 10000. The larger the value, the greater the protection against DNS spoofing attacks. If you configure a socket pool size of zero, the DNS server will use a single socket for remote DNS queries. If the DNS server is running Windows Server 2008 R2, you can also configure a socket pool exclusion list.
The following registry keys can be used to configure the Socket Pool. However, the recommended method for configuring Socket Pool settings is with the dnscmd.exe command line tool. For more information about configuring the Socket Pool, see Configure the Socket Pool.
Registry settings
Setting name | Location | Type | Default value | Possible values |
---|---|---|---|---|
SocketPoolSize | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters | REG_DWORD | 2500 | 0 to 10000 |
SocketPoolExcludedPortRanges (Windows Server 2008 R2 only) | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters | REG_MULTI_SZ | N/A | 1 to 65535, configured as a port range (for example, 4000-5000). To specify a single port, use the same start and end value. |
Tip
To apply changes to settings for the Socket Pool, you must restart the DNS service.
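The following PowerShell script is an added example, not part of the original page or a Microsoft-provided tool: it audits and applies the two registry values documented above, validates them against the documented ranges (0 to 10000 for the pool size; start-end ranges within 1 to 65535 for exclusions), and restarts the DNS service as the tip requires. It assumes an elevated session on the DNS server; the function names and the sample values (10000, 4000-5000) are the author's own choices.

```powershell
# Added example (not from the original page): audit and apply DNS socket pool settings
# through the registry values the page documents, then restart the DNS service.
# Assumes it runs elevated on the DNS server. Key path and value names come from the page.
$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-SocketPoolSize {
    param([int]$Size)
    # Documented valid range is 0 to 10000; 0 means a single socket (no port randomization).
    return ($Size -ge 0 -and $Size -le 10000)
}

function Test-ExcludedPortRange {
    param([string]$Range)
    # Documented format is "start-end" (e.g. 4000-5000); a single port uses the same start and end.
    if ($Range -notmatch '^(\d{1,5})-(\d{1,5})$') { return $false }
    $start = [int]$Matches[1]; $end = [int]$Matches[2]
    return ($start -ge 1 -and $end -le 65535 -and $start -le $end)
}

function Get-SocketPoolSetting {
    $props = Get-ItemProperty -Path $ParametersKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # A missing SocketPoolSize value means the documented default of 2500 is in effect.
        SocketPoolSize               = if ($null -ne $props.SocketPoolSize) { $props.SocketPoolSize } else { 2500 }
        SocketPoolExcludedPortRanges = @($props.SocketPoolExcludedPortRanges)   # Windows Server 2008 R2 only
    }
}

function Set-SocketPoolSetting {
    param([int]$Size = 2500, [string[]]$ExcludedPortRanges = @())
    if (-not (Test-SocketPoolSize $Size)) { throw "SocketPoolSize must be 0..10000, got $Size" }
    foreach ($r in $ExcludedPortRanges) {
        if (-not (Test-ExcludedPortRange $r)) { throw "Invalid excluded port range '$r' (expected start-end within 1-65535)" }
    }
    if ($Size -eq 0) { Write-Warning 'SocketPoolSize 0 uses a single socket and removes source port randomization.' }
    Set-ItemProperty -Path $ParametersKey -Name SocketPoolSize -Value $Size -Type DWord
    if ($ExcludedPortRanges.Count -gt 0) {
        Set-ItemProperty -Path $ParametersKey -Name SocketPoolExcludedPortRanges -Value $ExcludedPortRanges -Type MultiString
    } else {
        Remove-ItemProperty -Path $ParametersKey -Name SocketPoolExcludedPortRanges -ErrorAction SilentlyContinue
    }
    # The page notes that the DNS service must be restarted for socket pool changes to apply.
    Restart-Service -Name DNS
}

# Usage: audit the current values, then enlarge the pool and keep an application's port range out of it.
Get-SocketPoolSetting
Set-SocketPoolSetting -Size 10000 -ExcludedPortRanges @('4000-5000')
```

Review the audit output before running the final line, since it rewrites the values and restarts the DNS service immediately.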
This feature is available in all editions.