DNS: The socket pool should be enabled with recommended settings

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature

DNS

Severity

Warning

Category

Configuration

Issue

The value of <parameter> in the Windows Registry is configured to a non-recommended value.

The DNS socket pool feature has been disabled or is configured to use a non-recommended value.

Impact

The DNS server is more vulnerable to DNS spoofing attacks.

The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of the outstanding DNS query in addition to its random transaction ID before the genuine response arrives. With a single socket the source port is fixed, so only the transaction ID remains to be guessed. When you disable the socket pool or configure it to use a small number of source ports, the DNS server is therefore more vulnerable to attack.

Resolution

Enable the socket pool and configure a recommended value for SocketPoolSize.

Configure the socket pool to a size no less than the default value of 2500. You can configure the socket pool to a size value from 0 to 10000. The larger the value, the greater the protection against DNS spoofing attacks. If you configure a socket pool size of zero, the DNS server uses a single socket, and therefore a single fixed source port, for remote DNS queries. If the DNS server is running Windows Server 2008 R2, you can also configure a socket pool exclusion list so that the pool does not bind ports that other services on the server need.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure the socket pool size

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /SocketPoolSize <socket pool size>
    
  3. Restart the DNS Server service.

To view the value of the SocketPoolSize registry key that the running DNS server is using, type the following command and press ENTER:

dnscmd /Info /SocketPoolSize

Important

To configure the socket pool exclusion list, the DNS server must be running Windows Server 2008 R2.

To configure the socket pool exclusion list

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /SocketPoolExcludedPortRanges <excluded port ranges>
    
  3. Restart the DNS Server service.

Parameter Description

dnscmd

The command-line tool for managing DNS servers.

/Config

Required. Allows the user to change a value in the Windows Registry.

/SocketPoolSize

Required. Specifies the SocketPoolSize registry key.

<socket pool size>

Optional. Specifies the size of the socket pool in decimal format. If no value is entered, the socket pool size is reset to 0.

/SocketPoolExcludedPortRanges

Optional. Specifies the SocketPoolExcludedPortRanges registry key.

<excluded port ranges>

Optional. Specifies one or more numeric port ranges for which listen sockets will not be opened by the DNS server. Each range must start with a number less than or equal to its ending value, and ranges are inclusive. To specify a single port, enter the same starting and ending port number. Enter multiple port ranges separated by a space. For example: 4000-5000 34000-34000. Port numbers must be positive integers less than or equal to 65535. You must supply all port ranges in the exclusion list each time you run the command, because the new list replaces the old one. If no value is entered, the list is cleared.
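The following PowerShell script is an added example, not part of the original article, that ties together the two procedures above: it audits the configured socket pool size and exclusion list, validates a candidate exclusion list against the range rules given for <excluded port ranges>, and runs the documented dnscmd commands when the server is out of compliance. It assumes the settings are stored under the DNS service's Parameters registry key as SocketPoolSize (a DWORD) and SocketPoolExcludedPortRanges (a multi-string), that an absent SocketPoolSize means the default of 2500 is in effect, and that the script runs elevated on the DNS server itself. The exclusion list it applies is a constructed example; substitute the ports your own services need.

```powershell
# Added example (not from the original article). Audits and remediates the
# DNS socket pool settings on the local DNS server.
# Assumptions (not stated on the page): settings live under the registry
# key below; SocketPoolSize is a DWORD; SocketPoolExcludedPortRanges is a
# multi-string; a missing SocketPoolSize means the 2500 default applies.

$RegPath         = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$DefaultPoolSize = 2500    # recommended minimum from the article
$MaxPoolSize     = 10000   # largest value dnscmd accepts

function Test-SocketPoolExclusionRanges {
    # Validates a space-separated list such as "4000-5000 34000-34000" using
    # the rules the article gives for <excluded port ranges>.
    # Returns a list of problems; an empty list means the input is valid.
    param([string]$Ranges)
    $problems = @()
    foreach ($r in ($Ranges -split '\s+' | Where-Object { $_ })) {
        if ($r -notmatch '^(\d{1,5})-(\d{1,5})$') {
            $problems += "'$r' is not in START-END form"
            continue
        }
        [int]$start = $Matches[1]
        [int]$end   = $Matches[2]
        if ($start -lt 1)    { $problems += "'$r': ports must be positive integers" }
        if ($start -gt $end) { $problems += "'$r': start is greater than end" }
        if ($end -gt 65535)  { $problems += "'$r': port above 65535" }
    }
    return $problems
}

function Get-DnsSocketPoolStatus {
    # Reads the configured values from the registry. Note that the registry
    # reflects what dnscmd /Config wrote; the running server only picks the
    # values up after the DNS Server service is restarted.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction Stop
    $size = if ($null -ne $props.SocketPoolSize) { [int]$props.SocketPoolSize }
            else { $DefaultPoolSize }
    [pscustomobject]@{
        SocketPoolSize = $size
        Compliant      = ($size -ge $DefaultPoolSize -and $size -le $MaxPoolSize)
        ExcludedRanges = (@($props.SocketPoolExcludedPortRanges) -join ' ')
    }
}

# --- Audit ---
$status = Get-DnsSocketPoolStatus
$status | Format-List

# --- Remediate, using the two commands documented in the article ---
if (-not $status.Compliant) {
    Write-Warning ("Socket pool size {0} is outside the recommended range " +
                   "{1}-{2}." -f $status.SocketPoolSize, $DefaultPoolSize, $MaxPoolSize)

    # Constructed example list; it must contain every range you want kept,
    # because each run replaces the whole exclusion list.
    $exclude = '4000-5000 34000-34000'
    $issues = Test-SocketPoolExclusionRanges -Ranges $exclude
    if ($issues.Count -gt 0) {
        throw "Refusing to apply an invalid exclusion list: $($issues -join '; ')"
    }

    dnscmd /Config /SocketPoolSize $DefaultPoolSize
    # Pass the ranges as separate arguments, as on the command line.
    dnscmd /Config /SocketPoolExcludedPortRanges ($exclude -split ' ')
    Restart-Service -Name DNS
}
```

Run the script elevated. Validating the exclusion list before calling dnscmd matters because a malformed list is rejected only after the size change has already been written, which leaves the server half-configured until the next run. Every port you exclude is one the pool can no longer randomize over, so keep the list to the ports that other services on the host actually need.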

Tip

Use the /Info command to view the current value of a registry key, for example: dnscmd /Info /SocketPoolSize and dnscmd /Info /SocketPoolExcludedPortRanges.

See Also

Concepts

Configure the Socket Pool