
DNS: The socket pool should be enabled with recommended settings

Published: July 7, 2010

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.


Operating System: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature: DNS

Severity: Warning

Category: Configuration

The value of <parameter> in the Windows Registry is configured to a non-recommended value.

The DNS socket pool feature has been disabled or is configured to use a non-recommended value.

The DNS server is more vulnerable to DNS spoofing attacks.

The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully complete the attack. When you disable the socket pool or configure the socket pool to use a small number of source ports, the DNS server is more vulnerable to attack.

Enable the socket pool and configure a recommended value for MaxUserPort.

Configure the socket pool to a size no less than the default value of 2500. You can configure the socket pool to a size value from 0 to 10000. The larger the value, the greater protection you will have against DNS spoofing attacks. If you configure a socket pool size of zero, the DNS server will use a single socket for remote DNS queries. If the DNS server is running Windows Server® 2008 R2, you can also configure a socket pool exclusion list.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /SocketPoolSize <socket pool size>
    
  3. Restart the DNS Server service.

To view the current value of the SocketPoolSize registry key, type the following command and press ENTER:

Dnscmd /Info /SocketPoolSize

Important
To configure the socket pool exclusion list, the DNS server must be running Windows Server 2008 R2.

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /SocketPoolExcludedPortRanges <excluded port ranges>
    
  3. Restart the DNS Server service.


Parameter Description

dnscmd

The command-line tool for managing DNS servers.

/Config

Required. Allows the user to change a value in the Windows Registry.

/SocketPoolSize

Required. Specifies the SocketPoolSize registry key.

<socket pool size>

Optional. Specifies the size of the socket pool in decimal format. If no value is entered, the socket pool size is reset to 0.

/SocketPoolExcludedPortRanges

Optional. Specifies the SocketPoolExcludedPortRanges registry key.

<excluded port ranges>

Optional. Specifies one or more numeric port ranges for which the DNS server will not open listen sockets. Each range is written as a starting port and an ending port; the starting value must be less than or equal to the ending value, and both ends are inclusive. To specify a single port, enter the same starting and ending port number. Enter multiple port ranges separated by a space. For example: 4000-5000 34000-34000. Port numbers must be positive integers less than or equal to 65535. You must supply all port ranges in the exclusion list each time you run the command, because the new list replaces the old one. If no value is entered, the list is cleared.

Tip
Use the /Info command to view the current value of a registry key, for example: Dnscmd /Info /SocketPoolSize and Dnscmd /Info /SocketPoolExcludedPortRanges.
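As an added illustration that is not part of this Microsoft topic, the following Python script validates a socket pool size against the 0 to 10000 limits and the 2500 default described above, parses an exclusion-list string using the rules given for <excluded port ranges>, estimates how many dynamic ports remain for the pool, and builds the corresponding dnscmd command lines. The function names, the sample inputs, and the premise that the pool draws its source ports from the Windows dynamic port range (49152 to 65535 by default on Windows Server 2008 and later) are assumptions of this example; the only facts taken from the page are the limits, the default, and the exclusion-list syntax.

```python
import re
from typing import Dict, List, Tuple

PORT_MAX = 65535
POOL_MIN, POOL_MAX, POOL_DEFAULT = 0, 10000, 2500
# Assumption: the socket pool binds source ports from the Windows dynamic
# port range, which defaults to 49152-65535 on Windows Server 2008 and later.
DYNAMIC_RANGE = (49152, 65535)

_RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_excluded_port_ranges(text: str) -> List[Tuple[int, int]]:
    """Parse the space-separated 'start-end' list accepted by
    /SocketPoolExcludedPortRanges: start <= end, both positive integers
    no greater than 65535, ranges inclusive. Raises ValueError otherwise."""
    ranges = []
    for token in text.split():
        m = _RANGE_RE.match(token)
        if not m:
            raise ValueError(f"bad range syntax {token!r}; expected start-end")
        start, end = int(m.group(1)), int(m.group(2))
        if start < 1 or end > PORT_MAX:
            raise ValueError(f"port out of bounds in {token!r}")
        if start > end:
            raise ValueError(f"start exceeds end in {token!r}")
        ranges.append((start, end))
    return ranges


def classify_socket_pool_size(size: int) -> str:
    """Map a SocketPoolSize value to the page's three cases."""
    if not POOL_MIN <= size <= POOL_MAX:
        raise ValueError(f"SocketPoolSize must be {POOL_MIN}-{POOL_MAX}, got {size}")
    if size == 0:
        return "disabled"        # one socket for all remote queries
    if size < POOL_DEFAULT:
        return "below-default"   # what the BPA warns about
    return "recommended"


def ports_left_for_pool(excluded: List[Tuple[int, int]],
                        dynamic_range: Tuple[int, int] = DYNAMIC_RANGE) -> int:
    """Count dynamic-range ports not covered by the exclusion list.
    A set absorbs overlapping ranges so nothing is subtracted twice."""
    low, high = dynamic_range
    blocked = set()
    for start, end in excluded:
        blocked.update(range(max(start, low), min(end, high) + 1))
    return (high - low + 1) - len(blocked)


def assess(size: int, excluded_text: str) -> Dict[str, object]:
    """Validate both settings and return the dnscmd lines that would apply them."""
    excluded = parse_excluded_port_ranges(excluded_text)
    available = ports_left_for_pool(excluded)
    return {
        "status": classify_socket_pool_size(size),
        "excluded": excluded,
        "ports_available": available,
        "pool_fits": size <= available,
        "commands": [
            f"dnscmd /Config /SocketPoolSize {size}",
            f"dnscmd /Config /SocketPoolExcludedPortRanges {excluded_text}".rstrip(),
        ],
    }


if __name__ == "__main__":
    # Constructed sample: the page's own example exclusion list with the default pool size.
    for key, value in assess(2500, "4000-5000 34000-34000").items():
        print(f"{key}: {value}")
```

Run the script with the two values you intend to pass to dnscmd; a ValueError names the offending token, and a pool_fits of False means the exclusion list leaves fewer dynamic ports than the pool size asks for, so the pool could not reach its configured size even if the rest of the configuration is correct.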

© 2014 Microsoft