DNS Socket Pool

The socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks. The socket pool is enabled with default settings on computers that have installed Security Update MS08-037 (https://go.microsoft.com/fwlink/?LinkID=148634). You can also customize socket pool settings.

What are the major changes?

A DNS server running Windows Server® 2008 R2, or that has installed security update MS08-037, will use source port randomization to protect against DNS cache poisoning attacks. With source port randomization, the DNS server will randomly pick a source port from a pool of available sockets that it opens when the service starts.

What does Socket Pool do?

Instead of using a predictable source port when issuing queries, the DNS server uses a random port number selected from this pool, known as the socket pool. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute the attack.

Who will be interested in this feature?

This feature will be of interest to IT professionals who manage Active Directory® Domain Services (AD DS) and DNS, as well as to security administrators.

Are there any special considerations?

The socket pool is automatically enabled with default settings if you have installed Security Update MS08-037 (https://go.microsoft.com/fwlink/?LinkID=148634). The port numbers that are reserved for the socket pool depend on the operating system. For more information about the range of port numbers reserved, see Microsoft Knowledge Base article 956188 (https://go.microsoft.com/fwlink/?LinkID=165771).

The default size of the socket pool is 2500. When you configure the socket pool, you can choose a size value from 0 to 10000. The larger the value, the greater the protection against DNS spoofing attacks. If you configure a socket pool size of zero, the DNS server will use a single socket for remote DNS queries. If the DNS server is running Windows Server 2008 R2, you can also configure a socket pool exclusion list.

What settings have been added or changed?

The following registry keys can be used to configure the Socket Pool. However, the recommended method for configuring Socket Pool settings is with the dnscmd.exe command line tool. For more information about configuring the Socket Pool, see Configure the Socket Pool.

Registry settings

SocketPoolSize
  Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
  Type: REG_DWORD
  Default value: 2500
  Possible values: 0 to 10000

SocketPoolExcludedPortRanges (Windows Server 2008 R2 only)
  Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
  Type: REG_MULTI_SZ
  Default value: N/A
  Possible values: 1 to 65535, configured as a port range (ex: 4000-5000). To specify a single port, use the same start and end value.
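As an added example, not code from this article or from the DNS server itself, the following Python model ties together the socket pool size setting (0 to 10000, where 0 means a single socket) and the start-end exclusion format above: it validates both settings, counts how many source ports the pool can actually draw on after exclusions, and shows how the pool multiplies the guess space beyond the 16-bit transaction ID alone. The candidate port range 49152-65535 is an assumption for illustration; the range actually reserved depends on the operating system.

```python
import re

TXID_SPACE = 1 << 16      # DNS transaction IDs are 16 bits
MAX_POOL_SIZE = 10000     # largest value SocketPoolSize accepts

# Assumed candidate range for pool ports (illustrative only; the real
# reserved range depends on the operating system, see KB 956188).
ASSUMED_CANDIDATE_RANGE = (49152, 65535)


def parse_excluded_ranges(entries):
    """Parse SocketPoolExcludedPortRanges entries such as "4000-5000"
    or "53-53" (single port) into (start, end) tuples, rejecting
    malformed, reversed, or out-of-bounds (outside 1..65535) ranges."""
    ranges = []
    for entry in entries:
        m = re.fullmatch(r"\s*(\d{1,5})\s*-\s*(\d{1,5})\s*", entry)
        if not m:
            raise ValueError(f"bad range syntax: {entry!r}")
        start, end = int(m.group(1)), int(m.group(2))
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"range out of bounds or reversed: {entry!r}")
        ranges.append((start, end))
    return ranges


def usable_ports(candidate_range, excluded):
    """Ports in the candidate range that no exclusion entry covers."""
    lo, hi = candidate_range
    return [p for p in range(lo, hi + 1)
            if not any(s <= p <= e for s, e in excluded)]


def effective_pool_size(pool_size, candidate_range=ASSUMED_CANDIDATE_RANGE,
                        excluded=()):
    """Number of distinct source ports the pool can really offer.
    A size of 0 disables the pool: one socket, one fixed source port."""
    if not 0 <= pool_size <= MAX_POOL_SIZE:
        raise ValueError("SocketPoolSize must be between 0 and 10000")
    if pool_size == 0:
        return 1
    # Exclusions can leave fewer ports than requested; the pool is capped.
    return min(pool_size, len(usable_ports(candidate_range, excluded)))


def spoof_success_probability(pool_size, candidate_range=ASSUMED_CANDIDATE_RANGE,
                              excluded=()):
    """Chance that one forged response matches both the query's source
    port and its transaction ID, assuming uniform port choice and IDs."""
    ports = effective_pool_size(pool_size, candidate_range, excluded)
    return 1.0 / (ports * TXID_SPACE)
```

With the default size, a forged response has to match one of 2500 ports as well as the transaction ID, so the per-response success chance drops by a factor of 2500 compared with a single fixed socket; over-broad exclusion ranges shrink that benefit, which the effective size makes visible.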

Tip

To apply changes to settings for the Socket Pool, you must restart the DNS service.

Which editions include this feature?

This feature is available in all editions.

See Also

Concepts

Deploying a Secure DNS Configuration