DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

Symptoms

After you install security update 953230 (MS08-037) on a Microsoft Windows-based computer, Domain Name System (DNS) queries that are sent from the computer across a firewall do not use random source ports.

Cause

This behavior occurs because Network Address Translation (NAT) devices rewrite the source and destination IP addresses. These devices also frequently rewrite the source port to avoid conflicts that would occur when multiple internal hosts send traffic from the same source port. Because many modern firewalls terminate the outgoing traffic internally and open new external sockets for NAT, they cannot reuse identical source ports on the same external IP address without creating a conflict. Therefore, the firewalls assign source ports sequentially to the translated traffic. As a result, the random ports that the updated DNS resolver uses may be seen externally as sequential port assignments even after security update 953230 is applied to the internal host behind the NAT device.
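The following Python script is an added example and is not part of this KB article. It applies the point above as a defender's check: it reads tcpdump-style lines captured on the outside interface of the NAT device, groups the DNS query source ports by external source address, and reports whether each client's ports look sequential (the NAT rewriting described here) or randomized (the resolver's port randomization surviving the NAT). The capture lines, the RFC 5737 documentation addresses, and the classification threshold are all constructed for illustration.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of tcpdump-style lines as seen on the OUTSIDE interface of a
# NAT device. 203.0.113.5 shows the sequential rewriting a NAT firewall performs;
# 203.0.113.9 shows what a randomized resolver looks like when NAT does not interfere.
SAMPLE_CAPTURE = """\
10:01:02.001 IP 203.0.113.5.1025 > 198.51.100.53.53: 31001+ A? www.example.com. (33)
10:01:02.004 IP 203.0.113.5.1026 > 198.51.100.53.53: 31002+ A? mail.example.com. (34)
10:01:02.009 IP 203.0.113.5.1027 > 198.51.100.53.53: 31003+ AAAA? www.example.com. (33)
10:01:02.015 IP 203.0.113.5.1028 > 198.51.100.53.53: 31004+ A? ns1.example.net. (33)
10:01:02.021 IP 203.0.113.5.1029 > 198.51.100.53.53: 31005+ MX? example.org. (29)
10:01:02.030 IP 203.0.113.5.1030 > 198.51.100.53.53: 31006+ A? cdn.example.com. (33)
10:01:02.044 IP 203.0.113.9.52113 > 198.51.100.53.53: 9001+ A? www.example.com. (33)
10:01:02.051 IP 203.0.113.9.61877 > 198.51.100.53.53: 9002+ A? mail.example.com. (34)
10:01:02.058 IP 203.0.113.9.49802 > 198.51.100.53.53: 9003+ AAAA? www.example.com. (33)
10:01:02.066 IP 203.0.113.9.57230 > 198.51.100.53.53: 9004+ A? ns1.example.net. (33)
10:01:02.071 IP 203.0.113.9.63390 > 198.51.100.53.53: 9005+ MX? example.org. (29)
10:01:02.080 IP 203.0.113.9.50019 > 198.51.100.53.53: 9006+ A? cdn.example.com. (33)
10:01:02.090 IP 203.0.113.5.49152 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
"""

# Matches only UDP DNS queries (destination port 53 followed by a query id); the
# trailing "+" is tcpdump's recursion-desired marker. Non-DNS lines are ignored.
DNS_QUERY_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: \d+\+"
)


def source_ports_by_client(capture: str) -> Dict[str, List[int]]:
    """Return, per external source IP, the DNS query source ports in capture order."""
    ports: Dict[str, List[int]] = {}
    for line in capture.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m:
            ports.setdefault(m.group("src"), []).append(int(m.group("sport")))
    return ports


def sequential_fraction(ports: Sequence[int]) -> float:
    """Share of consecutive queries whose source port advanced by exactly +1."""
    if len(ports) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def classify(ports: Sequence[int], min_samples: int = 5, seq_threshold: float = 0.8) -> str:
    """Label a client's port sequence; the threshold is an assumed tuning value, not
    a value from the KB article. Too few samples yields no verdict at all."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if sequential_fraction(ports) >= seq_threshold:
        return "sequential"
    return "randomized"


def assess_capture(capture: str) -> Dict[str, str]:
    """Map every external source address in the capture to its verdict."""
    return {src: classify(p) for src, p in source_ports_by_client(capture).items()}


if __name__ == "__main__":
    for src, verdict in assess_capture(SAMPLE_CAPTURE).items():
        print(f"{src}: {verdict}")
```

Run it against a real capture taken on the Internet-facing side of the NAT device, not on the resolver itself, because the symptom described in this article is invisible from the inside: the resolver's own sockets are randomized, and only the translated traffic shows the sequential pattern. A NAT that hands out ports in small non-unit steps would lower the +1 fraction; lower the threshold or compare the port span to the sample count if the vendor's allocation scheme is known.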

Resolution

To resolve this issue, use one of the following methods:
  • Create a routed network relationship between the DNS server and the Internet. The capability and methodology for this depends on the firewall technology that is used. This may require that the DNS server be relocated to a different subnet so that the relationship between the server and the Internet no longer uses NAT.
  • If you have a single DNS server, you can implement a split DNS solution in Windows Server 2003 or Windows Server 2008 DNS services. In this scenario, the DNS server must be available from two IP addresses. One IP address is internal and the other is external to the NAT server network. Internal workstations perform queries against the DNS server. If you have installed security update 953230, the DNS server uses port randomization to forward foreign requests to other DNS servers.

    To do this, open the DNS administrative tool, click the server, and then double-click Forwarders. Click the Forwarders tab, and then configure the All Other DNS Domains option. The server will then automatically forward any request for DNS domains that the server does not handle to the servers that are listed in the Selected Domain's Forwarder IP Address list. Add the upstream provider's DNS servers to this list.

    The internal workstations should be configured to use the internal IP address of your DNS server. This can be set manually or by using Dynamic Host Configuration Protocol (DHCP) options.

    Note: Using a single DNS server in a split DNS solution gives customers the benefits of DNS port randomization. However, this configuration adds a pathway from the Internet into your enterprise or local network and could increase the exposure to threats from the Internet.
  • You may also configure a split DNS solution to use two servers instead of one. In this scenario, one of your DNS servers is external to the network that contains your NAT server, and one is internal to that network. Configure the internal server as described in the single-DNS-server scenario, but list the address of the external DNS server in the Forwarder IP Address list instead of the upstream provider's servers. Because the external DNS server resides outside the network that contains the NAT server, its port randomization is not interrupted.
  • Contact the firewall vendor to see whether there are updates planned for their firewall product.

More information

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing
812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
956187 Microsoft Security Advisory: Increased threat for the DNS spoofing vulnerability
956189 Some services may not start or may not work correctly on a computer that is running Windows SBS after you install the DNS Server security update 953230 (MS08-037)

Keywords: kbexpertiseinter, kbtshoot, KB956190

Article Info
Article ID : 956190
Revision : 2
Created on : 7/25/2008
Published on : 7/25/2008
Exists online : False
Views : 175