Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

DNS queries that pass through an ISA Server 2000 NAT gateway do not use random source ports


View products that this article applies to.

Symptoms

You are using Microsoft Internet Security and Acceleration (ISA) Server 2000 as a network address translation (NAT) gateway. Internal clients send Domain Name System (DNS) queries across this NAT gateway. However, after you install security update 953230 (security bulletin MS08-037) on a client, DNS queries that pass through the ISA Server 2000 NAT gateway from this client do not use random source ports.

↑ Back to the top


Cause

This problem occurs because the NAT gateway may change the source port that is used by an internal client.

For more information about the cause of this problem, see the following Microsoft Knowledge Base article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

↑ Back to the top


Resolution

To resolve this problem, follow these steps:
  1. Apply the following ISA Server 2000 update from the Microsoft Download Center:

    Update to Mitigate MS08-037 UDP Behavior Across NAT for Microsoft ISA Server 2000

    Download the 956637 package now.
  2. Click Start, click Run, type cmd, and then click OK. At the command prompt, paste the following command, and then press ENTER.
    reg add HKLM\System\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry  /t REG_DWORD /d 10 /f
Note After you install this update, ISA Server 2000 dynamically allocates random User Datagram Protocol (UDP) ports in new outgoing UDP sessions.

You do not have to restart the ISA Server 2000 computer after you apply this hotfix. However, the update installer will restart the Microsoft Firewall Service (fwsrv) after the update is successfully installed.

↑ Back to the top


Workaround

To work around this problem, use the methods that are discussed in the following Microsoft Knowledge Base article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you install the update, you can modify the registry to configure the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket. To do this, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type RandomBindRetry.
  5. Double-click RandomBindRetry, and then type a number in the Value data box.

    Note This value defines the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket.
  6. Restart the Microsoft Firewall Service (fwsrv).
Note The value of RandomBindRetry entry ranges from 0 through 10. If you set the value of this entry to 0, the update is disabled. If this entry does not exist, ISA Server 2000 assumes that the value is 10. Do not set RandomBindRetry to a value that is greater than 10.

To set this registry entry to a recommended value, run the following command at a command prompt.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry /t REG_DWORD /d 10 /f

↑ Back to the top


References

For more information about this problem, visit the following Microsoft Web site:For more information about update 953230, click the following article number to view the article in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top


Keywords: KB956637, kbqfe, kbexpertiseinter, atdownload

↑ Back to the top

Article Info
Article ID : 956637
Revision : 1
Created on : 11/11/2008
Published on : 11/11/2008
Exists online : False
Views : 304