Known issues with this security update
MS09-008 is a DNS Server-only patch that supersedes MS08-037. However, MS08-037 consists of two updates, one for the DNS server component (951746) and one for the DNS client component (951748). Therefore, both updates are required for the Windows Servers that are affected. For consistency, the updates have to be installed on the Windows Server that is hosting the DNS server service.
To be clear on the requirements, if you install the MS09-008 (961063) DNS server update, you still have to install the MS08-037 (951748) DNS client update for the server’s DNS client component.
This update sets the size of the DNS event Log file to the default value of 512 KB
After you install the DNS update (KB961063) that is described in Microsoft security bulletin MS09-008 on a computer that is running Windows 2000 or Windows Server 2003, you may find that the DNS event log file size is reset to the default value of 512 KB. To maintain the desired event log file size, you must reset the event log size after this update is installed. Or, you can export the registry value before you install the update and then import the value after the update is installed.
For more information about the
MaxSize REG_DWORD registry entry, visit the following Microsoft webpages:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows
To configure the
MaxSize registry entry, follow these steps:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
- Right-click MaxSize, and then click Modify.
- In the Value data box, type the value that you want to use, and then click OK. The default value is 0x80000 (512 KB).
- Exit Registry Editor. You do not have to restart the computer for this change to take effect.
Note On some systems, the
MaxSize registry entry may be found in any of the following locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
Resource Consumption Issues
Resource Consumption Issues Windows DNS server systems may see an increase in memory and file handles resource consumption for systems on which the security update that is described in MS08-037 is installed. This is expected behavior because of the SocketPool randomization feature that was implemented to address this security vulnerability on Windows-based servers. The implementation of the DNS server security update reserves a set of ports. One of the ports is selected randomly for each outgoing DNS query. This design decision was made to address performance concerns for DNS servers that handle and originate a significantly larger number of queries than Windows-based clients. The set of reserved ports that the DNS server reserves is known as a "socket pool." By default, the size of the socket pool on Windows-based servers is 2,500 sockets. To configure this size, change the SocketPoolSize registry entry in the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
For more information, visit the following Microsoft Web page: