Configuring DNS Socket Pools
Let’s review the reasons why you would want to create a pool of ports:
- A DNS server that goes out to the internet performs recursive queries on behalf of its clients.
- It sends those queries to well-known ports such as port 53 to get the information it needs.
- The question is, which port does the DNS server use for the query, so that the reply comes back to it?
- The answer is, it varies: the server receives a random port from a pool of ports for each query.
- This randomization helps stop DNS cache poisoning (DNS spoofing) attacks, because a forged reply must also match the port in use.
**Facts about the DNS Socket Pool:**
- By default, in Windows Server 2016 the pool size is 2500 ports. That means the DNS server that is handling our query sends it from, and gets its answer back on, a single random port out of a possible 2500 ports.
- You can set this anywhere from 0 to 10,000.
- The larger the value, the greater the protection against DNS cache poisoning attacks.
Let’s take a look at some of the commands, then we’ll demonstrate those commands using PowerShell.
- You can check the pool size by typing the command dnscmd /info /socketpoolsize
- From PowerShell you can change the pool size by typing dnscmd /config /socketpoolsize 5000
- You can exclude certain ranges from the pool as well. Here we’ll use the command dnscmd /config /socketpoolexcludedportranges 51000-61000
- You can view the excluded ranges by using the command dnscmd /info /socketpoolexcludedportranges
- Why would you exclude ports? For example, if you have an application that uses ports 51000 through 61000, you could add them to the exclusion list. The DNS server will then not bind to those ports and leaves them open for the application to use.
Now let’s go ahead and use PowerShell, in administrator mode, and demonstrate the dnscmd command.
- Check the pool size by running the command dnscmd /info /socketpoolsize
- We can increase the pool size and make our DNS server even more secure by typing dn…
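The whole procedure above (check, resize, exclude a range, verify) wrapped in one script, as an added example that is not part of the original page. It assumes an elevated PowerShell session on a Windows DNS server; the function name Set-DnsSocketPoolHardening, its parameters, and passing several excluded ranges as one comma-separated argument are assumptions.

```powershell
# Added example (not from the original page): apply the dnscmd socket pool settings
# described above with input validation, a preview mode, and a read-back of the result.
# Assumes an elevated session on a Windows DNS server; the function name is hypothetical.
function Set-DnsSocketPoolHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The page gives the valid range as 0 to 10,000 (default 2500 on Windows Server 2016).
        [ValidateRange(0, 10000)] [int] $PoolSize = 10000,
        # Ranges the DNS server must not bind, e.g. '51000-61000' for an application that needs them.
        [string[]] $ExcludedRanges = @('51000-61000'),
        [switch] $RestartService
    )

    # Validate every excluded range before touching the server: "start-end", start <= end, max 65535.
    foreach ($range in $ExcludedRanges) {
        if ($range -notmatch '^(\d{1,5})-(\d{1,5})$') { throw "Malformed range '$range' (expected start-end)" }
        $start = [int]$Matches[1]; $end = [int]$Matches[2]
        if ($start -gt $end -or $end -gt 65535) { throw "Invalid port range '$range'" }
    }

    # Record the current values so the change is auditable and can be reverted.
    Write-Verbose ("Before: " + (dnscmd /info /socketpoolsize | Out-String))
    Write-Verbose ("Before: " + (dnscmd /info /socketpoolexcludedportranges | Out-String))

    if ($PSCmdlet.ShouldProcess('DNS server', "Set socket pool size to $PoolSize")) {
        dnscmd /config /socketpoolsize $PoolSize | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to set socketpoolsize (exit $LASTEXITCODE)" }
    }

    # Assumption: multiple ranges are passed to dnscmd as one comma-separated argument.
    $rangeArg = $ExcludedRanges -join ','
    if ($PSCmdlet.ShouldProcess('DNS server', "Exclude port ranges $rangeArg")) {
        dnscmd /config /socketpoolexcludedportranges $rangeArg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to set excluded ranges (exit $LASTEXITCODE)" }
    }

    # Read the settings back so the output reflects what the server actually holds.
    dnscmd /info /socketpoolsize
    dnscmd /info /socketpoolexcludedportranges

    # The pool is allocated when the service starts, so restart it to apply the new size.
    if ($RestartService -and $PSCmdlet.ShouldProcess('DNS service', 'Restart')) {
        Restart-Service -Name DNS
    }
}

# Preview the change first, then apply it with a service restart.
Set-DnsSocketPoolHardening -PoolSize 5000 -ExcludedRanges '51000-61000' -WhatIf
Set-DnsSocketPoolHardening -PoolSize 5000 -ExcludedRanges '51000-61000' -RestartService -Verbose
```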