Let’s review the reasons why you would want to create a pool of ports:  

• If DNS goes out to the internet and does recursive queries on behalf of clients.  
• And uses common ports like port 53 to get information.  
• The question is, what port is the DNS server that replies back using?  
• The answer is, it varies it receives a random port from a pool of ports.
• This stops cache attacks or DNS Spoofing attacks 

Facts about the DNS Socket Pool: 

• By default, in Windows server 2016 the default pool size is 2500 ports.  That means that the DNS server that we are querying or the DNS server that is answering our query is coming back using a single random port out of a possible 2500 ports.
• You can set this anywhere from 0 to 10,000.  
• The larger the value the greater the protection against DNS Cache attacks

Let’s take a look at some of the commands, then we’ll demonstrate those commands using Powershell.

• You can check the pool size by typing the command dnscmd /info /socketpoolsize

• From PowerShell you can change   the pool size by typing

Dnscmd /config /socketpoolsize 5000

• You can exclude certain ranges from the pool as well.  

Use the command  -  Here we’ll use the command dnscmd /config /socketpoolexcludedportranges 51000-61000.  

• You can view the excluded ranges by using the command  dnscmd /info /socketpoolexcludedportranges

• Why would you exclude ports? Well for example, if you have an application that uses ports 51k to 61k. You could add them to the exclusion list. The DNS server will not bind to those ports and would leave them open for the application to use.
  

Now let’s go ahead and use PowerShell, in administrator mode and demonstrate the dnscmd command.

• Check the pool size by running the commanddnscmd /info /socketpoolsize

• We can increase the pool size and make our DNS server even more secure by typing dnscmd /config /socketpoolsize 5000

• Check the pool size and verify that it is set to 5000

Dnscmd /info /socketpoolsize

• Let’s set the pool size back to the defaultsdnscmd /config /socketpoolsize 2500

• Check the pool size and verify that it is set back to the default of 2500  dnscmd /info /socketpoolsize

Now let’s exclude some ports from DNS  

• dnscmd /config /socketpoolexcludedportranges 51000-61000

You can view the excluded ranges by typing the command.dnscmd /Info /SocketPoolExcludedPortRanges

As you can see our excluded ranges are 51,000 to 61,000

So if we had an application that used those ports, the DNS server would not be able to bind to those ports leaving them open for the application to use.

• You must restart the DNS service after the change has been made.

You can use the following Powershell commands to stop, then start the DNS service stop-service DNS start-service DNS

You can verify if the DNS service is running by typing

Get-service -name DNS, press return

Configuring the DNS socket pool is an effective method to minimize cache or DNS spoofing attacks by randomizing the source port used to issue DNS queries to remote DNS servers. Randomizing the source port and the transaction ID makes a cache or DNS spoofing attack less likely to be successful.

Server Academy Members Only

Want to access this lesson? Just sign up for a free Server Academy account and you'll be on your way. Already have an account? Click the Sign Up Free button to get started..

Sign In Sign Up Free