Let’s review the reasons why you would want a pool of ports:
- The DNS server goes out to the internet and performs recursive queries on behalf of its clients.
- It sends those queries to the well-known port on the remote server, port 53.
- The question is: which source port does our DNS server use for the query, so that the reply comes back to it?
- The answer is that it varies: each query is assigned a random port from a pool of ports.
- This helps prevent cache poisoning and DNS spoofing attacks.
Facts about the DNS Socket Pool:
- By default, in Windows Server 2016 the pool size is 2500 ports. That means that when our DNS server issues a query, it picks a single random source port out of a possible 2500 ports.
- You can set this anywhere from 0 to 10,000.
- The larger the value, the greater the protection against DNS cache poisoning attacks.
Let’s take a look at some of the commands, then we’ll demonstrate those commands using PowerShell.
- You can check the pool size with the command dnscmd /info /socketpoolsize
- From PowerShell you can change the pool size with the command dnscmd /config /socketpoolsize 5000
- You can exclude certain ranges from the pool as well. Here we’ll use the command dnscmd /config /socketpoolexcludedportranges 51000-61000
- You can view the excluded ranges with the command dnscmd /info /socketpoolexcludedportranges
- Why would you exclude ports? For example, if you have an application that uses ports 51000 to 61000, you can add that range to the exclusion list. The DNS server will then not bind to those ports, leaving them free for the application to use.
Now let’s open PowerShell as an administrator and demonstrate the dnscmd command.
- Check the pool size by running the command dnscmd /info /socketpoolsize
- Increase the pool size, making our DNS server harder to spoof, by running dnscmd /config /socketpoolsize 5000
- Check the pool size and verify that it is set to 5000: dnscmd /info /socketpoolsize
- Set the pool size back to the default: dnscmd /config /socketpoolsize 2500
- Check the pool size and verify that it is back to the default of 2500: dnscmd /info /socketpoolsize
Now let’s exclude some ports from DNS.
- Run dnscmd /config /socketpoolexcludedportranges 51000-61000
- View the excluded ranges by running dnscmd /info /socketpoolexcludedportranges
- As you can see, our excluded range is 51,000 to 61,000. If we had an application that used those ports, the DNS server would not bind to them, leaving them free for the application to use.
- You must restart the DNS service after the change has been made.
- Use the following PowerShell commands to stop, then start the DNS service: Stop-Service DNS, then Start-Service DNS
- Verify that the DNS service is running by typing Get-Service -Name DNS and pressing Enter.
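The whole sequence above (read the current pool size, enlarge it, exclude a port range, restart the service and verify) can be driven from one PowerShell script. The script below is an added example and is not part of the lesson. It assumes an elevated PowerShell session on the DNS server, that dnscmd.exe is on the PATH, that the service is registered as "DNS" as in the lesson, and that dnscmd /info prints a DWORD property on a line of the form "Dword: 2500 (...)", which is the format the parser looks for. Refusing pool sizes below the 2500 default is this example's own policy, not a rule stated in the lesson.

```powershell
#Requires -RunAsAdministrator
# Added example, not the lesson's own script. Assumes an elevated session on
# the DNS server, dnscmd.exe on the PATH, and the service name "DNS".

function Get-DnsSocketPoolSize {
    # dnscmd /info for a DWORD property prints a line like
    # "Dword:  2500  (000009c4)" (output format assumed); take the
    # first decimal number after "Dword:".
    $out = (& dnscmd /info /socketpoolsize 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /info failed:`n$out" }
    $m = [regex]::Match($out, 'Dword:\s*(\d+)')
    if (-not $m.Success) { throw "No Dword value found in dnscmd output:`n$out" }
    return [int]$m.Groups[1].Value
}

function Set-DnsSocketPoolSize {
    param([Parameter(Mandatory)][int]$Size)
    # The lesson gives the supported range as 0 to 10,000. Refusing anything
    # below the 2500 default is this example's own policy: a smaller pool
    # leaves fewer source ports for an attacker to guess.
    if ($Size -lt 2500 -or $Size -gt 10000) {
        throw "Socket pool size must be between 2500 and 10000 (requested $Size)"
    }
    $out = (& dnscmd /config /socketpoolsize $Size 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /config failed:`n$out" }
}

function Set-DnsSocketPoolExcludedRange {
    param([Parameter(Mandatory)][string]$Range)   # e.g. '51000-61000'
    # Validate low-high before handing it to dnscmd: both ends must be valid
    # UDP ports and the range must not be reversed.
    if ($Range -notmatch '^(\d{1,5})-(\d{1,5})$') {
        throw "Bad range '$Range'; expected the form low-high"
    }
    $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
    if ($lo -lt 1 -or $hi -gt 65535 -or $lo -gt $hi) {
        throw "Range '$Range' must lie within 1-65535 with low <= high"
    }
    $out = (& dnscmd /config /socketpoolexcludedportranges $Range 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /config failed:`n$out" }
}

function Restart-DnsServiceAndVerify {
    # Socket pool changes only take effect after the service restarts.
    Restart-Service -Name DNS
    (Get-Service -Name DNS).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    return ((Get-Service -Name DNS).Status -eq 'Running')
}

# Walk through the lesson's sequence with a check after each step.
"Pool size before: $(Get-DnsSocketPoolSize)"
Set-DnsSocketPoolSize -Size 5000
Set-DnsSocketPoolExcludedRange -Range '51000-61000'
if (-not (Restart-DnsServiceAndVerify)) { throw 'DNS service did not return to Running' }
$after = Get-DnsSocketPoolSize
if ($after -ne 5000) { throw "Expected pool size 5000 after restart, got $after" }
"Pool size after: $after"
"Excluded ranges:"
& dnscmd /info /socketpoolexcludedportranges
```

Run it once from an elevated prompt; the final read-back after the restart is the check that the new pool size actually took effect rather than only being written to the registry.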
Configuring the DNS socket pool is an effective method to minimize cache or DNS spoofing attacks by randomizing the source port used to issue DNS queries to remote DNS servers. Randomizing the source port and the transaction ID makes a cache or DNS spoofing attack less likely to be successful.