Configuring DNS Socket Pools
Let’s review the reasons why you would want to create a pool of ports:
- If your DNS server goes out to the internet and performs recursive queries on behalf of clients,
- it sends those queries to upstream DNS servers on the well-known port 53.
- The question is, what source port does our DNS server send the query from, so that the reply comes back to it?
- The answer is, it varies: for each query the server picks a random source port from a pool of ports, and the upstream reply has to arrive on that port.
- This makes cache poisoning (DNS spoofing) attacks much harder, because a forged reply has to hit the right source port as well as the right transaction ID.
Facts about the DNS Socket Pool:
- By default, in Windows Server 2016 the pool size is 2500 ports. That means that when our DNS server sends a query to another DNS server, it uses a single random port out of a possible 2500, and the answer comes back to that port.
- You can set this anywhere from 0 to 10,000.
- The larger the value the greater the protection against DNS cache attacks, because an attacker has more ports to guess. The pool is reserved when the DNS service starts, so a larger pool also ties up more UDP ports on the server, which is why excluding ranges that other applications need (below) matters.
Let’s take a look at some of the commands, then we’ll demonstrate those commands using PowerShell.
- You can check the pool size by typing the command dnscmd /info /socketpoolsize
- From an elevated PowerShell prompt you can change the pool size by typing
Dnscmd /config /socketpoolsize 5000
- You can exclude certain ranges from the pool as well. Here we’ll use the command dnscmd /config /socketpoolexcludedportranges 51000-61000.
- You can view the excluded ranges by using the command dnscmd /info /socketpoolexcludedportranges
- Why would you exclude ports? For example, if you have an application that uses ports 51000 to 61000, you could add them to the exclusion list. The DNS server will not bind to those ports and will leave them free for the application to use.
Now let’s go ahead and use PowerShell, in administrator mode, and demonstrate the dnscmd command.
- Check the pool size by running the command dnscmd /info /socketpoolsize
- We can increase the pool size and make our DNS server even more secure by typing dnscmd /config /socketpoolsize 5000
- Check the pool size and verify that it is set to 5000: dnscmd /info /socketpoolsize
- Let’s set the pool size back to the default: dnscmd /config /socketpoolsize 2500
- Check the pool size and verify that it is set back to the default of 2500: dnscmd /info /socketpoolsize
Now let’s exclude some ports from DNS:
- dnscmd /config /socketpoolexcludedportranges 51000-61000
You can view the excluded ranges by typing the command dnscmd /info /socketpoolexcludedportranges
As you can see, our excluded range is 51000 to 61000.
So if we had an application that used those ports, the DNS server would not bind to them, leaving them free for the application to use.
- You must restart the DNS service after the change has been made; the socket pool is allocated when the service starts, so until the restart the old pool is still in use.
You can use the following PowerShell commands to stop, then start the DNS service: Stop-Service DNS, then Start-Service DNS
You can verify that the DNS service is running by typing Get-Service -Name DNS and pressing Enter.
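The command walk-through above and the demonstration are the same steps run by hand; the script below is an added example (it is not part of the original lesson) that applies them in one go with the checks a practitioner would want: it validates the pool size against the documented 0 to 10,000 limit and the excluded range against the valid port range before calling dnscmd, restarts the DNS service so the new pool is actually allocated, and then reads the settings back with Get-DnsServerSetting from the DnsServer module rather than trusting that the config call worked. The property names SocketPoolSize and SocketPoolExcludedPortRanges are assumed to be those reported by Get-DnsServerSetting -All, and the script assumes dnscmd.exe is on the PATH on a server with the DNS Server role installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original lesson: apply and verify a DNS socket pool
# change with dnscmd, then restart the DNS service so the new pool is allocated.
# Assumes: DNS Server role + DnsServer PowerShell module installed, dnscmd.exe on PATH.
param(
    [ValidateRange(0, 10000)]           # documented limits for the socket pool size
    [int]    $PoolSize      = 5000,
    [string] $ExcludedRange = '51000-61000'  # ports to leave free for another application
)

function Assert-PortRange {
    # Reject a malformed or reversed range before handing it to dnscmd.
    param([string]$Range)
    if (-not ($Range -match '^(\d{1,5})-(\d{1,5})$')) {
        throw "Range '$Range' must look like START-END"
    }
    $start = [int]$Matches[1]; $end = [int]$Matches[2]
    if ($start -lt 1 -or $end -gt 65535 -or $start -gt $end) {
        throw "Range '$Range' is outside 1-65535 or reversed"
    }
}

function Invoke-DnsCmd {
    # Run dnscmd and fail loudly instead of silently continuing on error.
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed: $output"
    }
    $output
}

Assert-PortRange -Range $ExcludedRange

# Record the current settings so the change can be reviewed or rolled back.
# (Property names assumed from Get-DnsServerSetting -All output.)
$before = Get-DnsServerSetting -All
'Before: SocketPoolSize={0} Excluded={1}' -f $before.SocketPoolSize,
    ($before.SocketPoolExcludedPortRanges -join ',')

# Apply the pool size and the excluded range, the same commands the lesson uses.
Invoke-DnsCmd -Arguments @('/config', '/socketpoolsize', "$PoolSize") | Out-Null
Invoke-DnsCmd -Arguments @('/config', '/socketpoolexcludedportranges', $ExcludedRange) | Out-Null

# The pool is reserved when the service starts, so restart it and confirm it is back.
Restart-Service -Name DNS -Force
if ((Get-Service -Name DNS).Status -ne 'Running') {
    throw 'DNS service did not come back up after the restart'
}

# Verify the running configuration instead of assuming the config call took effect.
$after = Get-DnsServerSetting -All
if ($after.SocketPoolSize -ne $PoolSize) {
    throw "SocketPoolSize is $($after.SocketPoolSize), expected $PoolSize"
}
'After:  SocketPoolSize={0} Excluded={1}' -f $after.SocketPoolSize,
    ($after.SocketPoolExcludedPortRanges -join ',')
```

Run it from an elevated prompt as .\Set-DnsSocketPool.ps1 -PoolSize 5000 -ExcludedRange 51000-61000 (the file name is your choice). Restart-Service is used in place of the lesson's Stop-Service/Start-Service pair; both achieve the same thing, and the status check afterwards is what matters, since a DNS server that fails to start is a worse outcome than a smaller socket pool.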
Configuring the DNS socket pool is an effective method to minimize cache poisoning or DNS spoofing attacks by randomizing the source port used to issue DNS queries to remote DNS servers. Randomizing the source port in addition to the 16-bit transaction ID means an attacker has to guess both values for a forged reply to be accepted, which makes a cache poisoning attack far less likely to succeed.