Article ID: 956188
You may experience issues with UDP-dependent network services after you install the Domain Name System (DNS) Server service security update 953230 (MS08-037) and then restart the computer. After security update 953230 is installed, a service that depends on a specific UDP port may not start on a computer that is running Windows 2000, Windows Server 2003 or Windows Server 2008. This issue occurs if the port that the service needs has already been allocated to the DNS Server service after security update 953230 is installed.
The service fails because it cannot bind the port that it requires to function correctly. The port is unavailable because security update 953230 changes how the DNS Server service allocates ports.
By default, after security update 953230 is installed, the DNS Server service randomly allocates 2,500 UDP ports from the ephemeral port range when it starts. This is new behavior that is introduced by this update. A conflict occurs if one of these randomly allocated ports is a port that another service on the same computer must listen on.
Service conflicts are more likely in multirole servers that offer additional roles including DNS functionality. Because these ports are randomly allocated, these failures can be intermittent.
For example, this conflict can occur with the Windows IPsec Services service. The IPsec Services service uses UDP port 4500 (IPsec NAT traversal). On Windows 2000 and Windows Server 2003, whose default ephemeral range is 1025 through 5000, port 4500 lies inside the range from which the DNS socket pool is drawn, so on DNS servers that also provide IPsec services the port conflict can prevent the IPsec service from starting.
To work around this issue, reserve the UDP port from the ephemeral port range to make sure that the service that depends on the port can start. For more information about how to reserve ephemeral ports, click the following article number to view the article in the Microsoft Knowledge Base:
812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server (http://support.microsoft.com/kb/812873/)
For more information about UDP network ports that could potentially come into conflict, click the following article number to view the article in the Microsoft Knowledge Base:
832017 Service overview and network port requirements for the Windows Server system (http://support.microsoft.com/kb/832017/)
In the IPsec service example that was mentioned earlier, you could add the range 4500-4500 to the ReservedPorts registry value so that the DNS socket pool never takes UDP port 4500.
Detailed cause
The following is a more detailed explanation of the cause of this issue.
DNS server source port randomization and the SocketPool implementation
The implementation of the DNS server security update reserves a set of ports up front and randomizes outgoing queries across them, instead of opening a new randomly numbered socket for every query. This design decision was made to address performance concerns for DNS servers, which handle and originate a significantly larger number of queries than Windows-based clients do. The set of ports that the DNS Server service reserves is referred to from here onward as a "socket pool."
The default size of the socket pool on Windows-based servers is 2,500 sockets. This size is configurable by modifying the SocketPoolSize registry entry in the following subkey in the registry:
Windows 2000 and Windows Server 2003
Windows Server 2008
Note The DNS Server service must be restarted for changes to the SocketPoolSize registry entry to take effect.
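The following PowerShell script is an added example that is not part of this Knowledge Base article. It carries out the workaround from the previous section (adding 4500-4500 to ReservedPorts for the IPsec example) and then inspects the SocketPoolSize entry described above. The registry paths are assumptions taken from the standard locations of these values, HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters for ReservedPorts (KB 812873) and HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters for SocketPoolSize; this page does not state them. The script also assumes netstat.exe is available and that the script runs elevated on a DNS server.

```powershell
# Added example (not from KB 956188): keep UDP 4500 out of the DNS socket pool.
# Registry paths below are the documented locations for these values, not taken
# from this page. Run elevated. Reboot afterwards so the reservation is in place
# before the DNS Server service allocates its socket pool on the next start.

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'  # ReservedPorts lives here (KB 812873)
$dnsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'    # SocketPoolSize lives here
$reserve     = '4500-4500'   # ReservedPorts entries are "start-end" strings; a single port is "n-n"

# --- 1. Add the reservation without clobbering ranges that are already there ---
$existing = @()
$prop = Get-ItemProperty -Path $tcpipParams -Name ReservedPorts -ErrorAction SilentlyContinue
if ($prop -ne $null) { $existing = @($prop.ReservedPorts) }

if ($existing -contains $reserve) {
    Write-Host "ReservedPorts already contains $reserve"
} else {
    # REG_MULTI_SZ: write the whole list back, old ranges plus the new one.
    $updated = $existing + $reserve
    Set-ItemProperty -Path $tcpipParams -Name ReservedPorts -Value $updated -Type MultiString
    Write-Host "Added $reserve to ReservedPorts; reboot required before it is honored"
}

# --- 2. Report the socket pool size so the operator knows how many ports DNS will grab ---
$pool = Get-ItemProperty -Path $dnsParams -Name SocketPoolSize -ErrorAction SilentlyContinue
if ($pool -eq $null) {
    Write-Host 'SocketPoolSize not set; DNS Server uses the default of 2500 sockets'
} else {
    Write-Host ("SocketPoolSize is {0} (DNS Server service restart needed after any change)" -f $pool.SocketPoolSize)
}

# --- 3. Post-reboot check: is UDP 4500 currently owned by dns.exe? ---
# netstat -ano -p UDP prints "  UDP    0.0.0.0:4500   *:*   <PID>" for bound UDP sockets.
$dnsPids = @(Get-Process -Name dns -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
$conflict = $false
foreach ($line in (netstat -ano -p UDP)) {
    if ($line -match '^\s*UDP\s+\S+:4500\s+\S+\s+(\d+)\s*$') {
        $owner = [int]$matches[1]
        if ($dnsPids -contains $owner) {
            $conflict = $true
            Write-Host "UDP 4500 is held by dns.exe (PID $owner): socket pool took the IPsec port"
        } else {
            Write-Host "UDP 4500 is held by PID $owner (not dns.exe)"
        }
    }
}
if (-not $conflict) { Write-Host 'No DNS socket pool conflict on UDP 4500 at this moment' }
```

Step 3 is only meaningful after the reboot that activates the reservation; before that, a hit on dns.exe simply confirms the intermittent conflict this article describes. Because the pool is drawn at random on every DNS Server service start, a clean result on one boot does not prove the reservation is unnecessary, which is why the reservation, not repeated restarts, is the fix.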
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.