DNS queries that pass through an ISA Server 2000 NAT gateway do not use random source ports

Article ID: 956637 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

You are using Microsoft Internet Security and Acceleration (ISA) Server 2000 as a network address translation (NAT) gateway. Internal clients send Domain Name System (DNS) queries across this NAT gateway. However, after you install security update 953230 (security bulletin MS08-037) on a client, DNS queries that pass through the ISA Server 2000 NAT gateway from this client do not use random source ports.
Back to the top | Give Feedback

CAUSE

This problem occurs because the NAT gateway may change the source port that is used by an internal client.

For more information about the cause of this problem, see the following Microsoft Knowledge Base article:
956190
(http://support.microsoft.com/kb/956190/ )
DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, follow these steps:
  1. Apply the following ISA Server 2000 update from the Microsoft Download Center:

    Update to Mitigate MS08-037 UDP Behavior Across NAT for Microsoft ISA Server 2000

    Collapse this imageExpand this image
    Download
    Download the 956637 package now.
    (http://www.microsoft.com/downloads/details.aspx?FamilyId=1455D4E6-A0B5-4583-82F1-EE8239FCA207)
  2. Click Start, click Run, type cmd, and then click OK. At the command prompt, paste the following command, and then press ENTER. 
    reg add HKLM\System\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry  /t REG_DWORD /d 10 /f
Note After you install this update, ISA Server 2000 dynamically allocates random User Datagram Protocol (UDP) ports in new outgoing UDP sessions.

You do not have to restart the ISA Server 2000 computer after you apply this hotfix. However, the update installer will restart the Microsoft Firewall Service (fwsrv) after the update is successfully installed.
Back to the top | Give Feedback

WORKAROUND

To work around this problem, use the methods that are discussed in the following Microsoft Knowledge Base article:
956190
(http://support.microsoft.com/kb/956190/ )
DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows
After you install the update, you can modify the registry to configure the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket. To do this, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type RandomBindRetry.
  5. Double-click RandomBindRetry, and then type a number in the Value data box.

    Note This value defines the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket.
  6. Restart the Microsoft Firewall Service (fwsrv).
Note The value of RandomBindRetry entry ranges from 0 through 10. If you set the value of this entry to 0, the update is disabled. If this entry does not exist, ISA Server 2000 assumes that the value is 10. Do not set RandomBindRetry to a value that is greater than 10.

To set this registry entry to a recommended value, run the following command at a command prompt.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry /t REG_DWORD /d 10 /f
Back to the top | Give Feedback

REFERENCES

For more information about this problem, visit the following Microsoft Web site:
http://blogs.technet.com/isablog/archive/2008/08/28/isa-tmg-nat-behavior-and-ms08-037.aspx
(http://blogs.technet.com/isablog/archive/2008/08/28/isa-tmg-nat-behavior-and-ms08-037.aspx)
For more information about update 953230, click the following article number to view the article in the Microsoft Knowledge Base:
953230
(http://support.microsoft.com/kb/953230/ )
MS08-037: Vulnerabilities in DNS could allow spoofing

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/ )
Description of the standard terminology that is used to describe Microsoft software updates
Back to the top | Give Feedback

Properties

Article ID: 956637 - Last Review: November 11, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Keywords: 
atdownload kbexpertiseinter kbqfe KB956637
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top