KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350

Applies to: Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1903


On July 14, 2020, Microsoft released a security update for the issue that is described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.

A registry-based workaround can be used to help protect an affected Windows server, and it can be implemented without requiring an administrator to restart the server. Because of the volatility of this vulnerability, administrators may have to implement the workaround before they apply the security update in order to enable them to update their systems by using a standard deployment cadence.


Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that's allowed:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value = TcpReceivePacketSize

Type = DWORD

Value data = 0xFF00


  • The default (also maximum) Value data = 0xFFFF.
  • If this registry value is pasted or is applied to a server through Group Policy, the value is accepted but will not actually be set to the value that you expect. The 0x prefix cannot be typed into the Value data box. However, it can be pasted. If you paste the value, you get a decimal value of 4325120.
  • This workaround applies FF00 as the value, which has a decimal value of 65280. This value is 255 less than the maximum allowed value of 65,535.
  • You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:

net stop dns && net start dns

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes.
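The following PowerShell script is an added example, not part of the Microsoft KB, that applies the registry workaround above from an elevated prompt, verifies that it took effect, and removes it once the security update is installed. It writes the DWORD as an integer so the paste pitfall described above cannot occur; the backup file location is an assumption.

```powershell
# Added example (not from the Microsoft KB): apply, verify, or revert the
# TcpReceivePacketSize workaround for CVE-2020-1350 on a server running the
# DNS Server role. Run from an elevated PowerShell prompt.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$Mitigated  = 0xFF00                                   # 65280 decimal, as the KB specifies
$BackupFile = "$env:TEMP\DNS-Parameters-backup.reg"    # assumed backup location

function Get-DnsTcpReceivePacketSize {
    # Returns the current value, or $null when the value is absent (the default 0xFFFF then applies).
    $props = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [uint32]$props.$ValueName
}

function Test-Cve20201350Workaround {
    # True only when the value exists and is no larger than 0xFF00.
    $current = Get-DnsTcpReceivePacketSize
    return ($null -ne $current) -and ($current -le $Mitigated)
}

function Set-Cve20201350Workaround {
    # Back up the key first, as the KB advises, then write the DWORD as an integer.
    # Passing an integer rather than the text "0xFF00" avoids storing the wrong
    # number (the KB notes that pasting the text yields 4325120, not 65280).
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters' $BackupFile /y | Out-Null
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Mitigated -Force | Out-Null
    Restart-Service -Name DNS -Force    # same effect as "net stop dns && net start dns"
    if (-not (Test-Cve20201350Workaround)) {
        throw "Workaround not applied: current value is $(Get-DnsTcpReceivePacketSize)"
    }
    Write-Output ("TcpReceivePacketSize = 0x{0:X} ({0} decimal); backup at {1}" -f (Get-DnsTcpReceivePacketSize), $BackupFile)
}

function Remove-Cve20201350Workaround {
    # After the July 14, 2020 security update is installed, delete the value to restore the default 0xFFFF.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
}

Set-Cve20201350Workaround
```

Test-Cve20201350Workaround can also be run on its own across a fleet to audit which DNS servers still rely on the workaround rather than the update.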