By default, after security update 953230 is installed, the DNS Server service randomly allocates 2,500 ports in the ephemeral port range. This is new behavior that is introduced by this update. A conflict may occur if one of these randomly allocated ports is a port that is used by the conflicting service.
Service conflicts are more likely in multirole servers that offer additional roles including DNS functionality. Because these ports are randomly allocated, these failures can be intermittent.
For example, this conflict can occur in the Windows IPsec Services service. The IPsec Services service uses UDP Port 4500. On DNS servers that also provide IPsec services, port conflicts could prevent the IPsec service from starting.
For more information about how to reserve ephemeral ports, click the following article number to view the article in the Microsoft Knowledge Base:
Detailed causeThe following is a more detailed explanation of the cause of this issue.
DNS server source port randomization and the SocketPool implementationThe implementation of the DNS server security update reserves a set of ports when randomizing queries. This design decision was made to address performance concerns for DNS servers that handle and originate a significantly larger number of queries compared to Windows-based clients. The set of reserved ports by the DNS Server is referred to from here onward as a "socket pool."
The default size of the socket pool on Windows-based servers is 2,500 sockets. This size is configurable by modifying the SocketPoolSize registry entry in the following subkey in the registry:
Windows 2000 and Windows Server 2003
- Ephemeral port allocation and the MaxUserPort registry entry
Ports that are allocated as part of the socket pool are pulled from the set of available ephemeral ports on the server. Ephemeral ports are ephemerally allocated by the TCP/IP stack during "wildcard binds" where the desired originating source port is not specified.
On Windows-based servers, the MaxUserPort registry entry defines the ephemeral port range and defines the highest port number that can be is allocated for ephemeral ports. The MaxUserPort registry entry is in the following subkey in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\For more information about the MaxUserPort registry entry, visit the following Microsoft Web page:
- Effective ephemeral port range when the value of the MaxUserPort registry entry is set explicitly
In Windows Server 2003 or in Windows 2000 Server, the value of the MaxUserPort registry entry defines the ephemeral port range. The range is from 1024 to the value that is defined by the MaxUserPort registry entry.
After you install security update 953230 on Windows Server 2003 and down-level platforms, the following conditions are true:
- If the value of the MaxUserPort registry entry is set, the ports are allocated randomly from the [1024, MaxUserPort] range.
- If the value of the MaxUserPort registry entry is not set, the ports are allocated randomly from the [49152, 65535] range.
Windows Server 2008
- Effective ephemeral port range
Ephemeral port allocation occurs in the [49152-65535] port range before you install security update 953230 on Windows Server 2008. This port allocation behavior does not change after you install security update 953230. To view the current ephemeral port range, run the following command:netsh int <ipv4|ipv6> show dynamicport <tcp|udp>For more information about this security update and for information about any known issues with specific releases of this software, click the following article number to view the article in the Microsoft Knowledge Base:929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
Article ID: 956188 - Last Review: Jun 17, 2014 - Revision: 1