After you install security update 953230 (MS08-037) on a Microsoft Windows-based computer, Domain Name System (DNS) queries that are sent from the computer across a firewall do not use random source ports.
This behavior occurs because Network Address Translation (NAT) devices change the source and destination IP addresses. These devices also frequently change the source port to avoid resource conflicts that might occur when multiple internal hosts try to send traffic by using the same source port. Because many modern firewalls actually stop the outgoing traffic internally and create new external sockets for NAT, the firewalls cannot use identical source ports on the same external IP address without creating a conflict. Therefore, the firewalls assign sequential ports to the traffic that passes through NAT. As a result, the random ports that the updated DNS resolver uses may appear externally as sequential port assignments, even after security update 953230 is applied to the internal host behind the NAT device.
To resolve this issue, use one of the following methods:
Create a routed network relationship between the DNS server and the Internet. The capability and methodology for this depend on the firewall technology that is used. This may require that the DNS server be relocated to a different subnet so that the relationship between the server and the Internet no longer uses NAT.
If you have a single DNS server, you can implement a split DNS solution in Windows Server 2003 or Windows Server 2008 DNS services. In this scenario, the DNS server must be available from two IP addresses. One IP address is internal and the other is external to the NAT server network. Internal workstations perform queries against the DNS server. If you have installed security update 953230, the DNS server uses port randomization to forward foreign requests to other DNS servers.
To do this, open the DNS administrative tool, click the server, and then double-click Forwarders. Click the Forwarders tab, and then configure the All Other DNS Domains option. The server will then automatically forward any request for DNS domains that the server does not handle to the servers that are listed in the Selected Domain's Forwarder IP Address list. Add the upstream provider's DNS servers to this list.
The internal workstations should be configured to use the internal IP address of your DNS server. This can be set manually or by using Dynamic Host Configuration Protocol (DHCP) options.
Note: Using a single DNS server in a split DNS solution gives customers the benefits of DNS port randomization. However, this configuration adds a pathway from the Internet into your enterprise or local network. This configuration could increase the exposure to threats from the Internet.
You may also configure a split DNS solution to use two servers instead of one. In this scenario, one of your DNS servers is external to the network that contains your NAT server, and one is internal to the network that contains the NAT server. Configure the internal server as described in the single-DNS server scenario, but list the address of the external DNS server in the Forwarder IP Address list instead of listing the upstream provider. Because the external DNS server resides outside the network that contains the NAT server, port randomization is not interrupted.
Contact the firewall vendor to see whether there are updates planned for their firewall product.
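To confirm whether DNS queries leaving the firewall still carry predictable source ports, before and after applying one of the methods above, the ports seen on the external side can be checked for the sequential pattern described earlier. The following is an added example, not part of the original article; the function names, thresholds and sample port lists are assumptions constructed for illustration.

```python
# Added example (not from the original article). Names and thresholds are
# assumptions chosen for illustration.

def port_deltas(ports):
    """Step between consecutive source ports, modulo the 16-bit port space."""
    return [(b - a) % 65536 for a, b in zip(ports, ports[1:])]

def assess_source_ports(ports, max_step=16, threshold=0.8, min_samples=10):
    """Classify UDP source ports of DNS queries captured outside the firewall.

    ports: source ports in the order the queries were seen on the wire.
    max_step: largest forward step still counted as "next port in line";
        steps above 1 happen when other hosts' flows take ports in between.
    threshold: share of small forward steps that marks the sample sequential.
    """
    if len(ports) < min_samples:
        raise ValueError("need at least %d observations" % min_samples)
    deltas = port_deltas(ports)
    small = sum(1 for d in deltas if 0 < d <= max_step)
    ratio = small / len(deltas)
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "static"        # one port reused for every query
    elif ratio >= threshold:
        verdict = "sequential"    # predictable: NAT is reassigning ports
    else:
        verdict = "randomized"    # resolver's random ports reach the Internet
    return {"verdict": verdict, "distinct_ports": distinct,
            "small_step_ratio": round(ratio, 2)}

# Constructed samples, not real captures.
NAT_SAMPLE = [61012, 61013, 61015, 61016, 61017, 61020,
              61021, 61023, 61024, 61026, 61027, 61028]
ROUTED_SAMPLE = [52344, 61877, 49713, 58102, 63990, 50021,
                 55468, 60333, 51290, 64718, 57006, 53851]
STATIC_SAMPLE = [1047] * 12

if __name__ == "__main__":
    for name, sample in (("behind NAT", NAT_SAMPLE),
                         ("routed", ROUTED_SAMPLE),
                         ("single port", STATIC_SAMPLE)):
        print(name, assess_source_ports(sample))
```

A "randomized" verdict on a short sample only shows that the ports are not following a counter; it does not measure how much entropy the port selection has.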
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing
812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
956187 Microsoft Security Advisory: Increased threat for the DNS spoofing vulnerability
956189 Some services may not start or may not work correctly on a computer that is running Windows SBS after you install the DNS Server security update 953230 (MS08-037)
Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Microsoft Windows Server 2003, Standard x64 Edition, Microsoft Windows Server 2003, Enterprise x64 Edition, Microsoft Windows Server 2003, Datacenter x64 Edition, Microsoft Windows XP Professional x64 Edition, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Web Edition, Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems, Microsoft Windows Server 2003 Service Pack 2, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP Service Pack 3, Microsoft Windows XP Service Pack 2, Microsoft Windows 2000 Server SP4