This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.

This article describes an issue in which a Domain Name System (DNS) server freezes and doesn't respond to DNS requests in Windows Server 2012 R2. A hotfix is available to fix this issue. Before you install this hotfix, see the Prerequisites section.

Cause. This issue occurs because of an issue in the DNS Client service. When the DNS server configuration information is changed on a client, the DNS Client service deletes the DNS host record of the client from the old DNS server and then adds it to the new DNS server.

By default, it takes about 21 seconds for each call to fail. If there are hundreds of zones configured, the time-out for each such connection accumulates, and it takes a long time for the DNS service to restart. Resolution Hotfix information. A supported hotfix is available from Microsoft Support.

You have a Windows Server 2008 R2-based DNS server. The server hosts Windows Internet Name Service (WINS) lookup-enabled zones. Hotfix 2550719 or a later DNS-related hotfix is installed on the server. In this scenario, the server responds slowly to queries, or the DNS service crashes.

This update provides the following functionality on Windows DNS servers: Query logging to enable statistics, billing, troubleshooting, and diagnostics. Change auditing. Resolution. Hotfix information. A supported hotfix is available from Microsoft Support.

You install the Domain Name System (DNS) Server service on a computer that is running Windows Server 2008 R2. You configure the DNS server to use a dynamic IP address. You restart the computer. The DHCP Server is not available or the switch port which the DNS Server is attached to has portfast deactivated.

You install the Domain Name System (DNS) server role on the computer. The DNS Server service is under a heavy load situation. In this scenario, the performance of the DNS Server service decreases with time. To recover from this issue, you have to restart the DNS Server service.

Symptoms. Consider the following scenario in a domain environment: A Windows Server 2008-based DNS server is configured to perform name resolution. The DNS server is configured to use root hints to resolve external domains. A chain of CNAME records is configured on the DNS server.

This issue occurs because the DNS Server service handles multi-label name resolution request incorrectly when the background zone loading feature is used to load the DNS zone. Resolution Hotfix information