This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. The security update addresses the vulnerability by modifying how DNS servers parse requests.

Resolves a reported vulnerability in implementations of DNS in Windows Server 2008, in Windows Server 2003, and in Windows 2000 Server that could allow spoofing.

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. To learn more about the vulnerability, see Microsoft Security Bulletin MS16-071. More Information. Important.

Fixes an issue in which performance keeps decreasing for the DNS Server service in Windows Server 2008 R2 under a heavy load situation.

After you install this security update, a service that depends on a UDP port may not start on a computer that is running Windows 2000, Windows Server 2003, or Windows Server 2008. This issue occurs if the service is allocated to the DNS service after security update 953230 is installed.

Fixes an issue in which the DNS Server service randomly does not resolve external names and returns a "Server Failure" error message if IPv6 is disabled. This issue occurs in Windows Server 2008 R2 and Windows Server 2008.

Cause. For each zone to be loaded, the DNS Server service tries to connect to the domain controller that has the Active Directory domain naming operations master role and waits until the TCP connection attempt times out. By default, it takes about 21 seconds for each call to fail.

This article describes an issue in which a Windows Server 2008 R2 Service Pack 1 (SP1)-based DNS server that has Active Directory–integrated zones fails to load DNS zones. An update is available to fix this issue.

Fixes an issue in which name resolution fails. This issue occurs when the DNSSEC signature is refreshed on a Windows Server 2012 R2 or Windows Server 2012-based DNS server.