Windows Server - dns.exe 2500 open ports in netstat -ab

Asked By Thorsten
11-Jul-08 11:00 AM
On one domain controller in a child domain I see 2500 open ports from dns.exe.
No remote address and no status.
I haven't seen that before and it's not like that on another DC.
I already rebooted but it comes back. When I restart the DNS Server service they
all open immediately.

netstat -ab
Proto  Localaddress         Remoteaddress          Status           PID
UDP    X-dc-01:61333        *:*                                    1572
[dns.exe]
UDP    X-dc-01:52081        *:*                                    1572
[dns.exe]
UDP    X-dc-01:60048        *:*                                    1572
[dns.exe]
UDP    X-dc-01:62361        *:*                                    1572
[dns.exe]

Any Help appreciated.

Thanks
  Ace Fekay [MVP] replied...
11-Jul-08 11:50 PM
ThorstenK <ThorstenK@> typed:

What OS? Windows 2003? What service pack level?
How many users are using this server or in your organization?
Is this a public server or private only?
Is the machine fully patched and up to date?
Edge Firewall in place?
Antispyware and antivirus have anything to say?

Possibly install and run something such as TCPView, which is better than
netstat
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Qualys' free scan tool trial
http://www.qualys.com/forms/trials/freescan/google/?lsid=7002

Or something more elaborate such as eEye Retina scanner  which shows each
port open and source IP.
http://www.eeye.com/html/products/retina/index.html

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
  Terry Olsen replied...
12-Jul-08 10:41 AM
I have the same problem. I opened TCPView because I wanted to find out what
was using a port that I wanted to use. TCPView took a long time to finish
loading list but when it was done, it showed DNS.EXE as having about 2800
ports open. I haven't seen this before and I don't know how to fix it. Can
anyone provide any help on this issue?
  Terry Olsen replied...
12-Jul-08 10:45 AM
Let me correct that. 2500 is the number, not 2800. So it appears I have the
identical problem as the OP.
  Ace Fekay [MVP] replied...
12-Jul-08 08:06 PM
Terry Olsen <tolsen64@hotmail.com> typed:

Can you provide responses to the questions I asked the OP that didn't
respond? I haven't seen this and if an app or some other issue such as an
old or current vulnerability or a hotfix causing it or some app or service
either running locally or on the network, would better be diagnosed with
more information.

What would really help is an eEye IRIS capture that will tell you exactly
where they are coming from.

Ace
  sharia replied...
16-Jul-08 01:41 AM
Hi
I have the exact same problem.
I have two servers. One x86, one x64. Win2k3 Standard SP2. Fully
patched. Both are public web servers. No virus or spyware is detected. No
firewall.
It seems that it appeared after the last DNS patch was installed.
  sharia replied...
16-Jul-08 01:41 AM
Uninstalling kb951746 resolves the problem
  Thorsten replied...
14-Jul-08 02:25 AM
Sorry for the delay and sorry for forgetting the basic rules on what info to
provide.

Win2003 R2 Server SP2
Domain controller
Customer site with about 1000 users and another 2 DCs (which don't have the
open ports, but I will have to compare the patch level)
Should be fully or nearly fully patched
Server is in a private LAN
There is an enterprise firewall in place
Nothing from AV
It's the original dns.exe thread, as I checked the PID
  Ace Fekay [MVP] replied...
14-Jul-08 07:31 AM
See if removing KB951746 helps as it did with the other poster, Shariat, in
this thread.

Ace
  Ace Fekay [MVP] replied...
14-Jul-08 07:00 PM
Terry Olsen <tolsen64@hotmail.com> typed:

I escalated the issue with Microsoft's engineers. Hang in there.

Also, can someone who has the time run a perfmon on dns.exe and overall
machine performance as well, to see if it is affecting performance, comparing
with the update installed and not installed? I would appreciate it if you
have the time to do this.

Thanks,

Ace
  Thorsten replied...
17-Jul-08 03:34 AM
Yes, removing it made the ports disappear, but then SNMP didn't work anymore
and IE couldn't open any internet or internal websites.
Also, like another poster, we prefer the unknown ports over the known
vulnerability.
But it seems like a bug in the patch. I think we are all willing to send in
reports and logs if development needs them.

Thanks
Thorsten
  Ace Fekay [MVP] replied...
17-Jul-08 11:33 PM
Thorsten,

If you have reports and logs, email them to me. Use my actual
firstnamelastname@hotmail.com and I will add them to my current submission to
the Microsoft engineers.

Ace
  Grif replied...
18-Jul-08 11:58 AM
We are experiencing the same issue.  Is Microsoft working on it?  Is there
anything I can provide to help?
It is happening on one of our Primary DC's.
Windows 2003 server with latest patches installed
Private network with firewall
50 Dc's with about 1000 nodes across the country
Nothing reporting from AV
  Grif replied...
18-Jul-08 03:46 PM
Thanks Alun!
  Ace Fekay [MVP] replied...
20-Jul-08 03:18 AM
Griff <Griff@> typed:

I'm starting to think it's related to DNS where the system will reserve
ephemeral ports and they show up as what you're seeing. Not sure. Haven't
heard back anything yet. But take a look at this article. This shows how to
reserve them and the DNS updates may just be doing that. Reserved ports are
probably showing up as what you're seeing. This is just speculation. I'll
let you know if I hear anything that I can post.

Ace
  Ace Fekay [MVP] replied...
21-Jul-08 07:44 PM
Ace Fekay [MVP] <PleaseAskMe@SomeDomain.com> typed:

Oops, I forgot to post the articles. In addition, I am also speculating this
will not show as a performance hit, rather it is just displaying which ports
are reserved, but not necessarily in use. As I said, this is just
speculation.

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

Ace
  Thorsten replied...
22-Jul-08 04:33 AM
yeah thanks!

the good old: "this behavior is by design" :)
  Sil Grouwstra replied...
28-Jul-08 11:39 AM
Update kb951746: dns.exe consumes a lot more memory than I am used to. 36.332K instead of 7,308K
  Alun Jones replied...
30-Jul-08 10:27 AM
I was beginning to think my post hadn't gone anywhere, because it wasn't
showing up in Windows Live Mail.

Alun.
~~~~
--
Texas Imperial Software   | Web: http://www.wftpd.com/
23921 57th Ave SE         | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
  Mango Tango replied...
25-Aug-08 03:16 PM
Worth noting is that the port range you'll see in TCPVIEW is 49xxx and above -- supposedly only related to what you should see with Server 2008 or Vista. Maybe that's part of the problem. We are Win2K3 and have the 2500 ports open too...



- Mango
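
An added example, not part of any post in this thread: a small parser for `netstat -ab` output that counts unconnected UDP endpoints per owning process, to check whether the open ports all belong to one dns.exe PID and sit in the high range mentioned above. The sample output is constructed, and the 49152 threshold is an assumption (the thread only says "49xxx and above").

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the netstat -ab output posted in this
# thread; host name, PIDs and ports are made up for the example.
SAMPLE = """\
Proto  Localaddress         Remoteaddress          Status           PID
UDP    X-dc-01:61333        *:*                                    1572
[dns.exe]
UDP    X-dc-01:52081        *:*                                    1572
[dns.exe]
UDP    X-dc-01:60048        *:*                                    1572
[dns.exe]
TCP    X-dc-01:53           X-dc-01:0              LISTENING        1572
[dns.exe]
UDP    X-dc-01:161          *:*                                    904
[snmp.exe]
"""

# proto, local host, local port, remote endpoint, optional state, PID
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
DYNAMIC_START = 49152  # assumption: IANA dynamic range start

def parse_netstat_ab(text):
    """Return one dict per endpoint, with the [image] line that follows it attached."""
    entries = []
    for line in text.splitlines():
        conn, owner = CONN.match(line), OWNER.match(line)
        if conn:
            proto, _host, port, remote, state, pid = conn.groups()
            entries.append({"proto": proto, "port": int(port), "remote": remote,
                            "state": state, "pid": int(pid), "image": None})
        elif owner and entries and entries[-1]["image"] is None:
            entries[-1]["image"] = owner.group(1).lower()
    return entries

def udp_listeners_by_process(entries):
    """Group unconnected UDP endpoints (remote *:*) by owning process."""
    ports = defaultdict(list)
    for e in entries:
        if e["proto"] == "UDP" and e["remote"] == "*:*":
            ports[(e["pid"], e["image"])].append(e["port"])
    return {key: {"count": len(p), "low": min(p), "high": max(p),
                  "all_dynamic": min(p) >= DYNAMIC_START}
            for key, p in ports.items()}

if __name__ == "__main__":
    for (pid, image), s in udp_listeners_by_process(parse_netstat_ab(SAMPLE)).items():
        print(f"{image} (PID {pid}): {s['count']} UDP ports, {s['low']}-{s['high']}, "
              f"all in dynamic range: {s['all_dynamic']}")
```

Running the same two functions over saved `netstat -ab` output from a patched and an unpatched DC gives a per-process count that can be compared directly.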