Configure the Socket Pool

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Source port randomization is a method that can be used to protect against DNS cache poisoning attacks. With source port randomization, the DNS server will randomly pick a source port from a pool of available sockets that it opens when the service starts. Instead of using a predicable source port when issuing queries, the DNS server uses a random port number selected from this pool, known as the socket pool. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully complete the attack.

Note

The socket pool is automatically enabled with default settings if you have installed security update MS08-037: Microsoft Security Bulletin MS08-037 – Important, Vulnerabilities in DNS Could Allow Spoofing (953230) (https://go.microsoft.com/fwlink/?LinkID=148634).
Ports numbers that are reserved for the socket pool depend on the operating system. For more information about the range of port numbers reserved, see Microsoft Knowledge Base article 956188: You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037) (https://go.microsoft.com/fwlink/?LinkId=165771).
Socket pool will increase memory utilization by the DNS server service. The amount of memory used is dependent on the value of SocketPoolSize, the CPU number, and whether or not both IPv4 and IPv6 addressing is enabled. For more information, see Memory allocation for the socket pool.

The default size of the socket pool is 2500. When you configure the socket pool, you can choose a size value from 0 to 10000. The larger the value, the greater protection you will have against DNS spoofing attacks. If you configure a socket pool size of zero, the DNS server will use a single socket for remote DNS queries. If the DNS server is running Windows Server® 2008 R2, you can also configure a socket pool exclusion list.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configuring the socket pool

Tip

The command line utility DnsCmd.exe is the recommended method for configuring the socket pool.

  • Using a command line

  • Using the Windows interface

To configure the socket pool size using a command line

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd /Config /SocketPoolSize <value>
    
  3. Restart the DNS Server service.

To view the current value of the SocketPoolSize registry key, type the following command and press ENTER:

Dnscmd /Info /SocketPoolSize

To configure the socket pool exclusion list using a command line

Important

To configure the socket pool exclusion list, the DNS server must be running Windows Server 2008 R2.

Open an elevated command prompt.
  1. Type the following command, and then press ENTER:

    dnscmd /Config /SocketPoolExcludedPortRanges <excluded port ranges>
    
  2. Restart the DNS Server service.

Parameter Description

dnscmd

The command-line tool for managing DNS servers.

/Config

Required. Allows the user to change a value in the Windows Registry.

/SocketPoolSize

Required. Specifies the SocketPoolSize registry key.

<socket pool size>

Optional. Specifies the size of the socket pool in decimal format. If no value is entered, the socket pool size is reset to 0.

/SocketPoolExcludedPortRanges

Optional. Specifies the SocketPoolExcludedPortRanges registry key.

<excluded port ranges>

Optional. Specifies one or more numeric port ranges for which listen sockets will not be opened by the DNS server. Range values must start with a number smaller or equal to the ending value, and are inclusive. To specify a single port, enter the same starting and ending port number. Enter multiple port ranges separated by a space. For example: 4000-5000 34000-34000. Port numbers must be positive integers less than or equal to 65535. You must supply all port ranges in the exclusion list each time you run the command. If no value is entered, the list will be cleared.

Tip

Use the /Info command to view the current value of a registry key, for example: Dnscmd /Info /SocketPoolSize and Dnscmd /Info /SocketPoolExcludedPortRanges.

To configure the socket pool size using the Windows interface

  1. Click Start, click Run, type regedit.exe, and then press ENTER.

  2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.

  3. If the SocketPoolSize registry key is not present, right-click Parameters, click New, click DWORD (32-bit) Value, and then type SocketPoolSize for the name of the new registry key.

  4. Double-click the SocketPoolSize registry key.

  5. Under Base, choose Decimal, under Value data type a value from 0 to 10000 for the size of the socket pool, and then click OK.

  6. Close Registry Editor.

  7. Restart the DNS Server service.

To configure the socket pool exclusion list using the Windows interface

Important

To configure the socket pool exclusion list, the DNS server must be running Windows Server 2008 R2.

Click **Start**, click **Run**, type **regedit.exe**, and then press ENTER.
  1. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.

  2. If the SocketPoolExcludedPortRanges registry key is not present, right-click Parameters, click New, click Multi-String Value, and then type SocketPoolExcludedPortRanges for the name of the new registry key.

  3. Double-click the SocketPoolExcludedPortRanges registry key.

  4. Under Value data, type the list of port ranges using a separate line for each range, and then click OK. Range values must start with a number smaller or equal to the ending value, and are inclusive. Port numbers must be positive integers less than or equal to 65535. To specify a single port, enter the same starting and ending port number. For example: 34000-34000.

  5. Close Registry Editor.

  6. Restart the DNS Server service.

Memory allocation for the socket pool

By default, the DNS server opens a pool of 5000 UDP sockets: 2500 for 1Pv4 and 2500 for IPv6. On Windows Server 2008 R2, approximately 2.5 KB of memory is allocated for each socket, plus 7.2 KB of memory per receive buffer. The number of receive buffers is two on a single or dual processor server, and equal to the number of CPUs if more than two are present. This means that the DNS server service uses approximately 2.5 x 5000 = 18 MB of additional memory for sockets plus 2 x 5000 x 7.2 = 72 MB for buffers or a total of 90 MB of additional memory on a single or dual processor server when socket pool is used with default settings. Memory use is half the amount if only IPv4 is enabled. To calculate the number of CPUs, open Task Manager and click the Performance tab. A CPU Usage History graph is displayed for each CPU.

See Also

Concepts

Checklist: Implementing a Secure DNS Configuration