#1
I noticed my x64 Windows 2003 R2 machines running DNS were listening on weird TCP ports. DNS.EXE is the listening process. Restarting DNS changes the port number. I know DNS uses ephemeral UDP ports, but I can't find anything that describes the use of TCP in this manner. None of the Microsoft firewall guides I've seen make allowances for this port to be used, nor does anything in the security configuration wizard indicate that inbound TCP connections should be allowed to anything other than 53. Does anyone know what it's for and how it's used?

Brian

Brian Doré
Office of Information Systems
University of Louisiana at Lafayette
#2
In news:eXGym$6zGHA.3568@TK2MSFTNGP03.phx.gbl,
Brian K. Doré <bkd@louisiana.edu> stated, which I commented on below:

> I noticed my x64 Windows 2003 R2 machines running DNS were listening
> on weird TCP ports. DNS.EXE is the listening process. Restarting
> DNS changes the port number. I know DNS uses ephemeral UDP ports,
> but I can't find anything that describes the use of TCP in this
> manner. None of the Microsoft firewall guides I've seen make
> allowances for this port to be used, nor does anything in the
> security configuration wizard indicate that inbound TCP connections
> should be allowed to anything other than 53.
> Does anyone know what it's for and how it's used?
>
> Brian
>
> Brian Doré
> Office of Information Systems
> University of Louisiana at Lafayette

That's part of the Windows connection method. The initial port is 53 UDP; then, if over 512 bytes, it will revert to TCP, unless of course using Windows 2003 DNS, which supports EDNS0, which allows UDP responses up to 1280 bytes.

But as far as the ephemeral port, that is a Windows conveyance. Any connection will connect over the initial port of the protocol used, such as DNS is 53, or NetBIOS is 139, etc., but the client will tell it to respond on a UDP port above 1023 (1024 and above). If you want to force it to only 53 at all times, you can alter the reg on the DNS server(s). For internal applications (such as an AD infrastructure), I would just leave it be, but if you want to control it thru a firewall for external users to use an internal DNS server that you are possibly hosting public records, you can force it.

If you want to alter it, in the article below, look for the "Send Port" reg entry to alter on the server.

813965 - Description of DNS registry entries in Windows 2000 Server, part 3 of 3:
http://support.microsoft.com/default.aspx?kbid=813965

--
Ace

Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post? Instead of the website you're using, I suggest using OEx (Outlook Express or any other newsreader) and configuring a news account pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."
The only constant in life is change...
#3
Hi Ace,

Thanks for the reply, but I don't know if we are talking about the same thing. Comments inline.

"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote
>
> That's part of the Windows connection method. The initial port is 53 UDP,
> then if over 512 bytes, then it will revert to TCP, unless of course using
> Windows 2003 DNS, which supports EDNS0, which allows UDP responses up to
> 1280 bytes.

Right, but when my name server makes a query to another name server, and the response size will be over 512 bytes, that server responds via UDP to my server and then my server originates a TCP connection (from an ephemeral local TCP port to a destination of TCP 53 on the server). I understand why my server listens on a UDP port, but I don't think this explains why my server is LISTENING on a TCP port. In order for a TCP listening port to be used, some mechanism must exist for my server to inform another machine about the port number it's listening on (RPC perhaps), and another machine would have to initiate the connection. The TCP listening port is not the same number as the UDP listening port. I can't find anything that indicates that another server would initiate a TCP connection to my server in response to a query, or how a query would indicate which TCP port to respond on. It was suggested it might be a control port (like what ndc on BIND would use) but my testing shows that running the remote MMC DNS console doesn't use it.

> But as far as the ephemeral port, that is a Windows conveyance. Any
> connection will connect over the initial port of the protocol used, such
> as DNS is 53, or NetBIOS is 139, etc, but the client will tell it to
> respond on a UDP port above 1023 (1024 and above). If you want to force it
> to only 53 at all times, you can alter the reg on the DNS server(s). For
> internal applications (such as an AD infrastructure), I would just leave
> it be, but if you want to control it thru a firewall for external users to
> use an internal DNS server that you are possibly hosting public records,
> you can force it.

Right, but this is only for when my server initiates the connection; the ephemeral port is the source port and that is how the recipient knows what port to respond to. In this case my server is LISTENING on a high TCP port for someone to connect to it.

> If you want to alter it, in the article below, look for the "Send Port"
> reg entry to alter on the server.
>
> 813965 - Description of DNS registry entries in Windows 2000 Server, part
> 3 of 3:
> http://support.microsoft.com/default.aspx?kbid=813965

This appears to affect only the UDP source port my server would use when making queries.

Does my question make sense or am I misunderstanding how something works?

Thanks again for your .

Brian
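The two posts above argue about message sizes and which side of a DNS exchange ever listens. The following Python is an added example, not code from the thread or from Microsoft's DNS service. It builds a query with an EDNS0 OPT record advertising the 1280-byte UDP payload the reply mentions, parses a constructed truncated reply (TC bit set), shows the retry decision and the 2-byte length framing DNS uses over TCP, and a `tcp_query` helper that makes the point from the second post concrete: the retry is an outbound connection to port 53 from an OS-chosen ephemeral port, so the querier never has a LISTENING TCP socket. The hostname `example.com`, the transaction id, and the sample reply are constructed values.

```python
import socket
import struct

# Sizes discussed in the thread: the classic RFC 1035 UDP limit and the
# EDNS0 payload size the reply says Windows 2003 DNS advertises.
CLASSIC_UDP_LIMIT = 512
EDNS0_UDP_PAYLOAD = 1280
OPT_TYPE = 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Dotted hostname -> length-prefixed labels ending in a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name that starts at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, edns0=True):
    """Recursive query for name; with edns0=True an OPT pseudo-RR advertises a 1280-byte UDP buffer."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns0 else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN
    msg = header + question
    if edns0:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE/version/flags (all zero here), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS0_UDP_PAYLOAD, 0, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """UDP size the querier can accept: the OPT CLASS field if present, else the 512-byte default."""
    h = parse_header(query)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(query, off) + 4
    for _ in range(h["arcount"]):                 # a query carries no answer/authority RRs
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def make_truncated_response(query):
    """Constructed sample reply: QR and TC set, question echoed, no answers because they did not fit."""
    h = parse_header(query)
    qend = 12
    for _ in range(h["qdcount"]):
        qend = skip_name(query, qend) + 4
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", h["id"], flags, h["qdcount"], 0, 0, 0) + query[12:qend]


def needs_tcp_retry(response):
    """A resolver retries over TCP only when a response arrives with the TC bit set."""
    h = parse_header(response)
    return h["qr"] and h["tc"]


def tcp_frame(msg):
    """Over TCP every DNS message is prefixed by its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    length = struct.unpack("!H", stream[:2])[0]
    return stream[2:2 + length]


def tcp_query(server_ip, query, timeout=3.0):
    """Client side of the fallback: the OS picks an ephemeral source port and the connection
    goes to port 53; the querier never opens a LISTENING socket for this."""
    with socket.create_connection((server_ip, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return data


if __name__ == "__main__":
    q = build_query("example.com")
    print("advertised UDP size:", advertised_udp_size(q))
    r = make_truncated_response(q)
    print("TC set, retry over TCP:", needs_tcp_retry(r))
    print("TCP length prefix:", tcp_frame(q)[:2].hex())
```

Only `tcp_query` touches the network; everything else runs offline on the constructed bytes. The Send Port registry value the reply refers to governs the UDP source port of outgoing queries, which is a different socket from any TCP listener.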
#4
Brian K. Doré wrote:
> Hi Ace,
>
> Thanks for the reply, but I don't know if we are talking about the same
> thing.
>
> comments inline.
>
> "Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote
>
>> That's part of the Windows connection method. The initial port is
>> 53UDP, then if over 512 bytes, then it will revert to TCP, unless of
>> course using Windows 2003 DNS, which supports EDNS0, which allows
>> UDP responses up to 1280 bytes.
>
> Right, but when my name server makes a query to another name server,
> and the response size will be over 512 bytes, that server responds
> via UDP to my server and then my server originates a TCP connection.
> (from an ephemeral local TCP port to a destination of TCP 53 on the
> server) I understand why my server listens on a UDP port, but I
> don't think this explains why my server is LISTENING on a TCP port.
> In order for a TCP listening port to be used, some mechanism must
> exist for my server to inform another machine about the port number
> it's listening on (RPC perhaps), and another machine would have to
> initiate the connection. The TCP listening port is not the same
> number as the UDP listening port. I can't find anything that
> indicates that another server would initiate a TCP connection to my
> server in response to a query, or how a query would indicate which
> TCP port to respond on. It was suggested it might be a control port
> (like what ndc on bind would use) but my testing shows that running
> the remote MMC DNS console doesn't use it.

DNS listens on both UDP and TCP 53, but when a DNS server sends a query to another server on port 53, the response comes back on an ephemeral port, which DNS also listens on.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
#5
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote:
> DNS listens on both UDP and TCP 53, but when a DNS server sends a query to
> another server on port 53, the response comes back on an ephemeral port,
> which DNS also listens on.

For UDP, I agree. But not for TCP. The status for the ephemeral port from which a (client) machine originates a TCP connection should never be listening. The listening status is reserved for the server. In this case DNS is listening on a high TCP port and a client would have to connect to it. I want to know in what case a client (another DNS server making a query would be considered a client) would connect to my server on a TCP port other than 53, and how does that client know to do so.

Thanks for your input!

Brian
#6
In news:O6OfHdP0GHA.720@TK2MSFTNGP02.phx.gbl,
Brian <win@louisiana.edu> stated, which I commented on below:
> "Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote:
>
>> DNS listens on both UDP and TCP 53, but when a DNS server sends a
>> query to another server on port 53, the response comes back on an
>> ephemeral port, which DNS also listens on.
>
> For UDP, I agree. But not for TCP. The status for the ephemeral
> port from which a (client) machine originates a TCP connection should
> never be listening. The listening status is reserved for the
> server. In this case DNS is listening on a high TCP port and a
> client would have to connect to it. I want to know in what case a
> client (another DNS server making a query would be considered a
> client) would connect to my server on a TCP port other than 53, and
> how does that client know to do so.
> Thanks for your input!
>
> Brian

How did you determine that DNS is listening on a TCP port? TCPView, FPort? What port is it? Random?

Ace
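The last two posts turn on the distinction the original poster keeps drawing: a socket in the LISTENING state is a server-side socket that some peer must connect to, whereas an ESTABLISHED session from a high port to a remote port 53 is the ordinary outbound TCP fallback, and a bound UDP port is just the query source port that the Send Port registry value controls. As an added example (not from the thread), the Python below triages a `netstat -ano` style listing against a per-process baseline so an operator can answer Ace's "which port?" question for every process at once. The listing, the PID-to-image map (the kind of thing you would take from `tasklist`), the PIDs and the high ports 1049, 1052 and 1038 are all constructed sample values.

```python
from collections import defaultdict

# Constructed sample in the shape of `netstat -ano` output on Windows (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1440
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:1049           0.0.0.0:0              LISTENING       1440
  TCP    10.0.0.5:1052          10.0.0.9:53            ESTABLISHED     1440
  TCP    [::]:53                [::]:0                 LISTENING       1440
  UDP    0.0.0.0:53             *:*                                    1440
  UDP    0.0.0.0:1038           *:*                                    1440
"""

# Constructed PID -> image mapping, as you would build from `tasklist` output.
SAMPLE_PIDS = {1440: "dns.exe", 720: "svchost.exe"}

# Defender's baseline: the TCP ports each image is expected to accept connections on.
EXPECTED_TCP_LISTENERS = {"dns.exe": {53}, "svchost.exe": {135}}


def parse_netstat(text):
    """Turn netstat -ano lines into dicts. TCP rows carry a State column; UDP rows do not."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                   # header, blank, or title line
        proto = parts[0]
        addr, port = parts[1].rsplit(":", 1)           # rsplit keeps [::]:53 intact
        if proto == "TCP" and len(parts) == 5:
            remote, state, pid = parts[2], parts[3], int(parts[4])
        elif proto == "UDP" and len(parts) == 4:
            remote, state, pid = parts[2], "", int(parts[3])
        else:
            continue                                   # malformed row, skip rather than guess
        sockets.append({"proto": proto, "addr": addr.strip("[]"), "port": int(port),
                        "remote": remote, "state": state, "pid": pid})
    return sockets


def unexpected_listeners(sockets, pid_map, expected):
    """TCP sockets in LISTENING state on a port outside the owning image's baseline."""
    findings = set()
    for s in sockets:
        if s["proto"] != "TCP" or s["state"] != "LISTENING":
            continue
        image = pid_map.get(s["pid"], "unknown")
        if s["port"] not in expected.get(image, set()):
            findings.add((image, s["pid"], s["port"]))
    return sorted(findings)


def outbound_dns_tcp(sockets, pid_map):
    """ESTABLISHED TCP sessions to a remote port 53: the client-side fallback, using an
    ephemeral local port, which is not a listener and needs no inbound firewall rule."""
    out = []
    for s in sockets:
        if s["proto"] == "TCP" and s["state"] == "ESTABLISHED" \
                and s["remote"].rsplit(":", 1)[1] == "53":
            out.append((pid_map.get(s["pid"], "unknown"), s["port"], s["remote"]))
    return sorted(out)


def udp_bindings(sockets, pid_map):
    """UDP ports bound per image; a high port here is the query source port, not a listener."""
    bound = defaultdict(set)
    for s in sockets:
        if s["proto"] == "UDP":
            bound[pid_map.get(s["pid"], "unknown")].add(s["port"])
    return {image: sorted(ports) for image, ports in bound.items()}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for image, pid, port in unexpected_listeners(socks, SAMPLE_PIDS, EXPECTED_TCP_LISTENERS):
        print(f"INVESTIGATE: {image} (pid {pid}) is LISTENING on TCP {port}, not in baseline")
    for image, lport, remote in outbound_dns_tcp(socks, SAMPLE_PIDS):
        print(f"ok: {image} outbound TCP fallback from ephemeral {lport} to {remote}")
    print("UDP bindings:", udp_bindings(socks, SAMPLE_PIDS))
```

Run it against real `netstat -ano` output captured to a file and a `tasklist` mapping of your own, and re-run after restarting the service: a listener that moves to a different high port each restart, as the original poster observed, will show up as a fresh finding each time, which is the signal that the baseline needs a documented explanation before a firewall rule is written for it.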