Mon, Dec 22 2008 23:10
bradley
Revisiting DNS on Server 2008
You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037):
http://support.microsoft.com/kb/956188/
Remember I said:
Windows Server 2008
- Ephemeral port allocation and the MaxUserPort registry entry
In Windows Server 2008 or in Windows Vista, the value of the MaxUserPort registry entry signifies the number of ephemeral ports. The range is from the [start port, start range + MaxUserPort]. The default start port is port 49152.
- Effective ephemeral port range
Ephemeral port allocation occurs in the [49152-65535] port range before you install security update 953230 on Windows Server 2008. This port allocation behavior does not change after you install security update 953230.
So why does it impact SBS 2003 but not SBS 2008? Specifically, it's because Windows Server 2008 handles the UDP and TCP dynamic port ranges separately. Most of the time when we poke holes in firewalls and routers, we're poking the hole on the TCP side of the port. TCP uses a confirmation process to ensure that packets get to the place they are supposed to go.
UDP packets (or "unreliable damn packets", as some call them in the SANS security course) do not ask for a confirmation back; they just attempt to make the connection. For some services, like DNS, that's perfectly acceptable, and UDP is in fact the best way to do it.
On SBS 2008 the only thing that needs reserving is UDP ports. It no longer needs to worry about TCP ports.
And what pray tell is listening/hanging out on UDP port 1433 and 1434? Guess?
Know what the answer is?
You got it: the SQL that is on the SBS 2008. That's the only thing native SBS 2008 has to reserve in order to play nice with the way DNS randomizes its ports. Now, one could argue that if you have a line of business application that needs to listen on a static UDP port you might want to also put that in that box, but keep in mind that on SBS 2008 it's not TCP ports we care about anymore, it's only UDP. Not many line of business applications demand static UDP ports (given that it's a type of connection that needs no confirmation that its payload has been received), but just in case you do, that's where the port exclusion goes.
In SBS 2008 the dynamic port range for TCP connections starts at port 1025 and is 48976 ports wide, running up to 50,000.

For UDP it starts at 49152 and has a range of 16,384 ports, running up to 65,536.
But bottom line SBS 2008 handles it differently.
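As an added check that is not part of the original post: a PowerShell script that reads the TCP and UDP dynamic ranges and the UDP port exclusions from netsh on Server 2008 / SBS 2008, shows the two ranges side by side, and flags any static UDP listener that sits inside the UDP dynamic range without an exclusion. It assumes the standard netsh output layout; the ports 1433 and 1434 are the SQL ports named above.

```powershell
# Added example, not from the original post. Runs on Windows Server 2008 / SBS 2008
# (PowerShell 2.0 syntax). Assumes the stock "netsh int ipv4 show ..." output layout.

function Get-DynamicPortRange {
    param([ValidateSet('tcp','udp')][string]$Protocol)
    # TCP and UDP have separate dynamic ranges on 2008; query each on its own.
    $text  = netsh int ipv4 show dynamicport $Protocol | Out-String
    $start = [int][regex]::Match($text, 'Start Port\s*:\s*(\d+)').Groups[1].Value
    $count = [int][regex]::Match($text, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
    New-Object PSObject -Property @{
        Protocol = $Protocol; Start = $start; End = $start + $count - 1; Count = $count }
}

function Get-ExcludedPortRanges {
    param([ValidateSet('tcp','udp')][string]$Protocol)
    # Each exclusion prints as "<start> <end>" (administered ones carry a trailing *).
    netsh int ipv4 show excludedportrange protocol=$Protocol |
        Select-String -Pattern '^\s*(\d+)\s+(\d+)' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Start = [int]$_.Matches[0].Groups[1].Value
                End   = [int]$_.Matches[0].Groups[2].Value }
        }
}

function Test-StaticUdpPort {
    param([int]$Port, $Range, $Exclusions)
    # A static UDP listener is only at risk if the dynamic range can hand its port
    # out AND nothing excludes that port from allocation.
    $inDynamic = ($Port -ge $Range.Start) -and ($Port -le $Range.End)
    $hits      = @($Exclusions | Where-Object { ($Port -ge $_.Start) -and ($Port -le $_.End) })
    $excluded  = $hits.Count -gt 0
    New-Object PSObject -Property @{
        Port = $Port; InDynamicRange = $inDynamic; Excluded = $excluded
        AtRisk = $inDynamic -and -not $excluded }
}

$tcp = Get-DynamicPortRange tcp
$udp = Get-DynamicPortRange udp
$tcp, $udp | Format-Table Protocol, Start, End, Count -AutoSize

$udpExclusions = Get-ExcludedPortRanges udp
# 1433/1434 are the SQL Server UDP ports from the post; add any LOB static UDP ports here.
1433, 1434 | ForEach-Object { Test-StaticUdpPort -Port $_ -Range $udp -Exclusions $udpExclusions } |
    Format-Table Port, InDynamicRange, Excluded, AtRisk -AutoSize
```

With the default UDP range (49152 and up) the SQL ports fall outside the dynamic range and show AtRisk = False; the check matters once the UDP range has been lowered or a LOB application listens on a high static UDP port.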
Filed under: sbs 2008