DNS server listens on a huge number of UDP ports

Tutek 721 Reputation points
2022-01-11T12:47:55.947+00:00

Hi,
I have the following problem: my DNS server (2012 R2) listens on many UDP ports. It looks something like this:

My server is patched and AV does not show any malware; my DNS is not open to the internet. What can I do with this?


6 answers

  1. Tutek 721 Reputation points
    2022-01-11T14:34:32.967+00:00

    I found something like this:
    https://support.microsoft.com/en-us/topic/you-experience-issues-with-udp-dependent-network-services-after-you-install-dns-server-service-security-update-953230-ms08-037-ee8a0d5f-c6eb-7020-4c88-455369acf194
    "The implementation of the DNS server security update reserves a set of ports when randomizing queries. This design decision was made to address performance concerns for DNS servers that handle and originate a significantly larger number of queries compared to Windows-based clients. The set of reserved ports by the DNS Server is referred to from here onward as a "socket pool."

    The default size of the socket pool on Windows-based servers is 2,500 sockets."

    Could anyone who has a domain DNS server enter: netstat -ano and check whether you have the same?

    1 person found this answer helpful.
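
Added example (not part of the thread or of the Microsoft article quoted above): a Python sketch that parses `netstat -ano` output, groups UDP listeners by owning PID and local address, and collapses the ports into contiguous ranges, so a reserved block like the socket pool described in the answer above can be attributed to a single process and counted. The sample output, the PIDs 1464 and 900, and the `min_block` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# UDP rows of `netstat -ano`: Proto, Local Address, Foreign Address, PID (no State column).
UDP_ROW = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")

def make_sample():
    """Constructed netstat -ano output; PIDs 1464 and 900 are made up."""
    rows = ["  Proto  Local Address     Foreign Address   State        PID",
            "  TCP    0.0.0.0:53        0.0.0.0:0         LISTENING    1464",
            "  UDP    0.0.0.0:53        *:*                            1464",
            "  UDP    0.0.0.0:123       *:*                            900"]
    rows += [f"  UDP    0.0.0.0:{p}     *:*                            1464"
             for p in range(59517, 59557)]
    rows += [f"  UDP    [::]:{p}        *:*                            1464"
             for p in range(60023, 60124)]
    return "\n".join(rows)

def parse_udp(text):
    """Return (pid, local_address, port) for every UDP row."""
    hits = (UDP_ROW.match(line) for line in text.splitlines())
    return [(int(m.group(3)), m.group(1), int(m.group(2))) for m in hits if m]

def collapse(ports):
    """Collapse port numbers into inclusive contiguous (start, end) ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def udp_blocks(text, min_block=20):
    """Map (pid, address) -> ranges holding at least min_block consecutive ports."""
    by_owner = defaultdict(list)
    for pid, addr, port in parse_udp(text):
        by_owner[(pid, addr)].append(port)
    blocks = {}
    for owner, ports in by_owner.items():
        big = [r for r in collapse(ports) if r[1] - r[0] + 1 >= min_block]
        if big:
            blocks[owner] = big
    return blocks

if __name__ == "__main__":
    for (pid, addr), ranges in udp_blocks(make_sample()).items():
        print(pid, addr, ranges, sum(e - s + 1 for s, e in ranges))
```

Check that the reported PID belongs to dns.exe (for instance with `tasklist`) and compare the port count with the configured socket pool size, which `dnscmd /info /socketpoolsize` reports. A large contiguous block owned by any other process is the case that deserves a closer look.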

  2. Anonymous
    2022-01-11T14:38:33.783+00:00

    Ok, you didn't mention the operating system used so maybe this one helps.
    https://serverfault.com/questions/558104/dns-exe-allocates-5000-ports-immediately

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  3. Limitless Technology 39,931 Reputation points
    2022-01-11T20:17:53.247+00:00

    Hello @Tutek

    This is a normal behavior. The allocation of an ephemeral port is temporary and only valid for the duration of the communication session. After completion of the session, the port is destroyed and the port number becomes available for reuse, but many implementations simply increment the last used port number until the ephemeral port range is exhausted, when the numbers roll over. Ephemeral ports are also called dynamic ports, because they are used on a per request basis, and are only known by number once allocated.

    Hope this helps with your query,

    --------
    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.

  4. Tutek 721 Reputation points
    2022-01-11T14:20:46.457+00:00

    This is DNS server on domain controller.


  5. Anonymous
    2022-01-11T14:26:10.067+00:00

    Active directory DNS does not use those ports.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements#dns-server

    --please don't forget to upvote and Accept as answer if the reply is helpful--

