• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 382

change/set Windows Server 2003 DNS Query Ports

My Primary DNS is handled by my firewall cluster. They handle DNS for everything, except for my AD integrated zones. My AD Domain Controllers forward requests and perform queries on these firewalls for anything in DNS that they do not know.

It appears that each one of these domain controllers has settled upon a port that it will use for these queries. Port 1051 for one server, and port 1065 for the other. My problem is that the way my firewall cluster is configured, one handles the even ports, and the other handles the odd ports. I would like to see my Domain controllers talking to two different nodes of the cluster if possible for some additional redundancy.

So - how do i change the port that DNS queries are made on?
1 Solution
hmm... it is my understanding that DNS uses:

Perform a DNS Lookup
To perform a DNS lookup across a firewall ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator.

Port 1051 is a registered port for OptimaVNET
Port 1065 is a registered port for Syscomlan

Ports:  http://www.iana.org/assignments/port-numbers

If you have a setup like this:

IP of DNS server 1 =
IP of DNS server 2 =
IP of DNS Cluster or Virtual IP =

You can set up your DNS Forwarding like this...

Open the DNS console.  right click your server name, and choose properties from the drop down box.  Click the FORWARDER tab...and enter the following IP address:

For DNS server 1:

For DNS server 2:
"Port 1051 for one server, and poert 1065 for the other"

You are talking simply about the host port that is being used to communicate to port 53 on the DNS server on your firewalls.  They (1051, 1065) are dynamic and will change often, that's just the way TCP/IP works.

Your server is going to make the request so it sends a request to DNSFirewall:53 and it replies back and says ok let's talk, so it negotiates an upper open port on your server (in this case 1051) for the communications...

Can't get around this...

really?  I thought dynamic ports were higher in range?

The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535
I'm talking about local ports for establishing a connection outbound.

For instance, go to cmd line and do a netstat -a -n right now.

You'll see lots of "established" connections probably to websites, etc.  The local IP will have ports assigned as well, because that's the port on the local PC/server that is establishing the connection for you.  Otherwise with only 1 port on your local machine you'd be limited to a single connection to something.

LOL, I kept racking my brain to remember what the heck they are called...ephemeral ports

See this walkthrough:


or just google ephemeral ports
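An added example, not posted by anyone in this thread, that does what THEcleaner suggests by hand: it parses `netstat -a -n` output, keeps only the connections whose remote side is port 53, and reports each local (ephemeral) port, the IANA range it falls in, and which half of the asker's even/odd firewall split it would hit. The netstat text is constructed for the example, not captured from the poster's servers.

```python
import re

# Constructed sample of "netstat -a -n" output from a Windows host.
# The ports 1051 and 1065 mirror the ones the question mentions.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    192.168.10.5:1051      192.168.10.254:53      ESTABLISHED
  TCP    192.168.10.5:1433      192.168.10.77:49877    ESTABLISHED
  UDP    192.168.10.5:1065      *:*
  UDP    192.168.10.5:53        *:*
  TCP    192.168.10.5:52004     192.168.10.254:53      TIME_WAIT
"""

DNS_PORT = 53
# Proto, local addr:port, foreign addr:port (or *:*), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?")


def port_range(port):
    """Classify a port into the three IANA ranges quoted in the thread."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def dns_source_ports(netstat_text):
    """Return (local_port, proto, iana_range, node) for each connection whose
    foreign port is 53, i.e. an outbound DNS query from this host.
    'node' applies the asker's rule: even local ports go to one cluster
    node, odd local ports to the other."""
    results = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, or blank line
        proto, _laddr, lport, _raddr, rport, _state = m.groups()
        if rport != str(DNS_PORT):
            continue  # a listener, an inbound client, or unrelated traffic
        lport = int(lport)
        node = "even-node" if lport % 2 == 0 else "odd-node"
        results.append((lport, proto, port_range(lport), node))
    return results


if __name__ == "__main__":
    for lport, proto, rng, node in dns_source_ports(SAMPLE_NETSTAT):
        print(f"{proto} local port {lport:5d} ({rng}) -> {node}")
```

Windows netstat shows `*:*` as the foreign address of UDP sockets, so only TCP queries expose the remote port 53 here; the UDP socket on 1065 in the sample is therefore not reported even though it is very likely a DNS query socket.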
Hey thanks for the information. ...

It looks like, in this case, you really can't control the ephemeral port number for DNS queries.  These are dynamic and may (probably will) change over time.
wow, I was just browsing through and found this.  Thanks for the link THEcleaner =) good tcpip info
LOL, not a problem...

I knew even though I hate Cisco going through their CCNA program would pay off :)
athelu (Author) Commented:
Yes - this is the host port I am talking about. It is just odd that it had held onto these particular ports for so long. Maybe it uses the same ones until a restart or something? I thought it was supposed to pick a new one with each call, but I guess I am wrong.
I'm not positive on that aspect.  I believe it picks the next available port/socket and then uses that until it no longer has the connection.  It's probably using the same one over and over because that is always the next one free/available.
