We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


change/set Windows Server 2003 DNS Query Ports

athelu asked
Medium Priority
Last Modified: 2008-01-09
My Primary DNS is handled by my firewall cluster. They handle DNS for everyting, except for my AD integrated zones. My AD Domain Controllers forward requests and perform queries on these firewalls for anything in DNS that they do not know.

It appears, that each one of these domain controllers has settled upon a port that it will use for these queries. Port 1051 for one server, and poert 1065 for the other. My problem is that the way my firewall cluster is configured, one handles the even ports, and the other handles the odd ports. I would like to see my Domain controllers talking to two different nodes of the cluster if possible for some additional redundancy.

So - how do i change the port that DNS queries are made on?
Watch Question

hmm... it is my understanding that DNS uses:

Perform a DNS Lookup
To perform a DNS lookup across a firewall ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator.

Port 1051 is a registered port for OptimaVNET
Port 1065 is a registered port for Syscomlan

Ports:  http://www.iana.org/assignments/port-numbers

If you have a setup like this:

IP of DNS server 1 =
IP of DNS server 2 =
IP of DNS Cluster or Virtual IP =

You can set up your DNS Forwarding like this...

Open the DNS console.  right click your server name, and choose properties from the drop down box.  Click the FORWARDER tab...and enter the following IP address:

For DNS server 1:

For DNS server 2:
"Port 1051 for one server, and poert 1065 for the other"

You are talking simply about the host port that is being used to communicate to port 53 on the DNS server on your firewalls.  They (1051, 1065) are dynamic and will change often, that's just the way TCP/IP works.

Your server is going to make the request so it sends a request to DNSFirewall:53 and it replies back and says ok let's talk, so it negotiates an upper open port on your server (in this case 1051) for the communcations...

Can't get around this...
really?  i thought dynamic ports were higher in range?

The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535
I'm talking about local ports for establishing a connection outbound.

For instance, go to cmd line and do a netstat -a -n right now.

You'll see lots of "established" connections probably to websites, etc.  The local IP will have ports assigned as well, because that's the port on the local PC/server that is establishing the connection for you.  Otherwise with only 1 port on your local machine you'd be limited to a single connection to something.

LOL, I kept racking my brain to remember what the heck they are called...ephemeral ports

See this walkthrough:


or just google ephemeral ports
Hey thanks for the information. ...

It looks like, in this case, you really can't control the ephemeral port number for DNS queries.  These are dynamic and may (probably will) change over time.

wow, I was just browsing through and found this.  Thanks for the link THEcleaner =) good tcpip info
LOL, not a problem...

I knew even though I hate Cisco going through their CCNA program would pay off :)


Yes - this is the host port I am talking about. It is just odd that it had held onto these particular ports for so long. Maybe it uses the same ones until a restart or something? I thought it was supposed to pick a new one with each call, but I guess I am wrong.
I'm not positive on that aspect.  I believe it picks the next available port/socket and then uses that until it no longer has the connection.  It's probably using the same one over and over because that is always the next one free/available.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.