
DNS listening on too many ports

Last Modified: 2012-06-27
Running Windows 2003 Server, Active Directory controller and DNS server.  While troubleshooting another problem, I noticed the server was listening on a LOT of ports.  Upon further diagnostics using TCPView and netstat, I determined that the Microsoft DNS Server is listening on about 2500 random UDP ports.  I've run a virus scan, nothing came up.  The server is patched and up to date.

I've attached the output of netstat -an -p udp with the DNS server running, stopped, then started again.

Chris DentPowerShell Developer
Top Expert 2010


It could potentially be using those to listen for responses to issued queries. Is the DNS Server a busy one?

I'd put a packet sniffer on there to see what all of those are actually doing. WireShark is good for that (and free):




I'll load it up this afternoon and see what it does and get back to you.

Why is it listening on and the 127 loopback address?

Can you provide an IPconfig?

Is this a multihomed server?


Chris,  I'm installing wireshark now.  I couldn't do it yesterday b/c it was in production.  I'm installing it now and will post shortly


Here's the output of ipconfig /all.  I also noticed an error and a warning in the DNS Server event log.  I'm uploading them also.

The server has multiple NICs in it, but only is being used.



I've done a Wireshark dump and exported the packet summaries, and sanitized them.

It looks to me like there's a lot of return traffic coming from other IP:53 to localIP: which would explain a connection, if the server was issuing the query.  However, the server should be doing the replies, and since UDP is stateless, it shouldn't be listening on all those ports.

If you want me to export more packet detail, or a longer dump let me know.  (I filtered the capture for UDP only, which is why you don't see any TCP traffic)

Henrik JohanssonSystems engineer
Top Expert 2008

Shift primary/secondary DNS to use the local DNS server as primary server and the other server as secondary server.
Change the DNS-zones to be stored in AD to get better replication.


Only 1 forward and 1 reverse lookup zone loaded.  Both are already stored in Active Directory.  

DNS points first to 10.x.x.48, then to this machine 10.x.x.6.  Both are AD machines, and run DNS.  I cannot terminal into .48 to see if it's doing the same thing.  

Henrik JohanssonSystems engineer
Top Expert 2008

You have unnecessary DNS-queries from 10.x.x.6 to 10.x.x.48 because of using the remote address as primary server.
On 10.x.x.6, use itself as its primary DNS server and 10.x.x.48 as its secondary DNS server.

As henjoh stated, "change the servers around": 10.x.x.6 should be the primary DNS server. Otherwise, you are going to 10.x.x.48 for this server's DNS queries.
Event ID:      4015

4015 errors are usually a result of this server not having its host A record registered in DNS. Since you are going to 10.x.x.48 for DNS as the PREFERRED DNS server, this means the Host A record for your 10.x.x.6 server may not exist on the 10.x.x.48 server.

After changing the preferred DNS server to be itself, you might want to register the Host A record.
To register the Host A on both servers, go to the command prompt and type:
IPconfig /flushDNS
IPconfig /registerDNS
Net stop netlogon
Net start netlogon

Then force replicate from that server to the other server:



Now that we worked those two out, there is still a problem with it trying to do a DNS query on IP address and also the 127 loopback address.

In my opinion, this might be your DHCP server not knowing who your DNS servers are. Even if DHCP is the same server, you might want to configure your DHCP server options to define the default gateway and DNS servers. Doing so would define the path to those servers.

To do this, go into the MMC console, or the DHCP snap-in, and expand the snap-in to where you see the OPTIONS folder. Enter the options folder and configure your DNS server. Much like preferred DNS servers in the NIC, you also want your server to be the first server for DHCP. Example:

DHCP options for DNS servers:
If your server's IP is and the other server is, you want these two servers in this order of precedence for DNS.

I have seen DHCP tell the client to query DNS to see if the IP is in use. This is a part of the DHCPACK package.
Henrik JohanssonSystems engineer
Top Expert 2008

DHCP is using ARP/ping for conflict detection, not DNS. The dynamic registration of DNS-records is done through DHCP client service.

Even if configuring the DNS to use a single IP (dnsmgmt.msc->server properties->Interfaces-tab), it will when checking netdiag bind port 53 to all IPs including
The amount of reserved ports when starting the DNS service looks like "as designed" to handle performance. The benchmark described at the link below had 1300 dynamic updates/second.
If checking other ports with netstat, you will see that also they are assigned to when the port is in LISTENING state.

Chris DentPowerShell Developer
Top Expert 2010


> However, the server should be doing the replies, and since UDP is stateless, it shouldn't be
> listening on all those ports.

You mean your server doesn't query public name servers?

If your server makes a query against a remote server (as a response to a client requesting recursion) it will open up a UDP Port to listen on matching the source port of the original request.

As you point out, UDP is stateless, therefore opening a port to listen is the only way it's going to see and match up the response. I've yet to find documentation on how long it keeps them open, or how many it just arbitrarily opens, however the behaviour is not abnormal.




I changed the primary lookup server to be the local IP address.  I also did nslookup, pointing to both servers, and attempted to resolve the name.  It resolved fine on the first try.  I went ahead and did the flushdns/registerdns and stop/start netlogon anyway.  

The DHCP server is (the other DNS/AD server).  It gives out the DNS of .48 as primary, and .6 as secondary, and sets up the local domain name correctly.  The DHCP server is set to 'enable dynamic updates' and 'always update DNS A and PTR records'.


henjoh09 and Chris-Dent,

I agree about the fact that it would have to open a port to listen for a reply when it queries another server, because UDP is stateless.  However, I would think (what's your opinion) that it would listen on an IP Address, not if it was waiting for a reply.  

Also, this is a pretty small network, about 50 users.  Upon starting the DNS server, about 2000-2500 ports are opened up within the time it takes me to type 'netstat -an -p udp'.  I don't think it's making that many queries, and why would it open ports to listen for replies if it didn't make a request?  To prove this, I stopped the DNS server, started Wireshark to listen for UDP packets, then started the DNS server again.  It didn't make a bunch of queries.  (I'll post the results of that Wireshark capture momentarily.)

I've checked several other DNS servers that I have in similar situations (Windows 2003 AD/DNS).  None of them are listening on anywhere near that many ports.

Additionally, if you're talking about inbound ports, which is what the DNS server is made to do, it only needs to listen on port 53, and will reply from port 53 to the source port of what was requested.  The need for more performance would not require additional ports; it would just open new connections (less) on that same port.
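The check the asker performed by hand (count the UDP sockets dns.exe holds, and whether they are bound to 0.0.0.0 or to a specific address) can be scripted over saved netstat output. This is an added example, not code from the thread: it parses Windows `netstat -ano -p udp` output (the -o column gives the owning PID), which is constructed here with a hypothetical PID 1234 for the DNS service, and reports per-process socket counts so a burst of high-numbered wildcard binds stands out.

```python
"""Summarise UDP sockets per process from Windows 'netstat -ano -p udp' output."""
import re
from collections import defaultdict

# Constructed sample (not a real capture): PID 1234 is a hypothetical dns.exe
# holding port 53 on several addresses plus a burst of high wildcard sockets;
# PID 900 is an unrelated service shown for contrast.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:53             *:*                                    1234
  UDP    10.0.0.6:53            *:*                                    1234
  UDP    127.0.0.1:53           *:*                                    1234
  UDP    0.0.0.0:123            *:*                                    900
""" + "".join(f"  UDP    0.0.0.0:{p}   *:*    1234\n" for p in range(50000, 50010))

# Proto, local ip:port, foreign address, PID (UDP rows carry no State column).
LINE_RE = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")


def parse_udp_listeners(text):
    """Return (local_ip, port, pid) tuples for each UDP row in netstat output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def summarise(rows, high_port=1024):
    """Per PID: total sockets, 0.0.0.0 binds, and 0.0.0.0 binds above high_port."""
    stats = defaultdict(lambda: {"total": 0, "wildcard": 0, "high_wildcard": 0})
    for ip, port, pid in rows:
        s = stats[pid]
        s["total"] += 1
        if ip == "0.0.0.0":
            s["wildcard"] += 1
            if port >= high_port:
                s["high_wildcard"] += 1
    return dict(stats)


def flag_heavy_listeners(stats, threshold=1000):
    """PIDs holding at least `threshold` high wildcard UDP sockets (thread saw ~2500)."""
    return sorted(pid for pid, s in stats.items() if s["high_wildcard"] >= threshold)


if __name__ == "__main__":
    st = summarise(parse_udp_listeners(SAMPLE_NETSTAT))
    for pid, s in sorted(st.items()):
        print(pid, s)
    print("heavy listeners:", flag_heavy_listeners(st, threshold=10))
```

Run it against real output with `netstat -ano -p udp > udp.txt` and feed the file contents to parse_udp_listeners; the threshold is deliberately a parameter, since the thread shows the normal count differs between dns.exe builds.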


Here is the Wireshark dump while I was starting DNS, as promised.


In the event log, if I click for more information, this is what I get as a result.

I'm going to see what I can troubleshoot with ldap to see if there's any problems.

Will also run netdiag /debug.
Chris DentPowerShell Developer
Top Expert 2010


> However, I would think (what's your opinion) that it would listen on an IP Address,
> not if it was waiting for a reply

I haven't seen a case where it listens on anything but for those high-numbered UDP Ports. This holds true even if you restrict the interfaces DNS listens on under the server properties.

But you're right, it's too many unless it's an exceptionally high-load system.

Out of interest, one of my DNS servers also suffers from the problem, sitting on a large number of high-numbered UDP Ports.

This only exhibits on version 5.2.3790.4318 of dns.exe. I have another server running 5.2.3790.4171 which doesn't display the issue. Patching it up now to see if it starts ;)



The version of dns.exe on this machine is 5.2.3790.3161 (Win2003 SP1)

I'm checking other machines that I can get my hands on.

2 machines at 5.2.3790.4171 (Win 2003 R2 SP2) seem to be working fine.

1 machine at 5.2.3790.3161 (Win 2003 SP1) has the same issue.
Chris DentPowerShell Developer
Top Expert 2010


Mine are all 2003 R2 SP2, the only difference is the version of dns.exe. The latest version showing the port usage.

Unfortunately, I don't have any version earlier than 4171. I suspect it's not actually a problem, but it is a bit of an oddity. I suspect a fair bit more reading is in order to fully understand why it does it.


I have had the issue of the new DNS functionality blocking legitimate programs from working.  Port 5160, for example, is used for a licensing server in my network.  My research uncovered this page:


That page describes how to reserve some ports from being used by processes that open up random ports.
I found the following link really insightful.


It not only says what and why, but also tells you how to limit the number of ports.
