Re: problems with KB951746



Also, if this were a firewall issue, I think it would be there all the time,
not just when the system is under load.

--

GaryK


"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:I5OdnRWuYKkGijvVnZ2dnUVZ_uqdnZ2d@xxxxxxxxxxxxxx
Gary,

I doubt the patch, or SBS, is the problem here. What I suspect is
happening is that the patch is doing what it is supposed to do. But one
of the things the patch does is cause the source port to be randomized.
If your firewall is not configured to allow DNS traffic from a random
source port then your recursive DNS requests are being stopped at the
firewall...and you'll get the symptoms you describe. It is also possible,
but less likely, that your ISP's DNS servers are misconfigured and are
unable to reply on odd source ports.

So this is where I'd start....look at your network perimeter and see if
you can verify there is a firewall issue.
Then, if you are CONFIDENT that you are okay there and the speed issue
remains, reconfigure SBS (CEICW) and point it to another DNS server that
is known to be patched and working (openDNS is a good option here).

I'm fairly confident you'll be able to fix the issue from there.

Let me know if that helps,

-Cliff

"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:%236rvj2y$IHA.5660@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I can't decide how to proceed with getting this problem solved. When the
server-side DNS-vulnerability patch (951746) is installed, all my SBS2K3
systems are exhibiting the same problem: extremely slow internet access
when the system is under load, meaning when three or more clients are
trying to access the internet at once.

With the patch uninstalled everything returns to normal. This is not
resolved by reserving ports as one fix suggests.

The problem seems to be that DNS can't resolve quickly when the patch is
installed. Sometimes it is so slow that the system times out. I've tried
different forwarders, different DNS servers, and root hints only. If the
patch is installed, nothing helps.

Someone has posted a message about this in the SBS private forum, but he
isn't getting much help.

My indecision stems from the fact that no symptoms show if there is no
load, so if I call CSS after hours I can't show them any symptoms, and I
don't want to load the patch during a work day because access is so slow
that client work slows to a virtual standstill, the remote branches'
connections to Exchange server stop responding, and local clients can't
do any work that involves the internet.

I think I'm just going to have to live with this and hope that MS comes
up with a fix for someone else and I hear about it.

Maybe someone here can suggest an approach, because I'm stumped as to how
to proceed.

--

GaryK