Recently I received a report from some security software (GFI’s LANguard NSS) that said my domain controller had a backdoor installed on it. This seemed unlikely but I dutifully went in to have a closer look.
Upon examination there appeared to be a number of ports (say 2500 or so) open in the ephemeral port range. After some wrestling with netstat and some help from jahboite on Experts Exchange I was able to figure out that they related to my DNS service on that box.
My next question was why DNS had so many ports open? Was there a backdoor on the box after all, and am I a bad admin? Well, a quick search with the help of my dev co-worker Jonathan found the answer:
http://support.microsoft.com/kb/956188
http://support.microsoft.com/kb/953230
Based on these articles, it appears this is a new design decision as of July 2008 that resolved the “Vulnerabilities in DNS could allow spoofing” problem with Windows DNS…
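The manual netstat work above can be scripted so that the next person who sees a scanner flag a few thousand ephemeral UDP ports gets an answer in seconds rather than hours. The following PowerShell is an added example and is not from the original post, from GFI, or from Microsoft: it parses `netstat -ano -p udp`, attributes every UDP endpoint to its owning process, and summarises how many ephemeral ports each process holds. It assumes a Windows `netstat` that supports `-o` (PID column), that the DNS Server service runs as its own process named `dns.exe`, and an ephemeral range starting at 49152 (the Vista/2008 default; older systems start at 1025, so adjust `-EphemeralFloor` there). The threshold of 1000 ports and the label text are my own choices, not values from the KB articles.

```powershell
# Added example, not code from the original post. Attributes open UDP ports to
# their owning process so a large block of ephemeral ports can be traced to
# dns.exe (the DNS Server socket pool described in KB953230 / KB956188) or,
# if it belongs to something else, flagged for investigation.
# Assumptions: netstat supports -o (PID column); the DNS Server service runs
# as dns.exe; ephemeral range begins at 49152 unless overridden.

function Get-UdpEndpointsByProcess {
    # netstat -ano -p udp lines look like:
    #   UDP    0.0.0.0:53      *:*      1234
    $lines = netstat -ano -p udp | Where-Object { $_ -match '^\s*UDP\s' }
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'
        # Split "0.0.0.0:53" or "[::]:53" into address and port on the last colon
        $addr, $port = $f[1] -split ':(?=\d+$)'
        $ownerPid = [int]$f[-1]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = [int]$port
            Address = $addr
            PID     = $ownerPid
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
        }
    }
}

function Get-UdpPortSummary {
    param(
        [int]$EphemeralFloor = 49152,   # Vista/2008 default; use 1025 on 2003
        [int]$PoolThreshold  = 1000     # hypothetical cut-off for "a lot of ports"
    )
    Get-UdpEndpointsByProcess |
        Group-Object Process, PID |
        ForEach-Object {
            $first     = $_.Group[0]
            $ephemeral = @($_.Group | Where-Object { $_.Port -ge $EphemeralFloor }).Count
            $note = if ($first.Process -eq 'dns' -and $ephemeral -ge $PoolThreshold) {
                        'DNS Server socket pool (KB953230/KB956188): expected'
                    } elseif ($ephemeral -ge $PoolThreshold) {
                        'Large ephemeral pool owned by a non-DNS process: investigate'
                    } else { '' }
            [pscustomobject]@{
                Process        = $first.Process
                PID            = $first.PID
                TotalUdpPorts  = $_.Count
                EphemeralPorts = $ephemeral
                Note           = $note
            }
        } |
        Sort-Object TotalUdpPorts -Descending
}

# Usage: run in an elevated prompt on the domain controller.
Get-UdpPortSummary | Format-Table -AutoSize
```

Running this as an administrator on the box in question should show a single `dns` entry holding the couple of thousand ephemeral UDP ports, which is the socket pool the DNS Server service reserves at start-up so that outbound queries use unpredictable source ports. Any other process holding a block that size is worth a closer look; the script only attributes ports, it does not judge whether the owning binary is legitimate.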
I’ll be e-mailing GFI now with this information. Hopefully they can make their tool smarter so it can figure this out rather than making me do it…