Anteaus said:
By the sound of things it's probably better NOT to apply these patches to
internal, non-internet-facing DNS servers, as if I read correctly they
could
randomly interfere with other unrelated functions of the server.
I wouldn't say "yes" or "no" to any patch this soon after it's released,
without knowing your environment and the systems that will be patched.
As with all significant behaviour changes, you should test it in your
environment, and follow appropriate workarounds.
It's a good idea, in general, to indicate to the operating system that
certain applications have reserved ports using the ReservedPorts registry
key - whether you apply or don't apply this patch. That way other
applications besides DNS won't try to poach a port that's already in use -
as is shown by the example of BIND DNS servers, an application can quite
easily cause traffic to be directed to a service, if it isn't kept away from
reusing that socket, and ReservedPorts is the Windows way to do that across
multiple applications.
Test the patch in your environment, if you have multiple DNS servers, make
sure it doesn't adversely affect your operations, and then deploy the patch.
Expect another patch to DNS - but it might not be this month, or for a
couple of months. Don't hold off patching because "there might be another
patch", use this as an opportunity to solidify your DNS testing methodology,
so that you can test more quickly with the next patch, whenever that might
occur.
DNS is starting to really show its age.
Alun.
~~~~