Consider the following scenario:

• Lots of IP addresses are assigned to one network adapter on a computer that is running Windows Server 2008 Service Pack 2 (SP2) or Windows Vista Service Pack 2 (SP2).
• Only the primary IP address is used for outgoing traffic.

In this scenario, only the primary IP address should be registered on the DNS servers for outgoing communication purpose. However, all IP addresses are registered on the DNS servers.

The issue causes the following symptoms:

• The communication to the computer is blocked by a firewall. Because all IP addresses are registered on the DNS servers, all these IP addresses seem to be valid IP addresses that can be used to communicate with the computer. However, if only the primary IP address can pass through a firewall, communication that uses all other IP addresses is block by the firewall.
• A large amount of DNS registration traffic and a large amount of update traffic is generated. However, this traffic is unnecessary because these IP addresses are not used for outgoing traffic.

Consider the following scenario:

• You install the Microsoft Remote Server Administration Tools on a computer that is running Windows Vista or Windows Server 2008.
• From this computer, you use the Dnscmd.exe tool or the DNS Management Microsoft Management Console (MMC) snap-in. You use one of these tools to manage a DNS service instance that is hosted on a server that is running Windows 2000 or Windows Server 2003.
• You try to add some secondary servers to the “allowed zone transfer server” list (securelist) of a primary DNS server zone.

In this scenario, the secondary servers are not added to the securelist as expected. Additionally, the symptoms that appear for this problem depend on the number of IP addresses that you try to add to the securelist. The following are the symptoms that may appear:

• If you try to add more than one IP address, the operation fails.
• If you try to add only one IP address of a secondary server, the operation seems to complete successfully. However, the operation adds an address of 1.0.0.0 to the securelist, instead of the expected IP address.

For example, you try to add a “4.1.1.1″ server and a “4.2.2.2″ server to the securelist by using the following command:

dnscmd <server name> /zoneresetsecondaries <zone name> /securelist 4.1.1.1 4.2.2.2

In this case, you receive the following error message:

Command failed: DNS_ERROR_INVALID_IP_ADDRESS 9552

If you try to add only the “4.1.1.1″ server to the securelist by using the following command, an IP address of “1.0.0.0″ is incorrectly added to the securelist instead of the “4.1.1.1″ address:

dnscmd <server name> /zoneresetsecondaries <zone name> /securelist 4.1.1.1

However, in this case, you receive no error message.

This Knowledge Base article contains details about the scenarios that use DNS Devolution functionality that are affected by this update. Windows administrators and support professionals should review this document to determine whether their computing environments are vulnerable to the behavior that is addressed by this update and to make sure that DNS names are successfully resolved after they install this update.

You run the ipconfig command together with the /displaydns switch on a computer that is running Windows Server 2008 or Windows Vista. However, when you do this, the Ipconfig.exe utility crashes.

Note: You use the /displaydns switch to display the cache contents of a local DNS client.

On a Domain Name System (DNS) client computer that is running Windows Vista Service Pack 1 (SP1) or Windows Server 2008, the DNS Client service and the Network Location Awareness (NLA) service crash intermittently.

This problem occurs if the DNS client has the DNS dynamic update protocol registration option enabled when the client performs a DNS registration.

Notes:

• By default, the DNS dynamic update protocol registration option is enabled on DNS clients that run Windows Vista or Windows Server 2008.
• This issue does not occur if the DNS client is running the RTM version of Windows Vista.

By default, Windows Vista and Windows Server 2008 follow RFC 3484 for destination IP address selection, which does not honor DNS round robin.

You use a dial-up or a virtual private network (VPN) connection to connect to a Routing and Remote Access server. However, the list of Domain Name System (DNS) servers that is stored on the Windows Vista or Windows Server 2008-based Dynamic Host Configuration Protocol (DHCP) client computer is in reverse order.

For example, when you connect to the Routing and Remote Access server, the DHCP server sends the DNS IP addresses in the preferred order:

10.200.200.200
10.201.201.201

However, if you view the TCP/IP protocol properties on the client computer, the DNS IP addresses appear in the following order:

10.201.201.201
10.200.200.200

This problem may cause excessive WAN traffic or poor DNS performance.

Description: This security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. Keep reading →

Domain Name System: Stores and associates many types of information with domain names; most importantly, it serves as the phone book for the internet, translating human-friendly domain names and computer hostnames into computer-friendly IP addresses.

When you try to join a Windows Vista-based client computer to a top level domain (TLD) that has a purely numeric suffix, the Windows Vista-based client computer cannot join the domain. Additionally, you receive the following error message:

Computer Name/Domain Changes
An Active Directory Domain Controller for the domain could not be contacted. Ensure that the domain name is typed correctly. If the name is correct, click Details for troubleshooting information.

Note: An example of a purely numeric suffix is “contoso.2003.”

When you click Details, you receive the following error message:

An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller of the domain domain name.

The error was: “The filename, directory name, or volume label syntax is incorrect.”

(error code 0×0000007B ERROR_INVALID_NAME)

The query was for the SRV record for _ldap._tcp.dc._msdcs.domain name.com

If you try to join the domain by using the NetBIOS name of the domain, you are prompted for domain credentials. In this case, the client computer still cannot join the domain. Additionally, you receive the following error message:

The following error occurred attempting to join the domain NetBIOS name of the domain Logon failure: unknown username or bad password.