You’re going to see a lot of sand flying about a Windows security hole that was plugged yesterday. Here’s what most people need to know about CVE-2020
[See the full post at: FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective]
FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective
woody
Manager
July 15, 2020 at 5:41 am #2280657
Microfix
AskWoody MVP
July 15, 2020 at 7:06 am #2280671
More info on the registry edit from the horse's mouth:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
Workaround
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
TcpReceivePacketSize
Value = 0xFF00
Note You must restart the DNS Service for the registry change to take effect.
The Default (also max) Value = 0xFFFF
The Recommended Value = 0xFF00 (255 bytes less than the max)
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
Windows - commercial by definition and now function...
4 users thanked author for this post.
-
Marcus Weldby
AskWoody Plus
July 16, 2020 at 9:03 am #2281037
I did the TcpReceivePacketSize registry edit on my 2008R2 server, and I also installed KB4565540 on my 2012R2 server. After the reboot I’m not seeing a TcpReceivePacketSize entry on my 2012R2 server, does the KB4565540 update solve the DNS issue a different way?
Thank you.
anonymous
Guest
July 22, 2020 at 9:09 am #2282451
FAQs in the guidance document recommend removing the registry workaround after a server has been patched, so the patch must solve the underlying issue rather than rely on the temporary packet size restriction.
1 user thanked author for this post.
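The workaround quoted earlier in the thread, and its removal after patching as the reply above describes, written as an added PowerShell example (not from the thread or from Microsoft's article). The function names are hypothetical; the DWORD value type and the `DNS` service name are assumptions not stated on the page.

```powershell
# Added example; run from an elevated prompt on the DNS server.
# Key, value name and 0xFF00 come from the quoted workaround.
# Function names are hypothetical; DWORD type and service name 'DNS' are assumptions.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name  = 'TcpReceivePacketSize'
$Limit = 0xFF00   # 65280; the default (also max) is 0xFFFF

function Get-DnsTcpLimit {
    # Returns the configured value, or $null when the entry does not exist
    # (the server then uses its default).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Set-DnsTcpLimitWorkaround {
    # Creates or overwrites the value, then restarts the DNS service,
    # because the change only takes effect after a restart.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Limit -Force | Out-Null
    Restart-Service -Name DNS -Force
    return (Get-DnsTcpLimit)
}

function Remove-DnsTcpLimitWorkaround {
    # For use once the security update is installed: deletes the entry so the
    # server returns to its default, then restarts the DNS service.
    if ($null -ne (Get-DnsTcpLimit)) {
        Remove-ItemProperty -Path $Key -Name $Name
        Restart-Service -Name DNS -Force
    }
    return (Get-DnsTcpLimit)
}

# Report the current state without changing anything.
$current = Get-DnsTcpLimit
if ($null -eq $current) {
    'TcpReceivePacketSize is not set (default 0xFFFF applies).'
} elseif ($current -le $Limit) {
    'Workaround active: TcpReceivePacketSize = 0x{0:X}' -f $current
} else {
    'TcpReceivePacketSize = 0x{0:X}, above the recommended 0xFF00' -f $current
}
```

Dot-sourcing the script only reports the current state; call `Set-DnsTcpLimitWorkaround` or `Remove-DnsTcpLimitWorkaround` explicitly to change it.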
Microfix
AskWoody MVP
July 15, 2020 at 10:42 am #2280712
If it’s a published Microsoft article, I would think so.
0Patch will probably issue something also given the severity of the potential. Perhaps implement the workaround in preparation for 0Patch or Microsoft, whichever lands first.
Windows - commercial by definition and now function...
-
Mr. Natural
AskWoody Lounger
July 15, 2020 at 3:20 pm #2280843
All of our DNS servers are 2012r2. I was able to update and reboot one of them today and the rest of them will be updated after hours this evening. I don’t foresee any issues but if I do I will follow up on this post tomorrow. If you don’t hear back then I would say no issues to report with the DNS server patches.
All other updates are on hold of course, for now.
Red Ruffnsore
3 users thanked author for this post.
-
Mr. Natural
AskWoody Lounger
July 16, 2020 at 7:56 am #2281027
I had no issues updating all servers overnight. Including the .net patches and the IE11 update for 2012r2. This includes 2012r2, 2016, and 2019 servers. All dns servers updated.
Disclaimer – your mileage may vary.
Red Ruffnsore
2 users thanked author for this post.
-
NetDef
AskWoody_MVP
July 15, 2020 at 9:25 pm #2280929
My team patched many servers early this morning, none had issues. Even our notoriously cranky Server 2016 machines patched quickly and easily this time around.
~ Group "Weekend" ~
2 users thanked author for this post.
-
Tchalms
AskWoody Lounger
July 18, 2020 at 7:38 pm #2281573
For those with Server 2008 R2 ( asking for “a friend” ) I’m wondering about updates from MS.
Can someone please verify what I think I found, or did I make a mistake connecting the dots?
This article:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
Led me to this article:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
Which includes a table of articles and updates for every server from 2008 to 2019 and the Core Servers up to 2004.
The links in the table lead to the Microsoft Update Catalog and buttons to download the update.
What is the correct procedure for installing one of these updates?
-
NetDef
AskWoody_MVP
July 18, 2020 at 9:40 pm #2281590
I saw that too, and wish I had an old Server 2008 R2 to play with still. My guess is that it would manually update from the download fine. Uncertain I would want to test on a production server. Then again, if you have a 2008 R2 production server, try it, and it fails . . . it might be the kick needed to upgrade.
Wait a minute . . . I have a HyperV image backup of an old 2008 R2 from a couple years ago from a retired machine. Stand by.
~ Group "Weekend" ~
-
NetDef
AskWoody_MVP
July 18, 2020 at 10:21 pm #2281600
That was a fun ride.
Spun up an orphaned HyperV image of an old Server 2008 R2 application server. I want to emphasize this is a pretty plain-jane server config: It does NOT have any advanced roles like Active Directory / Domain Controller installed. It was a print and application server only. Also of note is I let Windows Update catch it up to January 2020 before the following experiment.
1) Downloaded the MSU via Catalog link for Server 2008 R2 listed at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
2) Tried to install it and failed with this message:
Note: Clicking that blue link in the error took me to a VERY outdated Microsoft page, which subsequently led down a rabbit hole of obsolete downloads for Service Stack editions dating circa 2011 . . . (in other words, don’t bother!)
3) Circled around and found the Server 2008 R2 July 2020 Service stack update for ESU customers at http://www.catalog.update.microsoft.com/Search.aspx?q=KB4565354 and successfully installed that. (Note: I do not have ESU on this machine, nor was ESU simulated per other sources available on this site.)
4) After that step, I was able to successfully install the July 2020 Rollup on this machine.
(It did provide a success message, but that window didn’t include the KB number.)
Remember class, this was NOT on a production server – after this test I shut it down and relegated the HyperV image back to storage. All disclaimers apply here.
TL;DR – it appears Microsoft is not blocking this update for Server 2008 R2.
But – it failed on reboot (see next message)
~ Group "Weekend" ~
-
NetDef
AskWoody_MVP
July 18, 2020 at 10:33 pm #2281606
So I had a thought and went to spin that HyperV machine back up to check on something — and it’s a good thing I did! It powered up on the second phase install of the July Rollup and presented me with this:
Once it recovered, the Update history shows:
I suspect either a prerequisite patch after Jan 2020 is missing (in spite of the fact that roll-ups are supposed to include that stuff) OR this patch doesn’t check ESU status until the reboot – which is playing nasty since this is openly available on the Microsoft Catalog.
If I have time will dig deeper in a few days.
~ Group "Weekend" ~
-
Paul T
AskWoody MVP
July 19, 2020 at 12:12 am #2281628
For those with Server 2008 R2 ( asking for “a friend” )
A reminder: if the server isn’t in an AD network or doesn’t run DNS server it doesn’t need the update.
cheers, Paul
-
Tchalms
AskWoody Lounger
July 19, 2020 at 3:13 pm #2281757
For those with Server 2008 R2 ( asking for “a friend” )
A reminder: if the server isn’t in an AD network or doesn’t run DNS server it doesn’t need the update.
cheers, Paul
PaulT: Yeah, a client has had serious budget troubles and couldn’t do the server upgrade last year … then came Covid. They are running AD and DNS Server. I have done the Registry edit.
NetDef: Thanks for the efforts and info !!