Windows DNS Server Remote Code Execution Vulnerability

Severe/Critical vulnerability in Windows DNS. Severe enough that DHS CISA is classifying it a level 10 (out of 10). A quick workaround is mentioned in the Microsoft link below:

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that’s allowed:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 

Value: TcpReceivePacketSize

Type: DWORD 

Value data: 0xFF00


  • The default (also maximum) Value data = 0xFFFF.
  • The recommended Value data = 0xFF00 (255 bytes less than the maximum).
  • You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:

net stop dns && net start dns

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes.