Unmasking DNS Timeouts: The Hidden Culprit in Azure Virtual Networks

by info.odysseyx@gmail.com, September 30, 2024

When managing an Azure virtual network (VNet), it is important to understand the intricacies of the various ports and their functions. One often overlooked but important port is UDP port 65330. This article explains why awareness of UDP port 65330 is essential. The reservation affects anything that uses UDP port 65330; in this article, however, we focus on how it affects DNS resolution, an important core service that relies on UDP for communication.

Why UDP port 65330 is important

Azure VNets are designed to facilitate secure and efficient communication between resources. UDP port 65330 is a reserved host port in all Azure VNets. Because this port is reserved, any communication attempted on it is blocked by the VNet (see the Azure virtual network FAQ).

DNS primarily uses UDP for most of its operations, including name resolution. UDP port 65330 falls inside the high-numbered ephemeral port range that both clients and servers use to initiate network connections. DNS servers (and clients) use these ephemeral ports as the source port when they connect to the Azure-provided DNS resolver (168.63.129.16), to your own DNS server running on an Azure VM, or to another custom DNS solution. A DNS name resolution attempt therefore fails whenever the client or server happens to select the dynamic UDP port 65330 as its "source" port.

How will this affect my network communications?

The default dynamic UDP port range on Windows operating systems is 49152 to 65535, giving a total of 16383 UDP ephemeral ports to choose from (see Service Overview and Network Port Requirements – Windows Server, Microsoft Learn). When a DNS server or DNS client initiates an outbound DNS request, one of the available UDP source ports is 65330. This means that potentially 1 in 16383 requests will fail, because Azure completely blocks any request that uses UDP port 65330 as its source port when initiating a connection to the Azure DNS service.
This can cause random DNS resolution errors, which in turn can cause communication issues between services in your environment (for example, connecting to Azure private endpoints).

Okay, now what happens?

Failed DNS requests and timeouts can be quite a headache, causing domain name resolution delays and failures. The solution is to prevent Windows systems from ever selecting the ephemeral UDP port 65330. This change must be made on all Windows systems (including containers) running in the Azure VNet. Here are the steps to alleviate this issue:

Disable port 65330 on Windows systems

You can disable Windows' ability to initiate network-related requests using port 65330 (that is, exclude it from the dynamic port range so it is never chosen as a source port) by running the command below:

    netsh int ipv4 add excludedportrange udp 65330 1 persistent

Verify that UDP port 65330 is excluded in Windows:

    netsh int ipv4 show excludedportrange udp

When you need to undo/delete this Windows port reservation (rollback scenario):

    netsh int ipv4 delete excludedportrange udp 65330 1 persistent

Disclaimer

Sample scripts are not supported by Microsoft standard support programs or services. Sample scripts are provided AS IS without warranty of any kind. FURTHER, MICROSOFT DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. The entire risk arising from the use or performance of the sample scripts and documentation is with you. In no event will Microsoft, its authors, or anyone else involved in writing, producing, or delivering the script be liable for any damages (including, but not limited to, lost business profits, business interruption, loss of business information, or other monetary losses) resulting from the use or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
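The three netsh steps above, combined into one idempotent check-and-fix script. This is an added example and not part of the original post or of any Microsoft-provided script; it assumes an elevated PowerShell session and the standard English "Start Port / End Port" table that netsh prints on Windows.

```powershell
# Added example (not from the original post): reserve UDP 65330 on a Windows host in an
# Azure VNet only if it is inside the dynamic range and not already excluded, then verify.
# Assumes an elevated session and the standard English netsh output format.
$Port = 65330

function Get-UdpExcludedRanges {
    # Parse "netsh int ipv4 show excludedportrange udp" into Start/End objects.
    # Rows look like "     65330       65330     *" (the '*' marks administered exclusions).
    $out = netsh int ipv4 show excludedportrange udp
    foreach ($line in $out) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s*\*?\s*$') {
            [pscustomobject]@{ Start = [int]$matches[1]; End = [int]$matches[2] }
        }
    }
}

function Test-UdpPortExcluded {
    param([int]$Port)
    $hit = Get-UdpExcludedRanges | Where-Object { $Port -ge $_.Start -and $Port -le $_.End }
    return [bool]$hit
}

# Is 65330 inside this host's dynamic (ephemeral) UDP range at all? If the range was
# customised to stop below 65330, the exclusion is harmless but unnecessary.
$dyn = (netsh int ipv4 show dynamicport udp) -join "`n"
$start = 0; $count = 0
if ($dyn -match 'Start Port\s*:\s*(\d+)')      { $start = [int]$matches[1] }
if ($dyn -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$matches[1] }
$inDynamic = ($Port -ge $start) -and ($Port -lt ($start + $count))

if (-not $inDynamic) {
    Write-Host "UDP $Port is outside the dynamic range $start-$($start + $count - 1); nothing to do."
} elseif (Test-UdpPortExcluded -Port $Port) {
    Write-Host "UDP $Port is already excluded; nothing to do."
} else {
    # Same command as in the article; "persistent" keeps the exclusion across reboots.
    netsh int ipv4 add excludedportrange udp $Port 1 persistent | Out-Null
    if (Test-UdpPortExcluded -Port $Port) {
        Write-Host "UDP $Port is now excluded from the dynamic port range."
    } else {
        # netsh refuses the exclusion while a socket is currently bound to the port;
        # retry after the owning process releases it, or after a reboot.
        Write-Warning "Exclusion of UDP $Port did not take effect (port possibly in use)."
    }
}
# Rollback, as in the article: netsh int ipv4 delete excludedportrange udp 65330 1 persistent
```

Run it once per Windows VM or container image in the VNet; the second run reports "already excluded" and changes nothing.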