Silverlight 2 beta 1 and Socket Exception: Access Denied

Michael Schwarz on Sunday, March 9, 2008

Playing around with the sockets [1] in Silverlight 2 beta 1 [2], I found out that it works fine on my local host. When publishing my sample to a real Web server (I mean a Web server that is reachable on the Internet with a domain) I always got a socket exception saying that access is denied [3]. I looked around to see if I could find any help on that. I thought that there might be a restriction in the defaults of Silverlight and that I could find somewhere a configuration similar to the .NET and zones configuration, but I didn't.

Today I got the answer from Wilco Bauwer [4], Microsoft:

This is currently a limitation of the site-of-origin policy.  To prevent DNS rebinding, we need to verify that the IP address returned by the DNS query actually "belongs" to the domain specified; we do this with a reverse DNS lookup.  This dependence on the reverse lookup should go away in the next drop of Silverlight 2.

That means my online sample at frankfurt.schwarz-interactive.de returns an IP address that does not correspond with the DNS reverse lookup information. If you want to check the reverse DNS lookup of any IP address, you can use nslookup.exe (for detailed information read the Wikipedia article about reverse DNS lookup [5]):

First you have to set the query type to PTR:

set type=ptr

To look up the domain name of a given IP address (the IP address Silverlight gets from resolving the domain used for the socket), you have to reverse the octets of the IP address and add ".in-addr.arpa." at the end. This means the IP address 82.165.8.108 becomes 108.8.165.82.in-addr.arpa. Your nameserver will answer this query with the name that is configured for this IP address:

[Screenshot: C:\Windows\system32\cmd.exe - nslookup]

In my example I get schwarz-interactive.de instead of the used domain frankfurt.schwarz-interactive.de. Well, simply changing the sample to use http://schwarz-interactive.de:4510/test.aspx [6] fixes this problem.

The next drop of Silverlight 2 will change this dependence. In the meantime, the easiest way to work around this is to reference the .xap file using http://[ip address]:port/path/to/app.xap. No reverse lookup is needed in this case because Silverlight will simply do an equality test on the IP addresses.
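
The check described in this post, as an added example (not code from the post or from Silverlight): it builds the PTR query name, compares the reverse-lookup result with the host name used for the socket, and skips the lookup for an IP literal. The exact, case-insensitive name comparison and the sample resolver data (constructed from the names and address in the post) are assumptions.

```python
import ipaddress
import socket


def ptr_query_name(ip):
    """Name queried for the PTR record, e.g. 108.8.165.82.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def system_reverse(ip):
    """PTR name plus aliases from the system resolver (live DNS)."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name] + aliases


def reverse_matches(host, forward=socket.gethostbyname, reverse=system_reverse):
    """Report whether the PTR name(s) of host's address equal host.
    Assumption: exact, case-insensitive match (the post shows no rules)."""
    try:
        ipaddress.ip_address(host)
        # IP literal: only an address equality test applies, no PTR lookup.
        return {"ip": host, "ptr_query": None, "ptr_names": [], "match": True}
    except ValueError:
        pass
    ip = forward(host)
    try:
        names = reverse(ip)
    except OSError:  # no PTR record configured (socket.herror)
        names = []
    wanted = host.rstrip(".").lower()
    match = wanted in {n.rstrip(".").lower() for n in names}
    return {"ip": ip, "ptr_query": ptr_query_name(ip),
            "ptr_names": names, "match": match}


# Constructed sample data, modelled on the names and address in the post.
SAMPLE_A = {"frankfurt.schwarz-interactive.de": "82.165.8.108",
            "schwarz-interactive.de": "82.165.8.108"}
SAMPLE_PTR = {"82.165.8.108": ["schwarz-interactive.de"]}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


if __name__ == "__main__":
    for host in ("frankfurt.schwarz-interactive.de", "schwarz-interactive.de",
                 "82.165.8.108"):
        print(host, reverse_matches(host, SAMPLE_A.__getitem__, sample_reverse))
```

Calling `reverse_matches(host)` with no resolver arguments performs the same comparison against live DNS through the system resolver.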