DNS query responses do not travel through a firewall in Windows Server 2003

A Microsoft Windows Server 2003-based computer may not receive DNS query responses through a firewall.

Some queries, such as queries for A records, work as expected. Queries for MX records may fail. Domains with this issue include AOL.com, Qwest.net, and EarthLink.net.

The sender of an e-mail may receive a Non Delivery Reciept (NDR) with the error message that is similar to the following:

This issue may occur if a firewall blocks the transfer of UDP packets that are larger than 512 bytes.

With Extension Mechanisms for DNS (EDNS0) as defined in RFC 2671, "Extension Mechanisms for DNS (EDNS0)," DNS requestors can advertise UDP packet size and transfer packets larger than 512 bytes. By default, some firewalls have security features turned on that block UDP packets that are larger than 512 bytes. As a result, DNS queries may fail.

This problem also may occur on some Cisco PIX Firewall models with software that is earlier than PIX Firewall version 6.3(2). The Cisco PIX Firewall drops DNS packets that are sent to User Datagram Protocol (UDP) port 53 that are larger than the configured maximum length. By default, the maximum length for UDP packets is 512 bytes.

To resolve this issue, use any one of the following methods.

Method 1

Contact the firewall vendor to determine how to permit UDP packets that are larger than 512 bytes through the firewall.

For update instruction and for information about how to resolve this problem, visit the following Cisco Systems Web site:

For information about your hardware manufacturer, visit the following Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Method 2

Turn off EDNS0 functionality on the Windows Server 2003 server. To do so, at the command prompt, type:

To work around this issue, turn off the EDNS0 feature in Windows Server 2003. To do this, follow these steps:

1. Install the Dnscmd.exe program from the Windows Server 2003 Support Tools. To install the Windows Support Tools, right-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD-ROM, and then click Install. Follow the steps in the Windows Support Tools Setup Wizard to complete the installation of the Windows Support Tools.
2. At a command prompt, type dnscmd /config /enableednsprobes 0 , and then press ENTER.

Note Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.

The original DNS restriction for UDP packet size is defined in RFC 1035, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION." For more information about RFC 1035, visit the following Internet Engineering Task Force (IETF) Web site:For more information about RFC 2671 and EDNS0, visit the following Internet Engineering Task Force (IETF) Web site:For more information about EDNS0 support in Windows Server 2003, visit the following Microsoft Web site: The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.