Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

DNS query responses do not travel through a firewall in Windows Server 2003


View products that this article applies to.

Symptoms

A Microsoft Windows Server 2003-based computer may not receive DNS query responses through a firewall.

Some queries, such as queries for A records, work as expected. Queries for MX records may fail. Domains with this issue include AOL.com, Qwest.net, and EarthLink.net.

The sender of an e-mail may receive a Non Delivery Reciept (NDR) with the error message that is similar to the following:
The following recipient(s) could not be reached: user@earthlink.net on (Date Time) There was a SMTP communication problem with the recipient's email server. Please contact your system administrator. <(Domain.com) #5.5.0 smtp;550-EarthLink does not recognize your computer (xx.xx.xxx.xxx) as connecting from an EarthLink connection. If this is in error, please contact technical support.>

↑ Back to the top


Cause

This issue may occur if a firewall blocks the transfer of UDP packets that are larger than 512 bytes.

With Extension Mechanisms for DNS (EDNS0) as defined in RFC 2671, "Extension Mechanisms for DNS (EDNS0)," DNS requestors can advertise UDP packet size and transfer packets larger than 512 bytes. By default, some firewalls have security features turned on that block UDP packets that are larger than 512 bytes. As a result, DNS queries may fail.

This problem also may occur on some Cisco PIX Firewall models with software that is earlier than PIX Firewall version 6.3(2). The Cisco PIX Firewall drops DNS packets that are sent to User Datagram Protocol (UDP) port 53 that are larger than the configured maximum length. By default, the maximum length for UDP packets is 512 bytes.

↑ Back to the top


Resolution

To resolve this issue, use any one of the following methods.

Method 1

Contact the firewall vendor to determine how to permit UDP packets that are larger than 512 bytes through the firewall.

For update instruction and for information about how to resolve this problem, visit the following Cisco Systems Web site:

For information about your hardware manufacturer, visit the following Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Method 2

Turn off EDNS0 functionality on the Windows Server 2003 server. To do so, at the command prompt, type:
dnscmd Server Name/Config /EnableEDnsProbes 0

↑ Back to the top


Workaround

To work around this issue, turn off the EDNS0 feature in Windows Server 2003. To do this, follow these steps:
  1. Install the Dnscmd.exe program from the Windows Server 2003 Support Tools. To install the Windows Support Tools, right-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD-ROM, and then click Install. Follow the steps in the Windows Support Tools Setup Wizard to complete the installation of the Windows Support Tools.
  2. At a command prompt, type dnscmd /config /enableednsprobes 0 , and then press ENTER.
Note Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.

↑ Back to the top


More information

The original DNS restriction for UDP packet size is defined in RFC 1035, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION." For more information about RFC 1035, visit the following Internet Engineering Task Force (IETF) Web site:For more information about RFC 2671 and EDNS0, visit the following Internet Engineering Task Force (IETF) Web site:For more information about EDNS0 support in Windows Server 2003, visit the following Microsoft Web site: The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

↑ Back to the top


Keywords: KB828263, kbprb

↑ Back to the top

Article Info
Article ID : 828263
Revision : 14
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 521