DNS query responses do not travel through a firewall in Windows Server 2003 (828263)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
SYMPTOMS
A Microsoft Windows Server 2003-based computer may not receive DNS query responses through a firewall. Some queries, such as queries for A records, work as expected. Queries for MX records may fail. Domains with this issue include AOL.com, Qwest.net, and EarthLink.net. The sender of an e-mail may receive a Non-Delivery Receipt (NDR) with an error message that is similar to the following:
The following recipient(s) could not be reached:
user@earthlink.net on (Date Time) There was a SMTP communication problem with
the recipient's email server. Please contact your system administrator.
<(Domain.com) #5.5.0 smtp;550-EarthLink does not recognize your computer
(xx.xx.xxx.xxx) as connecting from an EarthLink
connection. If this is in error, please contact technical
support.>
CAUSE
This issue may occur if a firewall blocks the transfer of UDP packets that are larger than 512 bytes.
With Extension Mechanisms
for DNS (EDNS0) as defined in RFC 2671, "Extension Mechanisms for DNS (EDNS0),"
DNS requestors can advertise UDP packet size and transfer packets larger than
512 bytes. By default, some firewalls have security features turned on that
block UDP packets that are larger than 512 bytes. As a result, DNS queries may
fail.
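The EDNS0 behavior described above can be checked on the wire. The following Python is an added example and is not part of the Microsoft article: it builds an MX query with and without the OPT pseudo-RR that advertises a larger UDP payload size, and summarizes a reply (message size, TC bit, advertised EDNS0 size) so you can tell whether responses larger than 512 bytes are reaching the server. The sample response it constructs is made up for testing, not a captured packet, and the 4096-byte advertised size is an assumed value.

```python
import struct
QTYPE_MX = 15
TYPE_OPT = 41  # EDNS0 OPT pseudo-RR, RFC 2671

def encode_name(name):
    # Wire-format a domain name as length-prefixed labels ending in a zero byte.
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def build_query(name, qtype, txid=0x1234, edns_udp_size=None):
    # Header: ID, flags (RD set), QDCOUNT=1, ARCOUNT=1 when an OPT RR is attached.
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL = ext. RCODE/flags, RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg
def skip_name(data, off):
    # Advance past a name, which may end in a compression pointer (RFC 1035 4.1.4).
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
def response_summary(data):
    # Report size, the TC bit and any advertised EDNS0 UDP size, to compare against a 512-byte firewall limit.
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == TYPE_OPT:
            edns = rclass
        off += 10 + rdlen
    return {"size": len(data), "truncated": bool(flags & 0x0200),
            "edns_udp_size": edns, "exceeds_512": len(data) > 512}
def sample_mx_response(rdlen, edns_udp_size=4096):
    # Constructed sample, not a captured packet: one MX answer whose RDATA is just
    # rdlen bytes of padding, plus an OPT RR, to exercise response_summary offline.
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    msg += encode_name("earthlink.net") + struct.pack("!HH", QTYPE_MX, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, 1, 300, rdlen) + b"\x00" * rdlen
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg
```

To check a real path, send the output of build_query over UDP port 53 to the resolver in question and pass the reply to response_summary; a reply that arrives for the plain query but never arrives for the EDNS0 query matches the symptom this article describes.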
This problem also may occur on some Cisco PIX Firewall models
with software that is earlier than PIX Firewall version 6.3(2). The Cisco PIX
Firewall drops DNS packets that are sent to User Datagram Protocol (UDP) port
53 that are larger than the configured maximum length. By default, the maximum
length for UDP packets is 512 bytes.
RESOLUTION
To resolve this issue, use any one of the following methods.
Method 1
Contact the firewall vendor to determine how to permit UDP packets that are larger than 512 bytes through the firewall. For update instructions and for information about how to resolve this problem, visit the following Cisco Systems Web site:
For information about how to contact a specific firewall vendor, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
- 65416 Hardware and software vendor contact information, A-K
- 60781 Hardware and software vendor contact information, L-P
- 60782 Hardware and software vendor contact information, Q-Z
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Method 2
Turn off EDNS0 functionality on the Windows Server 2003 server. To do so, at the command prompt, type:
dnscmd ServerName /Config /EnableEDnsProbes 0
WORKAROUND
To work around this issue, turn off the EDNS0 feature in Windows Server 2003. To do this, follow these steps:
- Install the Dnscmd.exe program from the Windows Server 2003 Support Tools. To install the Windows Support Tools, right-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD-ROM, and then click Install. Follow the steps in the Windows Support Tools Setup Wizard to complete the installation of the Windows Support Tools.
- At a command prompt, type dnscmd /config /enableednsprobes 0, and then press ENTER.
Note: Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.
Modification Type: Major
Last Reviewed: 2/24/2006
Keywords: kbprb KB828263 kbAudITPRO