7/10/2004

Windows 2003::DNS


Interesting contribution to MyITForum:

FEATURED ARTICLE:
---------------------------------------------------------------------
Windows Server 2003: The EDNS0 enigma
by Marcus Oh, Contributor myITforum.com

During a migration to Windows Server 2003, we upgraded our root
domain name server (DNS). Although everything appeared fine, we
started receiving complaints about getting to certain sites. Areas of
Yahoo, such as mail.yahoo.com and finance.yahoo.com, seemed to be the
biggest issue. At first, it looked like Yahoo was unresponsive to
queries. However, we found host records to other sites were resolving
properly, but their MX records were not. This meant that e-mail was
not routing!

As a means of troubleshooting, we double-checked all our DNS
configurations. Everything looked fine. As a second step, we gathered
network traces to find out what was going on. The traces showed
packets leaving the root DNS server, destined for Yahoo, but showed
no replies returning.

The problem here is that Windows 2003 enables Extension Mechanisms
for DNS (EDNS0 as defined in RFC 2671), a standard introduced in
1999, by default. EDNS0 allows requestors to advertise their EDNS0
capabilities, hence receiving UDP packets larger than 512 bytes.

While this in itself is not problematic, some firewalls do not allow
UDP packets larger than 512 bytes. This explains why the network
traces showed nothing returning! Our DNS servers were sending out
packets advertising themselves as capable of EDNS0, and our firewalls
were dropping the responses. Turning off EDNS0 support allowed all
queries to work as expected.

If you're experiencing the same issue or planning an upgrade of your
own, this command will disable this enabled-by-default feature:

dnscmd ServerName /Config /EnableEDnsProbes 0


Good to know!
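As an added diagnostic example (not part of the quoted article or the blog post), the Python script below builds the same DNS query twice, once plain and once carrying the EDNS0 OPT pseudo-record from RFC 2671, and sends both to a resolver: a reply to the plain query but a timeout on the EDNS0 one is exactly the symptom the article describes. The server address is a placeholder from the documentation range; the helper `advertised_udp_size` also lets you confirm what payload size a captured query or response advertises.

```python
import socket
import struct

DNS_TYPE_MX = 15
DNS_TYPE_OPT = 41  # EDNS0 pseudo-RR type (RFC 2671)

def build_query(name, qtype=DNS_TYPE_MX, edns_udp_size=None, txid=0x1234):
    """Build a DNS query; append an OPT RR advertising edns_udp_size if given."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return packet

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(pkt):
    """UDP payload size advertised by an OPT RR in the message, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None

def probe(server, name, timeout=2.0):
    """Send the query plain and with EDNS0; map each variant to reply length or None."""
    results = {}
    for variant, size in (("plain", None), ("edns0", 4096)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_udp_size=size), (server, 53))
            data, _ = sock.recvfrom(65535)
            results[variant] = len(data)  # >512 bytes is only possible via EDNS0
        except socket.timeout:
            results[variant] = None  # no reply: the dropped-response symptom
        finally:
            sock.close()
    return results

if __name__ == "__main__":
    print(probe("192.0.2.53", "yahoo.com"))  # placeholder resolver address
```

A result like `{'plain': 130, 'edns0': None}` means the resolver answered the ordinary query but nothing came back for the EDNS0 one, which is the firewall behaviour described above.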
