DNS query responses do not travel through a firewall in Windows Server 2003

Article ID:828263
Last Review:October 30, 2006
Revision:10.2

SYMPTOMS

A Microsoft Windows Server 2003-based computer may not receive DNS query responses through a firewall.

Some queries, such as queries for A records, work as expected. Queries for MX records may fail. Domains with this issue include AOL.com, Qwest.net, and EarthLink.net.

The sender of an e-mail message may receive a Non-Delivery Receipt (NDR) with an error message that is similar to the following:
The following recipient(s) could not be reached: user@earthlink.net on (Date Time) There was a SMTP communication problem with the recipient's email server. Please contact your system administrator. <(Domain.com) #5.5.0 smtp;550-EarthLink does not recognize your computer (xx.xx.xxx.xxx) as connecting from an EarthLink connection. If this is in error, please contact technical support.>

CAUSE

This issue may occur if a firewall blocks the transfer of UDP packets that are larger than 512 bytes.

With Extension Mechanisms for DNS (EDNS0), as defined in RFC 2671, "Extension Mechanisms for DNS (EDNS0)," DNS requestors can advertise the UDP packet size they accept and transfer packets larger than 512 bytes. By default, some firewalls have security features turned on that block UDP packets larger than 512 bytes. As a result, DNS queries may fail.

This problem may also occur on some Cisco PIX Firewall models that run software earlier than PIX Firewall version 6.3(2). The Cisco PIX Firewall drops DNS packets that are sent to User Datagram Protocol (UDP) port 53 and that are larger than the configured maximum length. By default, the maximum length for UDP packets is 512 bytes.
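As an added illustration that is not part of this Knowledge Base article, the following Python code builds an MX query with and without the EDNS0 OPT pseudo-RR described above, reads back the UDP payload size the OPT record advertises, and flags whether a UDP response of a given length would exceed the 512-byte maximum such a firewall enforces. The domain name, transaction ID and buffer size are constructed sample values.

```python
import struct

RFC1035_UDP_LIMIT = 512   # classic maximum UDP DNS message size (RFC 1035)
TYPE_MX, TYPE_OPT = 15, 41

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, edns_udp_size=None, txid=0x1234):
    """Build a DNS query; with edns_udp_size set, append the EDNS0 OPT pseudo-RR (RFC 2671)."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)       # class IN
    opt = b""
    if arcount:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = 0, RDLENGTH 0
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer occupies 2 bytes
            return off + 2
        off += length + 1

def advertised_udp_size(msg):
    """UDP payload size the sender advertises via EDNS0, or 512 when no OPT RR is present."""
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return RFC1035_UDP_LIMIT

def blocked_by_firewall(response_len, firewall_max=RFC1035_UDP_LIMIT):
    return response_len > firewall_max   # dropped when larger than the firewall's UDP maximum

# Constructed sample: the same MX query with EDNS probes on (4096-byte buffer) and off (no OPT RR).
EDNS_QUERY = build_query("earthlink.net", TYPE_MX, edns_udp_size=4096)
PLAIN_QUERY = build_query("earthlink.net", TYPE_MX)
```

A capture of the server's outgoing queries run through advertised_udp_size shows whether the server still advertises a buffer above 512 bytes after the change in Method 2 has been applied.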

RESOLUTION

To resolve this issue, use any one of the following methods.

Method 1

Contact the firewall vendor to determine how to permit UDP packets that are larger than 512 bytes through the firewall.

For update instructions and for information about how to resolve this problem, visit the following Cisco Systems Web site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html


For information about how to contact a specific firewall vendor, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
65416 (http://support.microsoft.com/kb/65416/) Hardware and software vendor contact information, A-K

60781 (http://support.microsoft.com/kb/60781/) Hardware and software vendor contact information, L-P

60782 (http://support.microsoft.com/kb/60782/) Hardware and software vendor contact information, Q-Z


Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Method 2

Turn off EDNS0 functionality on the Windows Server 2003 server. To do so, at the command prompt, type the following command, where ServerName is the name of the DNS server:
dnscmd ServerName /Config /EnableEDnsProbes 0

WORKAROUND

To work around this issue, turn off the EDNS0 feature in Windows Server 2003. To do this, follow these steps:
1. Install the Dnscmd.exe program from the Windows Server 2003 Support Tools. To install the Windows Support Tools, right-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD-ROM, and then click Install. Follow the steps in the Windows Support Tools Setup Wizard to complete the installation of the Windows Support Tools.
2. At a command prompt, type dnscmd /config /enableednsprobes 0, and then press ENTER.
Note Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.

MORE INFORMATION

The original DNS restriction for UDP packet size is defined in RFC 1035, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION." For more information about RFC 1035, visit the following Internet Engineering Task Force (IETF) Web site:
http://www.ietf.org/rfc/rfc1035.txt
For more information about RFC 2671 and EDNS0, visit the following Internet Engineering Task Force (IETF) Web site:
http://www.ietf.org/rfc/rfc2671.txt
For more information about EDNS0 support in Windows Server 2003, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/d86401b2-8bc8-4364-83b4-edb71a7107041033.mspx
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

APPLIES TO
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

Keywords: kbprb KB828263
