An external DNS query may cause an error message in Windows Server 2003

When a computer that is running Microsoft Windows Server 2003 makes an external DNS query, you may receive one of the following error messages:

Cause #1

This problem may occur on some Cisco PIX Firewall models with software that is earlier than PIX Firewall version 6.3(2). The Cisco PIX Firewall drops DNS packets sent to User Datagram Protocol (UDP) port 53 that are larger than the configured maximum length. By default, the maximum length for UDP packets is 512 bytes.

Cause #2

This problem may occur if the external DNS server does not support Extension Mechanisms for DNS (EDNS0) or if a firewall exists between your server and the external DNS server. DNS servers that do not support EDNS0 cannot process EDNS0 data, and this behavior causes the query to fail. Some firewalls may drop the EDNS0 packets that are sent by servers that support EDNS0, or may drop UDP packets that are larger than 512 bytes that are sent by servers that support EDNS0.

Workaround #1

To resolve this problem, visit the following Cisco Systems Web site for information and update instructions:

Workaround #2

To work around this problem, turn off EDNS0 support in Windows Server 2003. To do this, follow these steps:

1. Start a command prompt.
2. Type dnscmd /Config /EnableEDnsProbes 0, and then press ENTER.

For more information about Extension Mechanisms for DNS, visit the following Microsoft Web site:For more information about Cisco Systems visit the following Web site: The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products. Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.