After you upgrade your Microsoft Windows 2000-based DNS server to Microsoft Windows Server 2003, DNS queries to some domains may not be resolved successfully.
Back to the top
This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS.
ENDS0 permits the use of larger User Datagram Protocol (UDP) packet sizes.
However, some firewall programs may not permit UDP packets that are larger than 512 bytes.
As a result, these DNS packets may be blocked by the firewall.
Back to the top
To resolve this issue, update the firewall program to recognize and permit UDP packets that are larger than 512 bytes. For additional information about how to do this, contact the manufacturer of your firewall program.
For information about how to contact computer hardware and program vendors, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
65416 (http://support.microsoft.com/kb/65416/)
Hardware and Software Third-Party Vendor Contact List, A-K
60781 (http://support.microsoft.com/kb/60781/)
Hardware and Software Third-Party Vendor Contact List, L-P
60782 (http://support.microsoft.com/kb/60782/)
Hardware and Software Third-Party Vendor Contact List, Q-Z
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Back to the top
To work around this issue, turn off the EDNS0 feature in Windows Server 2003. To do this, follow these steps:
| 1. | Install the Dnscmd.exe program from the Windows Server 2003 Support Tools. To install the Windows Support Tools, right-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD-ROM, and then click Install. Follow the steps in the Windows Support Tools Setup Wizard to complete the installation of the Windows Support Tools. |
| 2. | At a command prompt, type the following command, and then press ENTER: dnscmd /config /enableednsprobes 0 Note Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.
The following information appears:Registry property enableednsprobes successfully reset.
Command completed successfully. |
After you run this command, Windows Server 2003 DNS no longer advertises its EDNS0 capabilities.
As a result, the Windows Server 2003 DNS server will not be sent UDP packets that are larger than 512 bytes.
Back to the top
Some firewalls contain features to check certain parameters of the DNS packet. These firewall features may make sure that the DNS response is smaller than 512 bytes.
If you capture the network traffic for an unsuccessful DNS lookup, you may notice that DNS requests EDNS0. Frames that are similar to the following receive no reply:
Additional records
<Root>: type OPT, class unknown
Name: <Root>
Type: EDNS0 option
UDP payload size: 1280 In this scenario, the firewall may drop all EDNS0-extended UDP frames.
Back to the top
Help and Support
