
Symptoms

After you deploy a Windows-based DNS server, DNS queries to some domains may not be resolved successfully.

Cause

This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server DNS.

EDNS0 allows larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not allow UDP packets that are larger than 512 bytes. Therefore, these DNS packets may be blocked by the firewall.

Resolution

To resolve this issue, update the firewall program to recognize and allow UDP packets that are larger than 512 bytes. For more information about how to do this, contact the manufacturer of your firewall program. 

For information about your hardware manufacturer, go to the following Microsoft website:

http://support.microsoft.com/gp/vendors/en-us

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Workaround

To work around this issue, turn off the EDNS0 feature on Windows-based DNS servers. To do this, take the following action:

  • At a command prompt, type the following command, and then press Enter:

    dnscmd /config /enableednsprobes 0

    Note Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.

    The following information appears:

    Registry property enableednsprobes successfully reset.
    Command completed successfully.

Note Dnscmd.exe is installed on all Windows-based DNS servers except servers that are running Windows Server 2003 or Windows Server 2003 R2. You can install Dnscmd.exe from the Windows Server 2003 Support Tools. To download the Windows Server 2003 Support Tools, click the following Microsoft Download Center link:

http://www.microsoft.com/en-us/download/details.aspx?id=15326

More Information

Some firewalls contain features to check certain parameters of the DNS packet. These firewall features may enforce that the DNS response is smaller than 512 bytes. If you capture the network traffic for an unsuccessful DNS lookup, you may notice that the DNS request uses EDNS0. Frames that resemble the following do not receive a reply:

Additional records
<Root>: type OPT, class unknown
Name: <Root>
Type: EDNS0 option
UDP payload size: 1280

In this scenario, the firewall may drop all EDNS0-extended UDP frames.
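The OPT pseudo-record shown in the capture above is what a firewall that only understands classic 512-byte DNS reacts to. The following Python script is an added diagnostic example (not part of this article and not Microsoft code) that builds a DNS query with and without an EDNS0 OPT record (RFC 6891 wire format), parses the additional section of a message to report whether an OPT record is present and what UDP payload size it advertises, and optionally sends both variants to a resolver so that "EDNS0 query times out, plain query answers" can be confirmed before touching firewall or server settings. The resolver address, the query name and the sample response bytes are constructed assumptions for illustration.

```python
import socket
import struct

OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record


def build_query(qname, qtype=1, edns_payload=None, txid=0x1234):
    """Build a DNS query for qname; if edns_payload is set, append an OPT
    record in the additional section advertising that UDP payload size."""
    arcount = 1 if edns_payload else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack(">HH", qtype, 1)  # class IN
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode/version/DO/Z (all zero here), RDLENGTH=0
        opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_payload, 0, 0)
    return header + question + opt


def parse_name(buf, off):
    """Decode a (possibly compressed) domain name; return (name, end offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def edns_info(msg):
    """Return details of the OPT record in the additional section, or None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns and rtype == OPT_TYPE and name == ".":
            return {"payload": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return None


def exceeds_classic_udp(msg):
    """True if a message is larger than the 512-byte limit of pre-EDNS DNS."""
    return len(msg) > 512


def build_sample_response(query, payload=1280):
    """Constructed response for testing offline: echoes the question, adds
    one A record (192.0.2.1, documentation range) and an OPT record."""
    txid = struct.unpack(">H", query[:2])[0]
    _, qend = parse_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, payload, 0, 0)
    return header + question + answer + opt


def probe(server, qname, edns_payload=None, timeout=3.0):
    """Send one UDP query and return the raw reply, or None if nothing came
    back before the timeout (the symptom of a dropped EDNS0 frame)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, edns_payload=edns_payload), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    # Offline demonstration on constructed data; to test a live path, call
    # probe("<resolver ip>", "<name>", 1280) and probe("<resolver ip>", "<name>")
    q = build_query("example.com", edns_payload=1280)
    print("query advertises:", edns_info(q))
    print("response advertises:", edns_info(build_sample_response(q)))
```

If `probe(server, name, 1280)` returns None while `probe(server, name)` returns a reply, the path between the server and the resolver is dropping EDNS0-extended frames, which is the scenario this article describes; the fix is then the firewall update under Resolution, with the dnscmd setting as the interim workaround.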
