Windows 2003 DNS Problem with Cisco PIX Firewall

Microsoft's Windows Server 2003 DNS now sends and accepts UDP DNS packets larger than 512 bytes. When a 2003 server is asked to look up the MX records for earthlink.net (as an example), the large number of MX records returned in a single UDP reply is sometimes larger than 512 bytes. The Cisco PIX firewall, in versions below v6.3, does not allow DNS messages larger than 512 bytes and therefore drops the reply. Other firewalls may do the same, as DNS responses of that size were unusual before EDNS.

The dropped MX replies cause mail servers to fail when sending to any domain that publishes a large number of mail exchangers. Earthlink and AOL are examples.

RFC 2671 (Extension Mechanisms for DNS, EDNS0) lets a resolver advertise that it accepts UDP replies larger than 512 bytes. Because the Windows 2003 server advertises this, the remote DNS server returns the whole answer in one large UDP datagram rather than a truncated (TC) reply, and when the firewall drops that datagram the query simply times out. The TCP retry that earlier Windows NT-based versions (including Windows 2000) performed was triggered by the truncated reply, so if your firewall cannot pass these packets, Windows Server 2003 DNS does not fall back to TCP. To disable the Extended DNS (EDNS0) feature, eliminating UDP packets larger than 512 bytes:
An alternative is to upgrade the firewall software to a version that supports UDP DNS packets larger than 512 bytes.
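The following probe is an added example and is not code from the original Network Partners page, nor from Microsoft or Cisco. It builds a raw MX query for a name both without and with an EDNS0 OPT pseudo-record (RFC 2671), classifies the reply by header flags and size, and implements the TC-bit TCP retry that the page says Windows Server 2003 DNS no longer reaches once EDNS0 is in use. The advertised buffer size of 4096 and the transaction ID are assumptions, not values taken from the page; the build and parse functions work on bytes alone, so network access is only needed for the command-line run.

```python
"""Probe whether a firewall passes UDP DNS replies larger than 512 bytes.

Added diagnostic example; not code from the original page, Microsoft or
Cisco.  The EDNS0 buffer size (4096) and the fixed transaction ID are
assumptions for illustration.
"""
import socket
import struct

TYPE_MX = 15
TYPE_OPT = 41
CLASS_IN = 1
FLAG_TC = 0x0200           # "truncated" bit in the DNS header flags
EDNS_UDP_SIZE = 4096       # assumed advertised UDP payload size


def encode_name(name):
    """Encode "earthlink.net" as DNS labels: \\x09earthlink\\x03net\\x00."""
    out = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return out + b"\x00"


def build_query(name, qtype=TYPE_MX, txid=0x1234, edns_udp_size=None):
    """Build a recursive query.  With edns_udp_size set, append an OPT
    record (root name, TYPE=41, CLASS=advertised UDP payload size,
    TTL=0, RDLENGTH=0) so the server may answer in one large datagram."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Return (txid, flags, qdcount, ancount, nscount, arcount)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack("!HHHHHH", msg[:12])


def is_truncated(msg):
    """True when the server set TC: the UDP reply was cut at its limit."""
    return bool(parse_header(msg)[1] & FLAG_TC)


def classify_reply(query, reply):
    """Summarise a reply relative to the query that produced it."""
    if reply is None:
        return "timeout"                  # what a dropped large reply looks like
    txid, flags = parse_header(reply)[:2]
    if txid != parse_header(query)[0]:
        return "txid-mismatch"
    if flags & FLAG_TC:
        return "truncated"
    return "large-udp" if len(reply) > 512 else "ok"


def send_udp(server, msg, timeout=3.0):
    """One UDP exchange; None on timeout (a firewall drop is indistinguishable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP DNS connection closed early")
        data += chunk
    return data


def send_tcp(server, msg, timeout=3.0):
    """DNS over TCP: two-byte length prefix on both query and reply."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve(server, name, edns_udp_size=None):
    """UDP first; on a TC reply, retry over TCP as RFC 1035 resolvers do."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    reply = send_udp(server, query)
    verdict = classify_reply(query, reply)
    if verdict == "truncated":
        reply = send_tcp(server, query)
        verdict = "tcp-fallback"
    return verdict, reply


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]
    for size in (None, EDNS_UDP_SIZE):
        verdict, reply = resolve(server, name, size)
        got = 0 if reply is None else len(reply)
        print(f"EDNS0 size {size}: {verdict}, reply {got} bytes")
```

Run it from the affected network as `python dns_probe.py <dns-server> earthlink.net`. A "truncated" or "tcp-fallback" result on the plain run paired with "timeout" on the EDNS0 run is the signature of a firewall that drops UDP DNS replies over 512 bytes; "large-udp" on the EDNS0 run means the path passes them. For the fix itself, which the page does not spell out, Microsoft's documented switch is `dnscmd /Config /EnableEDnsProbes 0` (the EnableEDnsProbes value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters), followed by a restart of the DNS Server service; on PIX 6.3 the corresponding knob is `fixup protocol dns maximum-length 4096`, which raises the 512-byte limit the DNS fixup enforces by default.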
Copyright 1993-2006 Network Partners, Inc. All rights reserved