Windows 2003 DNS Problem with Cisco PIX Firewall

Microsoft's Windows Server 2003 DNS now sends and accepts UDP packets greater than 512 bytes.  When a 2003 server is asked to look up the DNS MX records for earthlink.net (as an example), the large number of MX records returned in a single UDP packet sometimes exceeds 512 bytes.  The Cisco PIX firewall, in versions below v6.3, does not allow DNS responses greater than 512 bytes and therefore drops the DNS packet.  Other firewalls may do the same thing, as it is unusual to see DNS response packets of that size.

The DNS MX problem causes email servers to fail when sending messages to any site that publishes a large number of email servers.  Earthlink and AOL are examples.

RFC 2671 allows UDP packets greater than 512 bytes.  If your firewall cannot pass these packets, Windows Server 2003 DNS does not fall back to TCP the way previous versions of Windows NT-based operating systems (including Windows 2000) did, so the lookup simply fails.

To disable the Extended DNS (EDNS0) feature, eliminating the UDP packets greater than 512 bytes:

  1. Install the Windows Server 2003 Support Tools from the CD-ROM.
  2. Open a CMD prompt.
  3. Type dnscmd /Config /EnableEDnsProbes 0 and press Enter.

An alternative is to upgrade the firewall software to a version that does support UDP DNS packets greater than 512 bytes.

Copyright 1993-2006 Network Partners, Inc. All rights reserved