Windows 2003: The EDNS0 enigma

During a migration to Windows 2003 Server, we upgraded our root domain name server (DNS). Although everything appeared fine, we started receiving complaints about getting to certain sites. Areas of Yahoo, such as mail.yahoo.com and finance.yahoo.com, seemed to be the biggest issue. At first, it looked like Yahoo was unresponsive to queries. However, we found host records to other sites were resolving properly, but their MX records were not. This meant that e-mail was not routing!

As a means of troubleshooting, we double-checked all our DNS configurations. Everything looked fine. As a second step, we gathered network traces to find out what was going on. The traces showed packets leaving the root DNS server, destined for Yahoo, but showed no replies returning.

The problem here is that Windows 2003 enables Extension Mechanisms for DNS (EDNS0 as defined in RFC 2671), a standard introduced in 1999, by default. EDNSO allows requestors to advertise their EDNS0 capabilities, hence receiving UDP packets larger than 512 bytes.

While this in itself is not problematic, some firewalls do not allow UDP packets larger than 512 bytes. This explains why the network traces showed nothing returning! Our DNS servers were sending out packets advertising themselves as capable of EDNS0, and our firewalls were dropping the responses. Turning off EDNS0 support allowed all queries to work as expected.

If you're experiencing the same issue or planning an upgrade of your own, this command will disable this enabled-by-default feature:

dnscmd ServerName /Config /EnableEDnsProbes 0

Sources and other information:

• Learn about the Request for Comment on EDNS0
• Read Microsoft's article on how to turn off EDNS0
• Find out about the EDNS0 process

Comments, suggestions and corrections are welcome at: marcus_oh@bellsouth.net.

ABOUT THE AUTHOR: Marcus Oh works for Cox Communications, Inc. in Alpharetta, GA., deploying MOM for 250+ servers, rolling out SMS 2003 and Windows 2003, and supporting the company's directory services infrastructure.

This article first appeared in myITforum, the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. The centerpiece of myITforum.com is a collection of member forums where IT professionals actively exchange technical tips, share their expertise, and download utilities that help them better manage their Windows environments, specifically Microsoft Systems Management Server (SMS). It is part of the TechTarget network of Web sites. To register for the site and sign up for the myITforum daily newsletter, click here: http://myitforum.techtarget.com/registration/form.asp?user=0.

Rate this Tip To rate tips, you must be a member of SearchWinIT.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.