PC Review



2003 DNS Server issue that isn't present using 2000 DNS Server

 
 
ec
 
      22nd Apr 2004
Ok, here is one I haven't seen before. I have DNS configured in my 2003 AD
Domain on two servers. All of my Domain DNS functions work perfectly, no
problems. My clients get IPs via DHCP, and are pointed at my two internal
DNS servers. Those 2 servers are Windows 2003, and are configured to forward
to my 2 ISP DNS servers. Internet resolution is working fine. I started
noticing an issue on my Exchange server when a few queues were filling up
undelivered to certain domains such as ibm.com, sprintmail.com, and
earthlink.net. I did nslookup on these domains on the DNS servers, no
problems. However, if I "set type=mx", it will time out, which explains why
the Exchange server can't get the mail server IP for those domains. I did a
sniff, and saw my DNS server sending packets 1st to the ISP DNS, then to
the root servers asking for the mx. No replies came in from either. Keep in
mind this is only happening on a few Domains so far. I can run nslookup set
type=mx on HUNDREDS of Domains with no problem. Exchange is sending and
receiving mail with most Domains. So far just the three I mentioned
aren't getting resolved. Here is the stranger part! If I install DNS for a
test real quick on one of my Windows 2000 servers, and run the same test, no
problem! The ISP DNS immediately returns back an answer. I even gave the 2k
box the same IP as the 2003 DNS box temporarily to make sure some filtering
wasn't happening upstream on a firewall or router. I have 4 2003 servers and
installed DNS on the other 2 that weren't already, SAME PROBLEM! So, the issue
seems to be with 2003 only. Why on Earth would MX lookups work fine for most
Domains but not those 3? ( so far ). Remember, I can pull other records ( A,
SoA are retrieved fine ) I am lost on this one. Anyone?


 
 
 
 
 
Kevin D. Goodknecht [MVP]
 
      22nd Apr 2004
In news:sOFhc.26733$L75.12532@fed1read06,
ec <(E-Mail Removed)> posted a question
Then Kevin replied below:


Most likely, it's your firewall; it probably doesn't support EDNS0
extensions (UDP packets over 512 bytes). Many firewalls reject these packets.
They tend to be from domains with multiple MX records.
828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default...b;en-us;828731

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================


 
 
Ace Fekay [MVP]
 
      22nd Apr 2004
In news:sOFhc.26733$L75.12532@fed1read06,
ec <(E-Mail Removed)> posted their thoughts, then I offered mine



You may need to disable EDNS0 support on the new W2k3 servers since not all
routers are up to date to support this feature. Otherwise, update the routers
to their latest IOS.

Here's more info on it:

828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/?id=828263

828731 - An External DNS Query May Cause an Error Message in Windows Server
2003 (and how to disable it):
http://support.microsoft.com/?id=828731

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================


 
 
ec
 
      22nd Apr 2004

"Kevin D. Goodknecht [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...


I'll check the PIX. However, this works on the Win2000 DNS server on those
Domains. Thanks for the tip.


 
 
ec
 
      22nd Apr 2004

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...


You both hit the nail right on the head. I am sure it will work since that's
my exact problem. I'll post again tomorrow after I implement the change. My
PIX 515E runs 6.3 code, but I'll just turn off the feature on the DNS
servers. Why did MS implement this? 2000 worked fine :P Thanks again you
two.


 
 
Deji Akomolafe
 
      22nd Apr 2004
It was a mistake. This will no longer be the default behavior anymore, from
what I hear.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
ec
 
      22nd Apr 2004

"Kevin D. Goodknecht [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...


One other question... if the packet is FROM those Domains with large amounts
of MX records... why does it work with that setting turned off? What "extra
data" am I missing?


 
 
Ace Fekay [MVP]
 
      22nd Apr 2004
In news:OKCo0%(E-Mail Removed),
Deji Akomolafe <(E-Mail Removed)> posted their thoughts, then
I offered mine
> It was a mistake. This will no longer be the default behavior
> anymore, from what I hear.
>
>
> Dèjì Akómöláfé, MCSE MCSA MCP+I



As I heard as well.

Just to add, it was meant for efficiency.


--
Regards,
Ace
