2003 DNS Server issue that isn't present using 2000 DNS Server

ec

Ok, here is one I haven't seen before. I have DNS configured in my 2003 AD
Domain on two servers. All of my Domain DNS functions work perfectly, no
problems. My clients get IPs via DHCP, and are pointed at my two internal
DNS servers. Those 2 servers are Windows 2003, and are configured to forward
to my 2 ISP DNS servers. Internet resolution is working fine. I started
noticing an issue on my Exchange server when a few queues were filling up,
undelivered to certain domains such as ibm.com, sprintmail.com, and
earthlink.net. I did nslookup on these domains on the DNS servers, no
problems. However, if I "set type=mx", it will time out, which explains why
the Exchange server can't get the mail server IP for those domains. I did
a sniff, and saw my DNS server sending packets 1st to the ISP DNS, then to
the root servers asking for the MX. No replies came in from either. Keep in
mind this is only happening on a few Domains so far. I can run nslookup set
type=mx on HUNDREDS of Domains with no problem. Exchange is sending and
receiving mail with most Domains. So far just the three I mentioned
aren't getting resolved. Here is the stranger part! If I install DNS for a
test real quick on one of my Windows 2000 servers, and run the same test, no
problem! The ISP DNS immediately returns an answer. I even gave the 2k
box the same IP as the 2003 DNS box temporarily to make sure some filtering
wasn't happening upstream on a firewall or router. I have 4 2003 servers and
installed DNS on the other 2 that weren't already; SAME PROBLEM! So, the issue
seems to be with 2003 only. Why on Earth would MX lookups work fine for most
Domains but not those 3 (so far)? Remember, I can pull other records (A and
SOA are retrieved fine). I am lost on this one. Anyone?
 
Kevin D. Goodknecht [MVP]

ec said:
[snip]

Most likely it's your firewall; it probably doesn't support EDNS0
extensions (UDP packets over 512 bytes). Many firewalls reject these packets.
They tend to be from domains with multiple MX records.
828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731
 
Ace Fekay [MVP]

ec said:
[snip]


You may need to disable EDNS0 support on the new W2k3 servers since not all
routers are up to date to support this feature. Otherwise, update the routers
to their latest IOS.

Here's more info on it:

828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/?id=828263

828731 - An External DNS Query May Cause an Error Message in Windows Server
2003 (and how to disable it):
http://support.microsoft.com/?id=828731

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
ec

Kevin D. Goodknecht said:

Most likely it's your firewall; it probably doesn't support EDNS0
extensions (UDP packets over 512 bytes). Many firewalls reject these packets.
They tend to be from domains with multiple MX records.
828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731

I'll check the PIX. However, this works on the Win2000 DNS server on those
Domains. Thanks for the tip.
 
ec

"Ace Fekay [MVP]" said:
[snip]

You both hit the nail right on the head. I am sure it will work since that's
my exact problem. I'll post again tomorrow after I implement the change. My
PIX 515E runs 6.3 code, but I'll just turn off the feature on the DNS
servers. Why did MS implement this? 2000 worked fine :p Thanks again you
two.
 
Deji Akomolafe

It was a mistake. This will no longer be the default behavior anymore, from
what I hear.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
ec

Kevin D. Goodknecht said:

Most likely it's your firewall; it probably doesn't support EDNS0
extensions (UDP packets over 512 bytes). Many firewalls reject these packets.
They tend to be from domains with multiple MX records.
828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731

One other question... if the packet is FROM those Domains with large amounts
of MX records... why does it work with that setting turned off? What "extra
data" am I missing?
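Kevin's and Ace's replies describe the mechanism (an EDNS0 OPT record lets the resolver advertise a UDP payload larger than the classic 512 bytes, and a firewall that only knows RFC 1035 drops the oversized reply), and the follow-up question above asks why the Windows 2000 server still gets an answer. The script below is an added example written for this edit, not code from the thread, from Microsoft, or from any of the posters. It builds a constructed MX query with and without an EDNS0 OPT record, a constructed 20-record MX reply for a made-up domain, and applies the standard RFC 1035 rule a server uses for a client that advertises no EDNS0: a reply that does not fit in 512 bytes is cut back to the header and question with the TC (truncated) bit set, and the client retries over TCP. The domain name, host names and buffer size are assumptions.

```python
import struct

TYPE_MX = 15
TYPE_OPT = 41            # EDNS0 OPT pseudo-RR (RFC 2671)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 ceiling for a DNS reply over UDP without EDNS0
TC_FLAG = 0x0200         # "truncated" bit in the DNS header flags


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name at 'off', handling compression pointers."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # a 2-byte pointer ends the name
            return off + 2
        off += 1 + ln


def build_query(name, qtype=TYPE_MX, txid=0x1234, edns_bufsize=None):
    """Constructed MX query. With edns_bufsize the additional section carries an
    OPT RR advertising that UDP payload size (what the 2003 server does by default);
    without it the query looks like the Windows 2000 server's."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def build_mx_response(query, mx_hosts, ttl=3600):
    """Constructed answer to 'query': one MX RR per host, owner name compressed
    with a pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(mx_hosts), 0, 0) + query[12:qend]
    for pref, host in enumerate(mx_hosts, start=10):
        rdata = struct.pack("!H", pref) + encode_name(host)
        pkt += struct.pack("!H", 0xC00C) + struct.pack("!HHIH", TYPE_MX, 1, ttl, len(rdata)) + rdata
    return pkt


def edns_payload_size(pkt):
    """UDP payload size advertised by an OPT RR in the datagram, or None if it has no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    size = None
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            size = rclass
    return size


def is_truncated(pkt):
    return bool(struct.unpack("!H", pkt[2:4])[0] & TC_FLAG)


def classify_datagram(pkt):
    """What a packet filter that knows only RFC 1035 would see in this datagram."""
    return {"bytes": len(pkt), "edns_payload": edns_payload_size(pkt),
            "over_512": len(pkt) > CLASSIC_UDP_LIMIT}


def response_for_client(full_response, client_payload_size):
    """Standard server behaviour: send the whole reply over UDP only if it fits the
    client's limit (512 unless EDNS0 says otherwise); otherwise return header plus
    question with TC=1 so the client retries over TCP."""
    if len(full_response) <= client_payload_size:
        return full_response
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", full_response[:12])
    qend = 12
    for _ in range(qd):
        qend = skip_name(full_response, qend) + 4
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0) + full_response[12:qend]


if __name__ == "__main__":
    hosts = ["mx%02d.example.net" % i for i in range(20)]   # constructed many-MX domain
    full = build_mx_response(build_query("example.net", edns_bufsize=4096), hosts)
    print("EDNS0 client receives:", classify_datagram(response_for_client(full, 4096)))
    classic = response_for_client(full, CLASSIC_UDP_LIMIT)
    print("classic client receives:", classify_datagram(classic), "truncated:", is_truncated(classic))
```

Running it shows the contrast the thread is about: the EDNS0-advertising query gets the whole 669-byte MX answer in one UDP datagram, which is the packet a 512-byte-only firewall drops, while the query without an OPT record gets a 29-byte truncated reply and fetches the full answer over TCP port 53, which the firewall passes. So the "extra data" is not anything the 2000 server lacks; it is the same record set arriving by a different transport. The server-side knob the linked KB 828731 describes is the EnableEDNSProbes setting (dnscmd /Config /EnableEDNSProbes 0), which makes the 2003 server query like the 2000 one; fixing the firewall to pass large UDP DNS replies is the alternative Kevin and Ace mention.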
 
Ace Fekay [MVP]

Deji Akomolafe said:
It was a mistake. This will no longer be the default behavior
anymore, from what I hear.

As I heard as well.

Just to add, it was meant for efficiency.


--
Regards,
Ace
 