Firewalls and DNS query responses may not mix


Serdar Yegulalp
04.19.2004


If you use Windows Server 2003 and Exchange 2003, you may run into a problem when attempting to resolve certain Domain Name System (DNS) query responses through a firewall. Usually the problem appears when you try to send e-mail to certain domains, such as Earthlink.net or AOL.com.

When DNS queries pass through a firewall, the firewall may inspect the DNS packets, which are UDP transmissions, and may block them if they are larger than 512 bytes. This is a standard security feature in many firewalls. However, RFC 2671, "Extension Mechanisms for DNS (EDNS0)," allows DNS requestors to work with UDP packets larger than 512 bytes. Since some ISPs use this feature, DNS responses from those ISPs -- specifically, responses to queries for MX records -- may be blocked if the firewall is set to stop oversized UDP packets.

The problem usually shows up in the form of a Non-Delivery Report with the following format:

'user@earthlink.net' on 4/1/2004 3:00 PM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<exchange.otherdomain.com #5.5.0 smtp;550-- EarthLink does not recognize your computer (xx.xx.xx.xx) as connecting from an EarthLink connection. If this is in error, please contact technical support.>

Because of this, administrators are inclined to believe that the problem may lie with their Exchange configuration, and never suspect DNS as the culprit.
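
To confirm that DNS rather than Exchange is at fault, compare a plain MX query with one that advertises EDNS0 and see which replies arrive. The following Python is an added example, not part of the original tip; the function names, the 4096-byte advertised size and the constructed sample replies are assumptions for illustration.

```python
import socket
import struct

def build_query(name, qtype=15, edns_size=None, txid=0x1234):
    """Build a DNS query (qtype 15 = MX); edns_size appends an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def summarize(resp):
    """Report size, TC (truncated) bit and answer count of a raw DNS reply."""
    flags, _, ancount = struct.unpack("!HHH", resp[2:8])
    return {"size": len(resp), "truncated": bool(flags & 0x0200),
            "answers": ancount, "over_512": len(resp) > 512}

def probe(server, name, edns_size=None, timeout=3.0):
    """Send one MX query over UDP; returns None if no reply arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 15, edns_size), (server, 53))
        try:
            return summarize(s.recvfrom(65535)[0])
        except socket.timeout:
            return None

def diagnose(plain, edns):
    """Compare the plain and EDNS0 results for the same name."""
    if plain is None and edns is None:
        return "no reply to either query: not specific to EDNS0"
    if edns is None:
        return "EDNS0 reply lost: consistent with a firewall dropping DNS UDP over 512 bytes"
    if edns["over_512"]:
        return "large reply received: path passes DNS UDP over 512 bytes"
    return "reply fit in 512 bytes: inconclusive, try a name with a larger MX answer"

if __name__ == "__main__":
    # Constructed replies (header plus padding), standing in for probe() results.
    plain = summarize(struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + b"\x00" * 17)
    big = summarize(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 9, 0, 1) + b"\x00" * 688)
    print(diagnose(plain, None))   # firewall case described in the tip
    print(diagnose(plain, big))    # healthy path
```

Run probe() from the affected server against the resolver it uses, once with edns_size=None and once with edns_size=4096, for a domain whose mail bounces, and pass both results to diagnose().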

There are two ways to get around the problem. One is to modify the firewall to allow large UDP packets. If the firewall is a hardware product, a firmware upgrade may fix the issue; if it's software, the manufacturer may have issued a patch for it.

If the above fails, another way to avoid the problem is to disable use of EDNS0 in Windows 2003. This can be done at the command prompt by typing:

dnscmd <server_name> /Config /EnableEDnsProbes 0

where <server_name> is the internal name or address for the server in question. (To re-enable EDNS0, substitute a 1 for the 0 in the above line.) Note that turning EDNS0 support off only disables its use outbound (i.e., it only prevents your server from making EDNS0 requests to other DNS servers). If another server requests EDNS0 from your server, your server will continue to use it.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
