Firewalls and DNS query responses may not mix


Serdar Yegulalp
04.19.2004

If you use Windows Server 2003 and Exchange 2003, you may run into a problem when attempting to resolve certain Domain Name System (DNS) query responses through a firewall. Usually the problem appears when you try to send e-mail to certain domains, such as Earthlink.net or AOL.com.

When DNS queries pass through a firewall, the firewall may inspect the DNS packets, which are UDP transmissions, and block any that are larger than 512 bytes. This is a standard security feature in many firewalls. However, RFC 2671, "Extension Mechanisms for DNS (EDNS0)," allows DNS requestors to work with UDP packets larger than 512 bytes. Since some ISPs use this feature, DNS responses from those ISPs -- specifically, responses to queries for MX records -- may be blocked if the firewall is set to stop outsized UDP packets.

The problem usually shows up in the form of a Non-Delivery Report with the following format:

'user@earthlink.net' on 4/1/2004 3:00 PM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<exchange.otherdomain.com #5.5.0 smtp;550-- EarthLink does not recognize your computer (xx.xx.xx.xx) as connecting from an EarthLink connection. If this is in error, please contact technical support.>

Because of this, administrators are inclined to believe that the problem may lie with their Exchange configuration, and never suspect DNS as the culprit.
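
One way to check whether DNS is the culprit is to send the same MX query with and without an EDNS0 OPT record and compare the results. The following is an added example, not part of the original tip; the function names are illustrative, and the server address and domain passed to probe() are whatever you choose to test.

```python
import socket
import struct

QTYPE_MX, QTYPE_OPT, CLASS_IN = 15, 41, 1

def build_query(name, edns_size=None, qid=0x1234):
    """Build an MX query; if edns_size is set, append an EDNS0 OPT record (RFC 2671)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", QTYPE_MX, CLASS_IN)
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size we accept,
        # TTL (extended RCODE/version/flags) = 0, RDLENGTH = 0.
        packet += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return packet

def probe(server, name, edns_size=None, timeout=3.0):
    """Send one query over UDP; return the raw response, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_size), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def truncated(response):
    """True if the TC bit (0x0200 in the header flags) is set."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def diagnose(plain, edns):
    """Compare a classic query's result with an EDNS0 query's result."""
    if plain is None and edns is None:
        return "no DNS reachability over UDP at all"
    if edns is None:
        return "EDNS0 response lost: suspect a firewall dropping UDP DNS over 512 bytes"
    if len(edns) > 512:
        return "large EDNS0 response (%d bytes) passed the firewall" % len(edns)
    if truncated(edns):
        return "response truncated: resolver must retry over TCP"
    return "response fit in 512 bytes: test with a domain that has a larger MX answer"
```

Run it from the Exchange server as `diagnose(probe(server, domain), probe(server, domain, 4096))`, using a domain that fails in the NDR. A plain query that is answered while the EDNS0 query times out matches the symptom described above.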

There are two ways to get around the problem. One is to modify the firewall to allow large UDP packets. If the firewall is a hardware product, a firmware upgrade may fix the issue. But if it's software, the manufacturer may have issued a patch for it.

If the above fails, another way to avoid the problem is to disable use of EDNS0 in Windows 2003. This can be done at the command prompt by typing:

dnscmd <server_name> /Config /EnableEDnsProbes 0

where <server_name> is the internal name or address for the server in question. (To re-enable EDNS0, substitute a 1 for the 0 in the above line.) Note that turning EDNS0 support off only disables its use outbound (i.e., it only prevents your server from making EDNS0 requests to other DNS servers). If another server requests EDNS0 from your server, your server will continue to use it.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.

All Rights Reserved, Copyright 2004 - 2009, TechTarget