Good afternoon everyone! I am going to dig into a quick, short write-up on DNS and one of its specifications. I'm going to try to put this into the simplest terms to avoid any confusion. A while back I was troubleshooting a client's network and was seeing some DNS issues within the infrastructure. Some of the bigger DNS queries generated from this network were unsuccessful, which was causing network issues for clients.

So what is EDNS0? It is an extension mechanism for DNS that is supported in the Windows environment. This functionality allows DNS UDP packets to grow beyond the classic size limit of 512 bytes, and where the issue comes in is with firewalls seeing this larger UDP traffic and blocking it. The resolution is that your firewall needs to accept DNS UDP traffic larger than 512 bytes and allow it through. A quick workaround on the Windows side is to disable this functionality, so that the oversized query falls back to TCP; the DNS server handles that fallback and the traffic passes through successfully. You might see some performance drop by disabling it, because the TCP fallback takes longer than simply letting the UDP packet grow to the size needed. Check with your firewall manufacturer for specifics on support for this mechanism and how to configure it properly. A quick workaround on the Microsoft DNS server is to take the action below:
To work around this issue, turn off the EDNS0 feature on Windows-based DNS servers. To do this, take the following action:
At a command prompt, type the following command, and then press Enter:
dnscmd /config /enableednsprobes 0
Note: Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.
The following information appears:
Registry property enableednsprobes successfully reset.
Command completed successfully.
So you might ask, why don't we just let the packet grow bigger? Well, DNS likes to use UDP because the packets are small and can be transmitted quickly. Picture all the internet traffic and all the DNS queries happening with every website lookup. With EDNS you keep compatibility between legacy systems and current DNS systems while allowing proper, fast DNS exchanges. Most newer systems use EDNS, so it is not good practice to disable this feature; let the technology function properly with the peers that support it. As mentioned earlier, disabling it is more of a workaround. Allow your firewall to accept EDNS traffic.
http://support.microsoft.com/kb/832223
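To make the mechanism above concrete, here is an added example (my own code, not from the original post or from Microsoft's KB article) that builds a DNS query carrying the EDNS0 OPT record, whose CLASS field advertises the UDP reply size the client will accept, and inspects a message for the TC (truncated) bit that makes a resolver retry the same query over TCP. All messages are constructed inline, so it runs without a network; the name example.com and transaction id are arbitrary sample values.

```python
import struct
DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
OPT_TYPE = 41                        # EDNS0 OPT pseudo-RR type (RFC 6891)
TC_FLAG = 0x0200                     # "truncated" bit in the header flags

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None):
    """Standard recursive query; with edns_udp_size set, append an OPT record whose
    CLASS field advertises how large a UDP reply the client accepts (beyond 512)."""
    arcount = 1 if edns_udp_size else 0
    msg = DNS_HDR.pack(txid, 0x0100, 1, 0, 0, arcount)         # flags: RD only
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)    # question, IN class
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg

def skip_name(buf, off):
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer, two bytes
            return off + 2
        off += 1 + ln

def inspect_message(buf):
    """Return (truncated, edns_udp_size, length). A reply with truncated=True
    is the signal that makes a resolver retry the same query over TCP."""
    _txid, flags, qd, an, ns, ar = DNS_HDR.unpack_from(buf, 0)
    off = DNS_HDR.size
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        if rtype == OPT_TYPE:
            edns = rclass
        off += 10 + rdlen
    return bool(flags & TC_FLAG), edns, len(buf)

def constructed_reply(query, truncated):
    """Constructed sample reply: echo the query with QR/RA set, plus TC when asked."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]
```

Capturing real queries and replies at the firewall and feeding them to inspect_message shows whether clients are advertising a large EDNS0 size and whether servers are answering with TC set, which is the pattern to look for when large replies are being dropped.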