fixup protocol dns causing issues with DNS Win2k3

NPT_2
Level 2

I have the default fixup protocol dns maximum-length 512 set on a PIX firewall. This has run for years this way without issue, that is until we put in a new 2003 server and decided to use it as a DNS server. The issue is that Win2003 DNS now uses DNS packets over 512 bytes, and the firewall set to a max of 512 is causing MX lookup failures for certain domains such as aol.com and earthlink.com; somehow the DNS or our email servers, rather than going to the next DNS server, decide to use the A record instead, so all email to aol.com or earthlink.com tries to go to their web server instead of the email server. According to Microsoft Knowledge Base article 828263 I need to have the firewall set to allow packets over this size. My question is: should I eliminate the packet size limit in the fixup statement? Or should I increase the number? Or is there a newer version of code that addresses this issue? At worst we are maybe a couple of versions out of date on the PIX. What are your thoughts?

2 Replies

nkhawaja
Cisco Employee

Hi,

increase the packet size limit.

Thanks

Nadeem

ehirsel
Level 6

I would disable DNS extensions by running this command at the Win 2003 server:

dnscmd <ServerName> /Config /EnableEDnsProbes 0

The same MS KB article that you mentioned stated that this is another way of solving the problem.

I suggest turning it off, because even if you get your firewall to allow the larger UDP packets, there may be other firewalls or gateways in between the requestor and client that may wind up blocking the larger than 512 byte DNS packet if they do not understand the EDNS0 protocol.
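As an added illustration of what both replies are deciding between (this is example code, not part of the thread and not Cisco's or Microsoft's software), the Python below models the DNS exchange at the wire level. A query that carries an EDNS0 OPT record advertises a UDP payload size above 512, so the server answers a large MX set in a single datagram, which a `fixup protocol dns maximum-length 512` ceiling then drops; the same query without EDNS0 forces the server to truncate to 512 bytes and set TC, so the resolver can retry over TCP. The query name `example.test`, the MX hosts, the 4096-byte buffer size and the helper names are all constructed for the example; `pix_allows` only applies the length ceiling, not the rest of the PIX inspection.

```python
"""Model of the EDNS0 / 512-byte interaction behind the 'fixup protocol dns' problem."""
import struct

TYPE_MX = 15
TYPE_OPT = 41
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512      # RFC 1035 ceiling for a UDP DNS message without EDNS0
PIX_DEFAULT_MAX = 512        # default for 'fixup protocol dns maximum-length'

# Constructed sample data: enough MX hosts that the full answer exceeds 512 bytes.
SAMPLE_QNAME = "example.test"
SAMPLE_EXCHANGES = [(10, "mailin-%02d.mx.example.test" % i) for i in range(1, 13)]


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def opt_record(udp_size):
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the
    sender's maximum UDP payload, TTL holds ext-RCODE/version/flags, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_query(qname, qtype=TYPE_MX, txid=0x1234, edns_udp_size=None):
    """Standard recursive query; with edns_udp_size an OPT RR is appended to the
    additional section, which is what an EDNS0-probing resolver sends."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        msg += opt_record(edns_udp_size)
    return msg


def advertised_udp_size(msg):
    """UDP payload size advertised in the message's OPT record, or None without EDNS0."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass
        off += rdlen
    return None


def build_mx_response(query, exchanges):
    """Answer an MX query as a conforming server does: send the whole answer if it
    fits the client's advertised UDP size (512 without EDNS0); otherwise send an
    empty answer with TC=1 so the client retries the query over TCP."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = skip_name(query, 12)
    qname, question = query[12:qname_end], query[12:qname_end + 4]
    client_size = advertised_udp_size(query)
    client_max = client_size or CLASSIC_UDP_LIMIT
    opt = opt_record(4096) if client_size else b""    # echo EDNS0 only if the client used it
    answers = b""
    for pref, host in exchanges:
        rdata = struct.pack("!H", pref) + encode_name(host)
        answers += qname + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(rdata)) + rdata
    arcount = 1 if opt else 0
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, len(exchanges), 0, arcount) + question + answers + opt
    if len(full) <= client_max:
        return full
    # Too big for the client: keep only the question, set TC (0x0200) in the flags.
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, arcount) + question + opt


def is_truncated(msg):
    """True when the TC bit is set, i.e. the client is expected to retry over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)


def pix_allows(msg, max_length=PIX_DEFAULT_MAX):
    """Length check applied by 'fixup protocol dns maximum-length <max_length>'."""
    return len(msg) <= max_length


if __name__ == "__main__":
    for label, size in (("EDNS0 4096", 4096), ("no EDNS0", None)):
        q = build_query(SAMPLE_QNAME, edns_udp_size=size)
        r = build_mx_response(q, SAMPLE_EXCHANGES)
        print("%-10s response=%d bytes TC=%s passes 512 limit=%s passes 4096 limit=%s"
              % (label, len(r), is_truncated(r), pix_allows(r), pix_allows(r, 4096)))
```

Running the block shows the two outcomes the replies describe: with EDNS0 the 677-byte answer is complete but fails the 512-byte ceiling (raising the PIX limit, e.g. `fixup protocol dns maximum-length 4096`, is the first reply's fix); without EDNS0 the server returns a 30-byte truncated answer that passes every firewall in the path and tells the client to fall back to TCP, which is why the second reply prefers turning EDNS probes off.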