Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1735
Views
0
Helpful
1
Replies

Recommended setting for EDNS?

lmcgraw
Level 1
Level 1

‎11-01-2004 10:10 AM - edited ‎03-09-2019 09:17 AM

We're migrating to Server 2K3 and ran into the EDNS issue. I'm running a mockup network with DNS running on an NT box and a 2K3 box. Our production network is runing DNS on an NT box and a 2000 box. I upgraded our 515E to v6.3.4 and made the recommended "fixup protocol dns mximum-length 4096". That fixed the outside DNS issue on the 2K3 box, but I'm getting erroneous name resolution to selected sites (yahoo, google, nascar) coming from the NT box. I've already contacted our ISP to see if the problem is on their end.

Does anyone know what the minimum size EDNS packets can be? Going from 512 to 4096 seems like an awfully large jump. Just wondering if someone has "tweaked" this setting. I still need to run DNS on the NT box for at least another six months and the boss is unwilling to disable EDNS advertisement in the 2K3 boxes just yet

Thanx

Linz

Labels:
0 Helpful
1 Reply 1

Patrick Iseli
Level 7
Level 7

‎11-04-2004 07:02 PM

I have seen a few mails passing in the Security Focus NewsGroup, that might be helpful.

Please give me feedback.

An external DNS query may cause an error message in Windows Server. SEE:http://support.microsoft.com/?id=828731

Windows 2003 supports so called EDNS-0. This extension to DNS allows requests larger than 484 bytes (512 byte packet) to be transported in UDP DNS packets.

The PIX firewall does not allow this type of traffic by default, as it is classified an anomaly.

There are two solutions to this problem:

(1) On the Windows 2003 machine which is sending out the DNS packets, you can run dnscmd /Config /EnableEDnsProbes 0. This will make sure that this machine uses TCP for its 484+ byte DNS queries. (You will need the Windows support tools for this - suptools.msi)

(2) On the PIX firewall, change the DNS inspection configuration by running "fixup protocol dns maximum-length 1500". This will allow UDP DNS query packets of up to 1500 bytes. Do keep in mind that, when using non-ethernet network infrastructure, the EDNS0 limit is actually 4096 bytes, so you may need a higher value.

Thanks to Maarten Van Horenbeeck that published that on the Security focus newsgroup.

sincerely

Patrick

0 Helpful
Customers Also Viewed These Support Documents