

DNS event 5504 - server encountered an invalid domain name in a packet

Question

Monday, March 9, 2009 2:05 PM

I am getting this error constantly in my logs. Every DNS server I've tried is experiencing this issue. Domain Controllers/member servers, server 2003/2008/2008r2, on site and offsite. We are using Operations Manager as well which queries all the DNS servers every few minutes like this: nslookup -querytype=ns www.microsoft.com dnsserver.here. It is also sporadic; about 50% of the time the query actually comes back ok.

I have already looked around for an answer but nothing has helped. There are no forwarders configured on any of the servers; just using root hints. And the supposed bad packets always come from known good dns servers. (220.73.220.4, 12.183.125.5, 204.2.178.133)

I have also used netmon to examine one of the packets which the dns server flagged as bad and I do not see anything wrong with it. It looks identical to a good response.

Any suggestions?

All replies (9)

Tuesday, March 10, 2009 8:21 AM ✅Answered | 1 vote

A few things I would like to suggest:

  1. Check the following registry key and the value set for it:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\DisableAutoReverseZones

According to KB 198410, it should have a non-zero value.

  2. The packet was forwarded to a non-recursive DNS server. I would recommend switching to forwarders for a few days to check if that helps.

  3. The server is querying for a DNAME record, which is not supported. Responses containing a DNAME (rrtype - 0x0027) record.

  4. Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn't support EDNS or doesn't have it enabled. An easy workaround is to disable EDNS.

dnscmd /Config /EnableEDnsProbes 0

Hope this helps.


Thursday, June 11, 2009 8:00 PM

I had the same problem since I upgraded to Server 2008 R2.

dnscmd /Config /EnableEDnsProbes 0 worked for me.

Are there any disadvantages if I use this configuration?


Saturday, October 10, 2009 1:17 AM

A few things I would like to suggest:

  1. Check the following registry key and the value set for it:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\DisableAutoReverseZones

According to KB 198410, it should have a non-zero value.

(Emphasis added by me)

Huh?  Did you read the KB article?  (head in hands, shaking head in wonder)

The correct statement is:  According to KB-198410, it should have a zero value if the key exists.

For those that have not seen it - here it is:

================ Quote KB-198410

DisableAutoReverseZones

   Value:      DisableAutoReverseZones
   Added:    Windows NT 4.0
   Type:     DWORD (Boolean)
   Default:  NoKey  (Create automatic reverse-lookup zones)
   Function: Determine whether server automatically creates standard
             reverse lookup zones.
                

Every DNS server should (according to RFC) be authoritative for three reverse lookup zones:

  • 0.in-addr.arpa.
  • 127.in-addr.arpa.
  • 255.in-addr.arpa

The reason for this is that clients sometimes query for standard IP addresses such as 0.0.0.0, 127.0.0.1 (loopback), and 255.255.255.255 (broadcast). By being authoritative for the zones corresponding to these queries, the DNS server avoids unnecessary recursions to the root servers on these queries.

If the DisableAutoReverseZones key does not exist or is zero, the Microsoft DNS server will automatically create these zones with the correct entries (none except for a PTR for 127.0.0.1 to localhost).

If DisableAutoReverseZones is nonzero, the server does NOT create these zones.

===================== End Quote

Note:  Bold face emphasis also provided by me.

Points to note:

  1. The RFC (requirements) for DNS server operation highly recommend ("should") that your DNS servers be authoritative for the three local-loop IP addresses.
  2. The KB article recommends this because it will help eliminate unnecessary DNS traffic.
  3. Note that the default for this is that there is not even a key created - ergo these zones are always created - as they should be.
  4. There may - in certain, extremely unusual, situations - be a need to turn this off, but for the life of me, I'll be darned if I can imagine what it is.

I sure hope you folks actually *CHECKED* the KB entry before modifying your registry. . . .

What say ye?

Jim


Saturday, December 10, 2011 7:58 AM

Dear Shilpesh,

I can't find DisableAutoReverseZones in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters. Something's wrong with my Server?

Tks,

NTQ


Saturday, December 10, 2011 5:50 PM

I had the same problem since I upgraded to Server 2008 R2.

dnscmd /Config /EnableEDnsProbes 0 worked for me.

Are there any disadvantages if I use this configuration?

I know this thread is over two years old, but I thought, in case anyone else comes across it in a search, that I would explain what EDNS0 is and the implications of disabling it on your server.

Yes, there are disadvantages, because EDNS0 is almost a requirement anymore with zones that have a large amount of data. EDNS0 extends the original DNS RFC limiting UDP query packets to 500 bytes. EDNS0 allows it to be extended to 4000 or more.

As far as disabling EDNS0, I would recommend not to. It makes the resolution process more efficient. DNS queries are initially over UDP. If the domain response has large amounts of data that's beyond 512 bytes, it will revert to TCP in order to get the whole response. Therefore, the change up in protocol introduces a delay, because it has to reformulate and send the request again. EDNS0 overcomes this by allowing larger than UDP 512 bytes. When the IETF came out with the EDNS0 implementation in the late 90's, it was slow getting adopted by many in the industry. Windows 2003 was the first Windows version offering the feature. EDNS0's larger UDP query packet support makes resolution more efficient instead of having to change up the request protocol to TCP and resending it.

However, some firewalls and perimeter security devices look at it as a spoof. If EDNS0 is not enabled on the firewall or if the firewall does not support it, then it can be an issue. It's used internally too, where some responses may be larger than 512 bytes, therefore disabling it can cause issues in some cases. More than likely, the issue with not being able to resolve large domain responses is at the firewall, and it really should be addressed at the firewall.

My feeling is if you reverse the command (change the 0 to a 1), then configure a forwarder to, say, 4.2.2.2, the problem will go away. Apparently the problem is in your perimeter firewall not allowing EDNS0, not supporting it, or needing a firmware update. Forwarders bypass firewalls that don't support EDNS0 or have not yet been configured to allow it. For example, with a Cisco PIX or ASA, you'll need to run the following to enable it (using a 4000 byte limit):

fixup protocol dns 4000

Re-enable EDNS0 on the server (change the 0 to a 1). Then run this quick command to test if there's an EDNS0 restriction in your firewall:
nslookup -type=TXT rs.dns-oarc.net

Look for the part in the response that says, " ...DNS reply size limit is at least xxxx." The xxxx is what it will support. If it's under 512, then it is blocking EDNS0 or the Forwarder you are using is blocking or not allowing/configured to use EDNS0.

What is EDNS0? (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
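The EDNS0 reply-size check Ace describes above (and the EDNS probe failure in point 4 of the accepted answer), as an added example that is not part of this thread: a standard-library Python script that builds a TXT query carrying an EDNS0 OPT record, sends it to a server of your choice, and reports whether the reply came back truncated and whether the OPT record (with its advertised UDP payload size) was echoed. It assumes only Python 3 and direct UDP/53 reachability; the two sample replies at the bottom are constructed for offline testing, not captured traffic.

```python
import socket
import struct

EDNS_UDP_SIZE = 4096          # UDP payload size advertised in our OPT pseudo-RR
OPT, TXT = 41, 16             # RR type numbers (OPT is the EDNS0 pseudo-RR, RFC 6891)

def build_query(name, qtype=TXT, edns=True, txid=0x1234):
    """Build a DNS query; with edns=True append an EDNS0 OPT record in the additional section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, ARCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack(">HH", qtype, 1)
    opt = b"\x00" + struct.pack(">HHIH", OPT, EDNS_UDP_SIZE, 0, 0) if edns else b""
    return header + question + opt

def inspect_response(data):
    """Report TC bit, RCODE, answer count and the UDP size echoed in the OPT RR (None if absent)."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    def skip_name(p):
        while True:
            l = data[p]
            if l == 0: return p + 1                 # root label ends the name
            if (l & 0xC0) == 0xC0: return p + 2     # compression pointer: two bytes, ends the name
            p += 1 + l
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4                     # skip QTYPE + QCLASS
    opt_size = None
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT:
            opt_size = rclass                        # in an OPT RR the CLASS field is the UDP payload size
    return {"id": txid, "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "edns_udp_size": opt_size, "length": len(data)}

def query_udp(server, name, qtype=TXT, timeout=3.0):
    """Send one EDNS0 query over UDP and inspect the reply. A reply with no OPT RR, or a TC bit on a
    reply of ~512 bytes, means something on the path (server, forwarder or firewall) stripped EDNS0."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(EDNS_UDP_SIZE)
    return inspect_response(data)

# Constructed sample replies (not captured traffic): one truncated with no OPT, one with OPT echoed.
_Q = build_query("rs.dns-oarc.net")[12:-11]          # the question section only
SAMPLE_NO_EDNS = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _Q   # QR+RD+RA+TC, no RRs
SAMPLE_EDNS = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _Q
               + b"\xc0\x0c" + struct.pack(">HHIH", TXT, 1, 60, 12) + b"\x0bconstructed"
               + b"\x00" + struct.pack(">HHIH", OPT, EDNS_UDP_SIZE, 0, 0))
```

Run `query_udp("<your DNS server or forwarder>", "rs.dns-oarc.net")` against each hop and compare: the hop where `edns_udp_size` turns to `None` or `truncated` becomes `True` is where EDNS0 is being blocked.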


Saturday, December 10, 2011 5:53 PM

Dear Shilpesh,

I can't find DisableAutoReverseZones in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters. Something's wrong with my Server?

Tks,

NTQ

Thien Su,

What sort of problems are you experiencing that is warranting you to alter this setting? I would suggest to start a new thread under your name with the problems you are seeing, provide some configuration info or examples, and we can better help with your specific errors or issues.

Regards,
Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Wednesday, April 4, 2012 5:01 PM

It seems that if DisableAutoReverseZones is there, you need to set it to 0.

fixup protocol dns 4000 doesn't work with my ASA 8.2. I use fixup protocol dns instead. It accepts that, and nslookup -type=TXT rs.dns-oarc.net works fine now.

Thanks.


Wednesday, April 4, 2012 7:07 PM

Using the Cisco ASA CLI:

fixup protocol dns maximum-length 4000

fixed my DNS issue.


Monday, February 25, 2013 10:50 PM

This entry is not in my registry.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\DisableAutoReverseZones