
EDNS behavior and packet size.

Question

Friday, March 18, 2011 9:50 AM

Hello!

I'm afraid I'm in deep water here, but I would like to understand the following to be able to fix some issues:

  1. If a 2008R2 which has EDNS enabled by default sends a request through a 2008R2 forwarder with EnableEDNSProbes=0 set, what happens with the response? Will the forwarder send a traditional request or will it forward the EDNS request, with the potential of receiving an answer larger than 512 bytes?

  2. Which UDP payload size does 2008 R2, respectively 2008 (with EDNS enabled) advertise in the OPT record and can it be changed?

Sincerely
Peter

All replies (9)

Saturday, March 19, 2011 2:12 AM

1. If a 2008R2 which has EDNS enabled by default sends a request through a 2008R2 forwarder with EnableEDNSProbes=0 set, what happens with the response? Will the forwarder send a traditional request or will it forward the EDNS request, with the potential of receiving an answer larger than 512 bytes?

If EDNS0 is disabled on the nameserver that a query is sent to, it may not fully resolve zone data if the zone data is larger than 512 bytes.


2. Which UDP payload size does 2008 R2, respectively 2008 (with EDNS enabled) advertise in the OPT record and can it be changed?

Peter, I'm not sure what you mean by "payload." If your question is regarding what is the size of an EDNS0 packet, it's typically up to 1280 bytes. Can that be changed? Not sure. If there is no registry entry for it, and I can't recall if there is, then it would have to be done in the DNS APIs, which is a whole different ballgame. However, I believe it's set based on the RFC implementation, that all DNS servers that support EDNS0 follow.

Curious, why was it disabled on that machine?

FYI, I have some info on EDNS0 in my blog. I hope you find it helpful:

What is EDNS0? (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx


Ace 

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, March 21, 2011 10:21 AM

Hello again and thank you for replying!

I'll try to define my situation a little more. This is the setup:

STEP 1: Internal DC/DNS 2008R2 unconditional forwarding to STEP 2 (no Root Hints)
STEP 2: DMZ DNS (2008R2 with EnableEDNSProbes=0) unconditional forwarding to STEP 3 or 4
STEP 3: ISP DNS (brand and config unknown)
STEP 4: Root Hints (if the ISP DNSes time out, 3 sec)

I'm not sure why EDNS0 is disabled in DMZ DNS; my guess is that it is an unsuccessful attempt to fix the 512 byte problem, because even if it is disabled we get responses stuck in the firewall.

I need to tell the firewall guy what packet length he should accept instead of 512 bytes. As I understand it, this is decided on our side. When internal clients look up names, the requests are defined with an OPT-record advertising the maximum UDP packet size.

I've read a little more and found out that the default value is 1280 bytes and that it really can be changed (at least in 2003) in "MaximumUdpPacketSize" in key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

I don't see a point in changing it if it follows some kind of best practice (1280 is mentioned briefly in 4.5.1. in RFC 2671); I just needed to know the value.

These were the sources:
http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc783893(WS.10).aspx

Even though I haven't been able to examine the firewall logs, my interpretation of the situation is this:

  1. EDNS0 requests are sent from Internal DNS to DMZ DNS.
  2. Because of "EnableEDNSProbes=0" traditional requests (w/o OPT-record) are sent from DMZ DNS to ISP or Rootservers.
  3. When the response returns it is sent in EDNS0-format from DMZ-servers back to Internal DNS and jammed if larger than 512 bytes.

As an immediate remedy the packet length was changed to 2048 bytes.

My next step is probably to enable EDNS0 on DMZ-servers and lower the packet length to 1280 bytes and monitor the firewall.
Am I on the right track here and will 1280 bytes do it or will the actual packets be larger due to some kind of overhead do you think?

Thanks again for your interest!
/Peter


Monday, March 21, 2011 2:12 PM

Sounds like you're on the right track. The 1280 length is generally standard practice, if not RFC recommended. To determine if RFC recommended, I would have to read through the RFC docs, but I can say that I've set all of my customers' Cisco ASA firewalls to 1280 bytes, and haven't heard a peep from them in the past 3 or 4 years.

And on a server, I would just enable it using EnableEDNSProbes=1, and not mess with the registry settings to change sizes. I haven't yet needed to touch the registry settings on any DC/DNS in any of my customer sites to make this work. From your description of the issue, it apparently seems like it's in the perimeter firewall that's causing the problem, meaning the DMZ's perimeter firewall is not allowing EDNS0. I would suggest telling the network team to use 1280 bytes.

This can be set in most firewalls, but it depends on the name brand, model number, and IOS level. If it's an older IOS level, it may not support the feature and would require updating the IOS. If you can post this info, I'll see what I can do to find out more for you and your network team.

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Friday, April 1, 2011 8:36 AM

Hi again!

It turned out I was not on the right track. After enabling EDNS0 on DMZ-servers we saw lots of large responses, much larger than 1280 bytes.

Then I found this article: http://support.microsoft.com/kb/2028240

It implies that "Windows Server 2008 R2 uses a default packet size of 4000 bytes by default.", which I suppose refers to the UDP OPT-record?
This could explain our experience, however, it also states: "In summary, there’s no real need for EDNS if you're not using DNSSEC. Microsoft suggests that you leave EDNS disabled."

We are not using DNSSEC for the moment, but I will investigate this issue further, any inputs are welcome.

/Peter


Friday, April 1, 2011 2:27 PM

Nice article, thanks for posting it. I used 1280 for a number of years without issues, but I believe I based that on a Cisco doc or article I looked at over 5 or 6 years ago.

The OPT record is sent from the querying DNS server when it sends out a query to another DNS server, where the packet tells the other DNS server that it supports UDP and what its max supported packet size is. So if it's 4000 bytes, the OPT record will indicate that. Here's another nice article explaining the OPT record:

Using Extension Mechanisms for DNS (EDNS0)
http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx

You could follow the article's recommendation to disable it, but IMHO, I think you may have problems resolving certain websites that have a large amount of zone data, as I've seen from other posters in the forums over the years. If you choose to give it a shot, please report back your findings.

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
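To make the OPT record mechanics above concrete, here is an added Python example (not from this thread or from Microsoft's DNS code) that builds a query carrying an OPT pseudo-RR advertising a chosen UDP payload size, reads that size back out of the wire format, and checks it against a fixed firewall inspection cap. The domain name and transaction id are constructed values; the 1280/4000 sizes are the ones discussed in the thread.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 2671)
PLAIN_DNS_MAX = 512  # UDP limit assumed when no OPT record is present (RFC 1035)

def _encode_name(name: str) -> bytes:
    labels = [label.encode() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_query(name: str, qtype: int = 15, udp_payload: int = 0, txid: int = 0x1234) -> bytes:
    """Build a recursive DNS query; udp_payload > 0 appends an OPT record advertising it."""
    arcount = 1 if udp_payload else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, QDCOUNT=1
    question = _encode_name(name) + struct.pack(">HH", qtype, 1)     # class IN
    if not udp_payload:
        return header + question
    # OPT: root name, TYPE=41, the CLASS field carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), empty RDATA.
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(msg: bytes) -> int:
    """Read the UDP payload size the sender advertises; 512 if there is no OPT record."""
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass                       # CLASS field == advertised size
    return PLAIN_DNS_MAX

def check_firewall_cap(query: bytes, firewall_max: int):
    """Return (advertised size, True if a fixed inspection cap of firewall_max covers it)."""
    advertised = advertised_udp_size(query)
    return advertised, firewall_max >= advertised
```

Feeding a capture of your own resolver's outbound query to `advertised_udp_size` shows what the firewall actually has to allow; a 1280 cap against a 4000-byte advertisement is exactly the mismatch the thread describes.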


Thursday, May 10, 2012 3:13 PM

Hello again!

A little follow-up a year later:

Have anybody found any more official documentation regarding 2008R2 and MaximumUdpPacketSize, like an updated DNS Technical Reference?

The only document I've found is this "FAST PUBLISH" one, and it briefly says 4000 bytes:
http://support.microsoft.com/kb/2028240

This article says 1280 bytes (but it's not R2):
http://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx

Has the size gone up from 2008 to 2008R2, from 1280 to 4000?

We experience that without specifying the "MaximumUdpPacketSize" we get responses larger than 1280 bytes, but it would be nice to read about it somewhere.

Sincerely
Peter


Thursday, May 10, 2012 5:00 PM

The first article you posted I posted in the post right before yours.

In the second article, you may have missed the part that says under the "MaximumUdpPacketSize" section:

"The registry entry MaximumUdpPacketSize specifies the maximum UDP packet size advertised by the DNS server. The default value is 1,280 bytes."

As I mentioned, I usually set it for 4000, which works fine for all my customers, small, medium and large enterprises.

.

Is there anything you are concerned with regarding the size?

.

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Thursday, May 10, 2012 5:53 PM

Hi Ace!

What! No, I did :)

Regarding concerns, well not really, but one can for example wonder if it's really 4000 bytes or 4096? These things should be documented more properly; you shouldn't be forced to reverse engineer things to figure them out. I would like to find a real guide that spells things out about MS DNS, so that I can put this behind me so to speak.

I've found a neat function in Cisco inspection which really solves the problem no matter what configuration you have on the inside.

        message-length maximum client auto
        message-length maximum 512

It can be read about here: http://www.cisco.com/web/about/security/intelligence/dnssec.html

/Peter


Thursday, May 10, 2012 8:12 PM

Ahh, ok, you did. Apologies!

.

It's actually 4000. If you want to make it 4096, cool, go for it. I'm sure there may be some domains out there that have that sort of data in a query, possibly such as hotmail.com (run an nslookup, set q=mx, then hotmail.com to see what I mean).

What I forgot to post in addendum to that quote from that article, is the following:
"The value must be between 512 and 16,384 in decimal format (200 and 4,000 in hexadecimal format). "

So if you want to make it higher, it will work, but I see the client "auto" setting should work, too.

.

I usually set that in my Cisco devices to 4000.

For PIX:
fixup protocol dns maximum-length 4000

For ASA:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4000

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

.

Either way will work. The point is EDNS0 should be allowed for large UDP packets.

.

Cheers!

.

.

Late edit:

I just checked two of my customer sites, and I had it previously set to 4096 on both of them. :-) Cheers!

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.