
Firewalls and DNS query responses may not mix

DNS query response size limits may cause e-mail rejections from some domains. Here is a tip that offers solutions.

If you use Windows Server 2003 and Exchange 2003, you may run into a problem when attempting to resolve certain Domain Name System (DNS) query responses through a firewall. Usually the problem appears when you try to send e-mail to certain domains, such as Earthlink.net or AOL.com.

When DNS queries pass through a firewall, the firewall may inspect the DNS packets, which are UDP transmissions, and block any that are larger than 512 bytes. This is a standard security feature in many firewalls. However, RFC 2671, "Extension Mechanisms for DNS (EDNS0)," allows DNS requestors to work with UDP packets larger than 512 bytes. Since some ISPs use this feature, DNS responses from those ISPs -- specifically, responses to MX record queries -- may be blocked if the firewall is set to stop outsized UDP packets.

The problem usually shows up in the form of a Non-Delivery Report with the following format:

'user@earthlink.net' on 4/1/2004 3:00 PM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<exchange.otherdomain.com #5.5.0 smtp;550-- EarthLink does not recognize your computer (xx.xx.xx.xx) as connecting from an EarthLink connection. If this is in error, please contact technical support.>

Because of this, administrators are inclined to believe that the problem may lie with their Exchange configuration, and never suspect DNS as the culprit.
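To make the mechanism concrete, here is an added example in Python (it is not part of the original tip). It builds an MX query with and without the EDNS0 OPT record, reports the size and TC (truncated) flag of a reply, and applies the 512-byte rule that such a firewall enforces. The two sample replies are constructed in the script; udp_query is only needed if you want to run the same check against a live resolver.

```python
import socket
import struct

DNS_TYPE_MX = 15
DNS_TYPE_OPT = 41          # EDNS0 OPT pseudo-record type (RFC 2671)
CLASSIC_UDP_LIMIT = 512    # maximum UDP DNS message without EDNS0; the limit a strict firewall enforces

def encode_name(name):
    """Encode a domain name as DNS wire-format labels with a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_mx_query(domain, txn_id=0x1234, edns_udp_size=None):
    """Build an MX query; if edns_udp_size is given, add an OPT record advertising that size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)   # flags: RD set
    pkt = header + encode_name(domain) + struct.pack("!HH", DNS_TYPE_MX, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=0, RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return pkt

def inspect_response(data):
    """Summarise a raw DNS reply: size, TC (truncated) flag and record counts."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txn_id, "size": len(data), "truncated": bool(flags & 0x0200),
            "answers": an, "additional": ar}

def blocked_by_512_rule(data):
    """The firewall behaviour the tip describes: drop UDP DNS datagrams over 512 bytes."""
    return len(data) > CLASSIC_UDP_LIMIT

def udp_query(server, domain, edns_udp_size=None, timeout=3.0):
    """Send the query to a resolver over UDP and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mx_query(domain, edns_udp_size=edns_udp_size), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample replies (headers only, padded): a 712-byte EDNS0-style reply that a
# 512-byte firewall rule silently drops, and a 512-byte classic reply with TC set, which
# tells the resolver to retry over TCP instead of waiting for a reply that never arrives.
SAMPLE_EDNS_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 20, 0, 1) + b"\x00" * 700
SAMPLE_CLASSIC_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 8, 0, 0) + b"\x00" * 500

if __name__ == "__main__":
    for label, reply in (("EDNS0", SAMPLE_EDNS_RESPONSE), ("classic", SAMPLE_CLASSIC_RESPONSE)):
        print(label, inspect_response(reply), "dropped:", blocked_by_512_rule(reply))
```

If a live MX query with an OPT record times out while the same query without one succeeds (or comes back with TC set), the firewall's UDP size limit is the likely cause.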

There are two ways to get around the problem. One is to modify the firewall to allow large UDP packets. If the firewall is a hardware product, a firmware upgrade may fix the issue. But if it's software, the manufacturer may have issued a patch for it.

If the above fails, another way to avoid the problem is to disable use of EDNS0 in Windows 2003. This can be done at the command prompt by typing:

dnscmd <server_name> /Config /EnableEDnsProbes 0

where <server_name> is the internal name or address of the server in question. (To re-enable EDNS0, substitute a 1 for the 0 in the above line.) Note that turning EDNS0 support off only disables its use outbound (i.e., it only prevents your server from making EDNS0 requests to other DNS servers). If another server requests EDNS0 from your server, your server will continue to use it.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
