EDNS0 (Extension mechanisms for DNS)



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Published 10/11/2010
Updated 6/27/2011 – Added link.
Updated 6/20/2012 –


 


Preface


Windows 2003 and newer operating systems support EDNS0 (Extension mechanisms for DNS). The first set of EDNS0 extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671.


EDNS0 supports a UDP query response larger than 512 bytes. Using the legacy method, UDP was used only as long as the DNS query response was under 512 bytes; over 512 bytes, the exchange switched to TCP. With EDNS0, UDP responses of up to the full 1500 bytes are allowed, bypassing the extra step required to switch to TCP and thereby increasing efficiency.


 


Here’s a quick test to see whether EDNS0 is disabled, or whether there’s an EDNS0 restriction in your firewall. Run the following nslookup command:
nslookup -type=TXT rs.dns-oarc.net


Or if you want to test a specific DNS server for EDNS0 support, whether an internal or external DNS server, use the following method:


c:\>nslookup
> server 4.2.2.2 <—- you can change this IP to whatever DNS server you want to test for EDNS0 support
> set q=txt
> rs.dns-oarc.net


Look for the part in the response that says “…DNS reply size limit is at least xxxx.” The xxxx is the size it will support. If it’s under 512, then something is blocking EDNS0, or the Forwarder you are using is blocking it or is not configured to use EDNS0.


 


Should I disable it because my firewall doesn’t support it?


Good question. Of course the proper answer is no: upgrade either the firewall IOS or the firewall itself so it supports EDNS0 traffic. Older firewalls that do not support it, or newer ones that do support it but haven’t been enabled to allow this type of traffic, will treat it as a DNS attack.


It’s recommended to upgrade your router/firewall to support the new industry standard, but as a workaround, you can disable this feature in Windows 2003 by using dnscmd (available by installing the support tools from the Windows 2003 CDROM):


dnscmd /config /enableednsprobes 0


I would rather enable it on the firewall or upgrade the firewall, instead of having to disable it on each individual DNS server. Or you can also simply configure a Forwarder to your ISP, which will bypass your legacy firewall’s lack of EDNS0 support. However, if strictly using Root Hints, the recommendation is to upgrade the firewall.


 


Cisco PIX and ASA EDNS0 support


The Cisco PIX and ASA models, which I am familiar with, do support EDNS0, however it’s not enabled by default out of the box. You’ll need to run a command to enable it, or enable it within the PDM GUI. In the following examples, using a command line while telnetted into an ASA, I’ve set the maximum-length to 1280 bytes, because 1280 bytes was based on the recommendation in the original IETF draft. However, if using DNSSEC, you’ll need to bump it higher.


To support proper resolution and to support DNSSEC, set the max UDP size to 4096:


fixup protocol dns maximum-length 4096
fixup protocol dns 4096


Cisco ASA 55xx series (assuming using the latest IOS 8.3.2ED and newer)
   Configuration
     Firewall
       Advanced
         Objects
           Inspect Maps
             DNS
               If a “preset_dns_map” policy doesn’t exist:
                   Click on Add
                   Type in preset_dns_map
                   Next to “Security Level,” click the Details button
                   Select the Filter tab
                   Change “Maximum Packet Length” from 512 to 4096
                   Click OK
                   File, “Save Running Configuration to Flash” (also suggest saving it to TFTP)
               If a “preset_dns_map” policy does exist:
                   Right-click “preset_dns_map”
                   Choose “Edit”
                   Next to “Security Level,” click the Details button
                   Select the Filter tab
                   Change “Maximum Packet Length” from 512 to 4096
                   Click OK
                   File, “Save Running Configuration to Flash” (also suggest saving it to TFTP)
 


Or


For ASA 55xx series up to 8.3 (8.3 and newer is different)
 policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 4096

And to apply the increased response size length in the global policy:
 policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map


 


For ASA 55xx series with 8.4 and newer:
policy-map type inspect dns EDNS0
 parameters
  message-length maximum 4096


policy-map global-policy
 class global-class
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect http
  inspect dns EDNS0 dynamic-filter-snoop
  inspect esmtp




For more information on Cisco’s IOS commands, please read the following link:
Preparing for DNSSEC: Best Practices, Recommendations, and Tips for Successful Implementation
http://www.cisco.com/web/about/security/intelligence/dnssec.html  


Cisco PIX / ASA and DNSSEC problem approaching on May 5th?
(This link has info on the ASA and PIX commands for EDNS0):
https://supportforums.cisco.com/thread/2013390


 


More info on DNSSEC and EDNS0:


Windows client and server operating system compatibility with DNSSEC enabled root servers.
“Per RFC 4035, UDP packet sizes up to 1220 bytes MUST be supported and packets up to 4000 bytes SHOULD be supported. Windows Server 2008 R2 uses a default packet size of 4096 bytes by default.”
http://support.microsoft.com/kb/2028240


In my opinion, it should be set to 4096.


 


I have problems accessing or resolving Yahoo, AOL, Hotmail and a number of other sites


The reason why Yahoo, AOL and other domains have resolution issues is that some of these domains have a huge amount of data, so the response is larger than 512 bytes, and the firewall or router does not support EDNS0.


The solution is to enable EDNS0 support in the edge firewall. If it doesn’t support it and the IOS can’t be upgraded to support it, it must be replaced. A Forwarder can overcome the EDNS0 limitation.


 


DNS not able to resolve some domains such as .UK.


If DNS is not able to resolve TLDs such as .uk, there is a workaround. The easiest workaround is to use Forwarders. There are other workarounds, but I would suggest Forwarders as the easiest; however, there are many pros and cons with Forwarders, and one of the cons is that many corporate SLAs do not allow them.


Can’t access any .co.uk sites from our Windows network (using Windows 2008 DNS).
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24214068.html


2008 DNS Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/essentialbusinessserver/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx


Windows Server 2008 DNS Servers may fail to resolve queries for …Feb 25, 2009 … When name resolution is provided by root hints, Windows Server 2008 DNS may … domains like .co.uk, .cn, and .br, but is not limited to these domains. …
http://support.microsoft.com/kb/968372


 


Upgrading to Windows 2008 R2?


Also, when upgrading to Windows 2008 R2, it will not revert to TCP, which eliminates the issue when attempting a query. The only fix for this is to either disable EDNS0, or use a Forwarder to an ISP. I suggest using a Forwarder because I do not agree with disabling EDNS0 just to make it work for the few DNS servers out there that do not support EDNS0. EDNS0 has been around since 1998, and if no one has bothered to update their name server to support the latest industry standards, I do not feel that we should disable a service to accommodate those servers, especially since EDNS0 was designed to improve resolution efficiency and add some security enhancements. Simply creating a Forwarder will take care of the problem. More info on 2008 R2 is in the following link, but like I said, I do not agree with disabling the feature on the server.


Windows Server 2008 R2 DNS Issues
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx


There are more articles cited in the Related Links section below with more information on EDNS0.


 


How to use NSLOOKUP to test EDNS0


You can test whether EDNS0 is working or not by using nslookup with the set vc option, which forces TCP only. This will also tell you if the response goes through as TCP and not UDP.


For an example query, you can use nslookup to query for Yahoo’s MX records. You will be able to see how large the response is. If you count each line (each line is 80 bytes), it’s more than 512 bytes. If you see a 10-line response when using the set vc switch, but don’t when you run nslookup by default, then it’s clearly an EDNS0 issue.


EDNS0 packet sizes


Keep in mind, non-EDNS0 is limited to UDP packets of 512 bytes. Nslookup and queries in general, default to UDP, and Windows 2003 defaults to using UDP & EDNS0.


Keep in mind, EDNS0 uses UDP packet sizes up to 1280 bytes by default. If the response doesn’t have your answer in a response of that size, then the record you’re looking for probably doesn’t exist.


nslookup
> set q=mx  (this changes the query type to search for Mail Exchanger (MX) records)
> microsoft.com


Does a response return or does it error out?
If it errors out, try yahoo.com. If that errors out too, try the following commands:


> set vc       (the “set vc” switch forces nslookup to use TCP)


> yahoo.com
Server:  london.nwtraders.msft
Address:  192.168.5.200


Non-authoritative answer:
yahoo.com       MX preference = 1, mail exchanger = mx2.mail.yahoo
yahoo.com       MX preference = 1, mail exchanger = mx3.mail.yahoo
yahoo.com       MX preference = 5, mail exchanger = mx4.mail.yahoo
yahoo.com       MX preference = 1, mail exchanger = mx1.mail.yahoo


yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
mx2.mail.yahoo.com      internet address = 67.28.114.35
mx2.mail.yahoo.com      internet address = 67.28.114.36
mx2.mail.yahoo.com      internet address = 4.79.181.13
mx2.mail.yahoo.com      internet address = 64.156.215.8
mx3.mail.yahoo.com      internet address = 64.156.215.5
mx3.mail.yahoo.com      internet address = 64.156.215.6
mx3.mail.yahoo.com      internet address = 4.79.181.12
mx3.mail.yahoo.com      internet address = 64.156.215.18
mx4.mail.yahoo.com      internet address = 66.218.86.156
mx4.mail.yahoo.com      internet address = 67.28.113.19
mx4.mail.yahoo.com      internet address = 68.142.202.11
mx4.mail.yahoo.com      internet address = 68.142.202.12
mx1.mail.yahoo.com      internet address = 67.28.113.11
mx1.mail.yahoo.com      internet address = 4.79.181.14
mx1.mail.yahoo.com      internet address = 4.79.181.15
mx1.mail.yahoo.com      internet address = 67.28.113.10
ns5.yahoo.com   internet address = 216.109.116.17
ns1.yahoo.com   internet address = 66.218.71.63
ns2.yahoo.com   internet address = 66.163.169.170
ns3.yahoo.com   internet address = 217.12.4.104
ns4.yahoo.com   internet address = 63.250.206.138
>


If you see the above response with the set vc and not before it or only a partial set before using the set vc switch, then it is clearly an EDNS0 issue on the router.


The set vc switch tells nslookup to use TCP instead of UDP. If it works with the vc switch and not without it, then it is an EDNS0 block. I provided hotmail.com as an example because its response is definitely greater than 512 bytes. You can also leave the query type at its default instead of setting it to ‘mx’ when you invoke nslookup, and then try aol.com, microsoft.com, or yahoo.com as examples with large responses.


 


Related Links


EDNS: What is all about?
By Chris Spanougakis, MCT, MVP DS
http://spanougakis.wordpress.com/2011/05/01/edns-what-is-all-about-2/


An External DNS Query May Cause an Error Message in Windows Server 2003:
http://support.microsoft.com/?id=828731


Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS Server to Windows Server 2003:
http://support.microsoft.com/?id=832223


Using Extension Mechanisms for DNS (EDNS0)
“The OPT record is sent from the querying DNS server when it sends out a query to another DNS server, where the packet tells the other DNS server that it supports UDP and what its max supported packet size is.”
http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx




In summary: Don’t disable it.


Questions, comments, corrections, and suggestions are welcomed!
Ace Fekay
