EDNS0 (Extension mechanisms for DNS)
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
Published 10/11/2010
Updated 6/27/2011 – Added link.
Updated 6/20/2012 –
Preface
Windows 2003 and newer operating systems support EDNS0 (Extension Mechanisms for DNS). The first set of EDNS0 extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671.
EDNS0 supports a UDP query response larger than 512 bytes. Using the legacy method, UDP was used only as long as the DNS query was under 512 bytes; over 512 bytes, the exchange was switched to TCP. With EDNS0, UDP responses up to the full 1500 bytes are allowed, bypassing the extra step of switching to TCP and hence increasing efficiency.
Here’s a quick nslookup test to see whether EDNS0 is being blocked, for example by an EDNS0 restriction in your firewall:
nslookup -type=TXT rs.dns-oarc.net
Or, if you want to test a specific DNS server for EDNS0 support, whether an internal or external DNS server, use the following method:
c:\>nslookup
> server 4.2.2.2   (you can change this IP to whatever DNS server you want to test for EDNS0 support)
> set q=txt
> rs.dns-oarc.net
Look for the part in the response that says “…DNS reply size limit is at least xxxx.” The xxxx is the size it will support. If it’s under 512, then something is blocking EDNS0, or the Forwarder you are using is blocking it or is not allowed/configured to use EDNS0.
Should I disable it because my firewall doesn’t support it?
Good question. Of course the proper answer is no: upgrade either the firewall’s IOS or the firewall itself so it supports EDNS0 traffic. Older firewalls that do not support it, or newer ones that do support it but haven’t been enabled to allow this type of traffic, will look at it as a DNS attack.
It’s recommended to upgrade your router/firewall to support the industry standard, but as a workaround you can disable this feature in Windows 2003 by using dnscmd (available by installing the Support Tools from the Windows 2003 CD-ROM):
dnscmd /config /enableednsprobes 0
I would rather enable it on the firewall or upgrade the firewall than have to disable it on each individual DNS server. Alternatively, you can simply configure a Forwarder to your ISP, which will bypass your legacy firewall’s lack of EDNS0 support. However, if strictly using Root Hints, the recommendation is to upgrade the firewall.
Cisco PIX and ASA EDNS0 support
The Cisco PIX and ASA models, which I am familiar with, do support EDNS0; however, it’s not enabled by default out of the box. You’ll need to run a command to enable it, or enable it within the PDM GUI. In the following examples, using the command line while telnetted into an ASA, I’ve set the maximum-length to 1280 bytes, because 1280 bytes was the recommendation in the original IETF draft. However, if using DNSSEC, you’ll need to bump it higher.
To support proper resolution and to support DNSSEC, set the max UDP size to 4096:
fixup protocol dns maximum-length 4096
fixup protocol dns 4096
Cisco ASA 55xx series (assuming using the latest IOS 8.3.2ED and newer)
Configuration > Firewall > Advanced > Objects > Inspect Maps > DNS
If a “preset_dns_map” policy doesn’t exist:
Click Add
Type in preset_dns_map
Next to “Security Level,” click the Details button
Select the Filter tab
Change “Maximum Packet Length” from 512 to 4096
Click OK
File > “Save Running Configuration to Flash” (also suggest saving it to TFTP)
If a “preset_dns_map” policy does exist:
Right-click “preset_dns_map”
Choose “Edit”
Next to “Security Level,” click the Details button
Select the Filter tab
Change “Maximum Packet Length” from 512 to 4096
Click OK
File > “Save Running Configuration to Flash” (also suggest saving it to TFTP)
Or, for ASA 55xx series up to 8.3 (8.3 and newer is different):
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
And to increase the response size length:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
For ASA 55xx series with 8.4 and newer:
policy-map type inspect dns EDNS0
 parameters
  message-length maximum 4096
policy-map global-policy
 class global-class
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect http
  inspect dns EDNS0 dynamic-filter-snoop
  inspect esmtp
For more information on Cisco’s IOS commands, please read the following link:
Preparing for DNSSEC: Best Practices, Recommendations, and Tips for Successful Implementation
http://www.cisco.com/web/about/security/intelligence/dnssec.html
Cisco PIX / ASA and DNSSEC problem approaching on May 5th?
(This link has info on the ASA and PIX commands for EDNS0):
https://supportforums.cisco.com/thread/2013390
More info on DNSSEC and EDNS0:
Windows client and server operating system compatibility with DNSSEC enabled root servers.
“Per RFC 4035, UDP packet sizes up to 1220 bytes MUST be supported and packets up to 4000 bytes SHOULD be supported. Windows Server 2008 R2 uses a default packet size of 4096 bytes by default.”
http://support.microsoft.com/kb/2028240
In my opinion, it should be set to 4096.
I have problems accessing or resolving Yahoo, AOL, Hotmail and a number of other sites
The reason Yahoo, AOL and other domains have resolution issues is that some of these domains have a huge amount of data, so the response is larger than 512 bytes, and the firewall or router does not support EDNS0.
The solution is to enable EDNS0 support in the edge firewall. If it doesn’t support it, or its IOS can’t be upgraded to support it, then it must be replaced. A Forwarder can overcome the EDNS0 limitation.
DNS not able to resolve some domains such as .UK.
If DNS is not able to resolve TLDs such as .uk, there is a workaround. The easiest workaround is to use Forwarders. There are other workarounds, but I would suggest Forwarders as the easiest. There are many pros and cons with Forwarders, though, and one of the cons is that many corporate SLAs do not allow them.
Can’t access any .co.uk sites from our Windows network (using Windows 2008 DNS).
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24214068.html
2008 DNS Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/essentialbusinessserver/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
Windows Server 2008 DNS Servers may fail to resolve queries for …Feb 25, 2009 … When name resolution is provided by root hints, Windows Server 2008 DNS may … domains like .co.uk, .cn, and .br, but is not limited to these domains. …
http://support.microsoft.com/kb/968372
Upgrading to Windows 2008 R2?
Also, when upgrading to Windows 2008 R2, it will not revert to TCP, which eliminates the issue when attempting a query. The only fix for this is either to disable EDNS0 or to use a Forwarder to an ISP. I suggest using a Forwarder, because I do not agree with disabling EDNS0 just to make it work for the few DNS servers out there that do not support EDNS0. EDNS0 has been around since 1998, and if no one has bothered to update their name server to support the latest industry standards, I do not feel that we should disable a service to accommodate those servers, especially as EDNS0 was designed to improve resolution efficiency, as well as to provide some security enhancements. Simply creating a Forwarder will take care of the problem. More info on 2008 R2 in the following link, but like I said, I do not agree with disabling the feature on the server.
Windows Server 2008 R2 DNS Issues
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx
There are more articles cited in the Related Links section below with more information on EDNS0.
How to use NSLOOKUP to test EDNS0
You can test whether EDNS0 is working by using nslookup with the set vc option, which forces TCP only. This will also tell you if the response goes through as TCP and not UDP.
For an example query, you can use nslookup to query for Yahoo’s MX records. You will be able to see how large the response is. If you count each line (each line is 80 bytes), it’s more than 512 bytes. If you see a 10-line response when using the set vc switch, but don’t when you run nslookup by default, then it’s clearly an EDNS0 issue.
EDNS0 packet sizes
Keep in mind, non-EDNS0 is limited to UDP packets of 512 bytes. Nslookup, and queries in general, default to UDP, and Windows 2003 defaults to using UDP and EDNS0.
Keep in mind, EDNS0 uses UDP packet sizes up to 1280 bytes by default. If the response doesn’t have your answer within a response of that size, then the record you’re querying for probably doesn’t exist.
nslookup
> set q=mx   (this changes the query type to search for Mail Exchanger (MX) records)
> microsoft.com
Does a response return, or does it error out?
If it errors out, try yahoo.com. If that errors out too, try the following commands:
> set vc   (the “set vc” switch forces nslookup to use TCP)
> yahoo.com
Server: london.nwtraders.msft
Address: 192.168.5.200
Non-authoritative answer:
yahoo.com MX preference = 1, mail exchanger = mx2.mail.yahoo
yahoo.com MX preference = 1, mail exchanger = mx3.mail.yahoo
yahoo.com MX preference = 5, mail exchanger = mx4.mail.yahoo
yahoo.com MX preference = 1, mail exchanger = mx1.mail.yahoo
yahoo.com nameserver = ns5.yahoo.com
yahoo.com nameserver = ns1.yahoo.com
yahoo.com nameserver = ns2.yahoo.com
yahoo.com nameserver = ns3.yahoo.com
yahoo.com nameserver = ns4.yahoo.com
mx2.mail.yahoo.com internet address = 67.28.114.35
mx2.mail.yahoo.com internet address = 67.28.114.36
mx2.mail.yahoo.com internet address = 4.79.181.13
mx2.mail.yahoo.com internet address = 64.156.215.8
mx3.mail.yahoo.com internet address = 64.156.215.5
mx3.mail.yahoo.com internet address = 64.156.215.6
mx3.mail.yahoo.com internet address = 4.79.181.12
mx3.mail.yahoo.com internet address = 64.156.215.18
mx4.mail.yahoo.com internet address = 66.218.86.156
mx4.mail.yahoo.com internet address = 67.28.113.19
mx4.mail.yahoo.com internet address = 68.142.202.11
mx4.mail.yahoo.com internet address = 68.142.202.12
mx1.mail.yahoo.com internet address = 67.28.113.11
mx1.mail.yahoo.com internet address = 4.79.181.14
mx1.mail.yahoo.com internet address = 4.79.181.15
mx1.mail.yahoo.com internet address = 67.28.113.10
ns5.yahoo.com internet address = 216.109.116.17
ns1.yahoo.com internet address = 66.218.71.63
ns2.yahoo.com internet address = 66.163.169.170
ns3.yahoo.com internet address = 217.12.4.104
ns4.yahoo.com internet address = 63.250.206.138
>
If you see the above response with set vc but not before it, or only a partial set before using the set vc switch, then it is clearly an EDNS0 issue on the router.
The set vc switch tells it to use TCP instead of UDP. If it works with the vc switch and not without it, then it is an EDNS0 block. I provided hotmail.com as an example because its response is definitely greater than 512 bytes. You can also leave the query type at its default rather than setting it to ‘mx’ when you invoke nslookup, and then try aol.com, microsoft.com or yahoo.com, as some examples with large responses.
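As an added example (not code from the original post), here is what the rs.dns-oarc.net test and the set vc test above are looking at on the wire, in Python: the EDNS0 OPT pseudo-record a probing resolver puts in its query (advertising the UDP payload size, 4096 here as recommended above), the TC flag in a reply that forces the fallback to TCP which set vc forces by hand, and the UDP size the responder advertises back in its own OPT record. The replies it inspects are constructed samples, not captured traffic, so it runs offline.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_edns0_query(name, qtype=16, udp_size=4096, txid=0x1234):
    # Header: id, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # 16 = TXT, 1 = IN
    # OPT RR: root name, TYPE 41, CLASS field = advertised UDP payload size, TTL field = 0, RDLENGTH 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)

def skip_name(pkt, off):
    # Advance past a wire-format name; a compression pointer (0xC0..) ends it
    while pkt[off] & 0xC0 != 0xC0:
        if pkt[off] == 0:
            return off + 1
        off += 1 + pkt[off]
    return off + 2

def inspect_response(pkt):
    # Reply size, the TC flag (forces a retry over TCP) and the responder's advertised UDP size
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, edns_udp_size = 12, None
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:                               # OPT: CLASS carries the UDP size
            edns_udp_size = rclass
        off += 10 + rdlen
    return {"size": len(pkt), "truncated": bool(flags & 0x0200), "edns_udp_size": edns_udp_size}

def classify(summary):
    if summary["truncated"]:
        return "truncated: retry over TCP"
    if summary["edns_udp_size"] is None:
        return "no OPT in reply: EDNS0 not spoken end to end, 512-byte UDP limit applies"
    return "EDNS0 reply: responder accepts UDP up to %d bytes" % summary["edns_udp_size"]

def constructed_reply(truncated, with_opt):
    # Constructed sample reply (not captured traffic): echoed question, one TXT answer, optional OPT RR
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("rs.dns-oarc.net") + struct.pack("!HH", 16, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, 12) + b"\x0bconstructed"
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if with_opt else b""
    return header + question + answer + opt
```

A reply that comes back truncated with no OPT record is the case the set vc test exposes; a firewall that drops the larger UDP packets outright shows up as no reply at all rather than a truncated one.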
Related Links
EDNS: What is all about?
By Chris Spanougakis, MCT, MVP DS
http://spanougakis.wordpress.com/2011/05/01/edns-what-is-all-about-2/
An External DNS Query May Cause an Error Message in Windows Server 2003:
http://support.microsoft.com/?id=828731
Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS Server to Windows Server 2003:
http://support.microsoft.com/?id=832223
Using Extension Mechanisms for DNS (EDNS0)
“The OPT record is sent from the querying DNS server when it sends out a query to another DNS server, where the packet tells the other DNS server that it supports UDP and what its max supported packet size is.”
http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx
In summary: Don’t disable it.
Questions, comments, corrections, and suggestions are welcomed!
Ace Fekay