EDNS0 (Extension mechanisms for DNS)

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Published 10/11/2010
Updated 6/27/2011 – Added link.
Updated 6/20/2012 –

Preface

Windows 2003 and newer operating systems support EDNS0 Extension mechanisms for DNS). The first set of EDNS0 extensions were published in 1999 by the Internet Engineering Task Force as RFC 2671.

EDNS0 supports a UDP query response larger than 512 bytes. Using the legacy method, UDP was used only as long as the DNS query was under 512 bytes. Over 512bytes, it changed it to TCP. With EDNS0, it allows UPD responses up to the full 1500 bytes bypassing the extra process step required to change to TCP, hence increasing efficiency.

Here’s a quick test to see if it is disabled or not:

Here’s a quick nslookup command to test if there’s an EDNS0 restriction in your firewall:
nslookup -type=TXT rs.dns-oarc.net

Or if you want to test a specific DNS server for EDNS0 support, whether an internal or external DNS server, use the following method:

c:\>nslookup
> server 4.2.2.2 <—- you can change this IP to whatever DNS server you want to test for EDSN0 support
> set q=txt
> rs.dns-oarc.net

Look for the part in the response that says, ” …DNS reply size limit is at least xxxx.” The xxxx is what it will support. If it’s under 512, then it is blocking EDNS0 or the Forwarder you are using is blocking or not allowing/configured to use EDNS0.

Should I disable it because my firewall doesn’t support it?

Good question. Of course the proper answer is no, and upgrade either ther firewall IOS or firewall itself so it supports EDNS0 traffic. Older firewalls that do not support it, or newer ones that do support it but hasn’t been enabled to allow this type of traffic, will look at it as a DNS attack.

It’s recommended to upgrade your router/firewall to support the new industry standard, but as a workaround, you can disable this feature in Windows 2003 by using dnscmd (available by installing the support tools from the Windows 2003 CDROM):

dnscmd /config /enableednsprobes 0

I would rather enable it on the firewall or upgrade the firewall, instead of having to disable it on each individual DNS server. Or you can also simply configure a Forwarder to your ISP, which will bypass your legacy firewall’s lack of EDNS0 support. However if stricly using Root Hints, the recommendation is to upgrade the firewall.

Cisco PIX and ASA EDNS0 support

The Cisco PIX and ASA models, which I am familiar with, do support EDNS0, however it’s not enabled by default out of the box. You’ll need to run a command to enable it, or enabled it within the PDM GUI. In the following examples, using a command line while telnetted into an ASA, I’ve set the maximum-length to 1280 bytes, because 1280 bytes was based on the recommendation in the original IETF draft. However, if using DNSSEC, you’ll need to bump it higher.

To support proper resolution and to support DNSSEC, set the max UDP size to 4096:

fixup protocol dns maximum-length 4096
fixup protocol dns 4096

Cisco ASA 55xx series (assuming using the latest IOS 8.3.2ED and newer)
   Configuration
     Firewall
       Advanced
         Objects
           Inspect Maps
             DNS
               If a “preset_dns_map policy doesn’t exist
                   click on Add
                   type in preset_dns_map
                   Next to “Security Level,” click the Details button
                  Select the Filter tab
                   Change “Maximum Packet Length” from 512 to 4096
                   Click OK
                   File, “save Running Configuration to Flash (also suggest to save it to TFTP)
               If a “preset_dns_map policy does exist
                   Right-Click “preset_dns_map”
                   Choose “Edit”
                   Next to “Security Level,” click the Details button
                  Select the Filter tab
                   Change “Maximum Packet Length” from 512 to 4096
                   Click OK
                   File, “save Running Configuration to Flash (also suggest to save it to TFTP)

For ASA 55xx series up to 8.3 (8.3 and newer is different)
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096

And To increase the response size length:
Policy-map global_policy
class inspection_default
inspect dns preset_dns_map

For ASA 55xx series with 8.4 and newer:
policy-map type inspect dns EDNS0
parameters
message-length maximum 4096

policy-map global-policy
class global-class
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect http
inspect dns EDNS0 dynamic-filter-snoop
inspect esmtp

For more information on Cisco’s IOS commands, please read the following link:
Preparing for DNSSEC: Best Practices, Recommendations, and Tips for Successful Implementation
http://www.cisco.com/web/about/security/intelligence/dnssec.html

Cisco PIX / ASA and DNSSEC problem approaching on May 5th?
(This link has info on the ASA and PIX commands for EDNS0):
https://supportforums.cisco.com/thread/2013390

More info on DNSSEC and EDNS0:

Windows client and server operating system compatibility with DNSSEC enabled root servers.
“Per RFC 4035, UDP packet sizes up to 1220 bytes MUST be supported and packets up to 4000 bytes SHOULD be supported. Windows Server 2008 R2 uses a default packet size of 4096 bytes by default. “
http://support.microsoft.com/kb/2028240

In my opinion, it should be set to 4096.

I have problems accessing or resolving Yahoo, AOL, Hotmail and a number of other sites

The reason why Yahoo, AOL and other domains have resolution issues is because some of these domain have a huge amount of data, therefore the response is larger than 512 bytes, and the firewall or router does not support EDNS0.

The solution is to enable EDNS0 support in the edge firewall. If it doesn’t support it or the IOS can’t be upgraded to support it, the must be replaced. A Forwarder can overcome the EDNS0 limitation.

DNS not able to resolve some domains such as .UK.

If DNS is not able to resolve TLDs such as .uk, there is a work around. The easiest work around is to use Forwarders. There are other workarounds, but I would suggest Forwarders as the easiest, but there are many pros and cons with Forwarders, and some of the cons indicate many corporate SLAs do not allow.

Can’t access any .co.uk sites from our Windows network (using Windows 2008 DNS).
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24214068.html

2008 DNS Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/essentialbusinessserver/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx

Windows Server 2008 DNS Servers may fail to resolve queries for …Feb 25, 2009 … When name resolution is provided by root hints, Windows Server 2008 DNS may … domains like .co.uk, .cn, and .br, but is not limited to these domains. …
http://support.microsoft.com/kb/968372

Upgrading to Windows 2008 R2?

Also, when upgrading to Windows 2008 R2, it will not revert to TCP, which eliminates the issue when attempting a query. The only fix for this is to either disable EDNS0, or use a Forwarder to an ISP. I suggest using a Forwarder because I do not agree to disable EDNS0 just to make it work for the few DNS servers out there that do not support EDNS0. EDNS0 has been around since 1998, and if no one has bothered to update their name server to support the latest industry standards, I do not feel that we should disable a service to accomodate those servers, as well as that EDNS0 was designed to improve resolution efficiency, as well as some security enhancements. Simply creating a Forwarder will take care of the problem. More info on 2008 R2 in the following link, but like I said, I do not agree with disabling the feature on the server.

Windows Server 2008 R2 DNS Issues
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

There are more articles cited in the Related Links section below with more information on EDNS0.

How to use NSLOOKUP to test EDNS0

You can test is EDNS0 is working or not by using nslookup with the set vc option, which forces TCP only. This will also tell you if the response goes thru as TCP and not UDP.

For an example query, you can use nslookup to query for Yahoo’s MX records. You will be able to see how large the response is. If you count each line, (each line is 80 bytes), it’s more than 512 bytes. If you see a 10 line response when using the set vc switch, but don’t when you run nslookup by default, then it’s clearly an EDNS0 issue.

ENDNS0 packet sizes

Keep in mind, non-EDNS0 is limited to UDP packets of 512 bytes. Nslookup and queries in general, default to UDP, and Windows 2003 defaults to using UDP & EDNS0.

Keep in mind, EDNS0 uses UDP packets sizes up to 1280 bytes by default. If the response doesn’t have your answer in that size of a response, then the query you’re looking for probably doesn’t exist.

nslookup
> set q=mx (this change the query type to search for Mail Exchanger (MX) records)
>microsoft.com

Does a response return or does it error out?
If it errors out, try yahoo.com. If that errors out too, try the following commands:

> set vc (the “set vc” switch forces nslookup to useTCP)

> yahoo.com
Server: london.nwtraders.msft
Address: 192.168.5.200

Non-authoritative answer:
yahoo.com       MX preference = 1, mail exchanger = mx2.mail.yahoo
yahoo.com       MX preference = 1, mail exchanger = mx3.mail.yahoo
yahoo.com       MX preference = 5, mail exchanger = mx4.mail.yahoo
yahoo.com       MX preference = 1, mail exchanger = mx1.mail.yahoo

yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
mx2.mail.yahoo.com      internet address = 67.28.114.35
mx2.mail.yahoo.com      internet address = 67.28.114.36
mx2.mail.yahoo.com      internet address = 4.79.181.13
mx2.mail.yahoo.com      internet address = 64.156.215.8
mx3.mail.yahoo.com      internet address = 64.156.215.5
mx3.mail.yahoo.com      internet address = 64.156.215.6
mx3.mail.yahoo.com      internet address = 4.79.181.12
mx3.mail.yahoo.com      internet address = 64.156.215.18
mx4.mail.yahoo.com      internet address = 66.218.86.156
mx4.mail.yahoo.com      internet address = 67.28.113.19
mx4.mail.yahoo.com      internet address = 68.142.202.11
mx4.mail.yahoo.com      internet address = 68.142.202.12
mx1.mail.yahoo.com      internet address = 67.28.113.11
mx1.mail.yahoo.com      internet address = 4.79.181.14
mx1.mail.yahoo.com      internet address = 4.79.181.15
mx1.mail.yahoo.com      internet address = 67.28.113.10
ns5.yahoo.com   internet address = 216.109.116.17
ns1.yahoo.com   internet address = 66.218.71.63
ns2.yahoo.com   internet address = 66.163.169.170
ns3.yahoo.com   internet address = 217.12.4.104
ns4.yahoo.com   internet address = 63.250.206.138
>

If you see the above response with the set vc and not before it or only a partial set before using the set vc switch, then it is clearly an EDNS0 issue on the router.

The set vc switch tells it to use TCP instead of UDP. If it works with the vc switch, and not without it, then it is an EDNS0 block. I provided hotmail.com as an example because it’s response is definitely greater than 512 bytes. You can also not set it to ‘mx’ and leave it default when you invoke nslookup, and then try aol.com, microsoft.com, yahoo.com, as some examples with large responses.

In summary: Don’t disable it.

Questions, comments, corrections, and suggestions are welcomed!
Ace Fekay