Mr. Tweak - Windows Network & Admin Tweaks

Windows network, systems, and software Administration Tips & Tricks


Email or Routing Issues with Mixed-Windows 2000/2003 Domains? Does Your Firewall Support EDNS?

While upgrading Windows 2003 servers to the new R2 feature pack, we brought a newly-imaged Windows 2000 test server into the main domain as a backup while one or more Windows 2003 servers were upgrading. About 2 days after we started the upgrades we noticed some unexpected email non-delivery (NDR) messages. The email wasn’t being delivered because the target domain wasn’t found, even after 2 days of retries by our Exchange servers. Yet the NDRs primarily happened with email sent to major domains (like yahoo.com, aol.com, gmail.com, etc.), and the majority of messages to those domains were delivered successfully. Initially I expected that our own or our ISP’s DNS servers were being attacked. A type of attack known as DNS cache poisoning is used either to deny outbound services or to redirect traffic to the attacker’s own systems (usually in hopes of searching it for personal or financial data).

After a good deal of time dealing with our ISP and getting nowhere, one of our sysAdmins found an obscure note that Windows 2003’s DNS server supports Extended DNS (EDNS - UDP packets of more than 512 bytes) by default. Windows 2000 server doesn’t support EDNS (also, some older routers or severely hardened firewalls refuse to pass UDP packets over 512 bytes) and the recently installed Windows 2000 server was acting as a backup DNS server for our WAN. The sysAdmin removed the Windows 2000 DNS services and the NDR’s stopped immediately.

In this case we had actually caused our own problem by adding an older system to backup “non-essential” domain services. With Windows 2003 installed throughout the domain we were advertising that we could handle EDNS, but the Windows 2000 server couldn’t handle it. The few email messages that, by chance, repeatedly requested DNS info from the Windows 2000 server failed to be delivered to domains that had probably cached our EDNS usage.

Note: It’s also possible to disable EDNS on Windows 2003 servers to make them compatible with older router and firewall systems that don’t support large UDP packets, or with firewall policies that don’t allow those large UDP packets. Just run “dnscmd /Config /EnableEDnsProbes 0” at the command line.
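To confirm the symptom described above before changing server settings, here is an added diagnostic (not from the original post): a minimal EDNS0 probe in Python that sends the same A query to a DNS server twice, once with an OPT record advertising a 4096-byte UDP buffer and once without, and parses each reply for an OPT RR. The server address you pass to probe(), the example.com query name and the two sample responses are assumptions constructed for this example.

```python
import random
import socket
import struct

def build_query(name, edns=True, udp_payload=4096):
    """A-record query; with edns=True an OPT RR advertises a udp_payload-byte (>512) reply buffer."""
    header = struct.pack("!HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:  # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext. RCODE/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return msg

def _skip_name(msg, off):  # step over a label sequence or a 2-byte compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def response_has_opt(msg):
    """True if the message carries an OPT RR (type 41), i.e. the responder itself speaks EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return True
        off += 10 + rdlen
    return False

def probe(server, name="example.com", timeout=3.0):
    """Plain answered but EDNS None (timeout): the server or a firewall in the path drops EDNS / UDP > 512."""
    out = {}
    for label, edns in (("edns", True), ("plain", False)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns), (server, 53))
            try:
                resp = s.recvfrom(4096)[0]
                out[label] = {"size": len(resp), "truncated": bool(resp[2] & 0x02), "opt": response_has_opt(resp)}
            except socket.timeout:
                out[label] = None
    return out

# Constructed samples (not captured traffic): the same example.com answer with and without an OPT RR.
_BODY = b"\x07example\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"
SAMPLE_PLAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _BODY
SAMPLE_EDNS_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _BODY + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
```

Run probe() against each DNS server in the domain in turn: a Windows 2000 backup like the one in the post answers the plain query but returns no OPT RR (or times out) for the EDNS one, while a filtering firewall shows up as an EDNS timeout on every server behind it.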
