Re: Can't Resolve Certain internet DNS names



This information pointed me to the resolution thank you!
Our firewall was already using 1500 MTU, but the Checkpoint SmartDefense
rule was blocking it as though it were an illegal, non-RFC-compliant packet.

Why are some websites using non-RFC compliant packets for DNS?
Am I jeopardizing our network by allowing such packets?

Here is a description of the rule I had to turn off to resolve this problem:

"SmartDefense is able to recognize an illegal DNS packet. This ability
enables SmartDefense to catch potentially harmful packets before they enter
the network.

SmartDefense enables a system administrator to enforce TCP and UDP
protocols. Only legal DNS packets sent over TCP or UDP will be able to enter
the network. In this case, all DNS port connections over UDP and TCP will be
monitored to verify that every DNS packet attempting to enter the network is
legal (that is, RFC compliant)."

Thanks again for being so speedy and accurate!



"Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in message
news:u$VVcaihFHA.2072@xxxxxxxxxxxxxxxxxxxxxxx
> In news:GhvAe.29231$SQ1.5816@xxxxxxxx,
> hamm3r <hammer@xxxxxxxxxxxxxxxxxxxxxxx> posted this:
>> I posted this over in microsoft.public.windows.networking a few days
>> ago, but got no responses.
>> I hadn't realized there was a dedicated DNS newsgroup for Windows.
>>
>> Hopefully someone can help me, because I cannot figure out my next
>> troubleshooting step.
>>
>> It seems as though ~99% of our internet hosts resolve with no
>> problem, but there are some that will not resolve and I can't figure
>> out why. We are using DNS Server on Windows 2003 Server Standard with
>> all of the latest service packs.
>>
>> We are not using forwarders but are using the root hints servers for
>> all internet resolution. All DNS servers are pointing only to
>> themselves for DNS resolution.
>>
>> ******* Here is an example for a working resolution done from an
>> external host:
>>
>> #> nslookup www.businessdirect.att.com
>> Server: 217.160.251.251
>> Address: 217.160.251.251#53
>>
>> Non-authoritative answer:
>> www.businessdirect.att.com canonical name = cp.eia.att.com.
>> Name: cp.eia.att.com
>> Address: 192.20.5.62
>> *******Here is a nonworking nslookup from inside our network:
>>
>> #> nslookup www.businessdirect.att.com
>> Server: 10.101.25.22
>> Address: 10.101.25.22#53
>>
>> Non-authoritative answer:
>> www.businessdirect.att.com canonical name = cp.eia.att.com.
>>
>> (It finds the canonical name but never resolves it).
>>
>
> If Win2k3 cannot resolve a CNAME record it is usually because you are
> behind
> a firewall that blocks EDNS packets (UDP packets of more than 512 bytes).
> The best way to fix is to configure the firewall to allow UDP packets up
> to
> 1500 bytes (internet MTU). You can also disable the EDNS mechanism on the
> DNS server, but this reduces DNS efficiency because queries that won't fit
> into a single UDP packet will have to be answered using TCP which requires
> more overhead to set up and is therefore not as efficient.
>
> 828731 - An External DNS Query May Cause an Error Message in Windows
> Server
> 2003
> http://support.microsoft.com/default.aspx?scid=kb;en-us;828731
>
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
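The exchange above turns on one detail: the "illegal DNS packet" rule treats the RFC 1035 limit of 512 bytes for UDP DNS as a hard ceiling, while RFC 2671 (EDNS0) lets a resolver advertise a larger UDP payload size in an OPT pseudo-record, so a perfectly legal answer with a CNAME and several address records can exceed 512 bytes. The following script is an added example, not code from the thread or from Check Point or Microsoft. It builds an EDNS query and a constructed oversize response for the names in the thread (the 192.20.5.x addresses beyond .62 are made up), walks the wire format to detect the OPT record, and compares a 512-byte "classic" filter verdict with an EDNS-aware one that caps at the DNS payload that fits a 1500-byte MTU. Standard library only, no network I/O.

```python
"""Added example: why a 512-byte 'legal DNS packet' rule drops EDNS0 answers."""
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035 UDP limit a pre-EDNS filter enforces
MTU_DNS_PAYLOAD = 1500 - 20 - 8  # 1500-byte MTU minus IPv4 and UDP headers
TYPE_A, TYPE_CNAME, TYPE_OPT = 1, 5, 41
CLASS_IN = 1


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in the zero root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(data, offset):
    """Return the offset just past a name, honouring RFC 1035 compression pointers."""
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # pointer: two bytes, and the name ends here
            return offset + 2
        offset += 1
        if length == 0:
            return offset
        offset += length


def rr(owner, rtype, ttl, rdata):
    """One resource record: owner name, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def opt_rr(udp_payload_size):
    """EDNS0 OPT pseudo-RR (RFC 2671): root owner, TYPE 41, CLASS = sender's UDP
    payload size, TTL = extended RCODE/version/flags, empty RDATA (no options)."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(qname, udp_payload_size=4096):
    """Recursive A query carrying an OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # RD=1, QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + opt_rr(udp_payload_size)


def build_response(qname, cname, addresses, with_edns=True):
    """Constructed answer: qname CNAME cname, then one A RR per address. Names are
    left uncompressed so the message grows quickly, which is the point."""
    arcount = 1 if with_edns else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1 + len(addresses), 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = rr(qname, TYPE_CNAME, 300, encode_name(cname))
    for addr in addresses:
        answers += rr(cname, TYPE_A, 300, bytes(int(o) for o in addr.split(".")))
    return header + question + answers + (opt_rr(4096) if with_edns else b"")


def inspect(data):
    """Walk a DNS message and report its size and whether it carries EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4            # skip QTYPE + QCLASS
    advertised = None
    for _ in range(an + ns + ar):
        offset = skip_name(data, offset)
        rtype, rclass, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlength
        if rtype == TYPE_OPT:
            advertised = rclass                           # payload size lives in CLASS
    return {
        "length": len(data),
        "edns": advertised is not None,
        "advertised_payload": advertised,
        "over_classic_limit": len(data) > CLASSIC_UDP_LIMIT,
    }


def classic_filter(data):
    """Rule of the kind the thread turned off: anything over 512 bytes is 'illegal'."""
    return "drop" if len(data) > CLASSIC_UDP_LIMIT else "pass"


def edns_aware_filter(data, max_payload=MTU_DNS_PAYLOAD):
    """Accept oversize messages only when they carry OPT and still fit the path MTU."""
    info = inspect(data)
    if info["length"] <= CLASSIC_UDP_LIMIT:
        return "pass"
    return "pass" if info["edns"] and info["length"] <= max_payload else "drop"


if __name__ == "__main__":
    # Constructed: a CNAME plus 20 A records pushes the answer well past 512 bytes.
    big = build_response("www.businessdirect.att.com", "cp.eia.att.com",
                         ["192.20.5.%d" % i for i in range(1, 21)])
    print(inspect(big), classic_filter(big), edns_aware_filter(big))
```

Run it and the oversize answer is reported as 709 bytes with EDNS present: the classic rule says "drop", the EDNS-aware rule says "pass". A response with no OPT record that nonetheless exceeds 512 bytes is still dropped by the EDNS-aware check, so relaxing the rule this way does not mean accepting arbitrary oversize UDP on port 53.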




