Re: SBS Unable to resolve domain but Bind can?



Read inline please.

In news:FA2679C9-8124-4846-A877-D15B966B9C32@xxxxxxxxxxxxx,
Andrew <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I have a SBS 2003 Server with the DNS server set to use root hints
and no forwarders. The SBS server is unable to resolve some domains
but if I install bind (on the same network and the rest) it can
resolve those domains?

I have tried adjusting a few settings like round robin, recursion and
the odd regedit, but no luck.

Is there any tool that will help diagnose why this is happening?

Using bind or forwarders is out of the question as I would like to
understand why this problem is happening rather than using a
workaround.

Just guessing, there is a good chance that you are behind a firewall that is
blocking EDNS (UDP packets over 512 bytes). While newer BIND servers support
EDNS, it is disabled by default.

Configure your firewall to pass UDP packets up to 1500 bytes (Internet MTU;
the maximum is 65535 bytes) to the Win2k3 server, or disable EDNS. EDNS
increases efficiency by allowing DNS to resolve larger DNS responses without
using TCP. Large DNS responses are answers that have several CNAME or MX
records in them. These responses exceed 512 bytes and will not fit in a
single UDP packet without EDNS; in this case DNS has to retry the query
using TCP, which is a lot slower to set up.

828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

You can also install the Support tools with dnscmd.exe and run this from a
command prompt.

dnscmd /config /enableednsprobes 0

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
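
A way to test the diagnosis above from the affected network, added here as an example (it is not part of the original post): it asks the same question once as a plain query and once with an EDNS0 OPT record, then compares what comes back. The server address, the query name and the 4096-byte advertised size are assumptions supplied by whoever runs it.

```python
import socket
import struct

def build_query(name, qtype=15, edns_size=None, txid=0x1234):
    """Build a DNS query (default type MX); add an EDNS0 OPT record if edns_size is set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # Flags 0x0100 = recursion desired; ARCOUNT is 1 only when the OPT record follows.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS carries the advertised UDP size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def summarize(resp):
    """Return (size in bytes, rcode, TC bit set, answer count) for a raw response."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return len(resp), flags & 0x000F, bool(flags & 0x0200), ancount

def probe(server, name, qtype=15, edns_size=None, timeout=3.0):
    """Send one UDP query to server:53; return summarize() output, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, edns_size), (server, 53))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return summarize(resp)

def diagnose(plain, edns):
    """Interpret the two probe results in terms of the firewall theory."""
    if plain is not None and edns is None:
        return "EDNS query unanswered: large UDP reply likely dropped in the path"
    if plain is None and edns is None:
        return "no UDP reply at all: not an EDNS-specific problem"
    if edns[0] > 512:
        return "EDNS reply over 512 bytes arrived: path passes large UDP"
    return "EDNS reply fit in 512 bytes: try a name with a larger answer"

if __name__ == "__main__":
    import sys
    # Assumed usage: <authoritative server IP> <domain that fails to resolve>
    server, name = sys.argv[1], sys.argv[2]
    print(diagnose(probe(server, name), probe(server, name, edns_size=4096)))
```

A plain reply with the TC bit set (third field of the tuple) alongside an unanswered EDNS query is the pattern the firewall explanation predicts.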
