Re: DNS, SMTP, AOL, Yahoo

From: Charles Palmer (charles_at_ggi.cc)
Date: 08/29/04


Date: Sun, 29 Aug 2004 08:12:15 -0400

I am not aware of any lost functionality at this point. But you can fix the
PIX, though it may require an upgrade before you can make the settings change
that is mentioned by Raland. In my environment, we have two companies that
are managing the network in two different locations. We use PIX in both
locations, but the other location was the one having the problem. Their PIX
is not updated to the latest code and can't fix the code. Ours was already
updated to the latest code, so when we started using Win2K3 DNS servers, we
didn't experience the problem on our end.

But, again, I don't know of any lost functionality at this point. Honestly,
I haven't seen a lot of documentation on EDNS and I haven't tried to read
the RFC, yet.

Charles Palmer

"Steve Mahon" <stevemahon@lhpinc.com> wrote in message
news:%23Dsq62RjEHA.3476@tk2msftngp13.phx.gbl...
> Thank you Charles,
>
> Disabling Enhanced DNS did the trick. BTW, is there any important
> functionality we will miss without EDNS? I guess the question is: Would it
> be worth replacing the pix with something that is compatible?
>
> Steve
>
> "Charles Palmer" <charles@ggi.cc> wrote in message
> news:%237pintIjEHA.636@TK2MSFTNGP12.phx.gbl...
> > We had a similar issue to this on our network recently. You may be
> > experiencing a couple of problems. The first thing that jumps out at me is
> > the SBS2003 and the PIX firewall. The problem we had was with Enhanced DNS
> > that is supported by Windows 2003. It allows UDP packets greater than
> > 512 bytes (???) and some PIX firewalls don't recognize them on the way back in.
> > The problem is with domains like Yahoo, AOL and Microsoft because they have
> > so many different servers you can deliver email to. Normally, the large list
> > would fail over to TCP 53 instead of the default UDP 53 and you wouldn't
> > have a problem. But, since your 2003 server advertises that it supports
> > EDNS, those sites are trying to send back a larger than normal UDP packet
> > that the PIX is choking on. You can't send mail out but can't seem to figure
> > out why. That is the first thing I would look at now knowing what I know
> > from my own experience.
> >
> > Something else I would look at is to make sure that the IP address that your
> > outbound SMTP comes from has a reverse DNS record and that it is not on any
> > blackhole lists anywhere.
> >
> > Those are your two most common problems, in my experience. You can go to
> > DNSSTUFF.COM to test the second situation. You can find an article on
> > disabling EDNS here:
> > http://www.winnetmag.com/Windows/Article/ArticleID/42188/42188.html or here:
> > http://www.jsiinc.com/SUBN/tip6900/rh6967.htm
> >
> > I give the second one because the first one may require a subscription to
> > the Windows and .NET Magazine website. I highly recommend the publication,
> > but it might not be your fastest solution if you aren't already a member.
> >
> > Hope this helps,
> > Charles Palmer
> >
> >
> > "Steve Mahon" <stevemahon@lhpinc.com> wrote in message
> > news:%23y84v1HjEHA.3988@tk2msftngp13.phx.gbl...
> > > Upgraded last week from SBS2K to SBS2003Prem. It's been tough and I think
> > > now that I should have done a clean install. Still may in fact. Anyway, I am
> > > getting a bunch of SMTP queues which I think are NDRs generated for spoofed
> > > incoming spam, but I'm not 100% sure. On our LAN, nobody can access
> > > yahoo.com, and aol.com seems funky as well. Just as a test, I added Qwest's
> > > DNS server as the alternate on my XP workstation, and was immediately able
> > > to ping and browse Yahoo. I reran the internet/email wizard on the server
> > > and updated the DNS server with the most recent from qwest.net. Still the
> > > SBS server and workstations could not get to yahoo.com. I also notice some of
> > > the emails to aol.com accounts seem stuck in SMTP queues and I keep getting: "A
> > > large number of messages are pending in the e-mail server send queue." There
> > > are around 150 SMTP queues. Most look like spoofed accounts, but a few are
> > > legit. There are a ton of Exchange events like: "This is an SMTP protocol
> > > warning log for virtual server ID 1, connection #687. The remote host
> > > "69.42.65.106", responded to the SMTP command "rcpt" with "451
> > > REVERSE_LOOKUP ". The full command sent was "RCPT
> > > TO:<beaicldgbljgfhaelcdcceedgcc@dc-30.com> ". This may cause the connection
> > > to fail." We didn't have any of this trouble prior to upgrade.
> > >
> > > I suspect these things are related, but I can't seem to sort it out. We have
> > > 1 NIC, a PIX firewall, and DSL with static IPs. The ipconfig /all follows.
> > > Thanks, Steve
> > >
> > >
> > > Windows IP Configuration
> > >
> > > Host Name . . . . . . . . . . . . : LHPServer
> > > Primary Dns Suffix . . . . . . . : lhpinc.local
> > > Node Type . . . . . . . . . . . . : Unknown
> > > IP Routing Enabled. . . . . . . . : Yes
> > > WINS Proxy Enabled. . . . . . . . : Yes
> > > DNS Suffix Search List. . . . . . : lhpinc.local
> > >
> > > Ethernet adapter Server Local Area Connection:
> > >
> > > Connection-specific DNS Suffix . :
> > > Description . . . . . . . . . . . : 3Com 3C996 10/100/
> > > Physical Address. . . . . . . . . : 00-04-76-3B-13-D3
> > > DHCP Enabled. . . . . . . . . . . : No
> > > IP Address. . . . . . . . . . . . : 192.168.16.2
> > > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > Default Gateway . . . . . . . . . : 192.168.16.1
> > > DNS Servers . . . . . . . . . . . : 192.168.16.2
> > > Primary WINS Server . . . . . . . : 192.168.16.2
> > >
> > >
> >
> >
>
>
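As an added diagnostic example (not from the thread or any of its posters), the EDNS symptom Charles describes can be checked from a script: it sends the same MX query twice, once without EDNS0 (classic 512-byte limit) and once with an OPT pseudo-record advertising a 4096-byte UDP payload, and reports the size and TC bit of whatever comes back through the firewall. The function names `build_query`, `parse_response` and `probe` are my own; `server` is whichever resolver or authoritative server you want to test the path to.

```python
import socket
import struct

def build_query(name, qtype=15, txid=0x1234, edns_payload=None):
    """Build a DNS query (default QTYPE 15 = MX). With edns_payload set, append
    an EDNS0 OPT record (RFC 2671): owner is root, TYPE 41, CLASS carries the
    advertised UDP payload size, TTL holds ext-RCODE/version/flags, RDLEN 0."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns_payload:
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return header + question + opt

def parse_response(data):
    """Decode only the header: we care about size and the TC (truncated) bit,
    since a >512-byte UDP reply is exactly what an old PIX DNS fixup drops."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "size": len(data), "over_512": len(data) > 512}

def probe(name, server, timeout=3.0):
    """Query `name` twice through `server`. A reply to the plain query but a
    timeout (None) on the EDNS query matches the firewall symptom in the thread:
    the server answered, but the large UDP packet never made it back in."""
    results = {}
    for label, payload in (("plain", None), ("edns", 4096)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_payload=payload), (server, 53))
            data, _ = sock.recvfrom(65535)
            results[label] = parse_response(data)
        except socket.timeout:
            results[label] = None  # dropped somewhere between us and the server
        finally:
            sock.close()
    return results

if __name__ == "__main__":
    import sys
    # e.g. python edns_probe.py yahoo.com 192.168.16.2
    print(probe(sys.argv[1], sys.argv[2]))
```

If `plain` comes back with `truncated` set while `edns` times out, the resolver is offering the big answer only over EDNS and the path is eating it; a TC reply normally triggers the TCP 53 retry the thread mentions, so also confirm TCP 53 is allowed through the PIX.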


