About the author

Jason Huitt is on the Windows Group with Academic Computing and Networking Services at Colorado State University.

Windows Server 2008 R2 DNS Servers Fail to Resolve Internet2.edu Names

We encountered a strange one today that may not affect many folks out there, but after three hours of mind numbing troubleshooting (and some Wireshark Ninja Skillz), I figured it would be worth passing along what's happening here...

Server 2008 R2 DNS Service by default supports DNSSEC. This is a long-awaited feature for many of us, and is generally a good thing. However, after migrating our DNS services to R2, we noticed quickly that we were no longer able to resolve *.internet2.edu addresses. When we looked at packet captures of this traffic, we could see the request leave our server, but the response from the destination DNS server showed up in Wireshark as "Fragmented IP Protocol", and only one of the fragments (the first packet transmitted by the responding DNS server) was reaching our R2 server.

When we did the same packet capture against our old Server 2008 SP2 DNS server, that behavior did not occur. We compared the request packet sent by the 2008 SP2 box with the one sent by the 2008 R2 box, and noticed that R2 was requesting DNSSEC information in every query. For most domains there is no DNSSEC information to return, so the responses stay small and the vast majority of the Internet resolved correctly.

We brought our firewall guy in on the problem and he began poking around in that space. We eventually determined that the information being returned to R2 in response to its request for additional DNSSEC information exceeded the 1514 byte size limit of the Ethernet frame, causing the response packet to be fragmented. This alone should be handled gracefully by the OS, but in our case we had an upstream firewall that was configured to block these kinds of packets (not the first fragment, only the trailing fragments), which caused our DNS server to conclude that it never received a response from the queried DNS server.
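As an added illustration (not code from the original post), the following Python script builds the two kinds of query compared above, a plain one and one carrying an EDNS0 OPT record with the DNSSEC OK (DO) bit set, parses the OPT record back out of a message, and flags whether a UDP response of a given size would have to be fragmented at the Ethernet MTU. The name www.internet2.edu and the 1800-byte response size are constructed sample values.

```python
import struct

ETH_MTU = 1500             # IP packet bytes that fit one Ethernet frame (1514 with the 14-byte header)
IP_UDP_OVERHEAD = 20 + 8   # IPv4 header without options plus the UDP header
OPT_TYPE = 41              # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000            # "DNSSEC OK" flag in the OPT record's 32-bit TTL field

def encode_name(name):
    """Dotted name to DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, edns=False, dnssec_ok=False, udp_payload=4000, txid=0x1234):
    """Build a recursive DNS query. edns=True appends an OPT record to the additional
    section; dnssec_ok=True sets its DO bit, which asks for RRSIG/DNSKEY data and
    is what makes a signed zone's response large enough to need fragmenting."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD=1
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)            # QCLASS IN
    if edns:
        # root name, TYPE=OPT, CLASS=advertised UDP payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, DO_BIT if dnssec_ok else 0, 0)
    return msg

def skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer (0xC0..) ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_edns(msg):
    """Return {'udp_payload': n, 'dnssec_ok': bool} from the OPT record, or None
    when the message carries no EDNS0 OPT record (the 2008 SP2 style of query)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return {"udp_payload": rclass, "dnssec_ok": bool(ttl & DO_BIT)}
        off += 10 + rdlen
    return None

def would_fragment(dns_len, mtu=ETH_MTU):
    """True if a UDP DNS message of dns_len bytes cannot fit one IPv4 packet at mtu,
    so the responder must fragment it (and a fragment-dropping firewall breaks it)."""
    return dns_len + IP_UDP_OVERHEAD > mtu

if __name__ == "__main__":
    for label, q in (("SP2-style", build_query("www.internet2.edu")),
                     ("R2-style ", build_query("www.internet2.edu", edns=True, dnssec_ok=True))):
        print(label, len(q), "bytes, EDNS:", parse_edns(q))
    print("1800-byte response fragments at 1500 MTU:", would_fragment(1800))  # constructed size
```

Pointing `parse_edns` at a captured query from each server type shows the DO bit difference directly; `would_fragment` applied to the captured response length tells you whether trailing fragments are in play before you go looking at the firewall.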

Reconfiguring the upstream firewall to allow those fragments through to just our DNS servers solved the issue, and we're now running our DNS services on Server 2008 R2 without error.

      Great success!


Posted by Jason on Thursday, March 18, 2010 3:20 PM