dns queries..

  • Thread starter Thread starter Stu Holzer
  • Start date Start date
S

Stu Holzer

I am trying to stop our Win2K servers from sending their
DNS queries out using tcp-53 instead of udp-53..
We are trying to send out emails..
Any help would be appreciated..
 
In
Stu Holzer said:
I am trying to stop our Win2K servers from sending their
DNS queries out using tcp-53 instead of udp-53..
We are trying to send out emails..
Any help would be appreciated..
Click to expand...

DNS uses both TCP & UDP 53 mail servers tend to use TCP because of MX
records size is the best explanation I've heard. 263237 - XCON: Windows 2000
and Exchange 2000 SMTP Use TCP DNS Queries
http://support.microsoft.com/default.aspx?scid=kb;en-us;263237

Use a DNS server that supports TCP queries.
 
Kevin...

Thanks..
I did know that.. but I still need to find a way to force
UDP..
We tried changing the max packet size...
http://support.microsoft.com/default.aspx?scid=kb;en-
us;244474&Product=win2000
Didnt seem to help.. Although we may try that one again..
Our ISP is getting pissed at us cause we are bogging down
their DNS servers with requests..
We might send out 500k emails at a shot..

Stu..
 
SH> I am trying to stop our Win2K servers from sending their
SH> DNS queries out using tcp-53 instead of udp-53..
SH> We are trying to send out emails..

The behaviour of Microsoft Exchange's SMTP client, described in KnowledgeBase
article Q263237, is simply erroneous. It violates a "MUST" requirement,
placed upon DNS clients, in section 6.1.3.2 of RFC 1123 by not using DNS/UDP
before DNS/TCP when performing its DNS queries. The only way to get this
fixed is to obtain a fixed version of the software, that conforms to RFC 1123,
from Microsoft.
 
In
Jonathan de Boyne Pollard said:
The behaviour of Microsoft Exchange's SMTP client, described in
KnowledgeBase article Q263237, is simply erroneous. It violates a
"MUST" requirement, placed upon DNS clients, in section 6.1.3.2 of
RFC 1123 by not using DNS/UDP before DNS/TCP when performing its DNS
queries. The only way to get this fixed is to obtain a fixed version
of the software, that conforms to RFC 1123, from Microsoft.
Click to expand...

You are incorrect on this one Jonathan, I copied this from the section you
noted. The DNS server MUST answer with UDP but should answer with TCP if the
mailer requests TCP and it should not refuse the query just because it is
TCP

http://www.faqs.org/rfcs/rfc1123.html.

6.1.3.2 Transport Protocols

DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
Specifically, a DNS resolver or server that is sending a
non-zone-transfer query MUST send a UDP query first. If the
Answer section of the response is truncated and if the
requester supports TCP, it SHOULD try the query again using
TCP.

DNS servers MUST be able to service UDP queries and SHOULD
be able to service TCP queries. A name server MAY limit the
resources it devotes to TCP queries, but it SHOULD NOT
refuse to service a TCP query just because it would have
succeeded with UDP.

While it does state that DNS must send an answer in UDP first it goes on to
state that IF the REQUESTER supports TCP, it SHOULD try the query again
using TCP.

Technically DNS is not required to accept TCP it should and as it goes on
later in the RFC it states:

Responsible practices can make UDP suffice in the vast
majority of cases. Name servers must use compression
in responses. Resolvers must differentiate truncation
of the Additional section of a response (which only
loses extra information) from truncation of the Answer
section (which for MX records renders the response
unusable by mailers). Database administrators should
list only a reasonable number of primary names in lists
of name servers, MX alternatives, etc.

However, it is also clear that some new DNS record
types defined in the future will contain information
exceeding the 512 byte limit that applies to UDP, and
hence will require TCP. Thus, resolvers and name
servers should implement TCP services as a backup to
UDP today, with the knowledge that they will require
the TCP service in the future.

So my suggestion to the poster is that since techaclly the ISP is not
required to answer TCP requsest YET the ISP should not refuse TCP.

I might suggest that if he can use another DNS server he should, but the ISP
cannot require him to stop using TCP.
 
In
Stu Holzer said:
Kevin...

Thanks..
I did know that.. but I still need to find a way to force
UDP..
We tried changing the max packet size...
http://support.microsoft.com/default.aspx?scid=kb;en-
us;244474&Product=win2000
Didnt seem to help.. Although we may try that one again..
Our ISP is getting pissed at us cause we are bogging down
their DNS servers with requests..
We might send out 500k emails at a shot..
Click to expand...

Maybe you should consider pointing Exchange to a different DNS server, say
maybe installing a local DNS server to reduce the load on his DNS server. If
the ISP is getting mad because of the TCP, packets he is going to get really
mad if you made all the requests for all those MX records using UDP.
Increasing the MaxCacheTtl on a local DNS server will reduce DNS requests to
your ISP.
 
Ahh, you did your homework on this one!

Cheers!

:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
posted a question
Then Kevin replied below:
Ahh, you did your homework on this one!

Cheers!
Click to expand...
Well, when someone makes a statement like that then "quotes" a rule I just
have to go look. I guess I get that from spending two years in the "Show me"
State when I was just a little tyke.
 
In
Kevin D. Goodknecht said:
In Ace Fekay [MVP]
<PleaseSubstituteMyActualFirstName&[email protected]> posted a
question
Then Kevin replied below:
Well, when someone makes a statement like that then "quotes" a rule I
just have to go look. I guess I get that from spending two years in
the "Show me" State when I was just a little tyke.
Click to expand...

Good point. Now curious to Jonathan's reply...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
SH> Our ISP is getting pissed at us cause we are bogging down
SH> their DNS servers with requests..
SH> We might send out 500k emails at a shot..

KDGS> If the ISP is getting mad because of the TCP, packets he is
KDGS> going to get really mad if you made all the requests for all
KDGS> those MX records using UDP.

On the contrary, it will probably be less annoyed. Servicing DNS/UDP
transactions is less work for a DNS server than servicing DNS/UDP transactions
is, because of the connection setup and teardown overhead of TCP. Moreover,
DNS/TCP service is almost always subject to far more stringent constraints (in
particular with respect to the number of concurrent transactions) than DNS/UDP
is. There are also security concerns with DNS/TCP that do not exist with
DNS/UDP.

That doesn't mean that configuring the SMTP Client to direct its queries to a
local caching proxy DNS server (even merely a forwarding one) is not a wise
idea, though. Indeed, it is an often-recommended practice.
 
JdeBP> The behaviour of Microsoft Exchange's SMTP client, described in
JdeBP> KnowledgeBase article Q263237, is simply erroneous. It
JdeBP> violates a "MUST" requirement, placed upon DNS clients, in
JdeBP> section 6.1.3.2 of RFC 1123 by not using DNS/UDP before
JdeBP> DNS/TCP when performing its DNS queries. The only way to
JdeBP> get this fixed is to obtain a fixed version of the software,
JdeBP> that conforms to RFC 1123, from Microsoft.

KDGS> You are incorrect on this one Jonathan, [...]

Untrue. Moreover, this has been discussed in detail before in this very
newsgroup and in "comp.protocols.tcp-ip.domains".

KDGS> The DNS server MUST [...]

Irrelevant. The relevant constraint is on the _client_, not the server.
Microsoft Exchange's SMTP client is (obviously) a DNS client, not a DNS
server.

Read the RFC again, paying particular attention this time to the constraints
upon the client.

KDGS> the ISP cannot require him to stop using TCP.

The ISP can legitimately require his DNS clients to conform to section 6.1.3.2
of RFC 1123. Exchange is not conformant because it does not obey a "MUST"
constraint in that section.
 
In
Jonathan de Boyne Pollard said:
JdeBP> The behaviour of Microsoft Exchange's SMTP client, described in
JdeBP> KnowledgeBase article Q263237, is simply erroneous. It
JdeBP> violates a "MUST" requirement, placed upon DNS clients, in
JdeBP> section 6.1.3.2 of RFC 1123 by not using DNS/UDP before
JdeBP> DNS/TCP when performing its DNS queries. The only way to
JdeBP> get this fixed is to obtain a fixed version of the software,
JdeBP> that conforms to RFC 1123, from Microsoft.

KDGS> You are incorrect on this one Jonathan, [...]

Untrue. Moreover, this has been discussed in detail before in this
very newsgroup and in "comp.protocols.tcp-ip.domains".

KDGS> The DNS server MUST [...]

Irrelevant. The relevant constraint is on the _client_, not the
server. Microsoft Exchange's SMTP client is (obviously) a DNS client,
not a DNS server.
Click to expand...

I don't know where you are reading the constraint is on the
client/requestor. The restriction is placed on the DNS resolver. I see
nothing in the paragraph you quoted, putting any restriction on the
requesting client.

Read the RFC again, paying particular attention this time to the
constraints upon the client.
Click to expand...

I challenge you to point out any contraints placed on the client in 6.1.3.2.
I don't see it.
KDGS> the ISP cannot require him to stop using TCP.

The ISP can legitimately require his DNS clients to conform to
section 6.1.3.2 of RFC 1123. Exchange is not conformant because it
does not obey a "MUST" constraint in that section.
Click to expand...
Show me that "must".
 
In

I don't know where you are reading the constraint is on the
client/requestor. The restriction is placed on the DNS resolver. I see
nothing in the paragraph you quoted, putting any restriction on the
requesting client.
Click to expand...

The definition of "resolver" in this context is software that sends out a
DNS query. That's a client.
 
Back
Top