CertCities.com -- The Ultimate Site for Certified IT Professionals
Post Your Mind in the CertCities.com Forums Share share | bookmark | e-mail
  Microsoft®
  Cisco®
  Security
  Oracle®
  A+/Network+"
  Linux/Unix
  More Certs
  Newsletters
  Salary Surveys
  Forums
  News
  Exam Reviews
  Tips
  Columns
  Features
  PopQuiz
  RSS Feeds
  Press Releases
  Contributors
  About Us
  Search
 

Advanced Search
  Free Newsletter
  Sign-up for the #1 Weekly IT
Certification News
and Advice.
Subscribe to CertCities.com Free Weekly E-mail Newsletter
CertCities.com

See What's New on
Redmondmag.com!

Cover Story: IE8: Behind the 8 Ball

Tech-Ed: Let's (Third) Party!

A Secure Leap into the Cloud

Windows Mobile's New Moves

SQL Speed Secrets

CertCities.com
Let us know what you
think! E-mail us at:
 
 
...Home ... Editorial ... Columns ..Column Story Tuesday: December 28, 2010


Microsoft: Under the Hood  
Don Jones
Don Jones
Stupid DNS Tricks
You learn something new every day -- such as why one company's DNS queries quit working when Yahoo! added a new server to their site. This one stumped me: See if you can figure it out!
by Don Jones  
4/30/2003 -- In this new monthly CertCities.com column, tech guru Don Jones explores the insides of key Microsoft products and technologies, revealing details seldom discussed - but ever so important when you're trying to run a Microsoft network. While plenty of columns will focus on Windows "insider information," Don will also look at other products, including Exchange Server, the .NET Framework, scripting, IIS, ISA Server, and much more. Everything will be written for the busy systems administrator, helping provide insight on common problems, troubleshooting techniques, automated administration and much more. Join us every month and prepare to get your hands a little greasy as Don takes you 'Under the Hood'!

O.K., here's a stumper that authors and tech gurus Mark Minasi and Brett Hill hit me with when we were all speakers at the recent MCP TechMentor conference. Say your company's DNS queries are working just fine through the company firewall. Then, all of a sudden, some queries stop working. You trace the problem down to Yahoo.com queries, and narrow it down even further to just queries made by the company's DNS server, seeking a list of authoritative Yahoo.com DNS servers. That's a common enough operation when a DNS server is configured to use root hints, rather than a forwarder, to resolve DNS names.

Now the stumper: The end reason for the problem is that Yahoo added a DNS server to their farm, and it's your fault -- not Yahoo's -- that the DNS queries quit working.

Take a minute and think about it. Mark and Brett had a big smirk on their faces when they explained all of this, and had a great time completely stumping me. Here's a hint that I didn't get: Wade through the official DNS RFC (http://www.faqs.org/rfcs/rfc1035.html) for the answer. C'mon, it's only 43 pages long!

O.K., I'll let you off the hook. Here's what happened: The company set up their firewall to allow DNS queries to go out on UDP port 53. That's pretty standard, and it'll usually work. After all, DNS queries tend to be pretty small, and there's little sense in setting up the whole handshake-response channel required for TCP connections. Yes, with UDP there's a chance that the DNS query will get lost, but in that case the DNS client can just resend the query after a second or two. No problem. In fact, RFC 1035 specifically says that UDP will be used for DNS queries, and that lost packets will be handled by simply retransmitting the query.

DNS does, of course, use the connection-oriented TCP protocol for zone transfers, which involve a lot more data than simple queries. Using TCP is actually more efficient and reliable in this case, since the zone transfer data will have to be broken into multiple packets. TCP can ensure that all of the packets arrive at the destination, and are reassembled back into the original data stream. However, most companies don't do zone transfers through their firewalls to or from outside DNS servers, so it's rare to see TCP port 53 opened in the firewall. In fact, in today's security-conscious IT shops, you're a lot more likely to see TCP 53 blocked, since it isn't used for legitimate traffic.

When a client gets back a DNS reply from a DNS server, the response comes over UDP, and includes an "answer section" that contains the records the client asked for. For example, Figure 1 shows a Network Monitor capture of a DNS response, with the answer section highlighted. As you can see, this answer to the query for my.yahoo.com returned two resource records, giving the client computer two possible IP addresses to choose from.

Figure 1
Figure 1. DNS response in Network Monitor. (Click image to view larger version.)

Of course, you and I both know that my.yahoo.com consists of more than two servers. In fact, the two IP addresses provided in this response are virtual IPs, meaning that each one points to a different Web farm, and each farm may consist of dozens of load-balanced servers. Using virtual IPs is a common trick on the Internet, and it gives Yahoo the ability to easily control their load balancing situation. It's pretty unusual to see large DNS responses, since most companies simply provide a virtual IP address or two to represent potentially hundreds of Web servers.

Figure 2 shows another important attribute of the DNS response: It's only 192 bytes long. Network Monitor shows that in the UDP header (highlighted). Why is that important? Well, if you've got RFC 1035 open, scroll down to section 4.2, entitled Transport.

Figure 2
Figure 2. Checking the packet size in Network Monitor. (Click image to view larger version.)

Section 4.2.1 specifically covers the use of UDP to transport DNS queries and responses. It says, and I quote, "Messages carried by UDP are restricted to 512 bytes (not counting the IP or UDP headers). Longer messages are truncated and the TC bit is set in the header." This implies that UDP can be used for longer queries. However, the RFC goes on to say, "UDP is not acceptable for zone transfers, but is the recommended method for standard queries in the Internet. Queries sent using UDP may be lost, and hence a retransmission strategy is required. Queries or their responses may be reordered by the network, or by processing in name servers, so resolvers should not depend on them being returned in order."

What's all that mean? It means just what I said: UDP is fine for smaller queries that can be transmitted in a single packet, but isn't so hot for longer queries. And that brings us back to what happened when Yahoo added another server.

In this particular instance, Yahoo had added a 14th DNS server to their farm. Not many folks use virtual IPs for DNS servers; if one DNS server asks for a list of authoritative DNS servers for a domain, the response will contain the real IP addresses of every valid DNS server that the target domain has to offer. To provide fault tolerance and load balancing, most major Internet presences like Yahoo might have a dozen servers or more. In this case, they apparently had 14, to be exact.

Fourteen servers apparently pushed the response's packet size over the critical 512 byte limit. Thus, when clients (or other DNS servers) attempted to query a list of Yahoo DNS servers, Yahoo tried to set up a TCP connection for the response. Since the company had allowed UDP port 53 in the firewall, the DNS query went out -- but because TCP port 53 hadn't been opened, the reply never made it back through. The problem seemed intermittent, too, because most DNS replies still fit into 512 bytes and came back through via UDP.

So what's the moral of this story?

First, of course, is to not let Mark and Brett pin you down with protocol questions over a friendly glass of wine after a day-long conference session. I learned that one!

Second, hop on your firewall and make sure TCP and UDP 53 are both available for queries and responses. Finally, make sure you thoroughly understand the networking protocols that you work with. While you may have known this bit of DNS trivia, there are dozens more for every major protocol we work with every day. Coming Next Month: Don tackles a different type of remote Exchange access.

Questions? Comments? Stupid DNS tricks of your own to share? Post 'em below!
Don Jones is the owner and operator of ScriptingAnswers.com, a speaker at national technical IT conferences, and the author of nearly twenty books on information technology. His latest book is "Managing Windows with VBScript and WMI" (Addison-Welsey) and he's completing "Windows Administrator's Automation Toolkit" (Microsoft Press). You can reach Don at his Web site or at .
 

More articles by Don Jones:

-- advertisement --


There are 13 CertCities.com user Comments for “Stupid DNS Tricks”
Page 1 of 2
5/2/03: eric says: gee , i dont know if i would open up TCP53 this is i think the bigest network footprinting doorway you can find , and if i understand well the article this is resolved by setting the server to forward , as i see it the choice is pretty simple ..... but on another hand i would also throw a brick at yahoo for not seeing this glitch , this probably affected many many admins ;(
5/2/03: Anonymous from San Diego, CA says: Hey, Eric. Learn to write in the American English language. Okay. I find it interesting that Yahoo is not aware of the security conciousness of the real world today to have seen this coming. Or that they did not care.
5/2/03: webweasel from The Great Northwet says: I only see this problem with 2 interdependent variables: 1. the user is using IE 6 2. there is a hardware firewall in place My users complain that they can no longer get Yahoo mail from behind the firewall, but can get it at home. In all of the those cases, at home they did not have both variables in place. In all of the cases behind the firewall, I solved it by installing Netscape 7x or Opera 7x. But then my web pages don't always work for those users...... ain't life a bitch?
5/3/03: Anonymous says: "I find it interesting that Yahoo is not aware of the security conciousness of the real world today to have seen this coming. Or that they did not care." Security can not have conciousness, the proper wording should include considerations as is applied to inanimate object Security. Oh and never start a sentence with or, the seperator should have been a comma or colon, depending on the structure of reewritten sentence. Before slamming anothers' attempt at English, be aware that it may not be their first language and also of your own use of it. The fact that only Americans use "American English', while the rest of the Engligh speaking world speak "Standard English" is something to take into consideration. Please bear this to mind the next time you "attempt" to correct someones' grammar.
5/3/03: Anonymous says: Providing DNS on Windows, are you kidding?
5/4/03: cj from st. louis says: Hey, does anyone know if Hotmail is having a similar problem? About a two weeks ago we stopped being able to access Hotmail inboxes at work. After entering the Passport info we get diverted back to msn.hotmail.com. The admins are busy arguing over whether it's a DNS issue or a problem with the proxy, and I'd love to beat 'em to the punch on this one.
5/4/03: Anonymous says: i bet your proxy went wacko on you!
5/5/03: jmf from houston says: CJ from St. Louis... Your problem seems to be proxy related. Do you have multiple proxies? If so, are you load balancing your proxy servers? Web servers using session state load balancing over HTTPS have a tendancy to break the session if the source IP address changes during the session. Common security setting.
6/8/03: Thomas Shinder from Dallas says: Great! Pretty straightforward, as we see this kind of issue pop up at www.isaserver.org all the time. Firewall guys are very aware of the fact that if the entire response or query can't fit in a UDP packet, that TCP is used. Just check out your MX queries from IIS 5 SMTP servers. :) As for the guys concerned about the security consequences, TCP isn't a major issue. I can create a DNS based tunneling protocol and tunnel anonymously through multiple DNS servers. That's why PIX is going to be history, and layer 7 firewalls like ISA Server are the new standard. Good article!
6/13/03: Anonymous says: Firstly, both the guys who dived in on the English versus American English conversation need to learn how to use it first. I do agree with the second guy though (although either your typing or spelling is atrocious). Secondly, I would not run ISA Server in an outward facing network. You would have to be off your rocker. Microsoft still have a lot to learn about security and will only have learned when they stop this practice of installing everything by default. Windows is quite secure if you stop all the services. But most people don't understand that open ports are open doors. God forbid that Microsoft ever released their code to the developer world. Long live Unix.
First Page   Next Page   Last Page
Your comment about: “Stupid DNS Tricks”
Name: (optional)
Location: (optional)
E-mail Address: (optional)
Comment:
   

-- advertisement (story continued below) --

top
Home | Microsoft® | Cisco® | Oracle® | A+/Network+" | Linux/Unix | MOS | Security | List of Certs
Advertise | Contact Us | Contributors | Features | Forums | News | Pop Quiz | Tips | Press Releases | RSS Feeds RSS Feeds from CertCities.com
Search | Site Map | Redmond Media Group | TechMentor Conferences | Tech Library Webcasts
This Web site is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc., Microsoft Corp., Oracle Corp., The Computing Technology Industry Association, Linus Torvolds, or any other certification or technology vendor. CiscoÆ and Cisco SystemsÆ are registered trademarks of Cisco Systems, Inc. Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corp. OracleÆ is a registered trademark of Oracle Corp. A+Æ, i-Net+T, Network+T, and Server+T are trademarks and registered trademarks of The Computing Technology Industry Association. (CompTIA). LinuxT is a registered trademark of Linus Torvalds. All other trademarks belong to their respective owners.
Reprints allowed with written permission from the publisher. For more information, e-mail
Application Development Trends | Campus Technology | CertCities.com | The Data Warehousing Institute
E-Gov | EduHound | ENTmag.com | Enterprise Systems | Federal Computer Week | FTPOnline.com | Government Health IT
IT Compliance Institute | MCPmag.com | Recharger | Redmond Developer News | Redmond | Redmond Events | Redmond Channel Partner | Redmond Report
TCPmag.com | T.H.E. Journal | Virtualization Review | Visual Studio Magazine | VSLive!
Copyright 1996-2009 1105 Media, Inc. See our Privacy Policy.
1105 Redmond Media Group