Definitely better to fix the firewall than to limit the size of DNS queries on the server.
Other firewalls have needed similar fixes, too - not just Cisco.

Kurt

On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim <[email protected]> wrote:
> Yes. At some point your DNS servers are talking to the outside world…directly
> or via forwarders I would assume. If dns fixup is enabled you need to allow
> longer lookups.
>
> fixup protocol dns maximum-length 4096
>
> Or turn off eDNS on the 2003 servers.
>
> dnscmd /Config /EnableEDnsProbes 0
>
> From: Robert Peterson [mailto:[email protected]]
> Sent: Wednesday, January 23, 2013 2:39 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Thank you Jim.
>
> We have no Cisco firewalls, but all Cisco switches, routers. A new switch
> may have gone in last week. We also are in the middle of a Cisco VOIP
> project, past 6 months. Phones all up, but they are still working out
> tweaks, etc. Trying to make a “Jabber” client work on desktops and PDAs.
>
> Something on the Cisco side I should dig into?
>
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Wednesday, January 23, 2013 1:14 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Did someone put in a shiny new Cisco firewall this past weekend?
>
> From: Robert Peterson [mailto:[email protected]]
> Sent: Wednesday, January 23, 2013 2:02 PM
> To: NT System Admin Issues
> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Hoping this is an old problem and someone has ideas?
>
> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>
> Since this past weekend, we saw a large increase in Event 5504 warnings.
> Eventually the DC gives an Event 7502 and DNS services hang.
>
> When DNS hangs, memory usage of the DNS service has grown to 800,000K, after
> reboot the memory usage starts around 50,000K.
>
> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
> setting. This has stopped the memory growth/leaks, and replaced the 5504
> errors with numerous 404 and 408 errors, till probably due to the registry
> change to suppress “dups” it has quit logging those.
>
> DNS memory usage is stable around 100,000K and DNS services to our users is
> remaining stable too.
>
> However, I feel this is just a stopgap and I need to resolve the real
> culprit… thoughts? Ideas?
>
> As always… great listserv & thanks!
>
> Robert
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
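
The interaction discussed in this thread, between the EDNS size a DNS server advertises and a firewall's DNS inspection length limit, as an added example that is not part of the original messages: the Python below reads the advertised UDP payload size from a query and classifies what happens to a large reply. The function names, the constructed query and the reply sizes are assumptions for illustration; the 512-byte fallback is the classic DNS-over-UDP limit.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-record (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # pre-EDNS DNS-over-UDP message limit (RFC 1035)

def build_query(name, edns_size=None, qtype=1):
    """Build a minimal DNS query; add an OPT record when edns_size is given."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)  # CLASS = UDP size
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def advertised_udp_size(msg):
    """Return the EDNS UDP payload size a message advertises, or 512 if no OPT."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                        # CLASS field carries the UDP size
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def reply_outcome(query, reply_len, inspection_max):
    """Classify a UDP reply of reply_len bytes against a firewall length limit."""
    if reply_len > advertised_udp_size(query):
        return "truncated-by-server"   # server sets TC; client retries over TCP
    if reply_len > inspection_max:
        return "dropped-by-firewall"   # server sent it, inspection discards it
    return "delivered"

if __name__ == "__main__":
    print(reply_outcome(build_query("example.com", 4096), 1400, 512))  # constructed query
```

The "dropped-by-firewall" case is the mismatch the thread is about: the querying server advertises a large EDNS size while the inspection limit on the path is smaller, which is why raising the limit to 4096 or disabling EDNS probes both make the symptom go away.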
