We do not have Cisco firewalls, though everything else is Cisco (switches, routers, VOIP). Has anyone seen this issue using Fortinet firewalls?

Thx,
Robert

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Wednesday, January 23, 2013 3:05 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Definitely better to fix the firewall than to limit the size of DNS queries on the server. Other firewalls have needed similar fixes, too - not just Cisco.

Kurt

On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim <[email protected]> wrote:
> Yes. At some point your DNS servers are talking to the outside
> world… directly or via forwarders I would assume. If dns fixup is
> enabled you need to allow longer lookups.
>
> fixup protocol dns maximum-length 4096
>
> Or turn off eDNS on the 2003 servers.
> dnscmd /Config /EnableEDnsProbes 0
>
> From: Robert Peterson [mailto:[email protected]]
> Sent: Wednesday, January 23, 2013 2:39 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Thank you Jim.
>
> We have no Cisco firewalls, but all Cisco switches, routers. A new
> switch may have gone in last week. We also are in the middle of a
> Cisco VOIP project, past 6 months. Phones all up, but they are still
> working out tweaks, etc. Trying to make a "Jabber" client work on desktops
> and PDAs.
>
> Something on the Cisco side I should dig into?
>
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Wednesday, January 23, 2013 1:14 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Did someone put in a shiny new Cisco firewall this past weekend?
>
> From: Robert Peterson [mailto:[email protected]]
> Sent: Wednesday, January 23, 2013 2:02 PM
> To: NT System Admin Issues
> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Hoping this is an old problem and someone has ideas?
>
> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>
> Since this past weekend, we saw a large increase in Event 5504 warnings.
> Eventually the DC gives an Event 7502 and DNS services hang.
>
> When DNS hangs, memory usage of the DNS service has grown to 800,000K;
> after reboot the memory usage starts around 50,000K.
>
> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0"
> setting. This has stopped the memory growth/leaks, and replaced the
> 5504 errors with numerous 404 and 408 errors, till probably due to the
> registry change to suppress "dups" it has quit logging those.
>
> DNS memory usage is stable around 100,000K and DNS services to our
> users is remaining stable too.
>
> However, I feel this is just a stopgap and I need to resolve the real
> culprit… thoughts? Ideas?
>
> As always… great listserv & thanks!
> Robert
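The mechanism behind Jim's two fixes is EDNS0 (RFC 6891): a resolver appends an OPT pseudo-record to its queries whose CLASS field advertises how large a UDP response it can accept, and a firewall doing DNS inspection with a small maximum length silently drops any response above its limit, so the querying server waits for answers that never arrive. The script below is an added illustration, not code from the thread or from any of the products named in it. It builds a query with and without an OPT record, parses the advertised payload size back out, and reports whether an inspection limit would pass the responses the query invites. The 512-byte default inspection length and the 4096-byte value are assumptions taken from Jim's `fixup protocol dns maximum-length 4096` line and the classic RFC 1035 UDP limit; the sample query name is constructed.

```python
import struct

OPT_TYPE = 41               # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_MAX = 512       # pre-EDNS UDP message limit (RFC 1035)
# Assumed firewall DNS inspection limits: 512 as the classic default for
# "fixup protocol dns maximum-length", 4096 as the value the thread's fix sets.
INSPECTION_DEFAULT_MAX = 512
INSPECTION_RAISED_MAX = 4096


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns_udp_size=None, txid=0x1234):
    """Build a UDP DNS query. With edns_udp_size set, append an OPT RR
    advertising that the sender accepts responses of that many bytes."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    msg = header + question
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero here), RDLEN=0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the EDNS UDP payload size advertised in msg, or None if it has no OPT RR."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def largest_response_passed(msg, inspection_max):
    """Largest UDP response an inspecting firewall lets through for this query.
    The resolver invites responses up to its advertised size (512 without EDNS);
    the firewall drops anything above inspection_max, so the ceiling is the minimum."""
    invited = advertised_udp_size(msg) or CLASSIC_UDP_MAX
    return min(invited, inspection_max)


def edns_mismatch(msg, inspection_max):
    """True when the resolver invites responses larger than the firewall will pass:
    the condition that turns EDNS probes into timeouts and a backlog of stuck queries."""
    invited = advertised_udp_size(msg)
    return invited is not None and invited > inspection_max


if __name__ == "__main__":
    # Constructed samples: a query shaped like an EDNS0 probe, and the plain
    # query a server sends once EDNS probes are disabled.
    probe = build_query("example.com", edns_udp_size=4096)
    plain = build_query("example.com")
    for label, q in (("EDNS probe", probe), ("plain query", plain)):
        print(label, "advertises", advertised_udp_size(q),
              "| default inspection passes up to", largest_response_passed(q, INSPECTION_DEFAULT_MAX),
              "| raised inspection passes up to", largest_response_passed(q, INSPECTION_RAISED_MAX))
```

Read against the thread: `edns_mismatch(probe, 512)` is the broken state (server advertises 4096, firewall passes 512), raising the inspection limit clears it without touching the server, and disabling probes clears it by making the server stop advertising, which is why Kurt prefers the firewall fix. The same parser can be pointed at real captured queries from the DC to confirm what size it actually advertises, rather than guessing.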
