
Windows Server DNS response cut short

asked 2025-02-22 14:29:27 +0000 by net_tech

updated 2025-02-22 14:58:10 +0000 by grahamb

Hi

Looks like our internal DNS servers (W2019) are robbing clients of 257 bytes in DNS traffic. As a result, clients can't get to some of the websites where DNS answers exceed 176 bytes.

Is there a Windows server setting that limits DNS traffic to 176 bytes? We are not seeing this 176-byte limit on other protocols.


Thank you!


Comments

Are you sure it is truncated, there could be reassembly of IP fragments at work? Also, is the "truncated" flag set in the response? If so, it is the duty of the client to re-request the DNS entry, but now over TCP to get the full response.

Are you able to share the pcap for closer inspection?

SYN-bit ( 2025-02-22 15:21:41 +0000 )

Here is a pcap from a good working environment. Server (192.168.20.5) gets a 433 byte response from 1.1.1.1 and responds to the client with a 422 byte packet.

https://drive.google.com/file/d/1TYma...

Working on getting bad-dns.pcap shared

net_tech ( 2025-02-22 16:22:26 +0000 )

Capture has been wranglered

97.205.219.232 is 1.1.1.1
172.16.96.78 - Client, 172.21.59.11 - Server

https://drive.google.com/file/d/1fYz8...

net_tech ( 2025-02-22 16:58:02 +0000 )

@SYN-bit,

No, Truncated flag is 0 (Message is not truncated).

Someone asked for this behavior here -> https://serverfault.com/questions/116...

I don't know how, but my DNS server is doing exactly what was asked on serverfault post

net_tech ( 2025-02-22 17:10:26 +0000 )

Is this a CNAME chaining issue or CNAME chaining limit configured on the 172.21.59.11 windows server?

net_tech ( 2025-02-22 18:23:17 +0000 )

1 Answer


answered 2025-02-23 02:49:51 +0000 by net_tech

privatelink.azure-api.net zone was present on the internal DNS server for other reasons, but didn't have the CNAME record that was in the chain. Adding the CNAME internally resolved the issue.


Comments

It's not DNS
There's no way it's DNS
It was DNS

Good find, glad you were able to solve it, does make one wonder why the privatelink.azure-api.net zone is needed on the internal DNS server, while it is not authoritative for it.

SYN-bit ( 2025-02-23 14:32:38 +0000 )

It's needed for private endpoints, at least that is what I was able to find here. https://learn.microsoft.com/en-us/azu...

sites that were affected by this problem had either a CNAME or an A record inside privatelink.azure-api.net zone.

net_tech ( 2025-02-23 15:20:09 +0000 )

I'm no Azure administrator, but in the linked document I do not see any reference to have the zone locally configured as authoritative. Perhaps a NS record to Azure would have been enough to make all private endpoints available?

SYN-bit ( 2025-02-23 16:19:59 +0000 )
