Windows Server 2016 DNS not fully EDNS RFC compliant

  • Question

  • While doing some checking in anticipation of DNS Flag Day Windows Server 2016 DNS doesn't appear to be fully EDNS compliant.

    If you query WS2016 DNS using dig: dig +nocookie +norec +noad +ednsopt=100 soa zone @server

    the server echoes back OPT=100, which it shouldn't.

    • Does anyone know if Windows Server 2019 is the same?
    • Does anyone at MS know if this is being looked at?

    Monday, January 21, 2019 12:52 PM
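    As an added check (not code from this thread), the following standard-library Python script reproduces the dig test above: it sends a non-recursive SOA query carrying the unknown EDNS option code 100 and parses the reply's OPT RR to report whether the server echoes the option back, which RFC 6891 says a responder must not do. The server address and zone passed to the live check are placeholders supplied by the caller.

```python
import socket
import struct

OPT_TYPE = 41      # EDNS OPT pseudo-RR type
UNKNOWN_OPT = 100  # arbitrary unassigned option code, as in the dig command above

def encode_name(name):  # wire-format a dotted name as length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_edns_query(zone, qtype=6, opt_code=UNKNOWN_OPT, txid=0x1234):
    """SOA query (qtype 6), RD=0/AD=0, with an OPT RR carrying one unknown option."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", qtype, 1)
    rdata = struct.pack("!HH", opt_code, 0)  # option code, zero-length option data
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def echoed_options(msg):
    """Option codes carried in the OPT RR of a DNS response (empty if none)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, codes = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        p = off = off + 10
        while rtype == OPT_TYPE and p < off + rdlen:
            code, olen = struct.unpack("!HH", msg[p:p + 4])
            codes.append(code)
            p += 4 + olen
        off += rdlen
    return codes

def server_echoes_unknown_option(server, zone, port=53, timeout=3.0):
    """Live check (server/zone are placeholders); True = not RFC 6891 compliant."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(zone), (server, port))
        resp, _ = s.recvfrom(4096)
    return UNKNOWN_OPT in echoed_options(resp)
```

A result of True corresponds to the tester's "ednsopt=echoed" verdict; run it against the server directly and through any firewall in front of it to tell the two apart.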

All replies

  • I have the same question regarding Server 2012 R2.

    I get the following response from my Server 2012 r2 servers but get correct answers from my 3 Bind slave servers.

    Windows:

    dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok docookie=formerr edns512tcp=ok optlist=formerr,subnet

    Bind:

    dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok

    Monday, January 21, 2019 4:00 PM
  • More information here: https://dnsflagday.net/

    Microsoft seems to have the same issues regarding their azure.com domain.
    I believe this needs to be fixed in code.

    EDNS Compliance Tester

    Checking: 'azure.com' as at 2019-01-22T09:38:24Z

    azure.com. @193.221.113.53 (ns3.msft.net.): dns=ok edns=ok edns1=formerr,version-not-zero edns@512=ok ednsopt=echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,subnet
    azure.com. @2620:0:34::53 (ns3.msft.net.): dns=ok edns=ok edns1=formerr,version-not-zero edns@512=ok ednsopt=echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,subnet

    https://ednscomp.isc.org/ednscomp/6c545a06f5

    Tuesday, January 22, 2019 9:39 AM
  • I am looking for the same information....

    Tuesday, January 22, 2019 2:58 PM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Eric


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 23, 2019 9:51 AM
  • Hi, 

    I don't believe the information you provided is useful. I am also running Public DNS on the Windows DNS 2012 r2 and having issues with the upcoming Flag Day Change. I get the below errors when testing our servers against the EDNS Compliance Tester. 

    dns=ok edns=ok edns1=ok edns@512=ok ednsopt=echoed edns1opt=echoed do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,subnet

    I appreciate the errors do not provide much information on resolving this "echoed" issue as it could be the software or a firewall issue. Has anyone discovered if this "echoed" issue is in fact a Microsoft issue or a firewall setting?



    Wednesday, January 23, 2019 10:31 AM
  • Got info from Microsoft that they are working on EDNS compliance, such as EDNS - Unknown Version Handling (edns1), EDNS - Unknown Option Handling (ednsopt) and EDNS - Unknown Version with Unknown Option Handling (edns1opt), and they will release a monthly update for it.

    Wednesday, January 23, 2019 11:33 AM
  • We had the same error with 2008 R2, but thanks to Checkpoint support we found the root cause.

    In fact the main problem was caused by a Checkpoint policy; now it is not perfect, but we think that we won't have problems on February 1st.

    I suggest you check your firewall or other security devices.


    alfonsoxsi


    Thursday, January 24, 2019 1:21 PM
  • Hi alfonsoxsi, did you have any port blocked? Can you tell us the port numbers?

    Thursday, January 24, 2019 4:20 PM
  • Please make sure the firewall or network device in front of the Windows server is EDNS capable. Older Cisco PIX firewalls will not allow UDP larger than 512 bytes. Use the fixup command to fix. EDNS also requires TCP open on port 53. Newer firewalls (ASA, firepower) are EDNS aware but the features may need to be enabled. 

    Has Microsoft provided any guidance on supporting EDNS compliance?  I'm getting similar "echoed" replies when I perform tests on https://dnsflagday.net/

    Friday, January 25, 2019 12:48 AM
  • Hi,

    If you try to verify the following domains, you will get the same result:

    onmicrosoft.com
    outlook.com

    P.S. Apparently these warnings are related to the concept of the Microsoft DNS Server.


    Disclaimer:
    My opinion may not coincide with the official position of Microsoft.

    Best regards, Andrei ...

    MCP

    Friday, January 25, 2019 1:18 AM
  • Hi

    Would you mind letting me know the result of the suggestions? If you need further assistance, feel free to let me know. I will be more than happy to be of assistance.

    Best Regards,

    Eric



    Friday, January 25, 2019 9:17 AM
  • Got info from Microsoft that they are working on EDNS compliance, such as EDNS - Unknown Version Handling (edns1), EDNS - Unknown Option Handling (ednsopt) and EDNS - Unknown Version with Unknown Option Handling (edns1opt), and they will release a monthly update for it.

    Why are you so confident? Is there any official source for that info? Thanks in advance!

    ILYA MATIBORSKIY

    Monday, January 28, 2019 3:42 PM
  • Hi All - Is there any potential fix for this on Windows based DNS? It seems this is being alerted due to DNS Flag Day. Warning message is ednsopt=echoed
    Tuesday, January 29, 2019 8:31 AM
  • Getting the same errors on my 2012R2 DNS servers 

    dns=ok edns=ok edns1=ok edns@512=ok ednsopt=echoed edns1opt=echoed do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,subnet 

    Tuesday, January 29, 2019 10:29 PM
  • I am also interested in this resolution. I have the same response on my Windows Server 2008 DNS Server. 
    Tuesday, January 29, 2019 11:01 PM
  • https://azure.microsoft.com/en-us/updates/azure-dns-flag-day/

    Official info about Azure, and I hope there will be Windows updates "in the coming weeks" for on-premises DNS (2012R2) too.


    ILYA MATIBORSKIY

    Wednesday, January 30, 2019 9:02 AM
  • Hi,


    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.


    Best Regards,

    Eric



    Wednesday, January 30, 2019 9:43 AM
  • No, it is not resolved and it won't be until Microsoft fixes it in code!

    It would be nice to get some official response from Microsoft instead.

    Wednesday, January 30, 2019 2:41 PM
  • I have the same question regarding Server 2012R2 Standard.

    I get the following response from my Server 2012 R2 servers for the domains banesco.com and banesconline.com.

    If anyone knows of a solution...

    Wednesday, January 30, 2019 8:16 PM
  • Yes MSFT, please provide an official response to this issue. My Windows DNS servers are running 2012 R2 and we have the same problem. When can we expect a server update that resolves this issue?
    Wednesday, January 30, 2019 9:36 PM
  • There should be an official advisory / KB Article on this by now from Microsoft.
    Thursday, January 31, 2019 3:39 AM
  • Hi,

    Microsoft is evaluating how MS DNS should respond to DIG commands used in EDNS compliance tests used by DNSFLAGDAY.NET,  EDNSCOMP and the "Testing Methodology" section of https://www.isc.org/blogs/dns-flag-day/
    Current indications are that

    (1.) MS DNS Servers test "ok" or "ok with minor issues";

    (2.) that MS DNS will not experience EDNS interoperability on February 1st

    (3.) that no intervention is required by MS DNS administrators

    Intermediate devices can also cause EDNS false test successes and failures on fully or substantially compliant devices.

    Best Regards,

    Eric



    Thursday, January 31, 2019 8:33 AM
  • Hi Eric,

    Is there a Microsoft blog post or KB article that will be getting updated, or should we be keeping an eye on this thread?

    Thursday, January 31, 2019 11:57 PM
  • All - Finally there is the official article from Microsoft, basically wait for the Windows Update to Fix this

    https://support.microsoft.com/en-sg/help/4489468/windows-server-domain-name-system-dns-flag-day-compliance


    Friday, February 1, 2019 4:15 AM
  • All-

    But the link https://support.microsoft.com/en-sg/help/4489468/windows-server-domain-name-system-dns-flag-day-compliance only shows "minor problems detected". I found out that Windows 2012 R2 and Windows 2016 switch over to TCP DNS once the record is larger than 512 bytes. RFC6891 (EDNS) states DNS should remain in UDP even if the packet is > 512 bytes.

    So, is this behaviour "minor defect", or major defect, or no defect...?

    Thanks

    Regards

    Ivica

    Tuesday, March 10, 2020 4:25 PM
  • Need to correct myself - Windows servers 2012 and 2016 are EDNS compatible.

    The problem is Windows nslookup client. When the query is done via Linux/dig client, all servers (Windows, BIND...) behave as per RFC6891/EDNS compliant (default dig flags, response >512 bytes). 

    If the query is sourced via Windows nslookup client (Windows 10), then the EDNS compatibility is broken and the server sends "Truncated" flag in DNS reply and switches over to TCP. 

    Wednesday, March 11, 2020 11:35 AM