My DNS Server Prevents some Websites from Loading

The Missing Plug

All Desktop Support guys get this call eventually:

Helpdesk: “Thanks for calling the Helpdesk, How can I help you?”

Joe User: “I can’t pull up (insert website) but other sites work fine.”

If you run Windows Server 2003 R2 DNS or later behind a Cisco ASA that performs policy inspection of DNS packets, you may run into sites that fail to load. What does that mean? When DNS UDP packets come back from the public DNS server through your firewall, they pass through a set of inspection checks that verify they are not malformed and that nothing is trying to impersonate DNS. When the DNS resolver returns packets larger than the standard 512-byte DNS packet (EDNS0 packets can be up to 4096 bytes), the firewall drops those packets, and the user gets the dreaded “Page Cannot Be Displayed” error in their browser…
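To make the failure mode concrete, here is an added example (not code from the original post) that builds constructed DNS messages, reads the UDP payload size advertised in the EDNS0 OPT record, and flags any message larger than the classic 512-byte limit, which is exactly the traffic an inspector enforcing that limit would drop. The message builder and the 40-answer response are constructed samples, not captures.

```python
import struct

DNS_LIMIT = 512          # classic DNS-over-UDP maximum (RFC 1035)
EDNS0_BUFSIZE = 4096     # UDP payload size most EDNS0 resolvers advertise
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_dns(msg, max_len=DNS_LIMIT):
    """Return (edns_bufsize, oversized) for one UDP DNS message.

    edns_bufsize is the payload size advertised in the OPT RR, or None when the
    message carries no EDNS0. oversized is True when the message exceeds max_len,
    i.e. what an inspector enforcing the 512-byte classic limit would drop."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                      # question: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    bufsize = None
    for _ in range(an + ns + ar):            # answer/authority/additional RRs
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            bufsize = rclass                 # OPT reuses CLASS as UDP payload size
        off += 10 + rdlen
    return bufsize, len(msg) > max_len

def build_message(name, answers=0, with_edns=True, bufsize=EDNS0_BUFSIZE):
    """Constructed sample: a query (answers=0) or response for `name`, A records
    pointing at 192.0.2.1, optionally carrying an EDNS0 OPT record."""
    flags = 0x8180 if answers else 0x0100
    header = struct.pack("!6H", 0x1234, flags, 1, answers, 0, 1 if with_edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)         # A record, IN class
    # each answer: pointer to the question name + type/class/ttl/rdlen + IPv4
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    opt = struct.pack("!BHHIH", 0, OPT_TYPE, bufsize, 0, 0) if with_edns else b""
    return header + question + rr * answers + opt
```

On a live network the same comparison is `dig +bufsize=512` versus `dig +bufsize=4096` for the same name through the ASA: if only the large-buffer query times out, inspection is enforcing the 512-byte limit.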
