>On Oct 21, 2013, at 9:47 AM, WBrown at wrote:
>>> From: Alan Clegg <alan at>
>>> Fix your Windows clients.
>> You can't fix stupid.
>I have lots of Windows clients and they don't exhibit this "feature".
>There's something wrong on the Windows clients and it's not the norm.
>To be honest, recent Windows releases do a pretty fine job with DNS.

Agreed.  The problem here is the TCP fall-back vs BIND/OS tuning.  I've
got a lot of Windows clients (mostly VMware related infra) that don't
query via TCP.  I would focus on a deeper inspection of the environment
including the network layer.  The OP needs to figure out why the queries are
using TCP.

Speculating based on the available data, I'm wondering if the new BIND
servers were stood up behind a firewall...possibly with broken protocol
inspection/fixup type configuration limiting UDP packet size to 512
bytes...and zone data with large NS/whatever RR sets resulting in TCP

