strange problem with MX records, firewall, Bind and Windows DNS

bindlist bindlist at packetstorm.org
Thu May 30 19:19:35 UTC 2002



I was recently asked to look at a network that was having some strange
problems with MX records and DNS.

The topology is

[ns.foo.bar]  (public DNS server, any queries, recursion on, ACL xfers)
[firewall]    (port 53 tcp/udp open)
[inner.ns.foo.bar]   (internal DNS server set up to forward queries to
ns.foo.bar for any queries that are not in their local domain)

ns.foo.bar     is an HP-UX system
               is running BIND 8.2.x
Firewall       we looked for any dropped DNS packets on port 53 and no luck;
               looks clean

inner.foo.bar  is running Microsoft DNS server
               is set up with forwarding enabled
               IP address of external DNS server is listed


Testing shows that queries work for the most part, except for one instance
that is causing mail problems with other mail systems.

If, say, I am on inner.foo.bar (or a workstation on the net using the
inner.foo.bar NS) and try to look up an MX record for some.com, the
request is forwarded to the external DNS server. Next, ns.foo.bar tries to
look up the MX record and gets (one example, but any such occur; taken from a
cache dump):


$ORIGIN BERKELEY.edu.
ssl     14237   IN      NS      sunspot.ssl.berkeley.edu.       ;Cr=addtnl
[164.67.128.2]
        14237   IN      NS      ns1.berkeley.edu.       ;Cr=addtnl
[164.67.128.2]
        14237   IN      NS      ns2.berkeley.edu.       ;Cr=addtnl
[164.67.128.2]
        14237   IN      SOA     sunspot.ssl.berkeley.edu.
root.sunspot.ssl.berkeley.edu. (
                1001158 10800 300 3600000 14400 )       ;Cr=auth
[128.32.147.25]
;       10637   IN      MX      sunspot.ssl.berkeley.edu.
root.sunspot.ssl.berkeley.edu. (
;               1001158 10800 300 3600000 14400 );ssl.berkeley.edu.;NODATA
;-$     ;Cr=auth [128.32.147.25]



The result sent to the inner.foo.bar nameserver ends up as:

DNS R  Error:2(Server Fail)


At this point mail gets queued to the outside domain (in this case
x.berkeley.edu) because the error return is keeping something from falling
back to an A record to try to hand mail off to, since there is no MX
record.

Or at least that's what I thought occurred. If there are no MX records, BIND
would then try for an A record, yes?

This happens only if we try getting MX records from an external zone that
has no MX entry for their mail server(s).

Also, I turned on query logging and this is what I get in my logs:

30-May-2002 10:11:35.565 queries: info: XX+/x.x.x.x/foo.bar/MX/IN


Also, debug output from the NT server to the Unix server shows:

HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  rd
        qdcount = 1, ancount = 0, nscount = 0, arcount = 0

QUESTIONS:
        some.com, type = MX, class = IN

Querying server (# 1) address = x.x.x.x
got answer:
HEADER:
        opcode = QUERY, id = 4, rcode = SERVFAIL
        header flags:  qr rd ra
        qdcount = 1, ancount = 0, nscount = 0, arcount = 0

QUESTIONS:
        some.com, type = MX, class = IN

rcode = 2, ancount=0
An error occurred while trying to resolve an IP address for sonm.com.
The message would have been queued for another delivery attempt later.
Check your DNS configuration and make sure your DNS server(s) are
running.A

for a failure.

What I would expect is:

HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  qr aa ra
        qdcount = 1, ancount = 0, nscount = 0, arcount = 0


Anyone got any ideas?

thanks
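The distinction the post turns on, NOERROR with an empty answer section (NODATA) versus SERVFAIL (rcode 2), worked through as an added Python example; this is not part of the original post and is not BIND or Microsoft DNS server code. It constructs three MX responses in DNS wire format (a SERVFAIL like the one in the debug trace, the NODATA answer the poster expected, and a response carrying MX records), parses the header and answer section, and applies the rule an SMTP client follows under RFC 2821 section 5: MX records present means deliver to the exchanges in preference order, an empty NOERROR answer means fall back to the domain's own A record, NXDOMAIN is a permanent failure, and SERVFAIL is a temporary failure that queues the message. That fallback is the mail client's job rather than the name server's, which is why a SERVFAIL from the resolver chain stops it. The names some.com, mx1.some.com and mx2.some.com are placeholders.

```python
"""Classify an MX lookup from a raw DNS response: NODATA is not an error.

All messages below are constructed in memory; nothing is sent on the wire.
"""
import struct

QTYPE_MX = 15
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if end is None:
                end = off + 2                      # resume here after the jump
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_response(qname, qtype, rcode, mx_answers=(), msg_id=4, aa=False):
    """Construct a response (test data): header, one question, MX answers.
    Answer owner names use a pointer (0xC00C) to the question name at offset 12."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (rcode & 0xF)   # QR, RD, RA, rcode
    if aa:
        flags |= 1 << 10                                        # AA bit
    header = struct.pack(">HHHHHH", msg_id, flags, 1, len(mx_answers), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    answers = b""
    for preference, exchange in mx_answers:
        rdata = struct.pack(">H", preference) + encode_name(exchange)
        answers += struct.pack(">H", 0xC00C)
        answers += struct.pack(">HHIH", QTYPE_MX, 1, 300, len(rdata)) + rdata
    return header + question + answers


def parse_response(msg):
    """Parse the header, question section and answer section of a response."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            preference = struct.unpack(">H", msg[off:off + 2])[0]
            exchange, _ = decode_name(msg, off + 2)   # in-message so pointers resolve
            answers.append((name, rtype, ttl, (preference, exchange)))
        else:
            answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "rcode": flags & 0xF, "aa": bool(flags & (1 << 10)),
            "ancount": an, "questions": questions, "answers": answers}


def classify_mx_lookup(msg):
    """SMTP client rule (RFC 2821 s.5). Returns (action, hosts)."""
    r = parse_response(msg)
    qname = r["questions"][0][0]
    if r["rcode"] == 0:
        mx = sorted(a[3] for a in r["answers"] if a[1] == QTYPE_MX)
        if mx:
            return "deliver-to-mx", [exchange for _pref, exchange in mx]
        return "fallback-to-a", [qname]   # NODATA: implicit MX is the domain itself
    if r["rcode"] == 3:
        return "bounce", []                # NXDOMAIN: permanent failure
    return "defer", []                     # SERVFAIL etc.: temporary, queue and retry


def summarize(msg):
    """One-line summary in the style of a resolver debug trace."""
    r = parse_response(msg)
    return "rcode = %d (%s), ancount = %d" % (
        r["rcode"], RCODE_NAMES.get(r["rcode"], "?"), r["ancount"])


if __name__ == "__main__":
    cases = {
        "SERVFAIL as seen in the post": build_response("some.com", QTYPE_MX, 2),
        "NODATA as expected": build_response("some.com", QTYPE_MX, 0, aa=True),
        "MX present": build_response("some.com", QTYPE_MX, 0,
                                     [(20, "mx2.some.com"), (10, "mx1.some.com")]),
    }
    for label, msg in cases.items():
        print("%-28s %s -> %s" % (label, summarize(msg), classify_mx_lookup(msg)))
```

Running the script prints the three cases side by side; the SERVFAIL and NODATA responses both have ancount = 0, and only the rcode separates "defer" from "fallback-to-a", which is the field to check first when a forwarding chain like the one above misbehaves.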
