DNS configuration on our domain
Mark Andrews
Mark_Andrews at isc.org
Wed Sep 13 01:25:58 UTC 2006
> I need some help troubleshooting a problem. Sorry for the lengthy
> message. I thought it would be better to provide as much information as
> possible. I am not sure whether our problem is a DNS problem, a qmail
> problem, a spamassassin problem, an exchange 2000 problem or something
> totally different. I am starting with posting to this list as I have
> had previous DNS problems that have shut down my email delivery in the
> past.
>
>
> At the bottom of this message are the zone configurations for the three
> zones that affect email in our domain. The server listed below is
> serving as an external DNS server for our domain. I also have (or I
> should say, had) two servers on the domain serving as internal DNS
> servers. One is a new Windows 2003 server that I just set up a couple
> of weeks ago. The other is an older machine running Windows Advanced
> Server 2000. I have removed the older Server 2000 from serving as a DNS
> server. The reason for this was that the C: drive on that machine is
> full (less than 32 mb of free space available). This was causing DNS to
> shut down on that server. I have added the Windows 2003 server to the
> domain as a DNS server and removed the older server from acting as a DNS
> server. Since removing that old server as a DNS server I have not had
> any further DNS issues that I am aware of.
>
>
>
> Prior to discovering the above mentioned internal DNS problem with the
> C: drive I was attempting to troubleshoot why emails were not being
> delivered. In doing so I changed the MX setting on the external DNS to
> direct email to the Exchange 2000 server (204.87.111.232) instead of to
> the qmailtoaster server (204.87.111.225) which is the same server as the
> BIND DNS server. I also have a new Exchange 2003 server (MXI2) which
> has my personal mailbox on it. Because of the above changes to my BIND
> DNS zone settings I am wondering if my BIND DNS configurations below may
> be causing some delivery problems for incoming and outgoing email.
>
>
>
> Since making these changes I have had some users complain that some
> emails that are sent to them from outside the network are not coming
> through or that some emails they send out are not being delivered. In
> one instance, I had a user who could not send an email to an outside
> contact. After exploring that problem with that domain's systems
> administrator it was discovered that their spam filters were blocking
> email from our domain because our MX (204.87.111.232) server did not
> have the same IP address as the DNS (204.87.111.225) server? Below is
> the header for a message sent to that administrator after he resolved
> the filtering problem and his server began accepting email from our
> domain:
>
>
>
> Microsoft Mail Internet Headers Version 2.0
>
> Received: from mx1.okhouse.gov ([10.0.0.13]) by MAIL.ohr.lsb.state.ok.us
> with Microsoft SMTPSVC(6.0.3790.1830);
>
> Fri, 8 Sep 2006 14:19:11 -0500
>
> Received: from dellapp02.occa.state.ok.us (ns.occa.state.ok.us
> [204.87.111.225])
>
> by mx1.okhouse.gov (BorderWare MXtreme Mail Firewall) with
> ESMTP id 3276160D1F
>
> for <davidw at okhouse.gov>; Fri, 8 Sep 2006 14:19:10 -0500
> (CDT)
>
> Received: (qmail 5259 invoked by uid 507); 8 Sep 2006 19:17:59 -0000
>
> Received: by simscan 1.1.0 ppid: 5239, pid: 5245, t: 1.8778s
>
> scanners: clamav: 0.86.2/m:34/d:1084 spam: 3.0.4
>
> Received: from unknown (HELO MXI.occa.state.ok.us) (204.87.111.232)
>
> by dellapp02.occa.state.ok.us with SMTP; 8 Sep 2006 19:17:57 -0000
>
> Received: from mxi2.occa.state.ok.us ([172.16.254.137]) by
> MXI.occa.state.ok.us with Microsoft SMTPSVC(5.0.2195.6713);
>
> Fri, 8 Sep 2006 14:21:28 -0500
>
> Subject: test2
>
> Date: Fri, 8 Sep 2006 14:21:28 -0500
>
> Message-ID: <088EFB279DB2A64688EE22B92FBEABA02933 at mxi2.occa.state.ok.us>
>
> MIME-Version: 1.0
>
> Content-Type: multipart/alternative;
>
> boundary="----_=_NextPart_001_01C6D37B.FB8A5281"
>
> X-MS-Has-Attach:
>
> X-MS-TNEF-Correlator:
>
> Thread-Topic: test2
>
> Content-class: urn:content-classes:message
>
> Thread-Index: AcbTe/uSwb1jKXUKSdmrljDTvRLHlQ==
>
> X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
>
> From: "Steve Ingraham" <singraham at okcca.net>
>
> To: <davidw at okhouse.gov>
>
> X-OriginalArrivalTime: 08 Sep 2006 19:21:28.0061 (UTC)
> FILETIME=[FB80FAD0:01C6D37B]
>
> X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
>
> dellapp02.occa.state.ok.us
>
> X-Spam-Level:
>
> X-Spam-Status: No, score=-1.6 required=3.0 tests=BAYES_00,HTML_90_100,
>
> HTML_MESSAGE autolearn=no version=3.0.4
>
> X-STA-Metric: 29 (engine2)
>
> X-STA-NotSpam: oklahoma from:addr:okcca.net test2 steve 405
>
> X-STA-Spam: <!-->:2**0 header:Message-ID:1 appeals content-type:text/ht
> header:MIME-Version:
>
> X-BTI-AntiSpam:
> score:0,sta:29/022,dcc:passed,dnsbl:passed,sw:passed,bsn:41/passed,spf:n
> one,dk:off,pbmf:accept/399,ipr:0/3,trusted:no,ts:no,ubl:passed
>
> Received-SPF: none
>
> Return-Path: singraham at okcca.net
>
>
>
>
>
> In another instance, one of my users attempted to use his AOL account
> from home last night to send an email to his email account here. A
> rejection notice was bounced back to his AOL account with the following
> information:
>
>
>
> ----- The following addresses had permanent fatal errors -----
> <lblosser at okcca.net>
>
> ----- Transcript of session follows -----
> ... while talking to okcca.net.:
> >>> DATA
> <<< 554 Your email is considered spam (1.00 spam-hits)
> 554 <lblosser at okcca.net>... Service unavailable
> Final-Recipient: RFC822; lblosser at okcca.net
> Action: failed
> Status: 5.0.0
> Remote-MTA: DNS; okcca.net
> Diagnostic-Code: SMTP; 554 Your email is considered spam (1.00
> spam-hits)
> Last-Attempt-Date: Thu, 7 Sep 2006 22:36:05 -0400 (EDT)
> Received: from LendellB at aol.com
> by imo-m24.mx.aol.com (mail_out_v38_r7.6.) id l.bfd.3d7a3e7 (33856)
> for <lblosser at okcca.net>;
> Thu, 7 Sep 2006 22:34:46 -0400 (EDT)
> Return-path: <LendellB at aol.com>
> From: LendellB at aol.com
> Message-ID: <bfd.3d7a3e7.323230c6 at aol.com>
> Date: Thu, 7 Sep 2006 22:34:46 EDT
> Subject: Fwd: FW: this attached file is the packet I sent I will have a
>
> official rule...
> To: lblosser at okcca.net
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="part1_bfd.3d7a3e7.323230c6_boundary"
> X-Mailer: 9.0 Security Edition for Windows sub 5326
> X-Spam-Flag: NO
>
>
>
> Since changing the MX addresses to the Exchange 2000 machine our spam
> has decreased but I am getting sporadic reports like the two examples
> above from users that some email is not being properly delivered. Below
> are three of our domain zone configurations for our External DNS server
> running BIND DNS 9.2.4:
>
>
>
> 204.87.111.225 is a Dell Power Edge 1850 Server running Redhat
> Enterprise Linux AS ver 3, BIND DNS 9.2.4, qmailtoaster ver 1.2,
> spamassassin 3.0.4
>
> 204.87.111.232 is a Windows Advanced Server 2000 running Exchange 2000
>
>
>
> IN occa.state.ok.us
>
> Name                          Type   TTL      Values
> occa.state.ok.us.             NS     Default  ns
> occa.state.ok.us.             NS     Default  ns2
> occa.state.ok.us.             MX     Default  10 204.87.111.232
> occa.state.ok.us.             A      Default  204.87.111.225
> localhost.occa.state.ok.us.   A      Default  127.0.0.1
> ns.occa.state.ok.us.          A      Default  204.87.111.225
> ns2.occa.state.ok.us.         A      Default  204.87.111.226
> mxi.occa.state.ok.us.         A      Default  204.87.111.232
> inet1.occa.state.ok.us.       A      Default  204.87.111.228
> mail.occa.state.ok.us.        A      Default  204.87.111.229
> vpn.occa.state.ok.us.         A      Default  204.87.111.233
> www.occa.state.ok.us.         CNAME  Default  inet1
> dellapp02.occa.state.ok.us.   A      Default  204.87.111.225
> mxo.occa.state.ok.us.         CNAME  Default  dellapp02
>
>
>
> IN mail.occa.state.ok.us
>
> Name                              Type   TTL      Values
> mail.occa.state.ok.us.            NS     Default  ns
> mail.occa.state.ok.us.            NS     Default  ns2
> mail.occa.state.ok.us.            MX     Default  10 mail
> mail.occa.state.ok.us.            A      Default  204.87.111.225
> ns.okcca.net.                     A      Default  204.87.111.225
> ns2.mail.occa.state.ok.us.        A      Default  204.87.111.226
> mxgateway.mail.occa.state.ok.us.  CNAME  Default  ns.okcca.net.
> mail.mail.occa.state.ok.us.       A      Default  204.87.111.232
> inet1.mail.occa.state.ok.us.      A      Default  204.87.111.228
> mymail.mail.occa.state.ok.us.     A      Default  204.87.111.232
> www.mail.occa.state.ok.us.        CNAME  Default  inet1.okcca.net.
> online.mail.occa.state.ok.us.     CNAME  Default  inet1.okcca.net.
> okcca.net.                        A      Default  204.87.111.225
>
>
>
> IN okcca.net
>
> Name                     Type   TTL      Values
> okcca.net.               NS     Default  ns
> okcca.net.               NS     Default  ns2
> mail.occa.state.ok.us.   MX     Default  10 mail
> mail.occa.state.ok.us.   A      Default  204.87.111.225
> ns.okcca.net.            A      Default  204.87.111.225
> ns2.okcca.net.           A      Default  204.87.111.226
> mxgateway.okcca.net.     CNAME  Default  ns.okcca.net.
> mail.okcca.net.          A      Default  204.87.111.232
> inet1.okcca.net.         A      Default  204.87.111.228
> mymail.okcca.net.        A      Default  204.87.111.232
> www.okcca.net.           CNAME  Default  inet1.okcca.net.
> online.okcca.net.        CNAME  Default  inet1.okcca.net.
> okcca.net.               A      Default  204.87.111.225
>
>
>
> I am not sure whether our mail delivery problems are a DNS issue or not.
> I do know that 99% of our mail is delivered without problems. Are there
> some DNS zone configurations listed above that should be changed? If
> so, I would appreciate some insight on how the IP addresses should be
> set up for the various "Types" if I am directing email to the Exchange
> 2000 server on 204.87.111.232. I have inherited this system and am
> trying to understand how DNS, email and spam filtering all work
> together. Any assistance would be appreciated.
>
>
>
> Thanks,
>
> Steve Ingraham
You need to ensure that the PTR and A records are
consistent and that they also match the name emitted
in the HELO/EHLO of the SMTP transaction.
Your PTR and A records are not consistent.
Mark
drugs:bind9-gdib 11:21 {729} % dig -x 204.87.111.232
; <<>> DiG 9.3.2-P1 <<>> -x 204.87.111.232
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18479
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;232.111.87.204.in-addr.arpa. IN PTR
;; ANSWER SECTION:
232.111.87.204.in-addr.arpa. 259200 IN PTR mail.occa.state.ok.us.
232.111.87.204.in-addr.arpa. 259200 IN PTR mymail.okcca.net.
;; AUTHORITY SECTION:
232.111.87.204.in-addr.arpa. 86397 IN NS ns2.occa.state.ok.us.
232.111.87.204.in-addr.arpa. 86397 IN NS ns.occa.state.ok.us.
;; Query time: 3774 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 13 11:21:56 2006
;; MSG SIZE rcvd: 145
drugs:bind9-gdib 11:21 {730} % dig mail.occa.state.ok.us
; <<>> DiG 9.3.2-P1 <<>> mail.occa.state.ok.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35360
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.occa.state.ok.us. IN A
;; ANSWER SECTION:
mail.occa.state.ok.us. 86400 IN A 204.87.111.225
;; AUTHORITY SECTION:
occa.state.ok.us. 86382 IN NS dns2.occa.state.ok.us.
occa.state.ok.us. 86382 IN NS dns.occa.state.ok.us.
;; Query time: 599 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 13 11:22:11 2006
;; MSG SIZE rcvd: 92
drugs:bind9-gdib 11:22 {731} % dig mymail.okcca.net
; <<>> DiG 9.3.2-P1 <<>> mymail.okcca.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52995
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;mymail.okcca.net. IN A
;; ANSWER SECTION:
mymail.okcca.net. 86400 IN A 204.87.111.232
;; AUTHORITY SECTION:
okcca.net. 138306 IN NS ns2.okcca.net.
okcca.net. 138306 IN NS ns.okcca.net.
;; Query time: 247 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 13 11:22:24 2006
;; MSG SIZE rcvd: 85
drugs:bind9-gdib 11:22 {732} %
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
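
Added example (not part of the original message or of BIND): the PTR / A / HELO consistency check described in the reply, run offline over the records shown in the dig output above plus the mxi entry from the posted zone listing. The function names and the pluggable lookup callbacks are assumptions of this example.

```python
# Added example: forward-confirmed reverse DNS check plus HELO match.
# Record data below is transcribed from this thread, not queried live.

PTR = {  # answers from "dig -x 204.87.111.232"
    "204.87.111.232": ["mail.occa.state.ok.us.", "mymail.okcca.net."],
}
A = {  # answers from the forward dig queries and the posted zone listing
    "mail.occa.state.ok.us.": ["204.87.111.225"],
    "mymail.okcca.net.": ["204.87.111.232"],
    "mxi.occa.state.ok.us.": ["204.87.111.232"],
}

def norm(name):
    """Lower-case and fully qualify a name so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def check_mail_host(ip, helo, ptr_lookup, a_lookup):
    """Return a list of findings; an empty list means PTR, A and HELO agree."""
    findings = []
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        findings.append(f"{ip}: no PTR record")
    # Every PTR name must resolve back to the address it was found under.
    for name in ptr_names:
        addrs = a_lookup(name)
        if ip not in addrs:
            findings.append(f"PTR {name} -> A {addrs or 'none'} does not include {ip}")
    # The HELO/EHLO name must resolve to the address and be one of its PTR names.
    helo = norm(helo)
    if ip not in a_lookup(helo):
        findings.append(f"HELO {helo} does not resolve to {ip}")
    if helo not in ptr_names:
        findings.append(f"HELO {helo} is not among the PTR names for {ip}")
    return findings

def offline_check(ip, helo):
    """Run the check against the records transcribed from this thread."""
    return check_mail_host(ip, helo,
                           lambda i: PTR.get(i, []),
                           lambda n: A.get(norm(n), []))

if __name__ == "__main__":
    # HELO name taken from the Received header quoted in the original post.
    for finding in offline_check("204.87.111.232", "MXI.occa.state.ok.us"):
        print(finding)
```

To run it against live DNS, pass lookup callbacks backed by a resolver in place of the two dictionaries.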