DNS problems with Yahoo & Hotmail?
Brad Knowles
brad.knowles at skynet.be
Wed Jul 11 18:51:07 UTC 2001

At 7:10 AM -0700 7/11/01, Eric wrote:

> Setup a mail server for one of our Domains, eregs.com
>
> Has an mx record of mail.eregs.com which shows up on an nslookup on
> most ISPs and I can send mail back and forth. However, Yahoo and
> Hotmail fail to recognize this change, even after a week, they still
> do not recognize this mail exchanger. I am also unable to nslookup
> off of any of their listed NS servers. Appears their servers are not
> configured to allow outside lookups.

You've got some problems. Here's what the latest version of
"doc" has to say about your domain:

% doc -d eregs.com
Doc-2.2.2: doc -d eregs.com
Doc-2.2.2: Starting test of eregs.com. parent is com.
Doc-2.2.2: Test date - Wed Jul 11 14:26:37 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @h.gtld-servers.net. for soa of com.
soa @h.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001071001
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001071001
SOA serial #'s agree for com. domain
Found 2 NS and 2 glue records for eregs.com. @a.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @b.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @c.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @d.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @e.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @f.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @g.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @h.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @i.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @j.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @k.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @l.gtld-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for eregs.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
=== 0 were also authoritatve for eregs.com.
=== 13 were non-authoritative for eregs.com.
Servers for com. (not also authoritative for eregs.com.)
=== agree on NS records for eregs.com.
DEBUG: domserv = ns1.regscan.com. ns2.regscan.com.
NS list summary for eregs.com. from parent (com.) servers
== ns1.regscan.com. ns2.regscan.com.
digging @ns1.regscan.com. for soa of eregs.com.
soa @ns1.regscan.com. for eregs.com. serial: 2001032333
digging @ns2.regscan.com. for soa of eregs.com.
soa @ns2.regscan.com. for eregs.com. serial: 2001032333
SOA serial #'s agree for eregs.com.
Authoritative domain (eregs.com.) servers agree on NS for eregs.com.
ERROR: NS list from eregs.com. authoritative servers does not
=== match NS list from parent (com.) servers
NS list summary for eregs.com. from authoritative servers
== deathstar. ns1.regscan.com. ns2.regscan.com.
Checking 0 potential addresses for hosts at eregs.com.
==
Summary:
ERRORS found for eregs.com. (count: 1)
Done testing eregs.com. Wed Jul 11 14:26:43 EDT 2001

Here's what "dnswalk" has to say:

% dnswalk -alF eregs.com.
Checking eregs.com.
Getting zone transfer of eregs.com. from ns1.regscan.com...failed
FAIL: Zone transfer of eregs.com. from ns1.regscan.com failed: REFUSED
Getting zone transfer of eregs.com. from ns2.regscan.com...done.
SOA=ns1.regscan.com contact=root at regscan.com
WARN: SOA contact name (root at regscan.com) is invalid
WARN: eregs.com A 205.160.213.25: no PTR record
FAIL: Cannot find address for nameserver: NXDOMAIN
FAIL: Cannot get SOA record for eregs.com from deathstar (lame?): no
nameservers
BAD: eregs.com NS deathstar: unknown host
WARN: cbiz.eregs.com A 205.160.213.25: no PTR record
WARN: cc.eregs.com A 205.160.213.25: no PTR record
WARN: contractors.eregs.com A 205.160.213.25: no PTR record
WARN: deliverance.eregs.com A 205.160.213.241: no PTR record
WARN: mail.eregs.com A 205.160.213.241: no PTR record
WARN: nare.eregs.com A 205.160.213.25: no PTR record
WARN: unsubscribe.eregs.com A 205.160.213.241: no PTR record
WARN: www.eregs.com A 205.160.213.25: no PTR record
3 failures, 10 warnings, 1 errors.

Finally, here's what DNS Expert Professional 1.6 has to say:

DNS Expert
Detailed Report for eregs.com.
7/11/01, 8:22 PM, using the analysis setting "Minimal"
======================================================================
Information
----------------------------------------------------------------------
Serial number: 2001032333
Primary name server: ns1.regscan.com.
Primary mail server: mail.eregs.com.
Number of records: 15 (3 NS, 2 MX, 9 A, 1 CNAME, 0 PTR, 0 Other)
Errors
----------------------------------------------------------------------
o Unable to check the name server "deathstar."
It was not possible to check the name server "deathstar.",
because its address could not be resolved.
o The primary mail server "mail.eregs.com." does not respond
The mail server "mail.eregs.com.", which is a primary mail server
for "eregs.com.", does not seem to be working.
o The secondary mail server "mail.eregs.com." does not respond
The mail server "mail.eregs.com.", which is a secondary mail
server for "eregs.com.", does not seem to be working.
o There is no PTR record for the host "eregs.com."
There is no PTR record available for the host "eregs.com." which
has the IP address 205.160.213.25.
o There is no PTR record for the host "deliverance.eregs.com."
There is no PTR record available for the host
"deliverance.eregs.com." which has the IP address 205.160.213.241.
Warnings
----------------------------------------------------------------------
o All name servers for the zone are on the same subnet.
All name servers for the zone are on the same subnet
(205.160.213.*). If the connection to the network breaks, your
domain will become inaccessible.
----------------------------------------------------------------------
end of report

Looking at these records a bit more closely ourselves, we see
some more problems. First, your SOA records:

% dig @ns1.regscan.com. eregs.com. soa
; <<>> DiG 9.1.2 <<>> @ns1.regscan.com. eregs.com. soa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29517
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;eregs.com. IN SOA
;; ANSWER SECTION:
eregs.com. 3600 IN SOA ns1.regscan.com.
root\@regscan.com. 2001032333 18000 600 86400 3600
;; Query time: 30 msec
;; SERVER: 205.160.213.4#53(ns1.regscan.com.)
;; WHEN: Wed Jul 11 14:28:46 2001
;; MSG SIZE rcvd: 88

The "@" symbol in the MNAME field of the SOA record is invalid.
Replace the backslash and "@" symbol with a dot, so that
"root\@regscan.com." becomes "root.regscan.com.".

Now, your NS records:

% dig @ns1.regscan.com. eregs.com. ns
; <<>> DiG 9.1.2 <<>> @ns1.regscan.com. eregs.com. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32490
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;eregs.com. IN NS
;; ANSWER SECTION:
eregs.com. 3600 IN NS ns1.regscan.com.
eregs.com. 3600 IN NS deathstar.
eregs.com. 3600 IN NS ns2.regscan.com.
;; Query time: 31 msec
;; SERVER: 205.160.213.4#53(ns1.regscan.com.)
;; WHEN: Wed Jul 11 14:30:26 2001
;; MSG SIZE rcvd: 94

The name "deathstar." is a totally invalid FQDN. You either need
to add the proper domain name to the end of this hostname, or you
need to strip the trailing dot and allow BIND to add the domain name
for you. Furthermore, this does not match your delegations from the
gTLD nameservers:

% dig @a.gtld-servers.net. eregs.com. ns
; <<>> DiG 9.1.2 <<>> @a.gtld-servers.net. eregs.com. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20383
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;eregs.com. IN NS
;; ANSWER SECTION:
eregs.com. 172800 IN NS NS1.REGSCAN.com.
eregs.com. 172800 IN NS NS2.REGSCAN.com.
;; ADDITIONAL SECTION:
NS1.REGSCAN.com. 172800 IN A 205.160.213.4
NS2.REGSCAN.com. 172800 IN A 205.160.213.5
;; Query time: 6 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.)
;; WHEN: Wed Jul 11 14:31:52 2001
;; MSG SIZE rcvd: 103

So, you've got some delegation errors to correct.

Now, let's look at your MXes:

% dig @ns1.regscan.com. eregs.com. mx
; <<>> DiG 9.1.2 <<>> @ns1.regscan.com. eregs.com. mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60106
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;eregs.com. IN MX
;; ANSWER SECTION:
eregs.com. 3600 IN MX 10 mail.eregs.com.
eregs.com. 3600 IN MX 15 mail.eregs.com.
;; ADDITIONAL SECTION:
mail.eregs.com. 3600 IN A 205.160.213.241
mail.eregs.com. 3600 IN A 205.160.213.241
;; Query time: 30 msec
;; SERVER: 205.160.213.4#53(ns1.regscan.com.)
;; WHEN: Wed Jul 11 14:38:48 2001
;; MSG SIZE rcvd: 96

While perhaps not quite totally illegal, it is certainly highly
irregular to have the same machine be both the primary and secondary
MX for your domain. Moreover, when I attempt to contact your
mailserver, I get "connection timed out". If your mail server is not
connected to the 'net, then that would certainly prevent you from
ever accepting any mail for that domain.

Now, while you've protected ns1.regscan.com against zone
transfers from unknown machines, you have not done the same for
ns2.regscan.com. So, I can get a complete copy of your zone:

% dig @ns2.regscan.com. eregs.com. axfr
; <<>> DiG 9.1.2 <<>> @ns2.regscan.com. eregs.com. axfr
;; global options: printcmd
eregs.com. 3600 IN SOA ns1.regscan.com.
root\@regscan.com. 2001032333 18000 600 86400 3600
eregs.com. 3600 IN A 205.160.213.25
eregs.com. 3600 IN NS ns1.regscan.com.
eregs.com. 3600 IN NS deathstar.
eregs.com. 3600 IN NS ns2.regscan.com.
eregs.com. 3600 IN MX 10 mail.eregs.com.
eregs.com. 3600 IN MX 15 mail.eregs.com.
adv.eregs.com. 3600 IN CNAME deliverance.eregs.com.
cbiz.eregs.com. 3600 IN A 205.160.213.25
cc.eregs.com. 3600 IN A 205.160.213.25
contractors.eregs.com. 3600 IN A 205.160.213.25
deliverance.eregs.com. 3600 IN A 205.160.213.241
mail.eregs.com. 3600 IN A 205.160.213.241
nare.eregs.com. 3600 IN A 205.160.213.25
unsubscribe.eregs.com. 3600 IN A 205.160.213.241
www.eregs.com. 3600 IN A 205.160.213.25
eregs.com. 3600 IN SOA ns1.regscan.com.
root\@regscan.com. 2001032333 18000 600 86400 3600
;; Query time: 94 msec
;; SERVER: 205.160.213.5#53(ns2.regscan.com.)
;; WHEN: Wed Jul 11 14:44:09 2001
;; XFR size: 18 records

At least you're not blindly blocking all TCP queries to port 53. ;-)

Finally, you do not have reverse DNS set up for your IP addresses:

% dig 213.160.205.in-addr.arpa. ns
; <<>> DiG 9.1.2 <<>> 213.160.205.in-addr.arpa. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21480
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;213.160.205.in-addr.arpa. IN NS
;; ANSWER SECTION:
213.160.205.in-addr.arpa. 80370 IN NS ns1.inav.net.
213.160.205.in-addr.arpa. 80370 IN NS ns2.inav.net.
;; ADDITIONAL SECTION:
ns1.inav.net. 27 IN A 64.6.64.1
ns2.inav.net. 167 IN A 64.6.64.2
;; Query time: 3 msec
;; WHEN: Wed Jul 11 14:47:49 2001
;; MSG SIZE rcvd: 118
% dig @ns1.inav.net. 25.213.160.205.in-addr.arpa. any
; <<>> DiG 9.1.2 <<>> @ns1.inav.net. 25.213.160.205.in-addr.arpa. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30986
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;25.213.160.205.in-addr.arpa. IN ANY
;; Query time: 562 msec
;; SERVER: 64.6.64.1#53(ns1.inav.net.)
;; WHEN: Wed Jul 11 14:49:16 2001
;; MSG SIZE rcvd: 45
% dig @ns2.inav.net. 25.213.160.205.in-addr.arpa. any
; <<>> DiG 9.1.2 <<>> @ns2.inav.net. 25.213.160.205.in-addr.arpa. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1508
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;25.213.160.205.in-addr.arpa. IN ANY
;; Query time: 666 msec
;; SERVER: 64.6.64.2#53(ns2.inav.net.)
;; WHEN: Wed Jul 11 14:49:30 2001
;; MSG SIZE rcvd: 45

It looks to me like you've got a lot of problems that need to be
solved. Some are serious, some are less so. But the sooner you
solve all of them, the better for you and your customers.

--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
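
The zone-data problems identified in the message above (NS set differing from the parent delegation, the single-label "deathstar." target, "@" in the SOA mailbox field, one host listed at two MX preferences) can be checked mechanically. The following is an added example, not part of the original post: the records are copied from the dig output quoted in the message, and the function names and finding labels are made up for illustration.

```python
import re
from collections import defaultdict

# Records as dig printed them in the message above (SOA joined onto one line).
ZONE_TEXT = r"""
eregs.com. 3600 IN SOA ns1.regscan.com. root\@regscan.com. 2001032333 18000 600 86400 3600
eregs.com. 3600 IN NS ns1.regscan.com.
eregs.com. 3600 IN NS deathstar.
eregs.com. 3600 IN NS ns2.regscan.com.
eregs.com. 3600 IN MX 10 mail.eregs.com.
eregs.com. 3600 IN MX 15 mail.eregs.com.
"""
# Delegation as returned by a.gtld-servers.net. in the message above.
PARENT_TEXT = """
eregs.com. 172800 IN NS NS1.REGSCAN.com.
eregs.com. 172800 IN NS NS2.REGSCAN.com.
"""

def parse(text):
    """Return {rrtype: [rdata field lists]} from 'owner ttl IN type rdata...' lines."""
    rrs = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";") and f[2] == "IN":
            rrs[f[3].upper()].append(f[4:])
    return rrs

def lint(zone_text, parent_text):
    """Return a list of (label, detail) findings; labels are hypothetical names."""
    zone, parent = parse(zone_text), parse(parent_text)
    findings = []
    child_ns = {r[0].lower() for r in zone["NS"]}
    parent_ns = {r[0].lower() for r in parent["NS"]}
    if child_ns != parent_ns:                    # zone and delegation disagree
        findings.append(("ns-mismatch", sorted(child_ns ^ parent_ns)))
    for ns in sorted(child_ns):
        if ns.rstrip(".").count(".") == 0:       # single label with trailing dot
            findings.append(("ns-single-label", ns))
    for soa in zone["SOA"]:
        if "@" in soa[1]:                        # mailbox field must use a dot
            findings.append(("soa-mailbox-at", soa[1]))
    by_host = defaultdict(set)
    for pref, host in zone["MX"]:
        by_host[host.lower()].add(int(pref))
    for host, prefs in sorted(by_host.items()):
        if len(prefs) > 1:                       # same target at several preferences
            findings.append(("mx-same-host", (host, sorted(prefs))))
    return findings

if __name__ == "__main__":
    for finding in lint(ZONE_TEXT, PARENT_TEXT):
        print(finding)
```
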