Overriding MX records to internal gateways

Kevin Darcy kcd at chrysler.com
Thu May 8 03:27:43 UTC 2008


Phaniraj Ranganath wrote:
> On Tue, May 6, 2008 at 6:52 AM, Barry Margolin <barmar at alum.mit.edu> wrote:
>
>> In article <fvn7a4$1ire$1 at sf1.isc.org>,
>>  "Pedro Espinoza" <raindoctor at gmail.com> wrote:
>>
>>> On Sat, May 3, 2008 at 11:47 AM, Josh Smith <juicewvu at gmail.com> wrote:
>>>
>>>> Why not just configure your MTA to use your internal gateway(s) as
>>>> smart hosts?
>>>>
>>> I asked this question because my shop has this setup, and I am trying
>>> to understand how they set it up. Here are the sample dig results for
>>> google.com A, MX, and NS:
>>>
>> Are they running BIND?
>>
>> It's curious that the A response has the AA flag set, even though it's
>> returning a response that's apparently cached, while the MX response
>> does NOT have the AA flag set, even though it's returning the local
>> override.
>>
>>> # dig @a.b.example.com google.com ns
>>>
>>> ; <<>> DiG 9.3.2 <<>> @a.b.example.com google.com ns
>>> ; (1 server found)
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3595
>>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>>>
>>> ;; QUESTION SECTION:
>>> ;google.com.                    IN      NS
>>>
>>> ;; AUTHORITY SECTION:
>>> com.                    1800    IN      NS      abc200.a.example.com.
>>> com.                    1800    IN      NS      abc201.a.example.com.
>>>
>>>
>>>
>>> # dig @a.b.example.com google.com a
>>>
>>> ; <<>> DiG 9.3.2 <<>> @a.b.example.com google.com a
>>> ; (1 server found)
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3193
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;google.com.                    IN      A
>>>
>>> ;; ANSWER SECTION:
>>> google.com.             19      IN      A       72.14.207.99
>>> google.com.             19      IN      A       64.233.187.99
>>> google.com.             19      IN      A       64.233.167.99
>>>
>>>
>>>
>>> # dig @a.b.example.com google.com mx
>>>
>>> ; <<>> DiG 9.3.2 <<>> @a.b.example.com google.com mx
>>> ; (1 server found)
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18239
>>> ;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 6
>>>
>>> ;; QUESTION SECTION:
>>> ;google.com.                    IN      MX
>>>
>>> ;; ANSWER SECTION:
>>> google.com.             1800    IN      MX      6 relay1.example.com.
>>> google.com.             1800    IN      MX      6 relay2.example.com.
>>>
>>>>  Thanks,
>>>>  Josh
>>>>
>>>>
>>>>
>>>>  On Fri, May 2, 2008 at 3:56 PM, Kevin Darcy <kcd at chrysler.com> wrote:
>>>>  >
>>>>  > Pedro Espinoza wrote:
>>>>  >  > Gurus:
>>>>  >  >
>>>>  >  > is it possible with BIND to replace authoritative MX records with
>>>>  >  > internal gateways, so that the MTA can route the email to internal
>>>>  >  > gateways? Of course, sendmail/postfix provides a solution to do that.
>>>>  >  > But I am looking at the DNS level, as follows:
>>>>  >  >
>>>>  >  >
>>>>  >  >
>>>>  >  > ;; QUESTION SECTION:
>>>>  >  > ;gmail.com.                     IN      MX
>>>>  >  >
>>>>  >  > ;; ANSWER SECTION:
>>>>  >  > gmail.com.              870     IN      MX      10 localrelay1.example.com.
>>>>  >  > gmail.com.              870     IN      MX      50 localrelay2.example.com
>>>>  >  >
>>>>  >  >
>>>>  >  You'd have to have a "private" version of the whole gmail.com zone.
>>>>  >
>>>>  >
>>>>  >  -Kevin
>>>>  >
>>>>  >
>>>>  >
>>>>
>>>>
>>>>
>>>>  --
>>>>  Josh Smith
>>>>  email/jabber: juicewvu at gmail.com
>>>>  phone: 304.237.9369(c)
>>>>
>>>>  () ascii ribbon campaign - against html e-mail
>>>>  /\ www.asciiribbon.org - against proprietary attachments
>>>>
>> --
>> Barry Margolin, barmar at alum.mit.edu
>> Arlington, MA
>> *** PLEASE don't copy me on replies, I'll read them in the group ***
>>
>
> Does it work like this ...
>
> The following entry should direct all mail to the relay host, which in turn
> tries to resolve the destination domain name. If the relay host is able to
> resolve the domain name in the Internet namespace, mail delivery happens.
> google.com.             1800    IN      MX      6 relay1.example.com.
> google.com.             1800    IN      MX      6 relay2.example.com.
>
>
> Please let me know if my observation is correct.
>
Well, yes, but
1. relay1.example.com and relay2.example.com would, in fact, need to be 
configured to allow relaying of google.com mail (most mail software 
these days disables relaying by default, since open relays are used 
extensively by spammers).
2. In BIND, in order to override the google.com MX records, you'd have 
to define a private version of the whole google.com *zone*. How then are 
your users going to access Google, unless you have some way to 
constantly keep that private zone (except for the MX records) in sync 
with the "real" google.com zone on the Internet? Bit of a conundrum, eh?

- Kevin
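As an added example (not code from the thread or from BIND), a small Python script that builds the "private version" of the zone that Kevin's point 2 describes: it takes a captured public answer for the domain, copies every record except the MX and NS sets, and writes apex MX records pointing at the internal relays. The sample answer, the SOA values and the names `parse_rrs`, `build_override_zone` and `a.b.example.com.` are constructed for illustration; run on a schedule against a real lookup, this is the "keep in sync" job the conundrum turns on.

```python
"""Build the private override zone Kevin describes: keep every public record of
the domain except the MX (and NS) set, and put internal relays in its place.
Added example, not code from the thread or from BIND; the sample answer and the
SOA values below are constructed placeholders, not real google.com data."""
import re

# Constructed sample of a resolver's answer section for the public zone.
PUBLIC_ANSWER = """\
google.com.             19      IN      A       72.14.207.99
google.com.             19      IN      A       64.233.187.99
google.com.             300     IN      NS      ns1.google.com.
google.com.             300     IN      MX      10 smtp1.google.com.
"""

# "owner TTL IN TYPE rdata", the layout dig prints in its answer section.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_rrs(answer_text):
    """Return (owner, ttl, type, rdata) tuples; non-matching lines are skipped."""
    rrs = []
    for line in answer_text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            rrs.append((m.group(1), int(m.group(2)), m.group(3).upper(),
                        m.group(4).strip()))
    return rrs


def build_override_zone(domain, public_answer, relays, internal_ns,
                        ttl=1800, serial=1):
    """Zone-file text for a master copy of `domain`: apex MX -> internal relays,
    apex NS -> the internal server (as in the thread's dig output), every other
    record re-emitted as captured. A placeholder SOA is added because BIND will
    not load a master zone without one."""
    apex = domain.rstrip(".") + "."
    kept = [rr for rr in parse_rrs(public_answer) if rr[2] not in ("MX", "NS")]
    out = ["$TTL %d" % ttl,
           "%s IN SOA %s hostmaster.%s %d 3600 900 1209600 300"
           % (apex, internal_ns, apex, serial),
           "%s IN NS %s" % (apex, internal_ns)]
    for owner, rttl, rtype, rdata in kept:
        out.append("%s %d IN %s %s" % (owner, rttl, rtype, rdata))
    for pref, relay in relays:  # equal preference = round-robin, as posted
        out.append("%s %d IN MX %d %s" % (apex, ttl, pref, relay))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_override_zone("google.com", PUBLIC_ANSWER,
                              [(6, "relay1.example.com."), (6, "relay2.example.com.")],
                              "a.b.example.com."))
```

The relays named in the MX records still need to be permitted to relay for the overridden domain on the MTA side, exactly as point 1 says.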


