DNS Newbie Problem

Axman

I've had my company's website dumped in my lap. I don't know how to set up the hosting records.

Now I have a copy of O'Reilly's DNS and BIND and am sufficiently whelmed, but for reasons not being the firewall our Exchange server isn't receiving email. I know it's somewhere in the NS/ MX/ A/ CNAME records, but I'm in need of some better general references to get things working correctly.

It really is a simple set-up, with one web host and one mail exchanger, and the fact that I can't get it running is a real frustration for me.

If there are some DNS goons here, I sure could use some tools to help me figure all this out. Suggestions?

Axman
 
From outside of your network (or at least asking someone else's DNS servers) do

nslookup -type=mx yourdomainnamehere.com

This will tell you the MX (Mail Exchanger) record that hosts on the internet will send email to for yourdomainnamehere.com. This should be the external name of your email server. Then, make sure that external name matches your external IP for your email server, by doing

nslookup mail.YourEmailServersNameHere.here

Then, from outside your network, make sure you can connect to the SMTP port of your mail server by doing

telnet mail.YourEmailServersNameHere.com smtp



It should look something like this:

Code:
D:\syslogd>nslookup -type=mx fint.org
Server:  rtix-dc-001
Address:  10.5.60.12

Non-authoritative answer:
fint.org        MX preference = 0, mail exchanger = mx2.swarthy.mail.dreamhost.net
fint.org        MX preference = 0, mail exchanger = mx1.swarthy.mail.dreamhost.net

mx2.swarthy.mail.dreamhost.net  internet address = 66.33.196.116
mx1.swarthy.mail.dreamhost.net  internet address = 66.33.196.49

D:\syslogd>telnet mx1.swarthy.mail.dreamhost.com smtp
220 ludo.dreamhost.com ESMTP
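The three checks in this post (MX lookup, MX host to IP, SMTP greeting) as an added Python example, not code from the thread: it parses the Windows nslookup output format shown above, flags MX hosts that do not resolve to the public IP the firewall should forward to, and validates the 220 greeting. The sample nslookup text and the example.org / 192.0.2.x values are constructed for the example.

```python
import re
import socket

# Regexes for the Windows nslookup output format shown in the post above.
MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)", re.M)
A_RE = re.compile(r"^(\S+)\s+internet address = (\d{1,3}(?:\.\d{1,3}){3})", re.M)
# RFC 5321 greeting: "220 <hostname> [text]"; "220-" starts a multi-line greeting.
BANNER_RE = re.compile(r"^220[ -]([A-Za-z0-9.-]+)(?:\s.*)?$")


def parse_nslookup_mx(text):
    """Step 1: return ([(preference, mx_host), ...] by preference, {host: ip})."""
    mxs = sorted((int(p), h.rstrip(".")) for _, p, h in MX_RE.findall(text))
    addrs = {h.rstrip("."): ip for h, ip in A_RE.findall(text)}
    return mxs, addrs


def check_mx_targets(mxs, addrs, expected_ip):
    """Step 2: every MX host must have an A record, and it must be the public
    IP the firewall forwards to the mail server. Returns {host: problem|None}."""
    result = {}
    for _, host in mxs:
        ip = addrs.get(host)
        if ip is None:
            result[host] = "no A record returned for this MX host"
        elif ip != expected_ip:
            result[host] = f"resolves to {ip}, expected {expected_ip}"
        else:
            result[host] = None
    return result


def parse_banner(line):
    """Step 3: validate the SMTP greeting. Returns the advertised hostname, or
    None when the line is not a well-formed 220 reply (wrong code, garbage)."""
    m = BANNER_RE.match(line.strip())
    return m.group(1) if m else None


def fetch_banner(host, port=25, timeout=5):
    """Live equivalent of `telnet host smtp`: read the server's first line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        lines = s.recv(512).decode("ascii", "replace").splitlines()
        return lines[0] if lines else ""


# Constructed sample in the nslookup layout above (documentation names/IPs).
SAMPLE = """Non-authoritative answer:
example.org     MX preference = 10, mail exchanger = net.example.org
example.org     MX preference = 20, mail exchanger = mx2.example.org
net.example.org internet address = 192.0.2.70
mx2.example.org internet address = 198.51.100.5
"""
```

Run `check_mx_targets(*parse_nslookup_mx(SAMPLE), "192.0.2.70")` to see the mismatch report; `fetch_banner` needs network access and is the only function that touches a real server.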
 
Suddenly I suspect that it is my firewall; if I use the outside domain name or IP, I get no telnet connection, but if I use the inside IP it connects immediately.

Does Exchange 2003 require more than http, https, smtp, nntp, pop3, imap4 and telnet? Because that's what I'm currently forwarding.

Thanks

Axman
 
It needs *only* inbound TCP/25 (SMTP) to accept incoming email. 80/443 are nice if you use OWA, 110 is only needed if remote clients download mail via POP3 (unlikely). Incoming NNTP is very unlikely to be needed, as is telnet.
 
Let's assume that my firewall is working jus' fine, for now at least.

Then, I set up my host records like so:
Code:
#-------------------------------
gs-beer.org.          86400 IN NS    ns19a.nameservers.net.
gs-beer.org.          86400 IN NS    ns19b.nameservers.net.
www.gs-beer.org.      86400 IN MX    10 net.gs-beer.org.
gs-beer.org.          86400 IN MX    10 net.gs-beer.org.
www.gs-beer.org.      86400 IN A     78.15.96.70
gs-beer.org.          86400 IN A     78.15.96.70
net.gs-beer.org.      86400 IN A     78.15.96.70
#-------------------------------
Where net.gs-beer.org is the web server and mail exchanger.

Am I missing something?

When it worked for one twenty-four hour period, the NS records pointed to net.gs-beer.org, but then were not replicated after expiration. Is that a coincidence or do we need an NS record pointing to us as well?

Axman
 
As further evidence to suggest that my firewall is not forwarding correctly, I cannot ping my servers by their external IPs, though I have not blocked ICMP. (In fact, now I have specifically allowed it, and I am still not able to ping them.)

For what it's worth.

A
 
Yeah. Oh to hell with it, it's gs-school.org. For those of you so inclined to fuck with people, please not us.

By the way, some of the hosting records may be in limbo, I changed them to what I posted this morning.
 
Is there a mail server and a web server with 2 separate IPs, or is there 1 box running both services? Or, are you NATing internally with port forwarding? The reason I ask is that your A names and MX record all point to the same IP currently.
 
Axman said:
Let's assume that my firewall is working jus' fine, for now at least.

Then, I set up my host records like so:
Code:
#-------------------------------
gs-beer.org.          86400 IN NS    ns19a.nameservers.net.
gs-beer.org.          86400 IN NS    ns19b.nameservers.net.
www.gs-beer.org.      86400 IN MX    10 net.gs-beer.org.
gs-beer.org.          86400 IN MX    10 net.gs-beer.org.
www.gs-beer.org.      86400 IN A     78.15.96.70
gs-beer.org.          86400 IN A     78.15.96.70
net.gs-beer.org.      86400 IN A     78.15.96.70
#-------------------------------
Where net.gs-beer.org is the web server and mail exchanger.


Am I missing something?

When it worked for one twenty-four hour period, the NS records pointed to net.gs-beer.org, but then were not replicated after expiration. Is that a coincidence or do we need an NS record pointing to us as well?

Axman


Perhaps. I am AWARE that this isn't your real domain, but if in my mind I substitute your real domain for the fake one in your code, it looks ok.

No, the NS records need to stay with your DNS hosting provider unless you run your own DNS, in which case, you will have to change your NS records to you and get your ISP to make a PTR for your IP so your NS will work better.

Basically, log into your DNS hosting provider's system (web interface, make a phone call, etc, however they do it) and make the records there match what you've listed here.

Now, if your firewall is set up correctly, I cannot connect to TCP/25 to the IP listed up there (78.15.96.70). That's going to be a deal-breaker in getting email into your network.

Once the changes are made, it will take at least 24 hours before the rest of the world sees it and perhaps 48 hours (well, 47 hours, 59 mins, 59 seconds) before you are guaranteed to have propagated out to everyone in the world with a properly running DNS server.

Now what's odd is that at 5pm yesterday you said you changed the records to what you posted. 8:15am on 9/9 is the first time I saw the thread and I run my own DNS server at home, and it has never cached a record of gs-school.org and it's still reporting some differences. If you HAVE made the changes with your DNS host (the world thinks it's ns19b.nameservers.net or ns19a.nameservers.net) they haven't done their job. Get them on the phone or open a trouble-ticket with their tech support.
 
Yeah, I'd say either your MX record is pointing to the wrong place, or your firewall is blocking the incoming packets (or your Exchange box isn't listening for SMTP, or isn't listening on the right IP).

fint@postal:~$ host -t mx gs-school.org
gs-school.org mail is handled by 10 net.gs-school.org.
fint@postal:~$ telnet net.gs-school.org smtp
Trying 69.15.96.70...
[Connection timed out]

This is a helpful site for DNS newbies
 
Thanks.

I'll be here all weekend, or as they used to say if you were crazy-rich, Fridays-to-Mondays. If it all works, I'll give you props. If not, you know, thanks just the same.

Axman
 
Indeed, your mail server is listed as net.gs-school.org on IP address 69.15.96.70.

But there is no SMTP server on 69.15.96.70.

Is that the right IP address? If so, your firewall is not forwarding to your email server. If not, it is a DNS problem, and you need to correct the MX record.

==>Lazn
 
Back on track.

So to find out if the firewall was the source of all of our problems, I stuck our mail server right on the internet and was indeed able to telnet to its IP's port 25. But it still failed to receive any email. To verify I repeated the test on another night and spammed the hell out of the box. Nothing showed up. No load variations or anything, but mail sent by Telnet:25 worked.

While I'm the first to admit that our firewall can do some screwy things, it doesn't seem to be the thing, at least not the first thing, blocking email.

69.15.95.70 is indeed the right IP, by the way.

I'm really tapped for explanation.
 
I suppose the server is offline. I can't connect to it. Yes, check your logfiles for what's happening with the email.
 
The event log is bereft of any errors dealing with Exchange, with about one exception a week stating that the primary domain controller can't be contacted. While they don't necessarily correspond to that server's downtime I don't think that they reflect any operations failures pertaining to Exchange.

Essentially, it's blank.

Axman
 
This is just my opinion, but if I were you I would work on getting the exchange server reachable from the internet first. We can troubleshoot the exchange part all we want, but if the outside world can't reach it, we'll never know if progress is made. What kind of firewall is in front of this device, and it is doing NAT for you (if I read the thread correctly), right?
 
Sorry, I was trying to say that I think Exchange works fine, as is indicated by the lack of events as well as the fact that email sent internally, from one Exchange mailbox to another has no problems.

The firewall is a Cisco PIX 506E, but even when bypassed, with the server connected directly to the router and configured with its outside IP, mail goes into the void. The router is a Cisco IAD2400, but because it splits phones out from the CSU/ DSU I'm really limited in my ability to kick it around. I would be surprised if it did any addressing or blocking whatsoever.

Axman
 
It could certainly be your router blocking access.

If you have the email server outside of your firewall can you get to it from home (or we could test from here) because your firewall should allow access from the inside to anything, but if your router is the cause of the problem you would not know unless you tried to get to it from outside of it.

==>Lazn
 
When I had it bypassing the firewall, I was able to telnet to port 25 from my freeshell.org shell account. Is that good enough?
 
Axman said:
When I had it bypassing the firewall, I was able to telnet to port 25 from my freeshell.org shell account. Is that good enough?
Technically yes it is. That suggests that your router is not blocking any SMTP traffic and that the problem is at your firewall. If you can Telnet:25 from internal and do the same with the machine direct attached to your router it sounds like your firewall is at issue.

Check out your access lists or conduit statements on your firewall...whichever method you use for your firewall.
 
It does not receive email when bypassing the firewall, either. But being able to telnet to port 25 when it sits on the router suggests (I think/ hope) that the router is not blocking the email on top of it.
 
Axman said:
It does not receive email when bypassing the firewall, either. But being able to telnet to port 25 when it sits on the router suggests (I think/ hope) that the router is not blocking the email on top of it.

If you can telnet to port 25, you can send email to it. That really is how email works, you can manually do it as seen here: http://exchange.mvps.org/smtp_frames.htm but that is really all an email program does.

==>Lazn
 
Axman said:
So I'm back to DNS record problems.

Not if that is the correct IP address in the MX record; DNS is not magic.

I cannot telnet to that IP address on port 25. Until you get that working from the outside, there is no point in looking any further.

==>Lazn
 
Today it looks like our email works. The firewall was a big part, but there was also a failure to replicate WINS internally that was throwing a shoe into the gears. Even though it works by all accounts, I'm concerned about this:
$ telnet 69.15.95.70 25
Trying 69.15.95.70...
Connected to 69.15.95.70.
Escape character is '^]'.
220 *************************************************************0****0*0 ***************2******200************0*00
Should I be, if, you know, email works otherwise?

Ever see or hear of this crap before?

Also, many, MANY thanks for your time. If any of you swing by Denver I'll buy you a drink.

Axman
 
yuck.

here is what I get:
Code:
 220 mail.domainname.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at  Wed, 28
 Sep 2005 13:00:23 -0700
quit
221 2.0.0 mail.domainname.com Service closing transmission channel

The quit I typed in to quit.. that did not work on your server..

But that is an exchange issue.. what version are you running and are you all patched up? (I think I might actually be a few micropatches back, but yours looks ugly)

==>Lazn
 
Service pack one for Exchange 2003 and no service pack on Server 2003. We repeatedly ran into problems with service pack one for Server 2003 which caused the Exchange and IIS services to stop or hang. Honestly, I don't think they are really issues, I think that they had more to do with some other problems that we've taken care of, but until I have a long weekend that I feel like playing with bare-metal backups I'm going to let it sit ugly.

When I do, though, I'll post updates.

a
 