DNS

Status
Not open for further replies.

BCC1Tech

Programmer
Mar 30, 2006
40
US
I recently pointed our email to our office, but I am having an issue I'm not sure how to resolve. Our web site is still hosted elsewhere, but now the email comes to our office. I contacted our isp - Qwest and had them set up reverse DNS for us, but it didn't seem to make a difference.

We are not able to receive mail from Comcast. Below is what the Comcast technician told me. Can someone tell me what I need to do to fix this?

Thank you!
Melinda

FAIL Reverse DNS entries for MX records ERROR: None of your mail server(s) seem to have reverse DNS (PTR) entries (I didn't get any responses for them). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server).
Mail FAIL Connect to mail servers ERROR: I could not complete a connection to any of your mailservers!

Could not connect without glue or A record.
If this is a timeout problem, note that the DNSreport only waits about 40 seconds for responses, so your mail *may* work fine in this case but you will need to use testing tools specifically designed for such situations to be certain.
 
First, it claims there is no A record. Do you have an MX record, and do its entries resolve? Then do those have valid reverse entries? Do you have a static IP?
 
I do have a static IP address and most mail does work. We have our MX record pointed to the same place as our web site. At the web host, we have the MX split and pointed to our office static IP address. I called the ISP and had the reverse DNS set up. The domain is bouldercounty.com. I'm not sure how to check if it resolves or not.

This is new territory for me, so I'm not exactly sure what items need to be set up to make it work properly.

Thank you!
 
Your problem is that whoever set up your reverse DNS didn't do it right! MX records should point to host names, not IP addresses.

$ dig bouldercounty.com mx

; <<>> DiG 9.2.3 <<>> bouldercounty.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bouldercounty.com. IN MX

;; ANSWER SECTION:
bouldercounty.com. 86400 IN MX 10 71.216.93.193.

Instead of an IP address it should be something like mail.bouldercounty.com.

So, that's problem number 1. Now, if IP address 71.216.93.193 is sending email then the receiving mail server will do a reverse DNS lookup on it and find ..

$ dig -x 71.216.93.193 +short
bouldercounty.com.

.. that it resolves to the host bouldercounty.com. Now when it looks up that host to see if the IP address is the same it finds ..

$ dig bouldercounty.com +short
216.81.70.128

A different IP address!! This is why your RDNS is failing.

So what you need is something like (presuming that 71.216.93.193 is your mail server)

bouldercounty.com IN MX mail.bouldercounty.com
mail.bouldercounty.com IN A 71.216.93.193

193.93.216.71.in-addr.arpa. IN PTR mail.bouldercounty.com.

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
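
The check Chris walks through above (MX target, then PTR, then forward lookup of the PTR name), as an added example that is not part of the original thread. It runs against constructed record tables copied from the dig output and the proposed records in this thread instead of live DNS; the function names are hypothetical.

```python
import ipaddress

# Constructed lookup tables mirroring the dig output quoted in the thread
# (no live DNS queries are made).
BROKEN = {
    "MX":  {"bouldercounty.com.": [(10, "71.216.93.193.")]},
    "A":   {"bouldercounty.com.": ["216.81.70.128"]},
    "PTR": {"71.216.93.193": ["bouldercounty.com."]},
}
# The layout proposed in the thread: MX -> host name -> A, PTR -> same host name.
FIXED = {
    "MX":  {"bouldercounty.com.": [(10, "mail.bouldercounty.com.")]},
    "A":   {"bouldercounty.com.": ["216.81.70.128"],
            "mail.bouldercounty.com.": ["71.216.93.193"]},
    "PTR": {"71.216.93.193": ["mail.bouldercounty.com."]},
}

def is_ip_literal(name):
    """True if an MX target is an IP address written where a host name belongs."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False

def fcrdns_ok(records, ip):
    """Forward-confirmed reverse DNS: some PTR name for ip must have an A record back to ip."""
    for name in records["PTR"].get(ip, []):
        if ip in records["A"].get(name, []):
            return True
    return False

def audit_mail_dns(records, domain):
    """Return a list of problems a receiving mail server could object to."""
    problems = []
    for _pref, target in records["MX"].get(domain, []):
        if is_ip_literal(target):
            problems.append(f"MX {target} is an IP address, not a host name")
            ips = [target.rstrip(".")]
        else:
            ips = records["A"].get(target, [])
            if not ips:
                problems.append(f"MX target {target} has no A record")
        for ip in ips:
            if not fcrdns_ok(records, ip):
                problems.append(f"{ip}: PTR does not resolve back to {ip}")
    return problems
```
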
 
ChrisAC, you forgot the mail precedence field in the MX record, and (if using bind format) you need the trailing '.'. I know some management tools add it for you, but I don't think it hurts:

bouldercounty.com. IN MX 10 mail.bouldercounty.com.
mail.bouldercounty.com. IN A 71.216.93.193

 

Very good point! Many a DNS fluff up is because a trailing dot is left off!

If that MX record was created in the bouldercounty.com WITHOUT adding a trailing dot to the end, then the host would become ..

mail.bouldercounty.com.bouldercounty.com.

And that wouldn't be good at all ;-)

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
 
Thank you both for the information. I made the changes a few hours ago. I'm getting all of my email returned. Can you take a look and see if I did it right? Should it be immediate or take time to propagate?

Thank you!
 

> bouldercounty.com
Server: 140.172.10.9
Address: 140.172.10.9#53

Non-authoritative answer:
bouldercounty.com
origin = ns.bcc7.com
mail addr = admin.bouldercounty.com
serial = 2005071322
refresh = 10800
retry = 3600
expire = 604800
minimum = 86400

The serial number should always increase, typically a time stamp. Yours indicates it hasn't been updated since 2005!

I don't see an A record for mail, did you forget a '.'?

Also the reverse points just to bouldercounty.com, you want to make that a distinct entity, like mail.bouldercounty.com

Non-authoritative answer:
193.93.216.71.in-addr.arpa name = bouldercounty.com.


 
Yes, you forgot a '.':

> mail.bouldercounty.com.bouldercounty.com
Server: 140.172.10.9
Address: 140.172.10.9#53

Non-authoritative answer:
Name: mail.bouldercounty.com.bouldercounty.com
Address: 216.81.70.128
>

You have:
mail.bouldercounty.com IN A 71.216.93.193
and it should be:
mail.bouldercounty.com. IN A 71.216.93.193
 
My host's tool won't allow the trailing dot. Here is what my record looks like:

bouldercounty.com 86400 IN A 216.81.70.128
*.bouldercounty.com 86400 IN A 216.81.70.128
podcasts.bouldercounty.com 86400 IN A 216.81.70.128
*.podcasts.bouldercounty.com 86400 IN A 216.81.70.128
nas.podcasts.bouldercounty.com 86400 IN A 216.81.70.128
*.nas.podcasts.bouldercounty.com 86400 IN A 216.81.70.128
blogs.bouldercounty.com 86400 IN A 216.81.70.128
*.blogs.bouldercounty.com 86400 IN A 216.81.70.128

Custom A records
mail.bouldercounty.com 86400 IN A 71.216.93.193

Built in MX records
podcasts.bouldercounty.com 86400 IN MX 10 mail11.hsphere.cc
nas.podcasts.bouldercounty.com 86400 IN MX 10 mail11.hsphere.cc
blogs.bouldercounty.com 86400 IN MX 10 mail4.bcc7.com

Custom MX records
bouldercounty.com IN MX 10 mail.bouldercounty.com
Add DNS MX Record
Built in CNAME records
mail.podcasts.bouldercounty.com 86400 IN CNAME mail11.hsphere.cc
mail.nas.podcasts.bouldercounty.com 86400 IN CNAME mail11.hsphere.cc
mail.blogs.bouldercounty.com 86400 IN CNAME mail4.bcc7.com

Custom CNAME records
mail.bouldercounty.com 1 IN CNAME 71.216.93.193
 
Let me 'splain.

If the file is for bouldercounty.com, any entry without a . is suffixed with .bouldercounty.com. (the default domain for this file). Any ending with a . is fully qualified.

So either use
mail
or
mail.bouldercounty.com.
but not
mail.bouldercounty.com (and it adds .bouldercounty.com!)

The . rule applies to any entry with a host field (NS, A, PTR, CNAME, SOA)
 
Then it is the wildcard (*) records that are screwing you up. See, any bogus name is matching:

> set type=a
> lksjdf.bouldercounty.com
Server: 140.172.10.9
Address: 140.172.10.9#53

Non-authoritative answer:
Name: lksjdf.bouldercounty.com
Address: 216.81.70.128
>

I believe that it did generate the correct entry, but this is in error:

Custom CNAME records
mail.bouldercounty.com 1 IN CNAME 71.216.93.193

A CNAME can't share an A record (look in your startup logs) and I bet it is complaining. Besides, this CNAME is wrong: the right side needs to be a host name or another CNAME, not an IP. This says:

mail.bouldercounty.com is 71.216.93.193.bouldercounty.com!

Change mail.bouldercounty.com in the MX and A to another name like

bouldercounty.com. IN MX 10 newmail.bouldercounty.com.
newmail.bouldercounty.com. IN A 71.216.93.193

You will still need to fix the reverse because some MTAs will not like that it returns the domain name (I think).
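
The trailing-dot rule and the two CNAME problems described in the posts above, as an added example that is not part of the original thread. It assumes the plain BIND expansion rule with origin bouldercounty.com. and records written without a TTL field; `qualify`, `lint_zone` and the `AS_TYPED` sample are hypothetical names.

```python
import ipaddress

ORIGIN = "bouldercounty.com."

def qualify(name, origin=ORIGIN):
    """BIND zone-file rule: a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(lines, origin=ORIGIN):
    """Return (expanded records, warnings) for 'owner IN TYPE rdata...' lines."""
    records, warnings = [], []
    for line in lines:
        owner, _cls, rtype, *rdata = line.split()
        owner = qualify(owner, origin)
        if rtype in ("MX", "CNAME", "NS", "PTR"):
            target = rdata[-1]
            try:
                ipaddress.ip_address(target.rstrip("."))
                warnings.append(f"{rtype} for {owner} points at an IP, not a host name")
            except ValueError:
                pass
            # The right-hand host name is expanded by the same rule.
            rdata[-1] = qualify(target, origin)
        records.append((owner, rtype, " ".join(rdata)))
    # A name that owns a CNAME may not carry other record types.
    cnames = {o for o, t, _ in records if t == "CNAME"}
    for o, t, _ in records:
        if o in cnames and t != "CNAME":
            warnings.append(f"{o} has both CNAME and {t}")
    return records, warnings

# Constructed sample: entries as typed in this thread, without trailing dots.
AS_TYPED = [
    "bouldercounty.com IN MX 10 mail.bouldercounty.com",
    "mail.bouldercounty.com IN A 71.216.93.193",
    "mail.bouldercounty.com IN CNAME 71.216.93.193",
]
```
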


 
Oh, increase your serial for your SOA, your secondaries will not detect a change without that!
 
Okay, so I just deleted the entry I made in the A record. When I input the name, I just put mail, so I think this is fixed.

How do I do this part: 193.93.216.71.in-addr.arpa. IN PTR mail.bouldercounty.com.

Lastly, Non-authoritative answer:
Name: mail.bouldercounty.com.bouldercounty.com
Address: 216.81.70.128 (this is the old ip address of the host - it is still where the MX is split)

Do I need to do anything to that?

Thanks again!

 
If you don't want to touch the CNAME record (which I think is bogus), do the rename above. I believe you still are going through the wildcard A record when you type in "mail".
Update the SOA.
I believe that netrange is owned by QWEST, you will need to talk to them about how to get a reverse installed.
 
Oh, sorry, I reread and you had them install the reverses.

Perhaps that reverse might be good enough. I know that some MTAs will bounce with no reverse or one that looks like it is machine generated (looks like the IP).
The problem I see is that some take the forward (mail or newmail), then take the reverse of that IP and match. So the problem is that your forward (mail or newmail .bouldercounty.com) is not going to match (bouldercounty.com).

 
Thank you for all of your help. I just removed the *.bouldercounty.com record and the CNAME record. Am I correct that I don't really need the CNAME record?

I've also requested my host update the SOA ASAP.

I'll contact Qwest next to have them update the reverse DNS.

Thank you!
 

If you host lots of sites on your web server, you MIGHT be using the * A record. I am not a fan of this because as you see it matches everything. Personally, I think it is kind of lazy and one could use a script generator to add aliases.

The CNAME, definitely wrong.
 
I went ahead and added back the * record because they do host for many customers. I'm still waiting to hear back from them on the SOA.

Can you tell me what tool you used to see if I had updated things properly? I'd like to be able to go take a look and understand this better.
 
Your tool should be able to update the SOA for bouldercounty.com, just as you were able to update your A records. Some people hand edit it, some people use a mksoa tool, but as long as each change increases the SOA serial it will work fine. General format is
YYYYMMDDXX: YYYY = year (2008), MM = month (with leading 0 padding), DD = day (with 0 padding) and XX = the revision of the day.
So today would be
2008041601 for the 1st revision today.

 