DNS moron strikes again...

Ok fellas, help me out here... DNS just doesn't make sense to me sometimes.

I registered a domain to test out my new Exchange 2k server. The domain name is "aberrancy.com". I had a friend create an MX record on a DNS box that he manages (*that I know works properly*) and he pointed it to my Exchange box's public IP which is Now, he can send e-mail to grivera@aberrancy.com and it comes through just fine. When I send e-mail to that address from my current e-mail address here at work, it gets lost in "unable to resolve DNS land".

If I ping that address, it won't resolve. If you ping it from outside of this office, it resolves just fine. What the hell is going on here?
Nevaar Commented:
OK, since the world at large can reach aberrancy.com, but your ISP's email server can't, I'd ask your ISP to double check that its server can see the MX record for aberrancy.com and is able to resolve mail.aberrancy.com without any difficulty.

That's the only thing that I can think of at the moment.
Is your DNS set up to resolve for the internal network?
Gabe_Rivera (Author) Commented:
Not sure I understand your question...

Gabe_Rivera (Author) Commented:
I guess I should give a little more background too.

I have (1) Win2k server acting as a router... it has two NICs in it. (1) for internal access to the network and the other is configured with a public IP. This is the box that allows everything to get out to the Internet, and it's also the box that I used to NAT out my Exchange server, thus giving it the address.

I have 3 internal servers (including the Exchange box) that all have private addresses. All three of these boxes are DCs and are running DNS.

All the clients on my network are getting their IPs and network credentials from a DHCP box that is one of the three servers mentioned above.

All workstations and the three servers mentioned above are members of the same domain. The server acting as a router/DNS/gateway/NAT box is not a member of the said domain; it is a stand-alone server.
"If I ping that address, it won't resolve. If you ping it from outside of this office, it resolves just fine. What the hell is going on here? "

DNS names resolve to IP addresses and IP addresses resolve to DNS Names. Unless you are trying to do a reverse lookup by pinging -a, you won't be able to RESOLVE anything. Do you mean you can't PING the IP address? The ping does not respond?
Gabe_Rivera (Author) Commented:
Yes, the ping doesn't respond...
From inside your office, try this:

Get to a command prompt:

Type: EXIT

Let us know all the responses from the typed commands.
Actually, you should execute those commands on the Exchange server.
You are no more a moron than big-salary Exchange AND Networking admins at large sites. What you have is multiple questions across several TAs. In EE, for example, some parts of your interest could be satisfied better under the eMail TA and others in the Networking TA, where multiple OSes are supported.

> What the hell is going on here?

The system is operating as it should. Try pinging another? Like Microsoft? Imagine, if you would, that every newbie and script kiddie could have freedom to ping while cloaked. Not good. Want your desktops open to an attack of "the ping of death"? In this situation, DNS is not so relevant, the function of translation is in the proxy system you refer to as NAT.

You could get more info in Networking TA. Essentially, from internet, public, your LAN/intranet cannot be 'seen'. Similarly, your desktops on LAN cannot 'see' the desktops on my LAN. This is a good thing, trust me on that.

Similarly, your Exchange Box should have a public AND a private IP. It should not know the public one. It should have an IP address for local LAN. That address should be recorded in local DNS for your LAN users, preferably using the server's name. Now your Exchange box gives you improved control over access of local users (who may or may not send EM out) and foreign users (who may only send mail in).

For better answers on EM, consider posing Q's in eMail, Outlook, or Exchange TA's, as appropriate.

If your users roam, you may actually want them to get in from internet. You may need to further address what IDs and protocols they have. For example, on my system, local access is usually enabled through a 'readable' user name. But foreigners do not know this name. Some users are set up with their NT Login name. Not as readable, but also not their internet name.

If I (you?) go into Outlook, check address book for my username, under properties|E-Mail Addresses, I can call up multiple addresses, all of which are known (by Exchange) as me. One for SMTP protocol, is the typical internet (not LAN) format of username@(server).domain. I've some others for X400, for X500, and for other corporate servers, to help perform the mapping between the different formats of the different directory lookup schemes involved, such as Lotus/IBM.

But this is all about configuring eMail specifically for Exchange users, and has nothing to do with ICMP (ping), or DNS (name|IP).

Possibly, quickbyte answered your main question: make sure your local users have access to a local name by having the server address in a local DNS. Users do not need to have their desktops in DNS.

> All three of these boxes are DC's and are running DNS

btw, with MS, it is NOT good to mix multiple apps on servers. For Exchange, it is considered better to keep it a standalone, don't be adding things to it like DC or SQL or anything. Unless you have only three users and won't expand or do much of anything with it.

> getting their IPs and network credentials from a DHCP

warning, remove term "credentials" from that kind of talk or it may add confusion when you address topics of security. Better to think of DHCP as only dealing out addresses. Some fixed addresses for defining user, and some diverse addresses as defaults for where users may want to go (whether they are actually aware of the need or not).
As Nevaar just indicated, for dealing w/ EM you should replace your ping command with the NsLookup command. Name queries can be run from your desktop, for validation when not near server. They should resolve consistently according to rules of game, and give you more precise feedback on what is defined (and contrarily, what may be missing that you thought had been defined).
Gabe_Rivera (Author) Commented:
First off, thanks for everyone's comments... I have some updates:

I called my friend who happens to be a UNIX admin, and is very DNS savvy. After he talked a bunch of trash about Windows sucking, he connected to my Exchange box and took a look at my DNS setup.

He created a forward lookup zone for aberrancy.com, created an alias for mail.aberrancy.com and pointed it to the Exchange server's internal IP. So now when you ping mail.aberrancy.com from any machine on this network, it resolves properly to the Exchange server's internal address.

I now understand the reason I couldn't resolve the Exchange server's public IP. It is clear that this is a feature/function/design aspect of a NAT'd IP. Please correct me if I'm wrong in that statement.

My only problem to work out now is figuring out why e-mails sent from everywhere else on the planet to my @aberrancy.com addresses arrive almost instantaneously, but when I send mail from my account here at work, they don't arrive at all.

Our mail (currently POP) is being handled by our web host, so it's obviously off site. When I decided to create my first forward lookup zone, I named it mycompany.com. So my guess is that when I ping mail.mycompany.com, it's looking internally to resolve the address and it can't find it. So I guess my question now (if I have this whole thing straightened out in my head) is: can I create an entry in the mycompany.com forward lookup zone that points people pinging mail.mycompany.com to my web host's mail server?
Gabe_Rivera (Author) Commented:
By the way, when you ping mail.mycompany.com from any of the servers, it resolves like a champ.

Ping it from a workstation, and it's no good, can't reach the destination.

The workstations are getting their address assignments from the DHCP server. The DNS entries they're being handed are for 2 of the 3 internal servers. The 3 internal servers have their own internal IP configured as the first DNS entry, and they have the 2k server acting as a router as their second DNS entry. If you remove the router's internal IP from the second DNS entry space, then they can't resolve mail.mycompany.com either.

When you registered your domain, did you specify which DNS servers should resolve queries for it?

You have to specify two name servers with the registrar. Sometimes, you can get away with one, but often two is a minimum.

Only when you've done that, can the remainder of the Internet name space be updated to include aberrancy.com domain name.
OK, I'm a little hazy here...

Do you have any DNS servers inside your organization? If so, what are the IP addresses, what forward lookup zones are defined and are they using a forwarder?

What DNS server addresses are you handing out to your clients? What DNS server addresses are configured for your internal email server?

I think the problem is that you are missing information in your DNS records.

1) The MX record is found:

> set type=mx
> aberrancy.com

aberrancy.com   MX preference = 10, mail exchanger = mail.aberrancy.com
aberrancy.com   nameserver = ns1

that's good, there IS an MX record for this domain pointing to mail.aberrancy.com. But for mail to work, the hostname mail.aberrancy.com must resolve.

2) Lookup the A (address) record for mail.aberrancy.com...

> set type=a
> mail.aberrancy.com

Name:    aberrancy.com
Aliases:  mail.aberrancy.com

Well it worked this time. A couple of minutes ago I got:

DNS request timed out.
    timeout was 2 seconds.

Maybe you fixed the problem just now??
Gabe_Rivera (Author) Commented:
Nenadic: Yes, I did register 2 DNS servers to handle the queries. Both entries are for DNS boxes that my friend runs.

Nevaar: Yes, as I mentioned earlier, I have 4 boxes running DNS. 3 of which are DCs and members of the same domain; the last one is a stand-alone server, not a member of the same domain, and is acting as our router... so he has a public NIC as well as an internal one.

The 3 internal DNS boxes are:
Ares -
Atlas (the Exchange server) -
Hera -

The lone server acting as a router and also serving DNS:
Chronos -

The 3 internal boxes have their IP properties configured in the following manner: Preferred DNS entry is their own internal IP address, alternate is Chronos' internal address. So Ares' DNS config looks like this:

Preferred DNS Server:
Alternate DNS Server:

I have two forward lookup zones created that run on my three internal DNS boxes:

I have one forward lookup zone created on Chronos:

And I am not using forwarders except on Chronos, and those point to our ISP's DNS boxes. And Ares' and Atlas' IPs are handed out by DHCP for DNS resolution to the workstations.

If I failed to answer everyone's question, please let me know.

Am I having problems because my internal boxes are pointing to Chronos, and in turn, Chronos isn't routing things properly because his zones are totally different? Does the fact that Chronos is not a member of the domain have any impact on any of this?
Gabe_Rivera (Author) Commented:
By the way, I'm increasing the points here and I will be awarding points to everyone that has been helping. I really appreciate the feedback... I'm learning more and more about DNS just from y'all's responses and input. Can't thank you enough.
Ah ha!!!

Do you have mail.mycompany.com & mail.aberrancy.com A records defined on your internal DNS servers?

Do you have their MX records set up on your internal DNS servers?

Are you using the internal IP addresses or the public one(s)?
Gabe_Rivera (Author) Commented:
Oh yeah, and I sent a bunch of test e-mails yesterday from my office to my test domain (aberrancy.com) and they were all delivered... it just takes between 12-16 hours for the e-mails to get to where they were supposed to go.

E-mails I had sent through 9am-11am yesterday (Thursday) were delivered around midnight that same day.

How weird is this!?!
Gabe_Rivera (Author) Commented:
- Do you have mail.mycompany.com & mail.aberrancy.com A records defined on your internal DNS servers?

Well I have CNAME records for mail.aberrancy.com (in the aberrancy.com forward lookup zone) and mail.mycompany.com (in the mycompany.com forward lookup zone). And yes, they are Active Directory-integrated zones that allow dynamic updates, so all three internal DNS servers have the same records.

- Do you have their MX records set up on your internal DNS servers?

No, I do not. All I have are CNAME records.

- Are you using the internal IP addresses or the public one(s)?

Internal IP addresses for what? All three DNS servers have only internal IP's, and the Exchange box, Atlas, has a public address through a NAT that is setup on Chronos.
Add the MX records for aberrancy.com & mycompany.com to your internal DNS servers. I believe that the names used in the MX records (mail.aberrancy.com & mail.mycompany.com) need to have A records (they shouldn't be CNAME records).

Basically, I'm surprised that email is going through at all considering that your email server can't get an MX record for aberrancy.com (since it's using the internal zone for lookups).
Gabe_Rivera (Author) Commented:
Ok so do I create MX records or A records, or both?

Create the A records first so that mail.aberrancy.com has an IP address.

Then create the MX record which points to mail.aberrancy.com (which will resolve because of the A record)

Now, your attempts to ping mail.aberrancy.com from inside your office should work. Also your attempts to send mail from inside should be a good deal faster.
Gabe_Rivera (Author) Commented:
I figured that would be your response, so I went ahead and did it.

I created an A record in the aberrancy.com lookup zone for "mail" and pointed the IP to, which of course is the internal IP for my Exchange server.

I did the same thing for mycompany.com except I pointed the IP to our current web host's mail server since that's where we're pulling our mail from.

I replicated the changes to the other DNS boxes, flushed my DNS at my workstation, made sure I could ping both addresses and they responded correctly. I then fired off an e-mail to my grivera@aberrancy.com address and I am still waiting for it to arrive (it's been 20 minutes as I write this).

So basically it's still working the way it should... what's up?
On your friend's DNS server, your MX record is fine for aberrancy.com. However, there is no A record for mail.aberrancy.com. You really shouldn't be using a CNAME for defining mail.aberrancy.com. I think it violates a DNS/BIND rule. It really should be an A record.
Gabe_Rivera (Author) Commented:
I deleted the CNAME records and created an A, as well as an MX record on my DNS servers... are you saying that he needs to make modifications on his DNS box, or were you referring to mine?
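As an added illustration (not code from this thread or from any of the posters), a small Python check that applies the rule Nevaar describes to zone data: each MX target must be backed by an A record, never a CNAME, and an internal zone that carries only a CNAME and no MX fails outright. The three zone snapshots and the 192.0.2.10 address are constructed for the example.

```python
"""Validate MX targets in a zone: they need an address record and must not be aliases."""
from typing import Dict, List, Tuple

# Each record is (owner, type, rdata); all data below is constructed for this example.
Record = Tuple[str, str, str]

# The internal zone as first described: only a CNAME for "mail", no MX at all.
INTERNAL_BEFORE: List[Record] = [
    ("aberrancy.com.", "NS", "ns1.example-dns.invalid."),
    ("mail.aberrancy.com.", "CNAME", "atlas.mycompany.com."),
]

# The external zone: MX present, but its target is still a CNAME.
EXTERNAL_BEFORE: List[Record] = [
    ("aberrancy.com.", "NS", "ns1.example-dns.invalid."),
    ("aberrancy.com.", "MX", "10 mail.aberrancy.com."),
    ("mail.aberrancy.com.", "CNAME", "atlas.mycompany.com."),
]

# After the fix: MX plus an A record for the MX target (documentation-range address).
AFTER_FIX: List[Record] = [
    ("aberrancy.com.", "NS", "ns1.example-dns.invalid."),
    ("aberrancy.com.", "MX", "10 mail.aberrancy.com."),
    ("mail.aberrancy.com.", "A", "192.0.2.10"),
]


def index_records(records: List[Record]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (type, rdata) pairs by lower-cased owner name."""
    by_owner: Dict[str, List[Tuple[str, str]]] = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner.lower(), []).append((rtype.upper(), rdata))
    return by_owner


def check_mx_targets(records: List[Record], zone: str) -> List[str]:
    """Return a list of problems found with the zone's MX records (empty list if clean)."""
    idx = index_records(records)
    problems: List[str] = []
    mx_rdata = [rdata for rtype, rdata in idx.get(zone.lower(), []) if rtype == "MX"]
    if not mx_rdata:
        problems.append(f"{zone}: no MX record")
    for rdata in mx_rdata:
        _preference, target = rdata.split()
        types = {rtype for rtype, _ in idx.get(target.lower(), [])}
        if "CNAME" in types:
            # RFC 2181 section 10.3: an MX target must not be an alias.
            problems.append(f"{target}: MX target is a CNAME, must be an address record")
        elif not types & {"A", "AAAA"}:
            problems.append(f"{target}: MX target has no address record in this zone")
    return problems


if __name__ == "__main__":
    for label, zone_data in (("internal before", INTERNAL_BEFORE),
                             ("external before", EXTERNAL_BEFORE),
                             ("after fix", AFTER_FIX)):
        print(label, check_mx_targets(zone_data, "aberrancy.com.") or "OK")
```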

I also noticed that when I created the MX record on the aberrancy.com forward lookup zone, it made the FQDN atlas.aberrancy.com. That didn't seem right, so I changed it back to "atlas.mycompany.com" since that is what this machine's FQDN really is anyways... was that the correct thing to do or was that a mistake?
I was referring to his DNS servers.

As far as Atlas' FQDN, it really doesn't matter as long as it ends up with an A record and the proper IP address. My preference would be to have left it as atlas.aberrancy.com; that way I could see all the resolution records in one zone file and not have to hunt for them. It makes troubleshooting and changes go faster.
> I now understand the reason I couldn't resolve the Exchange server's public IP. It is clear that this is a feature/function/design aspect of a NAT'd IP.

  : - )    yup

I don't think this is it, but am not clear from above so here's two more:

1) A workstation config will override any dhcp setting. So on occasion we have to ensure that any prior entries, such as for dns, router, etc, are wiped out on the desktop. You should only have to visit one of them to see if this is the case.

2) The location that dhcp is handing down to the desktop should be the hard-coded IP address of the router, the servers, never a name. You don't let dns lookup be a requirement there.

My assumption is that all the pieces you call local are on the same physical wire, LAN, with no intervening closets or switches or filters or forwarding. You should ensure that this remains the case and beware of any units plugging into the LAN with multiple NICs, and beware of any setups relevant to forwarding of packets off the LAN.

You've interesting developments on DNS, but I suspect you've still got work left for eMail system Outlook/Exchange, as if the configuration is trying to go out to the internet for your users to find your local servers. Users should have local accounts to local server (Type=Exchange). Server should allow local access. User should not select pop3 to local mail server, but rather, MS Exchange.
Gabe_Rivera (Author) Commented:
Ok well as of today it's still taking about 12 hours to get e-mails to where they're supposed to go...

Anyone have any ideas?
I'm trying to recap some info, so:

How long does it take when a message is sent from the outside world to grivera@aberrancy.com?

How long does it take when a message is sent from inside your office (which I'm assuming has atlas as a DNS server) to grivera@aberrancy.com?

Also when you send a message from your office, is it going from your Outlook client to your ISP (via SMTP) for delivery or is it going from your Outlook client to your internal Exchange box for delivery?

I sent an email to you at 7:44PM EST - When did you get it?

When I look up your domain registration record on Dotster.com, it shows the DNS servers by name (ns1.rightcomputer.com). You should change them to use the IP addresses instead of the names.

I'm having a difficult time getting a name resolution on mail.aberrancy.com.
Gabe_Rivera (Author) Commented:
- How long does it take when a message is sent from the outside world to grivera@aberrancy.com?

Most of the time it takes a matter of seconds. I've sent mail from Yahoo, Hotmail, as well as a few other places from the outside and the e-mail shows up almost instantly.

- How long does it take when a message is sent from inside your office (which I'm assuming has atlas as a DNS server) to grivera@aberrancy.com?

Usually about 12 hours, sometimes more.

- Also when you send a message from your office, is it going from your Outlook client to your ISP (via SMTP) for delivery or is it going from your Outlook client to your internal Exchange box for delivery?

It is going from Outlook, to our ISP's mail server (via SMTP) and then back to our Exchange server here in our office.

- I sent an email to you at 7:44PM EST - When did you get it?

6:46PM CST... so about two minutes after you sent yours, assuming our clocks are exactly the same.

PS: Dotster's DNS server management won't let you put IP addresses in, only names...
Gabe_Rivera (Author) Commented:
Wanted to thank everyone for their input on this very tedious issue. I'm going to award the points to Nevaar for being so active in this troubleshooting process.

I really learned a lot about DNS through this little episode and from everyone's input, can't thank you guys enough!