Solved

DNS woes!

Posted on 2004-08-28
14
377 Views
Last Modified: 2010-04-11

Hi,
We are hosting some mail accounts/websites with 123-reg and because their TTL is so poor we wanted to utilise dyndns.org to ensure we can quickly change the IP addresses should the worst occur.

This is the domain and associated records,

mydomain.co.uk
www CNAME webserver.dyndns.org
10 MX mailserver.dyndns.org

and then at dyndns.org I have the appropriate A records. We want all our domains set up this way; then should one fail I can just change one record at dyndns.org and it will change quickly as its TTL is just 60 seconds.

If I email from my hotmail account all works fine but if I email from my yahoo account then I get an error message returned. On looking at the debug monitor I see the SMTP session connecting and the line
"RCPT TO: bob@mailserver.dyndns.org"
which obviously does not exist.

However a Hotmail trace correctly shows the line as
"RCPT TO: bob@mydomain.co.uk"

Questions really are
1) Can I configure my DNS in this way?
2) How come different ISPs are solving the recipients email address in different ways?  Yahoo don't seem to be realising the MX record is a CNAME which needs resolving also.

Thanks!




0
Comment
Question by:carillian
14 Comments
 

Author Comment

by:carillian
ID: 11920556
Apologies, the yahoo is trying to send email as follows
"RCPT TO: bob@webserver.dyndns.org"
0
 
LVL 36

Expert Comment

by:grblades
ID: 11920563
Hi carillian,
Technically according to internet standards an MX entry should only point to a hostname which has an A record. It should not point to a hostname which is a CNAME alias. I expect because you are breaking this standard you are running into these incompatibility problems.

There is no reason why you cannot have :-
mydomain.co.uk. MX 10 mailserver.dyndns.org.
0
 

Author Comment

by:carillian
ID: 11920632

I do have the MX record pointing to a host which is outside of the current domain (I thought this would be a CNAME also).
The host outside of the domain at dyndns.org is an A record.

Does this scenario conform?
0
 
LVL 36

Expert Comment

by:grblades
ID: 11920654
That should be fine.

You can do the following which is what you say you are doing.
yourdomain.com. IN MX 10 mailserver.dyndns.org.
mailserver.dyndns.org. IN A 1.2.3.4

What you cannot do is :-
yourdomain.com. IN MX 10 mail.yourdomain.com.
mail.yourdomain.com. IN CNAME mailserver.dyndns.org.
mailserver.dyndns.org. IN A 1.2.3.4
0
 

Author Comment

by:carillian
ID: 11920704
Okay if that's fine then great.
BUT, I also had an A record called @ pointing to the IP address, I have changed this record to a CNAME pointing to webserver.dyndns.org - could this be where yahoo is getting the email appendage from?

Do you know what the @ record is and why I would require it?
0
 
LVL 36

Expert Comment

by:grblades
ID: 11920788
'@' basically means myself. So for example if you have the settings for mydomain.co.uk then setting:-
@ IN A 1.2.3.4
would define http://mydomain.co.uk to point to 1.2.3.4

It could be where yahoo is getting the name from. You could probably remove the entry and it would just mean people could not access your website using http://mydomain.com and so they would have to use http://www.mydomain.com which is probably what you want anyway.
0
 

Author Comment

by:carillian
ID: 11920867
Okay thanks for the info
Have tried removing the @ record for one domain to see whether this makes a difference.

Just got to wait for the great DNS god in the sky to dump and reload.
0
 

Author Comment

by:carillian
ID: 11924820
Okay, 3 scenarios to consider here, v.strange what's happening though

1)
www CNAME webserver.dyndns.org
5 MX mailserver.dyndns.org

2)
@ A 1.2.3.4
www CNAME webserver.dyndns.org
5 MX mailserver.dyndns.org

3)
@ CNAME webserver.dyndns.org
www CNAME webserver.dyndns.org
5 MX mailserver.dyndns.org

the results as follows, yahoo can successfully email websites 1 & 2 but fails on no.3 and attempts to email user@webserver.dyndns.org rather than user@theirdomain.com

hotmail can successfully email all 3 accounts

lycos can successfully email all 3 accounts

mail.com can successfully email all 3 accounts

just seems that yahoo cannot - but is the problem their end or could this problem be somewhere else?

will wait another 24 hours and retest
confused!

0
 

Author Comment

by:carillian
ID: 11924845

Looking at dnsreport.com I get the following failure message; seems that this is not compliant with an RFC somewhere

FAIL No CNAMEs for domain ERROR: mydomain.co.uk has a CNAME entry (mailserver.dyndns.org.); it is not valid to have a CNAME entry and NS entries for 1.2.3.4. See RFC1912 2.4 and RFC2181 10.3 for more information.

0
 

Author Comment

by:carillian
ID: 11924870
RFC1912 2.4

2.4 CNAME records

   A CNAME record is not allowed to coexist with any other data.  In
   other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
   can't also have an MX record for suzy.podunk.edu, or an A record, or
   even a TXT record.  Especially do not try to combine CNAMEs and NS
   records like this!:

           podunk.xx.      IN      NS      ns1
                           IN      NS      ns2
                           IN      CNAME   mary
           mary            IN      A       1.2.3.4

   This is often attempted by inexperienced administrators as an obvious
   way to allow your domain name to also be a host.  However, DNS
   servers like BIND will see the CNAME and refuse to add any other
   resources for that name.  Since no other records are allowed to
   coexist with a CNAME, the NS entries are ignored.  Therefore all the
   hosts in the podunk.xx domain are ignored as well!

   If you want to have your domain also be a host, do the following:

           podunk.xx.      IN      NS      ns1
                           IN      NS      ns2
                           IN      A       1.2.3.4
           mary            IN      A       1.2.3.4

   Don't go overboard with CNAMEs.  Use them when renaming hosts, but
   plan to get rid of them (and inform your users).  However CNAMEs are
   useful (and encouraged) for generalized names for servers -- `ftp'
   for your ftp server, `www' for your Web server, `gopher' for your
   Gopher server, `news' for your Usenet news server, etc.

   Don't forget to delete the CNAMEs associated with a host if you
   delete the host it is an alias for.  Such "stale CNAMEs" are a waste
   of resources.

   Don't use CNAMEs in combination with RRs which point to other names
   like MX, CNAME, PTR and NS.  (PTR is an exception if you want to
   implement classless in-addr delegation.)  For example, this is
   strongly discouraged:

           podunk.xx.      IN      MX      mailhost
           mailhost        IN      CNAME   mary
           mary            IN      A       1.2.3.4

   [RFC 1034] in section 3.6.2 says this should not be done, and [RFC
   974] explicitly states that MX records shall not point to an alias
   defined by a CNAME.  This results in unnecessary indirection in
   accessing the data, and DNS resolvers and servers need to work more
   to get the answer.  If you really want to do this, you can accomplish
   the same thing by using a preprocessor such as m4 on your host files.

   Also, having chained records such as CNAMEs pointing to CNAMEs may
   make administration issues easier, but is known to tickle bugs in
   some resolvers that fail to check loops correctly.  As a result some
   hosts may not be able to resolve such names.

   Having NS records pointing to a CNAME is bad and may conflict badly
   with current BIND servers.  In fact, current BIND implementations
   will ignore such records, possibly leading to a lame delegation.
   There is a certain amount of security checking done in BIND to
   prevent spoofing DNS NS records.  Also, older BIND servers reportedly
   will get caught in an infinite query loop trying to figure out the
   address for the aliased nameserver, causing a continuous stream of
   DNS requests to be sent.

RFC2181 10.3

10.3. MX and NS records

   The domain name used as the value of a NS resource record, or part of
   the value of a MX resource record must not be an alias.  Not only is
   the specification clear on this point, but using an alias in either
   of these positions neither works as well as might be hoped, nor well
   fulfills the ambition that may have led to this approach.  This
   domain name must have as its value one or more address records.
   Currently those will be A records, however in the future other record
   types giving addressing information may be acceptable.  It can also
   have other RRs, but never a CNAME RR.

   Searching for either NS or MX records causes "additional section
   processing" in which address records associated with the value of the
   record sought are appended to the answer.  This helps avoid needless
   extra queries that are easily anticipated when the first was made.

   Additional section processing does not include CNAME records, let
   alone the address records that may be associated with the canonical
   name derived from the alias.  Thus, if an alias is used as the value
   of an NS or MX record, no address will be returned with the NS or MX
   value.  This can cause extra queries, and extra network burden, on
   every query.  It is trivial for the DNS administrator to avoid this
   by resolving the alias and placing the canonical name directly in the
   affected record just once when it is updated or installed.  In some
   particular hard cases the lack of the additional section address
   records in the results of a NS lookup can cause the request to fail.
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11924915
Yes it is RFC1912 2.4 that you are not compliant with.

Your domain has an '@ NS x.x.x.x' record which is not shown to you in your admin interface, so according to this RFC you cannot have an '@ CNAME' record.

Because having both is not valid, it is not defined what a client should do if it finds the entry. Most mail systems seem to be ignoring the CNAME entry but Yahoo, it seems, appears to be treating the CNAME as an alias for the entire domain and so it changes the email address.

I suggest you just use configuration (1). All you lose is people being able to go to your website using http://mydomain.co.uk, which people don't really do. If they do they will get an error and realise they forgot to put the www in front anyway.
0
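As an added illustration (not code from the thread or from either participant), here is a small checker that applies the two rules cited above, RFC 1912 2.4 (no other data may share an owner name with a CNAME) and RFC 2181 10.3 (MX and NS targets must not be aliases), to the record shorthand used in this thread. The hidden apex SOA/NS records and their nameserver name are assumed, as is the zone origin; run over configurations 1 to 4 it flags exactly the two with an '@ CNAME', plus grblades's "cannot do" MX-to-alias case.

```python
from collections import defaultdict

# Constructed: the apex SOA/NS records every delegated zone carries, which the
# registrar's admin interface hides (as the accepted answer notes).
HIDDEN_APEX = [("@", "SOA", "ns1.registrar.example."),
               ("@", "NS", "ns1.registrar.example.")]

def parse_zone(text):
    """Parse the thread's shorthand: 'www CNAME host', '5 MX host', '@ A ip'."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        if parts[0].isdigit():                 # 'prio MX target' belongs to the apex
            records.append(("@", "MX", parts[2]))
        else:
            records.append((parts[0], parts[1].upper(), parts[2]))
    return records

def _relative(target, origin):
    """Map an MX/NS target to the zone-relative owner name, if it is in-zone."""
    t = target.rstrip(".")
    if t == origin:
        return "@"
    if t.endswith("." + origin):
        return t[: -len(origin) - 1]
    return t                                   # already relative, or an external host

def check_zone(text, origin="mydomain.co.uk", hidden=HIDDEN_APEX):
    """Return the RFC 1912 2.4 / RFC 2181 10.3 violations in a zone; [] means clean."""
    records = parse_zone(text) + list(hidden)
    types_at = defaultdict(set)
    for name, rtype, _ in records:
        types_at[name].add(rtype)
    problems = []
    # Rule 1: a CNAME owner may carry no other data (the hidden NS/SOA count too).
    for name, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            others = ",".join(sorted(types - {"CNAME"}))
            problems.append(f"{name}: CNAME coexists with {others} (RFC 1912 2.4)")
    # Rule 2: MX and NS targets must be address-bearing names, never aliases.
    for name, rtype, target in records:
        if rtype in ("MX", "NS") and "CNAME" in types_at.get(_relative(target, origin), ()):
            problems.append(f"{name}: {rtype} target {target} is a CNAME (RFC 2181 10.3)")
    return problems
```

An external MX target such as mailserver.dyndns.org is not checked here because the zone cannot see what record type it resolves to; that would need a live lookup.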
 

Author Comment

by:carillian
ID: 11929179

Okay, another day, have tried the following

4)
@ CNAME www
www CNAME webserver.dyndns.org
5 MX mailserver.dyndns.org

but this didn't work either, guess it wouldn't from your explanation either but needed to try it!

It seems that we will remove the "@" record and ensure users enter the website address correctly, like you say people soon realise and correct it.

I'll award the points obviously to grblades but while I'm on the thread, is this the way you would have tackled this yourself in order to get a small TTL value but without hosting a DNS server?

thanks
0
 
LVL 36

Expert Comment

by:grblades
ID: 11929454
I would have used a friends company - https://dns.gdns.com/

You can setup a domain on their DNS servers via the web interface and then change the information for your domain to point to their nameservers. GDNS allow you to change the SOA record which contains all the TTL values.
I am not sure how long it takes after changing the information from the web interface until the nameservers are modified.
0
 

Author Comment

by:carillian
ID: 11956956
Just to let everybody know, I've managed to solve the email problem but now seem to be up against a problem with http now! Seems I have a particular customer using tiscali (I think!) which cannot connect to any of our hosted websites. The only change I made was to remove the '@' record; the customer is connecting to www.mycompany.co.uk and can see others of our domains hosted on the same server but without the '@' DNS record removed!

seems like I can't win!

Will have to host my own DNS I guess
0
