Solved

Reverse DNS Question

Posted on 2004-10-02
17,513 Views
Last Modified: 2008-09-03
Emails are failing to one of our customers. The returned email reflects the public ip, but not the host name (smith.com). I'm confident this is reverse dns issue. I need to contact my ISP, but I need some advice before doing so.

Our registered domain smith.hst.com is different from our mail domain which is smith.com.


Our ns1 record, "ns1.smithhst.com" is pointed to 65.175.184.129. This is only an example and not our actual company name or ip address. The referenced public ip is the outside interface of our fatpipe running SmartDNS, but is the ip that reflects in the mail headers on the failed email transmissions. Outgoing internet email goes across our internet T1 out to the internet. All incoming internet email, bound for smith.com, comes back, across the internet to our corporate headquarters, across our frame connection to our local mail server located inside our network. That local mail server is on the smith.com domain. An example of our email address would be "jdoe@smith.com"

Would I setup reverse dns as follows:

129.184.175.65     IN        PTR   ns1.smithhst.com

I want to make sure that the mail  continues to be associated with the smith.com domain.
Currently the ISP is listed as the Primary DNS. At least that's what I noted a few minutes ago when I was doing an automated request for a Reverse DNS change. Perhaps I need to change the primary to our fatpipe. I may also need to create an MX record and point it back to the vestcom domain. I could create a separate public IP just for the mail server and enter this on the fatpipe.

Any suggestions?


Question by:jhhaley
15 Comments
 
LVL 20

Expert Comment

by:ikm7176
ID: 12210514
Quick overview of using Reverse DNS in exchange server

http://support.microsoft.com/default.aspx?scid=kb;EN-US;297412

You have to create a ptr record for your exchange server in the reverse-DNS zone for your 65.175.184-in-addr.arpa zone (assuming this is the Class A address with standard subnet mask). These changes will be handled by your ISP. You need to coordinate with your ISP to make the changes.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12210618
>I'm confident this is reverse dns issue.

Cool.  Can you post the exact error message you are getting (or the actual bounced message?)

Cheers,
-Jon

0
 
LVL 20

Expert Comment

by:ikm7176
ID: 12211086
0
 
LVL 1

Author Comment

by:jhhaley
ID: 12213153


Here is an example of the returned message:

 xxxx.xxxxxxx@xxxxxxxxxxxx.com on 9/29/2004 3:44 PM
            The message was undeliverable because the recipient specified in the recipient postal address was not known at this address
      The MTS-ID of the original message is: c=US;a= ;p=smith;l=MAILXXXX-040928204356Z-28801
            MSEXCH:IMS:smith:Mid South:MAILXXXX 3450 (000B09AA) 450 Client host rejected: cannot find your hostname, [65.175.184.129]

I just received a phone call from the company stating it bounced because there was no reverse translation. I've got two weeks to get this fixed. I contacted my ISP yesterday and it will be Monday before they call me back.

I do appreciate the help. I guess my primary concern was not just setting up the reverse translation and the MX record but making sure the email goes back thru the corporate domain "smith.com" instead of my returning to my domain "ns1.smithhst.com"

I'll also VPN into work and look at the Exchange DNS settings. We're still on Exchange 5.5.

Thanks a Heap!

 
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12219639
> 450 Client host rejected: cannot find your hostname, [65.175.184.129]

You need to arrange with whoever hosts reverse DNS for 65.175.184.* (184.175.65.in-addr.arpa domain) to insert a PTR record for 129, or delegate 129 to another server where you can arrange this.

In most cases, it won't matter what host name that PTR record returns, as long as it exists *where remote systems will look for it*.

0
 
LVL 12

Assisted Solution

by:Mazaraat
Mazaraat earned 100 total points
ID: 12219882
I see another potential problem, do you actually own the "smith.com" domain, or just the "smithhst.com" or "smith.hst.com" domain?

If not, anytime they try to lookup who owns the "smith.com" domain they will get the wrong DNS information.  If you do own the "smith.com" domain I agree with the above posts, that you need to coordinate with your ISP on creating the proper DNS entries.

Also verify that your MX record(s) is pointing to the proper IP address(es).
0
 
LVL 1

Author Comment

by:jhhaley
ID: 12220507
PennGwyn

Thanks PennGwyn - I can see the immediate need for Reverse DNS. I'm trying however to understand the need for an MX record.

The mail will not return back to my domain, by design it all goes across an SMTP gateway at the corporate headquarters back across the frame to our local exchange server.

0
 
LVL 16

Accepted Solution

by:
The--Captain earned 250 total points
ID: 12222593
>I want to make sure that the mail  continues to be associated with the smith.com domain.

What do you mean by that, exactly?

As long as you set your return address and Reply-To fields to be someone at smith.com, you won't have to worry about mail getting returned to some other domain (like hst.com), unless it is bouncing when you attempt the initial delivery (at which point it *should* bounce to hst.com, so that the delivery error can be corrected).

That being said, I don't think you need to worry about MX records - obviously one exists for smith.com and is pointing to the proper server, otherwise you wouldn't be getting a bounce (unless the MX is pointing to the *wrong* server, and then everyone at smith.com would be screaming about not being able to get their email, so that's obviously not the case).

You *do* need to get a PTR record added to the proper in-addr.arpa zone (184.175.65.in-addr.arpa domain , as PennGwyn points out) - if your ISP is handling your DNS, then I'd get them to add something like

129     IN     PTR     client1.smith.hst.com.

to their in-addr.arpa zonefile (it won't help to setup DNS locally, unless your ISP is willing to delegate authority for the proper in-addr.arpa zone, or subset thereof).

Also, I'd make sure that client1.smith.hst.com resolves to 65.175.184.129 - some mailservers check the PTR and A records to be sure that they match.

Cheers,
-Jon
0
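The two technical points in this thread, the naming of the in-addr.arpa zone for a /24 (ikm7176 and PennGwyn above) and the PTR-then-A consistency check that The--Captain says some receiving mailservers perform, worked through as an added example that is not part of the original thread. The addresses and host names are the thread's own placeholders; the PTR and A record tables are constructed for illustration and stand in for what the ISP's reverse zone and the branch's forward zone would return.

```python
import ipaddress

# Constructed sample data standing in for two zones the thread discusses:
# the ISP's reverse zone for 65.175.184.0/24 and the branch's forward zone.
# Addresses and names are the thread's placeholders, not real records.
PTR_RECORDS = {
    # .129 carries the PTR The--Captain suggests asking the ISP to add
    "129.184.175.65.in-addr.arpa.": "client1.smith.hst.com.",
    # .130 carries a PTR whose forward A record points somewhere else
    "130.184.175.65.in-addr.arpa.": "stale.smith.hst.com.",
    # .131 deliberately has no PTR at all (the thread's bounce case)
}
A_RECORDS = {
    "client1.smith.hst.com.": {"65.175.184.129"},
    "stale.smith.hst.com.": {"65.175.184.200"},
}


def reverse_zone(network: str) -> str:
    """Name of the in-addr.arpa zone holding PTRs for an octet-aligned IPv4 block."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("only octet-aligned IPv4 blocks (/8, /16, /24) are handled")
    # Reverse the network octets covered by the prefix: 65.175.184.0/24 -> 184.175.65
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_name(ip: str) -> str:
    """Fully qualified owner name of the PTR record for one IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_zone_line(ip: str, hostname: str) -> str:
    """Relative record line to request from whoever runs the /24 reverse zone."""
    host_octet = ip.split(".")[-1]
    return f"{host_octet}\tIN\tPTR\t{hostname}"


def fcrdns_check(ip: str, ptr_records: dict, a_records: dict) -> tuple:
    """Mimic a receiving MTA: resolve the PTR, then confirm its A record points back."""
    hostname = ptr_records.get(ptr_name(ip))
    if hostname is None:
        # No reverse translation at all: the 450 seen in the bounce above
        return ("reject", f"450 Client host rejected: cannot find your hostname, [{ip}]")
    if ip not in a_records.get(hostname, set()):
        # PTR exists but forward lookup disagrees; stricter MTAs treat this as unverified
        return ("mismatch", f"{hostname} does not resolve back to {ip}")
    return ("accept", hostname)


if __name__ == "__main__":
    print(reverse_zone("65.175.184.0/24"))
    print(ptr_zone_line("65.175.184.129", "client1.smith.hst.com."))
    for addr in ("65.175.184.129", "65.175.184.130", "65.175.184.131"):
        print(addr, fcrdns_check(addr, PTR_RECORDS, A_RECORDS))
```

Running it shows the zone name the ISP needs to edit (184.175.65.in-addr.arpa., not the 65.175.184 ordering), the one-line record to ask them for, and the three outcomes a receiving MTA can reach: accept for .129, a forward/reverse mismatch for .130, and the same 450 rejection the thread's bounce shows for .131, which has no PTR.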
 
LVL 16

Expert Comment

by:The--Captain
ID: 12222599
Of course, you could always just setup a VPN and have smith.com route some of their address space to you over the VPN, which should eliminate all of these problems.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:jhhaley
ID: 12222729
The--Captain
You are right an MX record does already exist for the smith.com domain, so in my instance the MX record is not necessary. I definitely need the reverse dns association on my domain. Thanks for the confirmation.

Mazaraat
The domain at my company is the smithhst.com. That domain, at this time does not support an email server.  The smith.com is registered by corporate headquarters and is the domain for our internal exchange servers spread out across the United States and Canada.

The MX record is already setup for the smith.com domain.

However, could you please clarify what you mean by your statement "anytime they try to lookup who owns the smith.com domain they will get the wrong DNS information.  If you do own the smith.com domain I agree with the above posts, that you need to coordinate with your ISP on creating the proper DNS entries."

If the email recipient requires reverse dns, then I've to setup reverse dns or the email will bounce.

I appreciate your input, I just want to better understand why you think I may encounter a problem. You may have a valid point.

Thanks for the help.
0
 
LVL 1

Author Comment

by:jhhaley
ID: 12222829
The-Captain

I was reading your following statements:

Your statement: to their in-addr.arpa zonefile (it won't help to setup DNS locally, unless your ISP is willing to delegate authority for the proper in-addr.arpa zone, or subset thereof).

- The ISP currently provides Primary DNS. Give me some examples of why I might want to setup DNS locally outside my firewall. At the moment I use the FatPipe to advertise our ftp servers on the DMZ.
I do have an internal DNS server inside our network.

Your statement: Also, I'd make sure that client1.smith.hst.com resolves to 65.175.184.129 - some mailservers check the PTR and A records to be sure that they match.

- As I mentioned above .129 is actually the outside interface of our FatPipe. I wonder if it would be best to setup a separate public ip, on the pix, for the email server and pointing it back toward the inside exchange server. Actually this might only be required if I was going to setup an MX record. Currently if an email recipient does not require reverse dns then we've no problem receiving their email.
 
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 12228762
You clarified my question =)  I wasn't sure what domains you had registered, and I agree with penn and The-Captain, have the ISP make that entry.  As a side note, where are your MX records pointing?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12232788
OK, I think I finally understand your problem, and your config completely - may I rephrase?

You have a central office with its own connection(s), and branch offices with their own connections.  The central office provides an inbound SMTP server which receives mail for smith.com - the MX is obviously correct since inbound mail for smith.com works great.  Each branch is responsible for its own outbound SMTP, and each branch has its own registered domain (not smith.com) for whatever services it might want to host locally.  One of your branches has no (or incorrect) reverse DNS, and outbound SMTP delivery is failing because of this.

Is this correct?

In any case, I find this new statement confusing:

>Currently if an email recipient does not
>require reverse dns then we've no problem
>recieving their email

Did you mean to say "sending them email"?  Otherwise, I'm not sure I follow you...

>The ISP currently provides Primary DNS. Give me
>some examples of why I might want setup DNS
>locally outside my firewall.

You generally wouldn't, unless you are dissatisfied with the response time of your ISP regarding DNS additions/updates (and in that case you'd run it in a DMZ, not on your external connection).

>_ As I mentioned above .129 is actually the
>outside interface of our FatPipe. I wonder if
>it would be best to   setup a seperate public
>ip, on the pix, for the email server and
>pointing it back toward the inside exchange
>server

I don't think that's necessary - just make sure you have properly matching forward and reverse DNS entries for your primary IP (.129) that use smithhst.com, and your mail will still reflect smith.com if you configure your mail client properly as I previously mentioned.

>As a side note, where are your MX records
>pointing?

-Mazaraat,
Unless we're talking about an inbound mail problem (and I don't think we are), can you explain how that info is relevant?

Cheers,
-Jon

0
 
LVL 1

Author Comment

by:jhhaley
ID: 12268847
I meant to give 250 points to The--Captain and 100 to Mazaraat. Can this be changed?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12269214
Voila!

Cheers,
-Jon
Your friendly neighborhood EE Networking PE (One of them, anyway)...
0
