Solved

Need to know how to configure Reverse DNS on a Windows 2000 to stop Reverse DNS mail rejection

Posted on 2005-05-12
Last Modified: 2008-02-01
I just had a client send me a rejected email message that read as follows....

            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <EX-SRV1.Zantis.Zantisworks.com #5.7.1 smtp;554 5.7.1 The server sending your mail [216.160.67.117] does not have a reverse DNS entry. Connection Rejected. Please contact your Dial-Up/DSL/Network ISP Provider. Default Reject!>

I have read many posts about what to do and most of them say "ask your ISP to configure the reverse DNS" which I'm sure that I'm the one that needs to correctly enter this into my server.  I have a Windows 2000 server running DNS that points the Host and MX records to the correct IP addresses for both the websites and the email.  I read the following post.....

<<<<<<<<<<<<<<  You cannot resolve this by going to your server. You will need to contact your ISP and have them set up a reverse DNS entry for your mail server. If your server is 'mail.yourdomain.com', then you need to have them set the reverse IP for 123.45.678.90 to mail.yourdomain.com.>>>>>>>>>>>>

Where in the DNS does this get set?  I have tried a couple of entries and haven't set it up correctly yet.

I tried to put some entries in the Reverse Lookup Zones but without any luck.  Is this where this would go?

Question by:Zantis
5 Comments

Accepted Solution

by:
ikm7176 earned 2000 total points
ID: 13984543
You have the right information. These changes should be made by your ISP and not you, unless you are hosting a public DNS server.

"which I'm sure that I'm the one that needs to correctly enter this into my server" - are you hosting your own DNS server?

REASON: your mail server will have an MX record registered at the Public DNS server (generally the ISP). This ISP also holds the A record for your MX record in their DNS server. The same A record should have a reverse-DNS entry in the same DNS server.

In short, your ISP should configure the Reverse-DNS entry for your A record in their DNS server.

Ask for more information if required

Author Comment

by:Zantis
ID: 13989474
Yes, I'm hosting my own DNS server.... as explained above.  I have been doing all the DNS entries.  I just need to know how to correctly enter the Reverse DNS entry on my DNS server as it looks like  I haven't done it yet.

I have the MX records pointing to the email server for each hosted domain also including my own domain.  

In the above comment I should make an A record for my MX record?  I do have A records that point to the mail server's IP address.

zantis.zantisworks.com    ex-srv1                    A     216.160.67.117
                          (same as parent folder)    MX    216.160.67.117

Under the Reverse Lookup Zones it reads

0.in-addr.arpa
127.in-addr.arpa
255.in-addr.arpa

I tried putting my IP address for the email server in the "Network ID" when creating a Reverse Lookup Zone and without any luck.  And it seems there isn't much to the reverse lookup zones either.  Not too many options there.



Expert Comment

by:ikm7176
ID: 14001427
What is your subnet mask? Reverse-DNS works at IP level. Did your ISP delegate your DNS server to be responsible for the range of IP addresses?

Read this !

Reverse-lookup uses the same principle as regular DNS but has a couple of special attributes.
1.      All IP addresses are part of one domain called "in-addr.arpa".
2.      Reverse-Lookup is delegated like regular DNS but it must be delegated all the way down to your DNS server and this is more complicated because the delegation design uses the octet level of the IP address. The reason this is more difficult is that many domains with controlling DNS servers do not have a full octet of IP addresses as they are sub-netted to a smaller number, such as 128, 64, 32, 16, or 8.

Prerequisites:
ARIN is the (American Registry for Internet Numbers) registry for DNS numbers in the U.S. and some other continents.

How it actually works:
1.      Some client or server on the Internet wants to know who 204.203.202.201 (random address) is. They want to know the name this translates to. Some mail services do a reverse lookup on the email domain to be sure it really exists before they will accept the email.
2.      That client or server asks the question, "Who is 201.202.203.204.in-addr.arpa.?" This goes to their DNS server. Their DNS server will act as the "agent" that resolves this thing and only sends back the finished query.
3.      Or, if they are a DNS server, it goes to the root server and the root server replies with an NS record of the server who has been delegated the reverse lookup for that subnet. And, since it is acting as the "agent", it does all of the work.
4.      Let's say that the Root server sends back a reply that says, "Well, I know that 0.0.0.204.in-addr.arpa. is delegated to Great Big ISP and his DNS server's IP address is ....."
5.      So now the querying DNS server sends a query to Great Big ISP's DNS server, of record, and says the same thing again, "Who is 201.202.203.204.in-addr.arpa.?"
6.      Great Big ISP's DNS server replies, "Well, I don't know that one, but I do know that I own 204.in-addr.arpa. and I have delegated 0.0.203.204.in-addr.arpa. to Regular Big ISP and here's their DNS server's IP address....."
7.      So now your DNS server sends a request to Regular Big ISP and asks the same question yet again, "Who is 201.202.203.204.in-addr.arpa.?".
8.      Regular Big ISP says, "I don't know who that is but I do know that I delegated 0.202.203.204.in-addr.arpa. to Little ISP so ask him. Here's his DNS server's IP address...."
9.      Now your DNS server asks Little ISP's DNS server the same question, "Who is 201.202.203.204.in-addr.arpa.?"
10.      Little ISP's DNS server replies, "HEY, I KNOW THAT! That's mail.somedomain.com.!"
11.      Your DNS server now has the name for that IP address and uses it, or returns it to the client who requested it.
    This becomes somewhat more complicated when it is done on a non-octet boundary since you have to create several zones for one Class C subnet, but this representation is accurate down to a Class C (256 addresses) subnet.
 
    ARIN was formed as a result of discussions between the large Internet registration entities such as IANA, RIPE, IETF, APNIC, NSF, and FNC. You can learn more about these organizations by using the links of the names above.
    You can do your own lookup at the ARIN Whois page. This page shows the delegation to the big providers and does not necessarily go all the way down to the IP address in question since it actually gives names and contacts for the subnets and no actual host names for an IP address. Usually you will only get down to the Class C subnet that the IP address  you are looking for is part of. NSLookup will have to be used if you want to go farther down.
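
The naming scheme described in the comment above, as an added example that is not part of the original post: it builds the PTR owner name for the rejected address, lists the octet-boundary reverse zones that enclose it, and shows the records for the non-octet case using the 255.255.255.248 mask the asker reports in this thread. The child-zone label follows the convention used in RFC 2317, which goes beyond what the thread covers; `ns.customer.example` is a hypothetical name server.

```python
import ipaddress

def ptr_name(ip):
    """Owner name queried for the PTR record of an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def octet_zones(ip):
    """Reverse zones on octet boundaries that enclose the address, widest first."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa" for n in (1, 2, 3)]

def classless_delegation(ip, netmask, customer_ns, hostname):
    """Records for handing a block smaller than a /24 to a customer's DNS server.

    Uses the "<first address>/<prefix length>" label from RFC 2317; a provider
    may choose a different label for the child zone.
    """
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    if not 24 < net.prefixlen < 32:
        raise ValueError("only needed for blocks smaller than a /24")
    parent = octet_zones(ip)[2]
    last = lambda addr: str(addr).rsplit(".", 1)[1]   # final octet as text
    child = f"{last(net.network_address)}/{net.prefixlen}.{parent}"
    return {
        "child_zone": child,
        # Published by whoever runs the enclosing /24 reverse zone (the ISP):
        "parent_records": [f"{child}. NS {customer_ns}."] + [
            f"{last(h)}.{parent}. CNAME {last(h)}.{child}." for h in net.hosts()
        ],
        # Published by the customer inside the delegated child zone:
        "child_records": [f"{last(ip)}.{child}. PTR {hostname}."],
    }

if __name__ == "__main__":
    ip = "216.160.67.117"                  # address from the bounce message
    print(ptr_name(ip))
    print(octet_zones(ip))
    plan = classless_delegation(ip, "255.255.255.248",
                                "ns.customer.example",   # hypothetical
                                "ex-srv1.zantis.zantisworks.com")
    for line in plan["parent_records"] + plan["child_records"]:
        print(line)
```

Without the NS and CNAME records in the enclosing zone, a reverse zone created on the customer's own server is never consulted by outside resolvers.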

Author Comment

by:Zantis
ID: 14003854
ikm7176,

My subnet mask is 255.255.255.248. I have IP addresses 216.160.67.113 - 216.160.67.117 with a gateway at 216.160.67.118.

I have a better understanding from the list above but this is what my server has listed under reverse DNS on the DNS server...

0.in-addr.arpa
127.in-addr.arpa
255.in-addr.arpa

This is the list that the server created when it was installed.  Nothing has been changed in the Reverse DNS area.  I just need to make whatever entry for IP address 216.160.67.117 to point to ex-srv1.zantis.zantisworks.com and whatever record that would be.

Author Comment

by:Zantis
ID: 14123266
I did end up having Qwest add a Reverse-DNS entry to route my IP address and all is good.
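
A way to confirm the fix from the outside, as an added example that is not part of the original thread: it classifies a sending IP the way a receiving mail server's reverse DNS check might, and also confirms that the PTR name resolves back to the same address, which goes a step beyond the rejection quoted in the question. The lookup tables and the `fake_dns` helper are constructed so the check runs offline; with the default arguments it queries real DNS through the standard `socket` module.

```python
import socket

def check_reverse_dns(ip, reverse=socket.gethostbyaddr,
                      forward=socket.gethostbyname_ex):
    """Return (verdict, ptr_name) for the IP of a connecting SMTP client."""
    try:
        name, _aliases, _addrs = reverse(ip)        # PTR lookup
    except (socket.herror, socket.gaierror):
        return ("no-ptr", None)                     # the case in the bounce
    try:
        _name, _aliases, addrs = forward(name)      # A lookup on the PTR name
    except (socket.herror, socket.gaierror):
        return ("ptr-unconfirmed", name)
    return ("ok" if ip in addrs else "ptr-mismatch", name)

def fake_dns(ptr, a):
    """Offline resolvers built from constructed PTR and A tables."""
    def reverse(ip):
        if ip not in ptr:
            raise socket.herror(1, "Unknown host")
        return (ptr[ip], [], [ip])
    def forward(name):
        if name not in a:
            raise socket.gaierror(-2, "Name or service not known")
        return (name, [], a[name])
    return reverse, forward

MAIL_IP = "216.160.67.117"                          # from the bounce message
MAIL_NAME = "ex-srv1.zantis.zantisworks.com"        # from the thread

# Constructed data: before the ISP added the PTR, after, and a PTR whose
# name points somewhere else (192.0.2.10 is a documentation address).
BEFORE = fake_dns({}, {MAIL_NAME: [MAIL_IP]})
AFTER = fake_dns({MAIL_IP: MAIL_NAME}, {MAIL_NAME: [MAIL_IP]})
MISMATCH = fake_dns({MAIL_IP: "host.example.net"},
                    {"host.example.net": ["192.0.2.10"]})

if __name__ == "__main__":
    for label, (rev, fwd) in [("before", BEFORE), ("after", AFTER),
                              ("mismatch", MISMATCH)]:
        print(label, check_reverse_dns(MAIL_IP, rev, fwd))
```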