mslibrarycommission
asked on
Reverse DNS
When I go to places like www.dnsstuff.com and do a reverse lookup on my mail relay it will work sometimes and a lot of times it will give timeouts trying to reach it. This is causing me problems sending emails to some ISPs because they do reverse lookups for your host name and it does not work half the time. I am using a Sunfire v210 with Solaris 10 as my outside DNS server with a PIX 535 firewall.
ASKER
Here are the results from that, it worked the first time and failed the next two times.
C:\dig>dig -x 216.79.153.204
; <<>> DiG 9.3.2 <<>> -x 216.79.153.204
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;204.153.79.216.in-addr.arpa. IN PTR
;; ANSWER SECTION:
204.153.79.216.in-addr.arpa. 38400 IN PTR mail.mlc.lib.ms.us.
;; Query time: 234 msec
;; SERVER: 205.152.37.23#53(205.152.37.23)
;; WHEN: Tue Oct 24 09:22:26 2006
;; MSG SIZE rcvd: 77
C:\dig>dig -x 216.79.153.204
; <<>> DiG 9.3.2 <<>> -x 216.79.153.204
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;204.153.79.216.in-addr.arpa. IN PTR
;; Query time: 187 msec
;; SERVER: 205.152.37.23#53(205.152.37.23)
;; WHEN: Tue Oct 24 09:22:43 2006
;; MSG SIZE rcvd: 45
C:\dig>dig -x 216.79.153.204
; <<>> DiG 9.3.2 <<>> -x 216.79.153.204
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 85
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;204.153.79.216.in-addr.arpa. IN PTR
;; Query time: 187 msec
;; SERVER: 205.152.37.23#53(205.152.37.23)
;; WHEN: Tue Oct 24 09:22:53 2006
;; MSG SIZE rcvd: 45
C:\dig>
SERVFAIL indicates an error on the nameserver (205.152.37.23)
not a timeout problem.
You need to inspect its logfiles to see what the error actually is.
I do get back some config errors:
The soa record in:
dig -t ns -x 216.79.153.204
returns:
153.79.216.in-addr.arpa. 10574 IN SOA mercury. smason.mlc.lib.ms.us. 2005101304 10800 3600 604800 38400
This should have been:
153.79.216.in-addr.arpa. 10574 IN SOA mercury.mlc.lib.ms.us. smason.mlc.lib.ms.us. 2005101304 10800 3600 604800 38400
I guess there are some configuration problems in the nameserver
as it is not authoritative... (no ns records for its own domains).
Authority has not been setup correctly (ns record within the domains)...
The authority is delegated to:
ns1.msstate.edu. (returns SERVFAIL)
sun1.its.state.ms.us. (returns REFUSED)
mercury.mlc.lib.ms.us. (cannot resolve the hostname:
mercury.mlc.lib.ms.us)
Look into the logfiles of the name servers involved
and smason on that domain (mlc.lib.ms.us) should be able to correct things
or that mail address is not configured correctly either.
BTW Commands used were:
dig -t ns mail.mlc.lib.ms.us @205.152.37.23
dig -t ns lib.ms.us @205.152.37.23
dig -x 216.79.153.204 @ns1.msstate.edu.
dig -x 216.79.153.204 @sun1.its.state.ms.us.
dig -x 216.79.153.204 @mercury.mlc.lib.ms.us
the 205.152.37.23 btw is dns.asm.bellsouth.net.
and probably asks one of the above three for the reverse address and
either gets an error return or another failure and occasionally
a normal answer...
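The broken SOA quoted above (MNAME `mercury.` instead of `mercury.mlc.lib.ms.us.`) is the shape a zone-file loader produces when a name is written with a trailing dot but without its domain: under the RFC 1035 rules, a name ending in a dot is taken as absolute, and only a name without one gets `$ORIGIN` appended. The following added example (my own toy parser, not noci's commands or BIND's loader) models that rule and runs the same sanity check the answer performs by hand: the SOA MNAME and every apex NS must be names a resolver can actually find an address for. The zone data and the forward-address table are constructed, using documentation names and addresses rather than the thread's.

```python
"""Zone-file name qualification and SOA MNAME check (added example,
not code from the thread). Models the RFC 1035 rule a zone-file loader
applies: a name with a trailing dot is absolute, any other name has
$ORIGIN appended. A reverse zone whose SOA names its primary as "ns1."
therefore publishes a nonexistent top-level host. All zone data and the
forward-address table below are constructed."""


def qualify(name: str, origin: str) -> str:
    """Absolute form of a zone-file name relative to the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name            # already absolute
    return f"{name}.{origin}"  # relative: origin appended


def parse_zone(text: str, origin: str):
    """Tiny one-record-per-line zone parser: returns (owner, rtype, rdata) tuples.
    Handles $ORIGIN, ';' comments, '@', blank owners and single-line '(' ')'."""
    records = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].replace("(", " ").replace(")", " ").strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if raw[0] in " \t":             # blank owner field: reuse previous owner
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
            last_owner = owner
        if fields and fields[0].isdigit():      # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        if rtype in ("SOA", "NS", "PTR", "CNAME"):
            # leading rdata fields are domain names and follow the same rule
            n_names = 2 if rtype == "SOA" else 1
            fields = [qualify(f, origin) for f in fields[:n_names]] + fields[n_names:]
        records.append((owner, rtype, fields))
    return records


def check_soa_mname(records, forward_addresses):
    """Return a list of problems; forward_addresses maps absolute hostname
    to address and stands in for what forward lookups would return."""
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        return [f"expected exactly one SOA, found {len(soa)}"]
    owner, _, rdata = soa[0]
    mname = rdata[0]
    if mname.count(".") < 2:
        problems.append(f"SOA MNAME {mname!r} is a bare label made absolute by its trailing dot")
    if mname not in forward_addresses:
        problems.append(f"SOA MNAME {mname!r} has no forward address")
    ns_names = [r[2][0] for r in records if r[1] == "NS" and r[0] == owner]
    if not ns_names:
        problems.append(f"zone {owner} publishes no NS records at its apex")
    for ns in ns_names:
        if ns not in forward_addresses:
            problems.append(f"NS {ns} has no forward address")
    return problems


# Constructed reverse zone reproducing the mistake: "ns1." instead of "ns1.example.net."
BROKEN_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
@   IN SOA ns1. hostmaster.example.net. ( 2024010101 10800 3600 604800 38400 )
    IN NS  ns1.
10  IN PTR mail.example.net.
"""
FIXED_ZONE = BROKEN_ZONE.replace("ns1.", "ns1.example.net.")
FORWARD = {"ns1.example.net.": "192.0.2.1", "mail.example.net.": "192.0.2.10"}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_soa_mname(parse_zone(zone, "."), FORWARD) or "ok")
```

The parser is deliberately minimal (one record per line, no multi-line SOA); its point is the qualification rule, which is what turns a forgotten domain suffix into a lame primary name.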
ASKER
I made the change to host file 216.79.153.rev on mercury.mlc.lib.ms.us. You should now be getting back 153.79.216.in-addr.arpa. 10574 IN SOA mercury.mlc.lib.ms.us.
what do you see wrong now. I'm responsible for just mercury. Thanks!
Even the forward lookup of mercury.mlc.lib.ms.us fails....
Anybody asking for a name needing "authoritative" to be checked ends up with an
unresolvable ns record.
Before fixing reverse lookup do the forwards first.
dig mercury.mlc.lib.ms.us +trace
; <<>> DiG 9.3.2 <<>> mercury.mlc.lib.ms.us +trace
;; global options: printcmd
. 18759 IN NS i.root-servers.net.
. 18759 IN NS j.root-servers.net.
. 18759 IN NS k.root-servers.net.
. 18759 IN NS l.root-servers.net.
. 18759 IN NS m.root-servers.net.
. 18759 IN NS a.root-servers.net.
. 18759 IN NS b.root-servers.net.
. 18759 IN NS c.root-servers.net.
. 18759 IN NS d.root-servers.net.
. 18759 IN NS e.root-servers.net.
. 18759 IN NS f.root-servers.net.
. 18759 IN NS g.root-servers.net.
. 18759 IN NS h.root-servers.net.
;; Received 436 bytes from 192.168.6.1#53(192.168.6.1) in 4 ms
us. 172800 IN NS A.GTLD.BIZ.
us. 172800 IN NS B.GTLD.BIZ.
us. 172800 IN NS C.GTLD.BIZ.
;; Received 143 bytes from 192.36.148.17#53(i.root-servers.net) in 28 ms
lib.ms.us. 900 IN NS mercury.mlc.lib.ms.us.
lib.ms.us. 900 IN NS SUN1.ITS.STATE.ms.us.
;; Received 114 bytes from 209.173.53.162#53(A.GTLD.BIZ) in 102 ms
dig: couldn't get address for 'mercury.mlc.lib.ms.us': not found
And there it goes wrong...
For lib.ms.us two name servers are appointed:
- mercury.mlc.lib.ms.us
- sun1.its.state.ms.us
And no address for mercury.mlc.lib.ms.us can be resolved.
dig mail.mlc.lib.ms.us @ns1.msstate.edu. +trace
; <<>> DiG 9.3.2 <<>> mail.mlc.lib.ms.us @ns1.msstate.edu. +trace
; (1 server found)
;; global options: printcmd
. 358555 IN NS K.ROOT-SERVERS.NET.
. 358555 IN NS L.ROOT-SERVERS.NET.
. 358555 IN NS M.ROOT-SERVERS.NET.
. 358555 IN NS A.ROOT-SERVERS.NET.
. 358555 IN NS B.ROOT-SERVERS.NET.
. 358555 IN NS C.ROOT-SERVERS.NET.
. 358555 IN NS D.ROOT-SERVERS.NET.
. 358555 IN NS E.ROOT-SERVERS.NET.
. 358555 IN NS F.ROOT-SERVERS.NET.
. 358555 IN NS G.ROOT-SERVERS.NET.
. 358555 IN NS H.ROOT-SERVERS.NET.
. 358555 IN NS I.ROOT-SERVERS.NET.
. 358555 IN NS J.ROOT-SERVERS.NET.
;; Received 436 bytes from 130.18.80.12#53(130.18.80.12) in 183 ms
us. 172800 IN NS a.gtld.biz.
us. 172800 IN NS b.gtld.biz.
us. 172800 IN NS c.gtld.biz.
;; Received 140 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 14 ms
lib.ms.us. 900 IN NS SUN1.ITS.STATE.ms.us.
lib.ms.us. 900 IN NS MERCURY.mlc.lib.ms.us.
;; Received 119 bytes from 209.173.53.162#53(a.gtld.biz) in 102 ms
mail.mlc.lib.ms.us. 38400 IN A 216.79.153.204
lib.ms.us. 38400 IN NS ns1.msstate.edu.
lib.ms.us. 38400 IN NS sun1.its.state.ms.us.
lib.ms.us. 38400 IN NS mercury.mlc.lib.ms.us.
;; Received 148 bytes from 192.42.4.39#53(SUN1.ITS.STATE.ms.us) in 139 ms
--------------------------
Or spot the difference in these (all authoritative for your domain):
--------------------------
dig mail.mlc.lib.ms.us @ns1.msstate.edu.
; <<>> DiG 9.3.2 <<>> mail.mlc.lib.ms.us @ns1.msstate.edu.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30586
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.mlc.lib.ms.us. IN A
;; ANSWER SECTION:
mail.mlc.lib.ms.us. 38237 IN A 216.79.153.204
;; AUTHORITY SECTION:
lib.ms.us. 36376 IN NS ns1.msstate.edu.
lib.ms.us. 36376 IN NS sun1.its.state.ms.us.
lib.ms.us. 36376 IN NS mercury.mlc.lib.ms.us.
;; ADDITIONAL SECTION:
ns1.msstate.edu. 7200 IN A 130.18.80.12
sun1.its.state.ms.us. 86400 IN A 192.42.4.39
;; Query time: 158 msec
;; SERVER: 130.18.80.12#53(130.18.80.12)
;; WHEN: Tue Oct 24 20:31:33 2006
;; MSG SIZE rcvd: 164
------------------
dig mail.mlc.lib.ms.us @MERCURY.mlc.lib.ms.us.
dig: couldn't get address for 'MERCURY.mlc.lib.ms.us.': not found
-------------------
dig mail.mlc.lib.ms.us @SUN1.ITS.STATE.ms.us.
; <<>> DiG 9.3.2 <<>> mail.mlc.lib.ms.us @SUN1.ITS.STATE.ms.us.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43385
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;mail.mlc.lib.ms.us. IN A
;; ANSWER SECTION:
mail.mlc.lib.ms.us. 38400 IN A 216.79.153.204
;; AUTHORITY SECTION:
lib.ms.us. 38400 IN NS sun1.its.state.ms.us.
lib.ms.us. 38400 IN NS mercury.mlc.lib.ms.us.
lib.ms.us. 38400 IN NS ns1.msstate.edu.
;; ADDITIONAL SECTION:
sun1.its.state.ms.us. 86400 IN A 192.42.4.39
--------------------------
Upper/lowercase is no issue in DNS,
missing forward resolutions doesn't work.
After that reverse lookups sometimes don't work.
BTW, if a host has more than one name use CNAMEs for all but the one that should
fit the PTR, the PTR has an A associated and vice versa.
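The "spot the difference" above comes down to three things a resolver checks on its way to an answer: the parent's delegation and the zone apex should list the same name servers, every listed server must have an address (here `mercury` has none), and each one must answer for the zone with the `aa` flag set (one of the three answers lacks it). This added example (my own code, not noci's procedure or any dig feature) turns those checks into a small script: it parses the `status:` and `flags:` header lines from dig output and reports each delegation defect. The dig headers and the NS sets are constructed stand-ins, so it runs without network access.

```python
"""Delegation consistency check over dig output (added example, not code
from the thread). Every name server the parent delegates to or the zone
apex lists must have an address, the two NS sets should agree, and each
listed server must answer for the zone with the AA flag set. The dig
header snippets below are constructed stand-ins for live queries."""
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig_header(output: str):
    """Return (status, set of flag names) from dig's header lines."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    return (status.group(1) if status else "NOANSWER",
            set(flags.group(1).split()) if flags else set())


def check_delegation(zone, parent_ns, child_ns, addresses, answers):
    """Return a list of findings (empty means the delegation is healthy).

    parent_ns / child_ns: NS names from the parent's delegation and from
    the zone apex; addresses: NS name -> address, as a resolver could find
    it; answers: NS name -> dig output for a query of a name in the zone."""
    findings = []
    if set(parent_ns) != set(child_ns):
        findings.append(f"{zone}: parent delegates to {sorted(parent_ns)} "
                        f"but apex lists {sorted(child_ns)}")
    for ns in sorted(set(parent_ns) | set(child_ns)):
        if ns not in addresses:
            findings.append(f"{ns}: no address record, resolvers cannot reach it")
            continue
        output = answers.get(ns)
        if output is None:
            findings.append(f"{ns}: no response")
            continue
        status, flags = parse_dig_header(output)
        if status != "NOERROR":
            findings.append(f"{ns}: answered {status}")
        elif "aa" not in flags:
            findings.append(f"{ns}: answered without AA flag (lame delegation)")
    return findings


# Constructed dig headers: one authoritative answer, one recursive-cache
# answer (no 'aa'), one refusal.
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
"""
NON_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
"""
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1003
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed delegation: ns1 has no address anywhere, ns3 is listed only
# at the apex and answers from cache rather than authoritatively.
SAMPLE = dict(
    zone="example.net.",
    parent_ns=["ns1.example.net.", "ns2.example.net."],
    child_ns=["ns1.example.net.", "ns2.example.net.", "ns3.isp.example."],
    addresses={"ns2.example.net.": "192.0.2.2", "ns3.isp.example.": "198.51.100.53"},
    answers={"ns2.example.net.": AUTHORITATIVE, "ns3.isp.example.": NON_AUTHORITATIVE},
)


def run_sample():
    """Findings for the constructed delegation above."""
    return check_delegation(**SAMPLE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In practice the `answers` dict would be filled by running `dig <name> @<server>` against each listed server from outside your own network; the parser only needs the two header lines, which dig prints regardless of the query type.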
ASKER
I don't understand, I have both these entries in the host and reverse lookup files:
54.153.79.216.in-addr.arpa. IN PTR mercury.mlc.lib.ms.us.
mercury.mlc.lib.ms.us IN A 216.79.153.254
ASKER
I appreciate your help noci, I have just taken over DNS here a year ago and I'm still learning. Anything else will be appreciated. It looks like I need to get efficient with "DIG".
And make sure you can test your DNS setup through extern connections.
Your view on the inside might not be the same as on the outside.
And yes, dig is your DNS tracing tool.
'man dig' is a good starter, happy ns'ing
try to find out where it fails.
dig -x <yourip>
should tell you the whole story, if not try it up one higher in the tree.
dig -x just means your address 1.2.3.4 is transformed
to: 4.3.2.1.in-addr.arpa.
ask for 4.3.2.1.in-addr.arpa, then 3.2.1.in-addr.arpa
check ns servers (-t ns) for the same and see where it all goes wrong.
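As an added example (my own code, not part of the thread), the script below implements the two pieces of advice given in this thread that lend themselves to automation: the name transformation described just above (`1.2.3.4` becomes `4.3.2.1.in-addr.arpa.`, then walk up the tree one label at a time checking NS records), and the earlier rule that the PTR target must carry an A record pointing back at the same address, with CNAMEs reserved for the other names of the host. It goes beyond the thread in handling IPv6 addresses as well (their `ip6.arpa` nibble names). The PTR and address tables are constructed from documentation ranges; the mismatch they contain (a PTR for one address whose target's A record names a different address) is the kind of inconsistency the check is there to catch.

```python
"""Reverse-name construction and forward-confirmed reverse check (added
example, not code from the thread). reverse_name() is the transformation
1.2.3.4 -> 4.3.2.1.in-addr.arpa., extended to IPv6 nibble names;
ancestors() and dig_commands() list the zones to check one level higher
each step; ptr_forward_consistent() requires the PTR target to have an
A/AAAA record pointing back at the same address. All record tables are
constructed."""
import ipaddress


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ancestors(ip: str):
    """Zones above the PTR name, most specific first, ending at in-addr.arpa. or ip6.arpa."""
    labels = reverse_name(ip).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) - 1)]


def dig_commands(ip: str):
    """The sequence of checks described above, as dig invocations."""
    return [f"dig -x {ip}"] + [f"dig -t ns {zone}" for zone in ancestors(ip)]


def ptr_forward_consistent(ip, ptr_records, addr_records):
    """Check that ip's PTR target resolves back to ip.

    ptr_records: PTR owner name -> target hostname;
    addr_records: hostname -> set of A/AAAA address strings (a name that is
    only a CNAME has no entry). Returns (ok, reason)."""
    want = ipaddress.ip_address(ip)
    owner = reverse_name(ip)
    target = ptr_records.get(owner)
    if target is None:
        return False, f"no PTR at {owner}"
    addrs = {ipaddress.ip_address(a) for a in addr_records.get(target, ())}
    if not addrs:
        return False, f"PTR target {target} has no A/AAAA record (a CNAME alone will not do)"
    if want not in addrs:
        return False, f"PTR target {target} resolves to {sorted(map(str, addrs))}, not {ip}"
    return True, f"{ip} <-> {target} forward-confirmed"


# Constructed records: one consistent IPv4 pair, one PTR whose target's A
# record names a different address, one PTR aimed at a CNAME-only alias,
# and one consistent IPv6 pair.
PTRS = {
    "10.2.0.192.in-addr.arpa.": "mail.example.net.",
    "54.2.0.192.in-addr.arpa.": "ns1.example.net.",
    "80.2.0.192.in-addr.arpa.": "www.example.net.",
    reverse_name("2001:db8::25"): "mx.example.net.",
}
ADDRS = {
    "mail.example.net.": {"192.0.2.10"},
    "ns1.example.net.": {"192.0.2.254"},
    "mx.example.net.": {"2001:db8::25"},
    # www.example.net. is a CNAME to mail.example.net., so it has no entry here
}


def audit(ips):
    """Map each address to its (ok, reason) result against the tables above."""
    return {ip: ptr_forward_consistent(ip, PTRS, ADDRS) for ip in ips}


if __name__ == "__main__":
    for cmd in dig_commands("192.0.2.10"):
        print(cmd)
    results = audit(["192.0.2.10", "192.0.2.54", "192.0.2.80", "2001:db8::25"])
    for ip, (ok, why) in results.items():
        print("OK  " if ok else "FAIL", ip, why)
```

Run it and compare the printed `dig` lines with what you type by hand; the `audit` results show why a mail relay whose PTR and A records disagree, or whose PTR points at an alias, fails the check receiving mail servers perform.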