Solved

Resolving DNS issues on Exchange

Posted on 2007-11-28
Last Modified: 2008-05-28
Hi Folks,

I'm a newbie at Exchange and could use some assistance in making sure everything is working properly. I hate seeing failures and errors. I used http://www.dnsstuff.com/ and found some issues with my entry. Can someone help me out?

We are also using a product called ActiveFax that sends automated faxes and emails that is required for our business, the only thing we can do with it is to move to another machine, but it must remain.

Here is the actual report, http://www.dnsstuff.com/tools/dnsreport.ch?domain=automationsolutionsinc.com

FAIL Missing (stealth) nameservers FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNSreport will not query these servers, so you need to be very careful that they are working properly.

ns1.onecommunications.net.
ns2.onecommunications.net.
ns3.onecommunications.net.
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).  

FAIL Missing nameservers 2 ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
ns1.conversent.net.
ns2.conversent.net.


FAIL Stealth NS record leakage Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [ns1.onecommunications.net.]!
Stealth nameservers are leaked [ns2.onecommunications.net.]!
Stealth nameservers are leaked [ns3.onecommunications.net.]!

This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.

WARN SOA MNAME Check WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: ns1.onecommunications.net.. However, that server is not listed at the parent servers as one of your NS records! This is legal, but you should be sure that you know what you are doing.  

WARN Mail server host name in greeting WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

asimail01.automationsolutionsinc.com claims to be non-existent host asidc01.AutomationSolutionsInc.local:
220 asidc01.AutomationSolutionsInc.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 28 Nov 2007 06:30:17 -0500

FAIL Acceptance of postmaster address ERROR: One or more of your mailservers does not accept mail to postmaster@automationsolutionsinc.com. Mailservers are required (RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1) to accept mail to postmaster.

spool.conversent.net's postmaster response:
>>> RCPT TO:<postmaster@automationsolutionsinc.com>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
asimail01.automationsolutionsinc.com's postmaster response:
>>> RCPT TO:<postmaster@automationsolutionsinc.com>
<<< 550 5.1.1 User unknown

WARN Acceptance of abuse address WARNING: One or more of your mailservers does not accept mail to abuse@automationsolutionsinc.com. Mailservers are expected by RFC2142 to accept mail to abuse.

spool.conversent.net's abuse response:
>>> RCPT TO:<abuse@automationsolutionsinc.com>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
asimail01.automationsolutionsinc.com's abuse response:
>>> RCPT TO:<abuse@automationsolutionsinc.com>
<<< 550 5.1.1 User unknown

FAIL Open relay test WARNING: One or more of your mailservers appears to be an open relay. If so, this means that you are allowing spammers to freely use the mailserver to send out spam! It is possible that your mailserver accepts all E-mail and later bounces it, or accepts the relay attempt and then deletes the E-mail, but this is not common.

WARNING: asimail01.automationsolutionsinc.com appears to be an open relay: 250 2.1.5 Not.abuse.see.www.DNSreport.com.from.IP.72.93.119.140@DNSreport.com

WARN SPF record Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).

Question by:mcioffi209
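
The three nameserver findings in the report above (stealth NS, NS missing from the zone, SOA MNAME not listed at the parent) all come from comparing the parent's NS set with what the zone itself serves. The following is an added example, not part of the original post or of DNSreport: it assumes dig-style answer lines pasted as text; the nameserver names are the ones in the report, while the TTLs and the SOA contact, serial and timers are constructed.

```python
def _host(name):
    return name.rstrip(".").lower()

def parse_records(text):
    """Return (ttl, type, rdata_fields) for each 'name ttl IN type rdata' line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, ';' comments and anything that is not an IN record.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        records.append((int(fields[1]), fields[3].upper(), fields[4:]))
    return records

def ns_ttls(records):
    """Map each NS target to its TTL."""
    return {_host(rdata[0]): ttl for ttl, rtype, rdata in records if rtype == "NS"}

def delegation_findings(parent_text, zone_text):
    parent = ns_ttls(parse_records(parent_text))
    zone_records = parse_records(zone_text)
    zone = ns_ttls(zone_records)
    mnames = [_host(rdata[0]) for _, rtype, rdata in zone_records if rtype == "SOA"]
    return {
        # In the zone but not delegated by the parent ("stealth").
        "stealth": sorted(set(zone) - set(parent)),
        # Delegated by the parent but absent from the zone's own NS set.
        "missing_in_zone": sorted(set(parent) - set(zone)),
        # Same server on both sides with different TTLs.
        "ttl_mismatch": sorted(n for n in set(parent) & set(zone) if parent[n] != zone[n]),
        # SOA primary that the parent does not list.
        "mname_not_at_parent": [m for m in mnames if m not in parent],
    }

# Names are from the report on this page; TTLs and SOA details are constructed.
PARENT_SAMPLE = """\
automationsolutionsinc.com. 172800 IN NS ns1.conversent.net.
automationsolutionsinc.com. 172800 IN NS ns2.conversent.net.
"""
ZONE_SAMPLE = """\
automationsolutionsinc.com. 3600 IN NS ns1.onecommunications.net.
automationsolutionsinc.com. 3600 IN NS ns2.onecommunications.net.
automationsolutionsinc.com. 3600 IN NS ns3.onecommunications.net.
automationsolutionsinc.com. 3600 IN SOA ns1.onecommunications.net. hostmaster.example.invalid. 1 3600 600 86400 3600
"""

if __name__ == "__main__":
    for key, value in delegation_findings(PARENT_SAMPLE, ZONE_SAMPLE).items():
        print(f"{key}: {value}")
```

An empty result in all four fields means the parent and the zone agree on the delegation.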
12 Comments
 
LVL 12

Accepted Solution

by:
Network_Data_Support earned 500 total points
ID: 20365057
First things first: get that open relay closed.

   1. Start Exchange System Manager (ESM)
   2. Expand Servers, <your server>, Protocols, SMTP.
   3. Right click on "Default SMTP Virtual Server" and choose Properties.
   4. Click on the "Access" Tab.
   5. There are four buttons, click on "Relay..." at the bottom.
   6. Ensure that "Only the list below" is enabled and the list is empty.
   7. If you don't have users sending email through your email server with Outlook Express or another POP3 client then you can disable "Allow all users that successfully authenticate to relay regardless of the list above".
   8. Apply/OK until all windows are closed.
0
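
To re-check the mail findings after changing the relay settings, the reply lines from a new test run can be classified the same way the report does. This is an added example, not part of the original answer or of DNSreport; it works on captured reply lines only, and the function names and result labels are illustrative.

```python
import re

REPLY = re.compile(r"^(\d{3})[ -](\S*)")

def reply_code(line):
    """Return the 3-digit code of an SMTP reply line."""
    m = REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply: {line!r}")
    return int(m.group(1))

def greeting_problems(banner, mx_name):
    """Compare the host named in the 220 greeting with the MX host name."""
    m = REPLY.match(banner.strip())
    if not m or m.group(1) != "220":
        raise ValueError("expected a 220 greeting")
    host = m.group(2).lower().rstrip(".")
    problems = []
    if host != mx_name.lower().rstrip("."):
        problems.append("greeting-differs-from-mx")
    if "." not in host or host.endswith(".local"):
        problems.append("greeting-not-public-name")
    return problems

def classify_rcpt(rcpt, reply, local_domains):
    """Classify one RCPT TO probe from its reply line."""
    accepted = 200 <= reply_code(reply) < 300
    local_part, _, domain = rcpt.rpartition("@")
    if domain.lower() not in local_domains:
        # A 2xx for a domain we do not host is the open-relay symptom.
        return "relay-accepted" if accepted else "relay-refused"
    if local_part.lower() in ("postmaster", "abuse") and not accepted:
        return "role-address-rejected"
    return "accepted" if accepted else "rejected"

# Captured lines copied from the report on this page.
BANNER = ("220 asidc01.AutomationSolutionsInc.local Microsoft ESMTP MAIL Service, "
          "Version: 6.0.3790.1830 ready at Wed, 28 Nov 2007 06:30:17 -0500")
MX = "asimail01.automationsolutionsinc.com"
LOCAL = {"automationsolutionsinc.com"}
PROBES = [
    ("postmaster@automationsolutionsinc.com", "550 5.1.1 User unknown"),
    ("abuse@automationsolutionsinc.com", "550 5.1.1 User unknown"),
    ("Not.abuse.see.www.DNSreport.com.from.IP.72.93.119.140@DNSreport.com",
     "250 2.1.5 Not.abuse.see.www.DNSreport.com.from.IP.72.93.119.140@DNSreport.com"),
]

def run_checks():
    return greeting_problems(BANNER, MX), [classify_rcpt(r, rep, LOCAL) for r, rep in PROBES]
```

A server that refuses to relay answers the third probe with a 5xx reply, which classifies as `relay-refused`.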
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20365087
looks like DNS problems

ns1.conversent.net.
ns2.conversent.net

have no entries

0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20365115
You have listed only one of the three onecommunications.net. nameservers with your domain registrar (some only allow two). This means the root nameservers (essentially, the world) only see one DNS server listed for your domain.
0

 

Author Comment

by:mcioffi209
ID: 20365199
How do I resolve the issue?
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20365234
You need to add NS records for

ns1.conversent.net.
ns2.conversent.net
0
 
LVL 12

Assisted Solution

by:Network_Data_Support
Network_Data_Support earned 500 total points
ID: 20365250
once ns1 has been added that will clear up the SOA problem too by the looks of it
0
 

Author Comment

by:mcioffi209
ID: 20366436
I'm guessing that I need the folks that host the MX record to do that right?  What do I tell them to add?  I apologize for the basic questions, but I want to ensure that I get this nailed soon and I do not want to keep making mistakes.

Thanks for the help.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20366635
Yes, you will have to get your external DNS registrar to key in the nameservers for ns1 and ns2 as nameservers; they are missing.

And as your SOA is ns1 and is not visible, that is why you are getting the SOA error too.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20366641
Some ISPs, though, will only allow two nameservers, so you'd better check that.
0
 

Author Comment

by:mcioffi209
ID: 20387898
Sorry to be so slow on this issue, but if you called your ISP what exactly would you tell them to do?  They are a bit reluctant to make changes and I want to be sure I have the full and proper information to give them.

Thanks.

Please, as much detail and specifics as possible would be great.
0
 

Author Comment

by:mcioffi209
ID: 20509306
I have not given up on this. We have had some other issues that have been higher on the priority list. We are looking into this now.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20816150
ummmm what was the solution????

If it was nothing I helped with, please post the answer as it may help other users.
0
