Solved

Resolving DNS issues on Exchange

Posted on 2007-11-28
Last Modified: 2008-05-28
Hi Folks,

I'm a newbie at Exchange and could use some assistance in making sure everything is working properly.  I hate seeing failures and errors. I used http://www.dnsstuff.com/ and found some issues with my entry. Can someone help me out?

We are also using a product called ActiveFax that sends automated faxes and emails and is required for our business; the only thing we can do with it is move it to another machine, but it must remain.

Here is the actual report, http://www.dnsstuff.com/tools/dnsreport.ch?domain=automationsolutionsinc.com

FAIL Missing (stealth) nameservers FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNSreport will not query these servers, so you need to be very careful that they are working properly.

ns1.onecommunications.net.
ns2.onecommunications.net.
ns3.onecommunications.net.
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).  

FAIL Missing nameservers 2 ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
ns1.conversent.net.
ns2.conversent.net.


FAIL Stealth NS record leakage Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [ns1.onecommunications.net.]!
Stealth nameservers are leaked [ns2.onecommunications.net.]!
Stealth nameservers are leaked [ns3.onecommunications.net.]!

This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.

WARN SOA MNAME Check WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: ns1.onecommunications.net.. However, that server is not listed at the parent servers as one of your NS records! This is legal, but you should be sure that you know what you are doing.  

WARN Mail server host name in greeting WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

asimail01.automationsolutionsinc.com claims to be non-existent host asidc01.AutomationSolutionsInc.local:
220 asidc01.AutomationSolutionsInc.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 28 Nov 2007 06:30:17 -0500

FAIL Acceptance of postmaster address ERROR: One or more of your mailservers does not accept mail to postmaster@automationsolutionsinc.com. Mailservers are required (RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1) to accept mail to postmaster.

spool.conversent.net's postmaster response:
>>> RCPT TO:<postmaster@automationsolutionsinc.com>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
asimail01.automationsolutionsinc.com's postmaster response:
>>> RCPT TO:<postmaster@automationsolutionsinc.com>
<<< 550 5.1.1 User unknown

WARN Acceptance of abuse address WARNING: One or more of your mailservers does not accept mail to abuse@automationsolutionsinc.com. Mailservers are expected by RFC2142 to accept mail to abuse.

spool.conversent.net's abuse response:
>>> RCPT TO:<abuse@automationsolutionsinc.com>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
asimail01.automationsolutionsinc.com's abuse response:
>>> RCPT TO:<abuse@automationsolutionsinc.com>
<<< 550 5.1.1 User unknown

FAIL Open relay test WARNING: One or more of your mailservers appears to be an open relay. If so, this means that you are allowing spammers to freely use the mailserver to send out spam! It is possible that your mailserver accepts all E-mail and later bounces it, or accepts the relay attempt and then deletes the E-mail, but this is not common.

WARNING: asimail01.automationsolutionsinc.com appears to be an open relay: 250 2.1.5 Not.abuse.see.www.DNSreport.com.from.IP.72.93.119.140@DNSreport.com

WARN SPF record Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).

Question by:mcioffi209
12 Comments
 
LVL 12

Accepted Solution

by:
Network_Data_Support earned 500 total points
ID: 20365057
First thing first, get that open relay closed:

   1. Start Exchange System manager (ESM)
   2. Expand Servers, <your server>, Protocols, SMTP.
   3. Right click on "Default SMTP Virtual Server" and choose Properties.
   4. Click on the "Access" Tab.
   5. There are four buttons, click on "Relay..." at the bottom.
   6. Ensure that "Only the list below" is enabled and the list is empty.
   7. If you don't have users sending email through your email server with Outlook Express or another POP3 client then you can disable "Allow all users that successfully authenticate to relay regardless of the list above".
   8. Apply/OK until all windows are closed.
0
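One way to confirm the relay is closed after applying the steps above, as an added example that is not part of the original answer: classify the RCPT replies from a re-run of the probe. The transcript below is constructed in the report's `>>>` / `<<<` style, `relaytest.example` is a placeholder foreign domain, and the probe is assumed to be unauthenticated and sent from an outside address.

```python
import re

LOCAL_DOMAINS = {"automationsolutionsinc.com"}  # domains this server accepts mail for
ROLE_ACCOUNTS = {"postmaster", "abuse"}         # mailboxes the report expects to exist

# Constructed probe transcript (not captured output); relaytest.example is a placeholder.
TRANSCRIPT = """\
>>> RCPT TO:<postmaster@automationsolutionsinc.com>
<<< 550 5.1.1 User unknown
>>> RCPT TO:<abuse@AutomationSolutionsInc.com>
<<< 550 5.1.1 User unknown
>>> RCPT TO:<probe@relaytest.example>
<<< 250 2.1.5 probe@relaytest.example
"""

RCPT = re.compile(r"^>>>\s*RCPT TO:\s*<([^<>@\s]+)@([^<>\s]+)>", re.I)
REPLY = re.compile(r"^<<<\s*(\d{3})[ -]")  # "-" marks a multi-line reply; code is the same


def classify(local, domain, code):
    """Map one RCPT reply to a finding. 2xx means the server accepted the recipient."""
    accepted = 200 <= code < 300
    if domain.lower() not in LOCAL_DOMAINS:
        # Accepting a foreign recipient from an unauthenticated outsider is relaying.
        return "OPEN_RELAY" if accepted else "relay_refused"
    if local.lower() in ROLE_ACCOUNTS and not accepted:
        return "role_mailbox_rejected"
    return "ok" if accepted else "rejected"


def audit_rcpt_transcript(transcript):
    """Pair each RCPT command with the first reply line that follows it."""
    findings, pending = [], None
    for line in transcript.splitlines():
        line = line.strip()
        cmd = RCPT.match(line)
        if cmd:
            pending = (cmd.group(1), cmd.group(2))
            continue
        reply = REPLY.match(line)
        if reply and pending:
            local, domain = pending
            address = f"{local}@{domain}".lower()
            findings.append((address, classify(local, domain, int(reply.group(1)))))
            pending = None
    return findings


if __name__ == "__main__":
    for address, finding in audit_rcpt_transcript(TRANSCRIPT):
        print(f"{finding:22} {address}")
```

A server with the relay list restricted as described should produce `relay_refused` for the foreign recipient; the `role_mailbox_rejected` findings are cleared separately by creating or aliasing the postmaster and abuse addresses.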
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20365087
looks like DNS problems

ns1.conversent.net.
ns2.conversent.net

have no entries

 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20365115
You have listed only one of the three onecommunications.net. nameservers with your domain registrar (some only allow two). This means the root nameservers (essentially, the world) only see one DNS server listed for your domain.
 

Author Comment

by:mcioffi209
ID: 20365199
How do I resolve the issue?
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20365234
You need to add NS records for

ns1.conversent.net.
ns2.conversent.net
 
LVL 12

Assisted Solution

by:Network_Data_Support
Network_Data_Support earned 500 total points
ID: 20365250
Once ns1 has been added, that will clear up the SOA problem too, by the looks of it.
0
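The three delegation findings in the report quoted in the question (stealth nameservers, missing nameservers, SOA MNAME not delegated) come down to comparing the NS set held by the parent servers with the NS set the zone's own servers return. The following is an added example, not part of the original thread: the dig-style records are constructed to mirror the report, and the TTLs, the SOA contact `hostmaster.example.` and the SOA timers are placeholder values.

```python
import re

# Constructed answer from the parent (TLD) servers: the delegation the world sees.
PARENT_ANSWER = """\
automationsolutionsinc.com. 172800 IN NS ns1.conversent.net.
automationsolutionsinc.com. 172800 IN NS NS2.Conversent.net
"""
# Constructed answer from the zone's own authoritative servers.
CHILD_ANSWER = """\
automationsolutionsinc.com. 3600 IN NS ns1.onecommunications.net.
automationsolutionsinc.com. 3600 IN NS ns2.onecommunications.net.
automationsolutionsinc.com. 3600 IN NS ns3.onecommunications.net.
automationsolutionsinc.com. 3600 IN SOA ns1.onecommunications.net. hostmaster.example. 1 3600 600 86400 3600
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|SOA)\s+(\S+)", re.I)


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse(answer):
    """Return (set of NS targets, SOA MNAME or None) from dig-style record lines."""
    ns, mname = set(), None
    for line in answer.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        if m.group(3).upper() == "NS":
            ns.add(norm(m.group(4)))
        else:
            mname = norm(m.group(4))  # first SOA field is the primary master
    return ns, mname


def audit_delegation(parent_text, child_text):
    parent_ns, _ = parse(parent_text)
    child_ns, mname = parse(child_text)
    return {
        "stealth": sorted(child_ns - parent_ns),   # in the zone, not at the parent
        "missing": sorted(parent_ns - child_ns),   # at the parent, not in the zone
        "soa_mname_delegated": mname in parent_ns,
        "consistent": parent_ns == child_ns,
    }


if __name__ == "__main__":
    for key, value in audit_delegation(PARENT_ANSWER, CHILD_ANSWER).items():
        print(f"{key}: {value}")
```

The report's delegation findings clear when `consistent` and `soa_mname_delegated` are both true, which means the registrar's nameserver list and the zone's NS records name the same servers.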

Author Comment

by:mcioffi209
ID: 20366436
I'm guessing that I need the folks that host the MX record to do that right?  What do I tell them to add?  I apologize for the basic questions, but I want to ensure that I get this nailed soon and I do not want to keep making mistakes.

Thanks for the help.
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20366635
Yes, you will have to get your external DNS registrar to key in the nameservers for ns1 and ns2 as nameservers; they are missing.

And as your SOA is ns1 and is not visible, that is why you are getting the SOA error too.
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20366641
Some ISPs though will only allow two nameservers, so you better check that.
 

Author Comment

by:mcioffi209
ID: 20387898
Sorry to be so slow on this issue, but if you called your ISP what exactly would you tell them to do?  They are a bit reluctant to make changes and I want to be sure I have the full and proper information to give them.

Thanks.

Please, as much detail and specifics as possible would be great.
 

Author Comment

by:mcioffi209
ID: 20509306
I have not given up on this. We have had some other issues that have been higher on the priority list.  We are looking into this now.
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20816150
Ummmm, what was the solution????

If it was nothing I helped with, please post the answer, as it may help other users.