Solved

How PTR record should be configured on a Windows 2003 Server?

Posted on 2008-06-24
Last Modified: 2013-12-09
We are having a problem with getting emails kicked back to us with errors of no PTR record found, now that we have switched to AT&T for our Internet provider.  AT&T flatly refuses to add a PTR on their end, since we host the Domains, and the public DNS servers.

We host about 5 domains, and our own public DNS on two Windows 2003 servers.  The email is on an in-house Exchange 2003 server.

We have added (and perhaps not correctly) PTR records for each domain into both public DNS servers.

I have done a test using DNSStuff.com to check for a PTR record for each domain, and it shows one was found.

I've done a ton of Google searches and have not been able to locate exactly where it needs to go, and the exact syntax it needs to have.  I have also searched and read everything I could find on the experts-exchange.com site.

I have added a PTR into the root of each domain listed in DNS, and left the IP address blank, so the server lists the IP address as "Same as parent".  I'm not sure if this is correct or not, but we are still getting failures.

Is there a source out there or can someone tell me, exactly how we should go about adding a PTR record on a Windows 2003 DNS server and what the syntax should be?

Thanks!

Peter
Question by:RTCexpert

Expert Comment

by:Hypercat (Deb)
I'm not clear on what you've done. When you say you "added a PTR into the root of each domain," do you mean that you created a reverse DNS zone?  That is what you would need to do - create a reverse DNS zone for each forward zone and then add the required PTR records to that reverse zone. In Windows 2003 DNS, you can set your forward zone so that reverse DNS records are created automatically - this is an attribute that you set on the records in the forward zone that you want to have PTR records for.  IOW, you would want to go to the host record for your Exchange server, open the properties and check the box that says "Update associated PTR record." That should force the creation of the PTR records.  Or, you can create them manually.

Author Comment

by:RTCexpert
Do I need to have manually created a PTR record in each of the Forward Lookup Zones, or since they (the forward zones) all use the same Exchange server remove the manually added PTR in each forward lookup zone, and just right click on the mail host record on one of them, and check the box to "Update the associated pointer (PTR) record"?

Part of my confusion is coming from three things.

1) Do I need to have an entry in both the Forward Lookup Zone and the Reverse Lookup Zone, for each Forward Lookup Entry?

2) The only Forward Lookup Zone that we have that is working for reverse lookup (but shows failed per DNSStuff.com PTR test), has two PTR entries in the Forward Lookup Zone.  One of them says Same as parent for the IP Address and the second PTR has the full IP address typed in for the Exchange server.  It also has an entry in the Reverse Lookup Zone within the 155.171.12.in-addr.arpa.

3) Should the Host Name in the Reverse Lookup Record be MAIL.DOMAINNAME.COM or should it be just DOMAINNAME.COM?

Thanks for the help!

Expert Comment

by:Hypercat (Deb)
OK - I think you're confused about the definition of a PTR record.  PTR records belong only in the reverse lookup zone.  The forward lookup zone should only contain SRV, NS, A, CNAME and MX records.  For each A record in the forward lookup zone that requires a PTR record, that record is added to the reverse lookup zone - the 155.171.12.in-addr.arpa zone. You do not necessarily have to have a reverse DNS record for each host in your forward lookup zone.  In this case, though, you need one for the host that your MX record points to.

For example, let's say your mail server host name is mail.mydomain.com and its IP address is 12.171.155.100.

The forward lookup zone has only these records (assuming this server is not a DC or DNS server):

"A" record with host name of mail, FQDN of mail.mydomain.com, and IP address of 12.171.155.100.
"MX" record with the FQDN of the mail server, mail.mydomain.com.

The reverse lookup zone has this:

"PTR" record for the Host IP address of 12.171.155.100 with the domain FQDN of 155.171.12.in-addr.arpa and host name of mail.mydomain.com.

Does that clear things up?

Author Comment

by:RTCexpert
That does make more sense now.

To see if I could have the system add the reverse lookup when the mail.domainname.com A record is created, I deleted the A record and added it back with the checkbox checked to create the associated pointer record, but I then received the following error.

Warning: The associated pointer (PTR) record cannot be created, probably because the referenced reverse lookup zone cannot be found.

Do I first need to create this somehow, before it will add the correct pointer on its own, when I add the A record?

Thanks!

Peter

Expert Comment

by:Hypercat (Deb)
Yes, you have to create the reverse lookup zone manually first.  After that, you can check that box when you create a new A record to create the PTR automatically.  To create the reverse DNS zone, just right-click on the DNS server, select New Zone, then on the third or fourth screen (I don't remember exactly) you get the option to create a reverse lookup zone.

Author Comment

by:RTCexpert
OK, I removed the manually created PTR records.

I added a reverse lookup zone for our mail server's IP address.

I deleted and added the mail host A record with the create PTR record option checked, and this time I didn't get an error on creating the corresponding reverse lookup record.

The issue I still see, is that I don't see this forward lookup zone name listed any where in the Reverse Lookup Zone, and when I test the domain's PTR record using DNSStuff.com I still get an error that no PTR record is found.

Any ideas?

Thanks!

Expert Comment

by:Hypercat (Deb)
Well, I have to say that I'm not 100% sure about automatically created PTR records - i.e., when exactly they get created.  What do you see in your reverse lookup zone at this point? Do the subnets on your forward and reverse lookup zones match - i.e., are they both 12.171.155.x with the same subnet mask?  I would say that you can just create a reverse lookup record manually; it certainly won't hurt anything.  As far as DNSStuff goes, I'm assuming your DNS server is the one that is listed as the authoritative DNS server for your domain at the domain registry.  Also be sure when you use DNSStuff that it is doing a fresh query - they cache information so sometimes you have to force it to do a fresh lookup.

Author Comment

by:RTCexpert
Yes, the Forward and Reverse lookups match as far as 12.171.155.x goes.

Yes, the subnet mask is also correct.

Yes, both of our public DNS servers are the authoritative DNS servers registered at the domain registry and set as pass through servers with our Internet provider (AT&T).

They still are not showing up in the reverse lookup zone.

Expert Comment

by:Hypercat (Deb)
Maybe restarting the DNS server service would do it, I'm not sure why it's not showing up.  Like I said, I would just go in to the reverse lookup zone and add it manually.

Author Comment

by:RTCexpert
Ah, stopping and restarting the DNS server service did make it show up.

Now I just have to figure out why a remote test tool, like DNSStuff.com, is showing the reverse lookup is failing.

Is there any tool out there better for testing reverse lookups than DNSStuff.com, so I can make sure things are working correctly?

Thanks!

Expert Comment

by:Hypercat (Deb)
You could try first just doing a reverse lookup from the command line.  After typing nslookup, enter the following command:

set q=PTR

Then, type the IP address of your mail server in reverse format - i.e., 100.155.171.12.in-addr.arpa.  Your server should respond with the host name of your mail server.  That will at least confirm that your DNS server is responding properly.  Then, you might need to look at your router/firewall, as there might be something there that could block RDNS.  I'm pretty sure that reverse lookups require UDP port 53 to be open.


Author Comment

by:RTCexpert
It responds back with one of the DNS servers for the name and IP address (which I'm guessing, based on what you said, should be the mail server's external IP address), and then after that in the Non-authoritative answer it has

name = nothing.attdns.com

Does the above mean there is a problem on my end or on AT&T's end somehow?

Thanks!

Expert Comment

by:Hypercat (Deb)
When you initially type nslookup and press Enter, it should respond with the DNS server name and IP address.  When you type the actual query it should return the name and reverse IP address of the mail server.  Here's a screen capture (this is an internal query, but it should be the same for an external query).

Could be a problem on your end.  Are you doing this query directly on your server or on a workstation on the network?


Nslookup.jpg

Accepted Solution

by:Hypercat (Deb) earned 500 total points
The more I think about this (and I've been thinking about it off and on quite a bit), the more I think what you're trying to do is not going to work.  Here's a link to a DNSStuff article about PTR records:

http://member.dnsstuff.com/rc/index2.php?option=com_alphacontent&section=8&cat=17&task=view&id=67&pop=1&Itemid=43

If you're not a DNSStuff member, you won't be able to get to that page, though, so here's a relevant quote from the article:

<<the in-addr.arpa zone is concerned with delegated network addresses. In other words, the owner of the network address is authoritative (i.e. responsible) for the host PTR records associated with that network address space. If you only own one or two host addresses within a network address space, the provider you purchased those addresses from needs to host your PTR records as the provider is the owner of (i.e. authoritative for) the network address. >>

My thinking is that the reason you're getting that weird "att.dns" response is that the query is trying to go to ATT, not to your own server, because of the above.  It occurs to me that maybe you haven't been talking to the right people at AT&T.  The provision of PTR records at AT&T can get complicated and depends upon what type of account you have with AT&T.  If it's a regular business DSL or T1 Internet account, you might try sending a request to prov-DNS@att.com and asking them to add the PTR record for your domain.  If you've already tried this and they won't do it because they don't host your domain, you might have to do something hinky, like pay them for DNS hosting but not use it, just so they'll add the PTR record where it should be.
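To make the delegation point in the quoted DNSStuff article concrete, and to tie it back to the forward/reverse zone layout (mail.mydomain.com, 12.171.155.100, 155.171.12.in-addr.arpa) and the nslookup reverse-name query described earlier in the thread, here is an added Python model; it is not code from the original thread or from either participant. The nameserver names ns.provider.example and ns1/ns2.mydomain.com and all zone data are constructed assumptions; the model only shows why a reverse zone created on the customer's Windows DNS server is never reached by a remote resolver when the ISP still holds the in-addr.arpa delegation.

```python
import ipaddress

def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address, e.g. 12.171.155.100 -> 100.155.171.12.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

# Constructed, simplified picture of the public DNS tree: zone -> nameservers the
# parent delegates it to. The /24 reverse zone is delegated to the ISP (assumed
# names); the customer's servers are only delegated the forward zone.
DELEGATIONS = {
    "in-addr.arpa.": ["ns.arpa-root.example."],
    "155.171.12.in-addr.arpa.": ["ns.provider.example."],
    "mydomain.com.": ["ns1.mydomain.com.", "ns2.mydomain.com."],
}

# Constructed zone data held by each nameserver. ns1.mydomain.com also carries the
# reverse zone created in the DNS console, but nothing delegates that zone to it.
RECORDS = {
    "ns1.mydomain.com.": {
        ("mail.mydomain.com.", "A"): ["12.171.155.100"],
        ("100.155.171.12.in-addr.arpa.", "PTR"): ["mail.mydomain.com."],
    },
    "ns.provider.example.": {
        ("100.155.171.12.in-addr.arpa.", "PTR"): ["nothing.attdns.com."],  # generic ISP PTR
    },
}

def authoritative_servers(name):
    """Follow delegations from the root downward; the deepest delegated zone is authoritative."""
    labels = name.rstrip(".").split(".")
    servers = []
    for i in range(len(labels) - 1, -1, -1):
        servers = DELEGATIONS.get(".".join(labels[i:]) + ".", servers)
    return servers

def resolve(name, rtype):
    """Ask only the servers the delegation chain leads to, as a remote resolver would."""
    for ns in authoritative_servers(name):
        rrset = RECORDS.get(ns, {}).get((name, rtype))
        if rrset:
            return rrset
    return []

def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR target must have an A record pointing back at ip."""
    ptrs = resolve(reverse_name(ip), "PTR")
    confirmed = [h for h in ptrs if ip in resolve(h, "A")]
    return (True, confirmed[0]) if confirmed else (False, ptrs[0] if ptrs else None)
```

Running `fcrdns("12.171.155.100")` returns `(False, 'nothing.attdns.com.')`, which is the generic ISP name the thread saw in nslookup; once the provider publishes a PTR of mail.mydomain.com in its copy of 155.171.12.in-addr.arpa, the same check passes because the A record in the customer-hosted forward zone confirms it.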

Author Comment

by:RTCexpert
I believe that you are correct.

It is looking more and more like we are going to need to use AT&T for the hosting, and I'm looking into that now.

Thanks for all of your help!

Author Closing Comment

by:RTCexpert
Thanks!