Solved

Domain Name / DNS troubleshoot / Reverse DNS / PTR

Posted on 2009-07-02
Last Modified: 2012-05-07
Hello,
I have an internal domain named domainname.com. Recently we had some issues with email delivery to certain people:
#550 No RDNS/PTR entry for 60.A.B.C. ##
After contacting my ISP, a reverse DNS entry for IP 60.A.B.C resolving to mailserver.domainname.com was created.
I told the ISP that we do not own the domain "domainname", so any reverse DNS query will not be resolved to that domain name.
I was told the PTR record must resolve to something.

What are my options now?

Now let's say I own a domain, say externaldomain.com, and I change the internal domain name to externaldomain.com.
Will this address the situation?
I have read it's not good practice to name your internal domain the same as your external domain. If I cannot name the external domain the same as the internal domain, how will anything be resolved to my internal domain?


Question by:WannabeNerd
22 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24763425
If you want forward and inverse DNS to work properly via a public view, you need a publicly resolvable domain name even if it is only used internally.
0
 

Author Comment

by:WannabeNerd
ID: 24763476
Why does it say that they should be different?
http://technet.microsoft.com/en-us/library/cc708159(WS.10).aspx
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24763529
I have had ISPs tell me a lot of things, but I have only used the ISP to set up the reverse DNS. Usually the owner of the IP address, which is the ISP, can set up the PTR (reverse DNS).

Call back and try someone else to see if you get better help. The problem I have had is that when you run into someone that is lazy or has no clue, they think you want an A record or something else set up.

I call and say I need a reverse DNS entry for 63.53.122.33 and make that mail.mydomain.com, blah blah blah.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24763556
"Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet."

If you have an internal SMTP server relaying email, this changes how your internal network behaves.  The internal SMTP server can be configured to use the public domain name for transmission.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24763597
You need to set a public PTR up. You don't have to do anything internally. The only thing you have to do is make sure your email is going out the IP that you want it to... for instance, that your MX record matches the public IP of your Exchange server.

Go to http://www.ipchicken.com on the Exchange server. If the Exchange server sends the email directly out to the internet, you probably want that IP to be set up with RDNS.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24763641
The author states:

"I told the ISP that we do not own the domain "domainname" so any reverse dns query will not be resolved to that domain name.  I was told the ptr record must resolve to something ."

This means a publicly resolvable forward zone to match the inverse zone.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24763650

For Exchange 2007 the name is configured as the FQDN for your Send Connector (Organisation Configuration, Hub Transport, Send Connectors). The name used here does not have to match your AD Domain, it should be a name which resolves in your public domain.

For example, you might use mail.yourpublicdomain.com there. You should ensure a Host (A) record exists for that on your public DNS server. Then the name can be used for the Reverse Lookup with your ISP.

Chris
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24763707
The big problem with using a .com name you don't own is that your own servers, if able to connect to the Net, will go out there and find out from the .com root servers that they are not authoritative for this domain. Then they'll go out trying to register with the actual DNS server for that name (constantly, forever, even if you think you turned that off) which is problematic. :)

You can actually set up reverse dns that doesn't match and it will work almost all the time.  Maybe all the time, but not necessarily so in the future.  But in general it's better to separate your internal network from .com.  For instance, if you use a .doc name and your DNS server for that domain is exposed to the Net to support a public website and so you can get e-mail, then people can work the DNS server to see the names and addresses of every machine on your network.

So usually what people do is use .local for their Windows network which keeps it looking inward...and use .com or whatever for their e-mail addresses, website etc. so that people on the Net can find what they need to find.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24763722
oops, ".doc" above -> ".com"
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24763783

> Then they'll go out trying to register with the actual DNS server for that name (constantly, forever,
> even if you think you turned that off) which is problematic. :)

That won't occur if DNS is configured correctly for an AD domain. It can only occur when the local servers have no authority for the domain; that would be a problem because AD needs a domain to store service records in.

DNS will never forward requests for a domain it holds authority over (whether the public view agrees with that authority or not).

> You can actually set up reverse dns that doesn't match and it will work almost all the time

Except for AOL, GMail, Hotmail, and anyone else that checks the name in the HELO matches the reverse lookup.

> For instance, if you use a .com name and your DNS server for that domain is exposed to the Net to support
> a public website and so you can get e-mail

Then your firewall rules are flawed because there's no need to allow inbound DNS queries unless you are actually hosting a public DNS service.

Nothing to do with DNS configuration, everything to do with network security (or lack of).

Chris
0
 

Author Comment

by:WannabeNerd
ID: 24764040
Thanks, but I'm totally confused by the different suggestions.
Jesper -- "The internal SMTP server can be configured to use the public domain name for transmission."
How do you do that?

Chris-Dent:
"For Exchange 2007 the name is configured as the FQDN for your Send Connector (Organisation Configuration, Hub Transport, Send Connectors). The name used here does not have to match your AD Domain, it should be a name which resolves in your public domain."

I have got 2 send connectors, namely:
EdgeSync - Default-First-Site-Name to Internet
EdgeSync - Inbound to Default-First-Site-Name

How do I make the changes so that I can use my public domain name, which is different from my internal domain name, here?
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24764071
Chris what's with that? :)

o *If you don't own a .com domain,* and your servers have access to the Net, even if your servers think they're authoritative for it to start with, they will in fact discover otherwise in my experience.  Unless something has changed recently. :)

o Yup I said almost all of the time LOL...

o You should never rely on firewalls they're an additional thing IMO--configuration should be as secure as possible to start with.  But I said "if you use a .com name and your DNS server for that domain is exposed to the Net to support a public website"
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24764140
What I am suggesting is that you need another domain name that is publicly resolvable via a query with an Address record in the forward domain zone that matches the Pointer record in the inverse address zone.

I have on good authority that Chris-Dent knows what s/he's talking about when it comes to Windows!
0
 
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 24764326

Hey :)

We need to do this in order:

1. Get a public name for your mail server

Can you run:

nslookup -q=mx yourpublicdomain.com

Are any of the entries there your mail server?

If none of them are, we need to give your server a name. This can be anything, but we must be able to resolve it from the rest of the world. Something simple like "mail.yourpublicdomain.com" or "smtp.yourpublicdomain.com" would be nice. Are you able to add this to your public DNS service?

Whichever name we create needs to point to the public IP address used by the mail server when it sends out mail. So a new Host (A) record pointing at that IP address on your public DNS server.

2. Configuring the PTR

If we got a name from the MX, or made one up and added it the ISP can be contacted again. They can be told to point the PTR record (Reverse Lookup) to the name from step 1.

3. HELO

The last step is to change the name used when your server talks to other SMTP servers.

Exactly where this is depends on your configuration, we need to take a bit of a look at this.

Open up the Properties for "EdgeSync - Default-First-Site-Name to Internet". Select the Address Space tab and see if the only entry listed is "*". Then select the Network tab and see if "Use domain name system (DNS) ..." is selected.

If "Route mail through the following smart hosts" is selected then the changes need to be made on that server.

However, if the first option is selected, and the address space is "*" (everything) then all you need do now is change the value in the FQDN box under the general tab to the name we used in 1 and 2.

@Datedman, I'll leave those discussions for a different thread. My disagreement with the points isn't relevant to this one :)

Chris
0
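The three steps above (public A record, matching PTR, HELO name set to that same name) only work when they close a loop: HELO name resolves to the sending IP, and the sending IP's PTR resolves back to the HELO name. The checker below, added here as an illustration and not code from the thread or from Exchange, verifies that loop; the names and IPs in the sample DNS view are constructed, and the resolver callbacks are an assumption so the check can run offline before being pointed at live DNS.

```python
import socket
from typing import Callable, List

# Constructed sample DNS view (hypothetical names, documentation-range IP) so
# the checker runs offline; for a real server pass live_a / live_ptr instead.
SAMPLE_A = {"mail.yourpublicdomain.com": "203.0.113.25"}
SAMPLE_PTR = {"203.0.113.25": "mail.yourpublicdomain.com"}

def sample_a(name: str) -> str:
    return SAMPLE_A[name]          # KeyError stands in for NXDOMAIN

def sample_ptr(ip: str) -> str:
    return SAMPLE_PTR[ip]

def live_a(name: str) -> str:
    return socket.gethostbyname(name)

def live_ptr(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

LOOKUP_FAILURES = (socket.gaierror, socket.herror, KeyError)

def check_fcrdns(helo_name: str, sending_ip: str,
                 resolve_a: Callable[[str], str] = live_a,
                 resolve_ptr: Callable[[str], str] = live_ptr) -> List[str]:
    """Check that HELO name -> A record -> sending IP -> PTR -> HELO name closes.

    Returns a list of problems; an empty list means a receiver that insists on
    forward-confirmed reverse DNS (the 550 in the question) will accept the name.
    """
    name = helo_name.rstrip(".").lower()
    # A .local or single-label name is the internal AD name; it cannot be
    # resolved by anyone outside the network, so it can never match the PTR.
    if name.endswith(".local") or "." not in name:
        return [f"{name} is not a public name; receivers cannot resolve it"]
    try:
        ip = resolve_a(name)
    except LOOKUP_FAILURES:
        return [f"no A record for {name}: the name does not exist in public DNS"]
    problems = []
    if ip != sending_ip:
        problems.append(f"{name} resolves to {ip}, but mail leaves from {sending_ip}")
    try:
        ptr = resolve_ptr(sending_ip).rstrip(".").lower()
    except LOOKUP_FAILURES:
        problems.append(f"no PTR for {sending_ip}: expect '550 No RDNS/PTR entry'")
        return problems
    if ptr != name:
        problems.append(f"PTR for {sending_ip} is {ptr}, not {name}: HELO/PTR mismatch")
    return problems
```

Run it with the live resolvers against the Send Connector FQDN and the public IP the server sends from; any non-empty result names the step that is still missing.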
 
LVL 10

Expert Comment

by:Datedman
ID: 24764363
Yup I agree with everything you said, sorry if my points were badly put above.  I was mostly just trying to answer his question about why internal and external domain names should be different according to the quoted...and evidently I express myself poorly. :)
0
 

Author Comment

by:WannabeNerd
ID: 24765056
Still a little confused, but getting there.

"However, if the first option is selected, and the address space is "*" (everything) then all you need do now is change the value in the FQDN box under the general tab to the name we used in 1 and 2."

This is how it is on my server. Just to be clear, Chris, is the name I enter in the FQDN box "mail.yourpublicdomain.com"?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24765075

Good, that does help :)

> Just to be clear Chris is the name i enter in the FQDN box is "mail.yourpublicdomain.com"?

If, and only if that name exists in the public. And where "yourpublicdomain.com" should be replaced by the correct domain (just in case).

Whether the name exists is easy to test with "nslookup mail.yourpublicdomain.com".

Chris
0
 

Author Comment

by:WannabeNerd
ID: 24765146
Right!

mail.mypublicdomain.com was already set up from someone else's previous fiddlings, so all OK there.

A little worried about messing with emails while people are sending them, so going to try it tonight.  I will let you know how I get on.

Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24770801

Good morning :)

How did it go?

Chris
0
 

Author Comment

by:WannabeNerd
ID: 24770944
Morning!
I "think" it worked! Email sent from inside to a Hotmail account shows the change. In the first mail it shows Received: from servername.internaldomainname.com, and after making the changes it shows
Received: mail.yourpublicdomain.co.uk.

The only thing that still needs to be done is to ask the ISP to change my PTR record to mail.yourpublicdomain.co.uk, because if I go to zoneedit.com and do the nslookup it still has the old PTR name for reverse DNS, i.e. servername.internaldomainname.com.

Is there anything else which I need to look for?

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: NAME <name@xyz.co.uk>
X-Message-Info: JGTYoYF78jEO+C0XDvAL4RbAszAYSJndFeaPwaKoTsu5elEr4sijOfUrxr3Tou4EXJ5rI3GKAcAHNOTYdMYtOq8v+d2XmPAJ
Received: from servername.internaldomainname.com ([60.A.B.C]) by col0-mc3-f6.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 2 Jul 2009 08:51:15 -0700


---------------------------------------------------------------------------------------------------------------------------




X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: NAME <name@xyz.co.uk>
X-Message-Info: JGTYoYF78jGD4n47lwwP6V1hfWjMtViqhLyyE45h6WWT8QYB1flB4qkGvyITaL46CEIKfDxCBCR4xhLqU1txiXe69MBYMaf4
Received: from mail.yourpublicdomain.co.uk (60.A.B.C)3-F33.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
         Thu, 2 Jul 2009 14:31:22 -0700
---------------------------------------------------------------------------------------------------------------------------

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24772049

> Is there anything else which i need to look for ???

Just be aware that these changes take time. Especially when you're dealing with really big mail services like Hotmail / AOL. They tend to lag behind the rest of the world when it comes to DNS changes.

Anyway, once the PTR has changed it should complete this and everything should be good :)

Chris
0
 

Author Closing Comment

by:WannabeNerd
ID: 31599188
Great Answer!
0