Domain Name / DNS troubleshoot / Reverse DNS / PTR

Hello,
I have an internal domain named domainname.com. Recently we had some issues with email delivery to certain people:
#550 No RDNS/PTR entry for 60.A.B.C. ##
After contacting my ISP, a reverse DNS record for IP 60.A.B.C resolving to mailserver.domainname.com was created.
I told the ISP that we do not own the domain "domainname", so any reverse DNS query will not be resolved to that domain name.
I was told the PTR record must resolve to something.

What are my options now?

Now let's say I own a domain, say externaldomain.com, and I change the internal domain name to externaldomain.com.
Will this address the situation?
I have read it's not good practice to name your internal domain the same as your external domain. If I cannot name the external domain the same as the internal domain, how will anything be resolved to my internal domain?


WannabeNerdAsked:

Jan SpringerCommented:
If you want forward and inverse DNS to work properly via a public view, you need a publicly resolvable domain name even if it is only used internally.
0
WannabeNerdAuthor Commented:
Why does it say that they should be different?
http://technet.microsoft.com/en-us/library/cc708159(WS.10).aspx
0
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
I have had ISPs tell me a lot of things, but I have only used the ISP to set up the reverse DNS. Usually the owner of the IP address, which is the ISP, can set up the PTR (reverse DNS).

Call back and try someone else to see if you get better help. The problem I have had when you run into someone that is lazy or has no clue is that they think you want an A record or something else set up.

I call and say I need a reverse DNS record for 63.53.122.33 and make that mail.mydomain.com, blah blah blah.
0
Jan SpringerCommented:
"Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet."

If you have an internal SMTP server relaying email, this changes how your internal network behaves.  The internal SMTP server can be configured to use the public domain name for transmission.
0
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
You need to set a public PTR up. You don't have to do anything internally. The only thing you have to do is make sure your email is going out the IP that you want it to... for instance, that your MX record matches the public IP of your Exchange server.

Go to http://www.ipchicken.com on the Exchange server. If the Exchange server sends the email directly out to the internet, you probably want that IP to be set up with RDNS.
0
Jan SpringerCommented:
The author states:

"I told the ISP that we do not own the domain "domainname" so any reverse DNS query will not be resolved to that domain name. I was told the PTR record must resolve to something."

This means a publicly resolvable forward zone to match the inverse zone.
0
Chris DentPowerShell DeveloperCommented:

For Exchange 2007 the name is configured as the FQDN for your Send Connector (Organisation Configuration, Hub Transport, Send Connectors). The name used here does not have to match your AD domain; it should be a name which resolves in your public domain.

For example, you might use mail.yourpublicdomain.com there. You should ensure a Host (A) record exists for that on your public DNS server. Then the name can be used for the Reverse Lookup with your ISP.

Chris
0
DatedmanCommented:
The big problem with using a .com name you don't own is that your own servers, if able to connect to the Net, will go out there and find out from the .com root servers that they are not authoritative for this domain. Then they'll go out trying to register with the actual DNS server for that name (constantly, forever, even if you think you turned that off) which is problematic. :)

You can actually set up reverse DNS that doesn't match and it will work almost all the time. Maybe all the time, but not necessarily so in the future. But in general it's better to separate your internal network from .com. For instance, if you use a .doc name and your DNS server for that domain is exposed to the Net to support a public website and so you can get e-mail, then people can work the DNS server to see the names and addresses of every machine on your network.

So usually what people do is use .local for their Windows network which keeps it looking inward...and use .com or whatever for their e-mail addresses, website etc. so that people on the Net can find what they need to find.
0
DatedmanCommented:
oops, ".doc" above -> ".com"
0
Chris DentPowerShell DeveloperCommented:

> Then they'll go out trying to register with the actual DNS server for that name (constantly, forever,
> even if you think you turned that off) which is problematic. :)

That won't occur if DNS is configured correctly for an AD domain. It can only occur when the local servers have no authority for the domain; that would be a problem because AD needs a domain to store service records in.

DNS will never forward requests for a domain it holds authority over (whether the public view agrees with that authority or not).

> You can actually set up reverse dns that doesn't match and it will work almost all the time

Except for AOL, GMail, Hotmail, and anyone else that checks the name in the HELO matches the reverse lookup.

> For instance, if you use a .com name and your DNS server for that domain is exposed to the Net to support
> a public website and so you can get e-mail

Then your firewall rules are flawed because there's no need to allow inbound DNS queries unless you are actually hosting a public DNS service.

Nothing to do with DNS configuration, everything to do with network security (or lack of).

Chris
0
WannabeNerdAuthor Commented:
Thanks, but I'm totally confused by the different suggestions.
Jesper-- "The internal SMTP server can be configured to use the public domain name for transmission."
How do you do that?

Chris-Dent:
"For Exchange 2007 the name is configured as the FQDN for your Send Connector (Organisation Configuration, Hub Transport, Send Connectors). The name used here does not have to match your AD Domain, it should be a name which resolves in your public domain."

I have got 2 send connectors, namely:
EdgeSync - Default-First-Site-Name to Internet
EdgeSync - Inbound to Default-First-Site-Name

How do I make the changes here so that I can use my public domain name, which is different to my internal domain name?




0
DatedmanCommented:
Chris what's with that? :)

o *If you don't own a .com domain,* and your servers have access to the Net, even if your servers think they're authoritative for it to start with, they will in fact discover otherwise in my experience. Unless something has changed recently. :)

o Yup, I said almost all of the time LOL...

o You should never rely on firewalls; they're an additional thing IMO. Configuration should be as secure as possible to start with. But I said "if you use a .com name and your DNS server for that domain is exposed to the Net to support a public website".
0
Jan SpringerCommented:
What I am suggesting is that you need another domain name that is publicly resolvable via a query with an Address record in the forward domain zone that matches the Pointer record in the inverse address zone.

I have on good authority that Chris-Dent knows what s/he's talking about when it comes to Windows!
0
Chris DentPowerShell DeveloperCommented:

Hey :)

We need to do this in order:

1. Get a public name for your mail server

Can you run:

nslookup -q=mx yourpublicdomain.com

Are any of the entries there your mail server?

If none of them are, we need to give your server a name. This can be anything, but we must be able to resolve it from the rest of the world. Something simple like "mail.yourpublicdomain.com" or "smtp.yourpublicdomain.com" would be nice. Are you able to add this to your public DNS service?

Whichever name we create needs to point to the public IP address used by the mail server when it sends out mail. So a new Host (A) record pointing at that IP address on your public DNS server.

2. Configuring the PTR

If we got a name from the MX, or made one up and added it, the ISP can be contacted again. They can be told to point the PTR record (Reverse Lookup) to the name from step 1.

3. HELO

The last step is to change the name used when your server talks to other SMTP servers.

Exactly where this is depends on your configuration; we need to take a bit of a look at this.

Open up the Properties for "EdgeSync - Default-First-Site-Name to Internet". Select the Address Space tab and see if the only entry listed is "*". Then select the Network tab and see if "Use domain name system (DNS) ..." is selected.

If "Route mail through the following smart hosts" is selected then the changes need to be made on that server.

However, if the first option is selected, and the address space is "*" (everything), then all you need do now is change the value in the FQDN box under the General tab to the name we used in 1 and 2.

@Datedman, I'll leave those discussions for a different thread. My disagreement with the points isn't relevant to this one :)

Chris
0
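The three checks in the steps above (public A record for the mail server's name, a PTR that points at that name, and a HELO name that agrees with both) can be automated. This is an added example, not code from the thread; the lookup table is constructed, the IP 60.1.2.3 is a placeholder for the thread's 60.A.B.C, and a real resolver can be passed in place of `table_resolver` to check a live server.

```python
import ipaddress

# Constructed stand-in for public DNS. The PTR is in the state the thread
# describes after the first ISP call: it points at the internal name, which
# has no public A record, so the reverse name cannot be confirmed forward.
CONSTRUCTED_ZONE = {
    ("mypublicdomain.com", "MX"): ["mail.mypublicdomain.com"],
    ("mail.mypublicdomain.com", "A"): ["60.1.2.3"],
    ("3.2.1.60.in-addr.arpa", "PTR"): ["servername.internaldomainname.com"],
}


def table_resolver(qname, rtype, zone=CONSTRUCTED_ZONE):
    """Offline resolver: returns the answer strings for (qname, rtype) or []."""
    return zone.get((qname.lower().rstrip("."), rtype), [])


def resolver_with_ptr(ip, name, zone=CONSTRUCTED_ZONE):
    """Resolver over a copy of zone with the PTR for ip set to name, modelling
    the ISP updating the reverse record as requested in step 2."""
    patched = dict(zone)
    patched[(ipaddress.ip_address(ip).reverse_pointer, "PTR")] = [name]
    return lambda q, t: table_resolver(q, t, patched)


def check_mail_identity(helo_name, public_ip, resolve=table_resolver):
    """Check the name the server announces in HELO/EHLO against the public IP
    it sends from. Every value must be True for a receiver that enforces
    forward-confirmed reverse DNS (FCrDNS) to accept the server's identity."""
    helo = helo_name.lower().rstrip(".")
    domain = helo.split(".", 1)[1]
    mx_hosts = {h.lower().rstrip(".") for h in resolve(domain, "MX")}
    a_records = resolve(helo, "A")
    rev = ipaddress.ip_address(public_ip).reverse_pointer   # 3.2.1.60.in-addr.arpa
    ptr_names = [n.lower().rstrip(".") for n in resolve(rev, "PTR")]
    return {
        "helo_in_mx": helo in mx_hosts,                # step 1: nice to have
        "helo_has_a_record": public_ip in a_records,   # step 1: required
        "ptr_exists": bool(ptr_names),                 # step 2
        "ptr_matches_helo": helo in ptr_names,         # step 3
        # FCrDNS: each PTR name must resolve forward to the sending IP
        "fcrdns": bool(ptr_names)
        and all(public_ip in resolve(n, "A") for n in ptr_names),
    }
```

Run against the internal name first and the PTR matches HELO but nothing confirms it forward; after repointing the PTR and switching HELO to the public name, every check passes.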

DatedmanCommented:
Yup, I agree with everything you said; sorry if my points were badly put above. I was mostly just trying to answer his question about why internal and external domain names should be different according to the quoted... and evidently I express myself poorly. :)
0
WannabeNerdAuthor Commented:
Still a little confused, but getting there.

"However, if the first option is selected, and the address space is "*" (everything) then all you need do now is change the value in the FQDN box under the general tab to the name we used in 1 and 2."

This is how it is on my server. Just to be clear, Chris, is the name I enter in the FQDN box "mail.yourpublicdomain.com"?
0
Chris DentPowerShell DeveloperCommented:

Good, that does help :)

> Just to be clear, Chris, is the name I enter in the FQDN box "mail.yourpublicdomain.com"?

If, and only if, that name exists in the public. And "yourpublicdomain.com" should be replaced by the correct domain (just in case).

Whether the name exists is easy to test with "nslookup mail.yourpublicdomain.com".

Chris
0
WannabeNerdAuthor Commented:
Right!

mail.mypublicdomain.com was already set up from someone else's previous fiddlings, so all OK there.

A little worried about messing with emails while people are sending them, so I'm going to try it tonight. I will let you know how I get on.

Thanks
0
Chris DentPowerShell DeveloperCommented:

Good morning :)

How did it go?

Chris
0
WannabeNerdAuthor Commented:
Morning!
I "think" it worked! Email sent from inside to a Hotmail account shows the change. In the first mail it shows Received: from servername.internaldomainname.com, and after making the changes it shows
Received: mail.yourpublicdomain.co.uk.

The only thing that needs to be done is to ask the ISP to change my PTR record to mail.yourpublicdomain.co.uk, because if I go to zoneedit.com and do the nslookup it still has the old PTR name for reverse DNS, i.e. servername.internaldomainname.com.

Is there anything else which I need to look for?



X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: NAME <name@xyz.co.uk>
X-Message-Info: JGTYoYF78jEO+C0XDvAL4RbAszAYSJndFeaPwaKoTsu5elEr4sijOfUrxr3Tou4EXJ5rI3GKAcAHNOTYdMYtOq8v+d2XmPAJ
Received: from servername.internaldomainname.com ([60.A.B.C]) by col0-mc3-f6.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 2 Jul 2009 08:51:15 -0700

---------------------------------------------------------------------------------------------------------------------------

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: NAME <name@xyz.co.uk>
X-Message-Info: JGTYoYF78jGD4n47lwwP6V1hfWjMtViqhLyyE45h6WWT8QYB1flB4qkGvyITaL46CEIKfDxCBCR4xhLqU1txiXe69MBYMaf4
Received: from mail.yourpublicdomain.co.uk (60.A.B.C)3-F33.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
         Thu, 2 Jul 2009 14:31:22 -0700
---------------------------------------------------------------------------------------------------------------------------

0
Chris DentPowerShell DeveloperCommented:

> Is there anything else which I need to look for?

Just be aware that these changes take time. Especially when you're dealing with really big mail services like Hotmail / AOL. They tend to lag behind the rest of the world when it comes to DNS changes.

Anyway, once the PTR has changed it should complete this and everything should be good :)

Chris
0
WannabeNerdAuthor Commented:
Great Answer!
0