Solved

Domain Name / DNS troubleshoot / Reverse DNS / PTR

Posted on 2009-07-02
700 Views
Last Modified: 2012-05-07
Hello,
I have an internal domain named domainname.com . Recently we had some issues with the email delivery to certain people
#550 No RDNS/PTR entry for 60.A.B.C. ##
After contacting my ISP a reverse DNS for ip 60.A.B.C resolving to mailserver.domainname.com was created.
I told the ISP that we do not own the domain "domainname" so any reverse dns query will not be resolved to that domain name.
I was told the ptr record must resolve to something .

What are my options now ?

Now let's say I own a domain, say externaldomain.com, and I change the internal domain name to externaldomain.com.
Will this address the situation?
I have read it's not good practice to name your internal domain the same as your external domain. If I cannot name the external domain the same as the internal domain, how will anything be resolved to my internal domain?


Question by:WannabeNerd

22 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24763425
If you want forward and inverse DNS to work properly via a public view, you need a publicly resolvable domain name even if it is only used internally.
0
 

Author Comment

by:WannabeNerd
ID: 24763476
Why does it say that they should be different ?
http://technet.microsoft.com/en-us/library/cc708159(WS.10).aspx
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24763529
I have had ISPs tell me a lot of things, but I have only used the ISP to set up the reverse DNS. Usually the owner of the IP address, which is the ISP, can set up the PTR (reverse DNS).

Call back and try someone else to see if you get better help. The problem I have had when you run into someone that is lazy or has no clue is that they think you want an A record or something else set up.

I call and say I need a reverse DNS server for 63.53.122.33  and make that mail.mydomain.com   blah blah blah
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24763556
"Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet."

If you have an internal SMTP server relaying email, this changes how your internal network behaves.  The internal SMTP server can be configured to use the public domain name for transmission.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24763597
You need to set a public PTR up.   You don't have to do anything internally.   Only thing you have to do is make sure your email is going out the IP that you want it to... for instance that your MX record matches the public IP of your Exchange server.


Go to http://www.ipchicken.com on the exchange server....if the exchange server sends the email directly out to the internet you probably want that IP to be setup with RDNS.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24763641
The author states:

"I told the ISP that we do not own the domain "domainname" so any reverse dns query will not be resolved to that domain name.  I was told the ptr record must resolve to something ."

This means a publicly resolvable forward zone to match the inverse zone.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24763650

For Exchange 2007 the name is configured as the FQDN for your Send Connector (Organisation Configuration, Hub Transport, Send Connectors). The name used here does not have to match your AD Domain, it should be a name which resolves in your public domain.

For example, you might use mail.yourpublicdomain.com there. You should ensure a Host (A) record exists for that on your public DNS server. Then the name can be used for the Reverse Lookup with your ISP.

Chris
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24763707
The big problem with using a .com name you don't own is that your own servers, if able to connect to the Net, will go out there and find out from the .com root servers that they are not authoritative for this domain. Then they'll go out trying to register with the actual DNS server for that name (constantly, forever, even if you think you turned that off) which is problematic. :)

You can actually set up reverse dns that doesn't match and it will work almost all the time.  Maybe all the time, but not necessarily so in the future.  But in general it's better to separate your internal network from .com.  For instance, if you use a .doc name and your DNS server for that domain is exposed to the Net to support a public website and so you can get e-mail, then people can work the DNS server to see the names and addresses of every machine on your network.

So usually what people do is use .local for their Windows network which keeps it looking inward...and use .com or whatever for their e-mail addresses, website etc. so that people on the Net can find what they need to find.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24763722
oops, ".doc" above -> ".com"
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24763783

> Then they'll go out trying to register with the actual DNS server for that name (constantly, forever,
> even if you think you turned that off) which is problematic. :)

That won't occur if DNS is configured correctly for an AD domain. It can only occur when the local servers have no authority for the domain; that would be a problem because AD needs a domain to store service records in.

DNS will never forward requests for a domain it holds authority over (whether the public view agrees with that authority or not).

> You can actually set up reverse dns that doesn't match and it will work almost all the time

Except for AOL, GMail, Hotmail, and anyone else that checks the name in the HELO matches the reverse lookup.

> For instance, if you use a .com name and your DNS server for that domain is exposed to the Net to support
> a public website and so you can get e-mail

Then your firewall rules are flawed because there's no need to allow inbound DNS queries unless you are actually hosting a public DNS service.

Nothing to do with DNS configuration, everything to do with network security (or lack of).

Chris
0
 

Author Comment

by:WannabeNerd
ID: 24764040
Thanks but totally confused with different suggestions.
Jesper-- "The internal SMTP server can be configured to use the public domain name for transmission."
How do you do that ?

Chris-Dent:
"For Exchange 2007 the name is configured as the FQDN for your Send Connector (Organisation Configuration, Hub Transport, Send Connectors). The name used here does not have to match your AD Domain, it should be a name which resolves in your public domain."

I have got 2 send connectors namely:-
EdgeSync - Default-First-Site-Name to Internet
EdgeSync - Inbound to Default-First-Site-Name

How do I make the changes so that I can use my public domain name, which is different to my internal domain name, here?




0
 
LVL 10

Expert Comment

by:Datedman
ID: 24764071
Chris what's with that? :)

o *If you don't own a .com domain,* and your servers have access to the Net, even if your servers think they're authoritative for it to start with, they will in fact discover otherwise in my experience.  Unless something has changed recently. :)

o Yup I said almost all of the time LOL...

o You should never rely on firewalls they're an additional thing IMO--configuration should be as secure as possible to start with.  But I said "if you use a .com name and your DNS server for that domain is exposed to the Net to support a public website"
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24764140
What I am suggesting is that you need another domain name that is publicly resolvable via a query with an Address record in the forward domain zone that matches the Pointer record in the inverse address zone.

I have on good authority that Chris-Dent knows what s/he's talking about when it comes to Windows!
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24764326

Hey :)

We need to do this in order:

1. Get a public name for your mail server

Can you run:

nslookup -q=mx yourpublicdomain.com

Are any of the entries there your mail server?

If none of them are, we need to give your server a name. This can be anything, but we must be able to resolve it from the rest of the world. Something simple like "mail.yourpublicdomain.com" or "smtp.yourpublicdomain.com" would be nice. Are you able to add this to your public DNS service?

Whichever name we create needs to point to the public IP address used by the mail server when it sends out mail. So a new Host (A) record pointing at that IP address on your public DNS server.

2. Configuring the PTR

If we got a name from the MX, or made one up and added it the ISP can be contacted again. They can be told to point the PTR record (Reverse Lookup) to the name from step 1.

3. HELO

The last step is to change the name used when your server talks to other SMTP servers.

Exactly where this is depends on your configuration, we need to take a bit of a look at this.

Open up the Properties for "EdgeSync - Default-First-Site-Name to Internet". Select the Address Space tab and see if the only entry listed is "*". Then select the Network tab and see if "Use domain name system (DNS) ..." is selected.

If "Route mail through the following smart hosts" is selected then the changes need to be made on that server.

However, if the first option is selected, and the address space is "*" (everything) then all you need do now is change the value in the FQDN box under the general tab to the name we used in 1 and 2.

@Datedman, I'll leave those discussions for a different thread. My disagreement with the points isn't relevant to this one :)

Chris
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24764363
Yup I agree with everything you said, sorry if my points were badly put above.  I was mostly just trying to answer his question about why internal and external domain names should be different according to the quoted...and evidently I express myself poorly. :)
0
 

Author Comment

by:WannabeNerd
ID: 24765056
Still a little confused but getting there.

"However, if the first option is selected, and the address space is "*" (everything) then all you need do now is change the value in the FQDN box under the general tab to the name we used in 1 and 2."

This is how it is on my server. Just to be clear, Chris, is the name I enter in the FQDN box "mail.yourpublicdomain.com"?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24765075

Good, that does help :)

> Just to be clear Chris is the name i enter in the FQDN box is "mail.yourpublicdomain.com"?

If, and only if that name exists in the public. And where "yourpublicdomain.com" should be replaced by the correct domain (just in case).

Whether the name exists is easy to test with "nslookup mail.yourpublicdomain.com".

Chris
0
 

Author Comment

by:WannabeNerd
ID: 24765146
Right!

mail.mypublicdomain.com was already set up from someone else's previous fiddlings, so all OK there.

A little worried about messing with emails while people are sending them, so going to try it tonight.  I will let you know how I get on.

Thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24770801

Good morning :)

How did it go?

Chris
0
 

Author Comment

by:WannabeNerd
ID: 24770944
Morning!
I "think" it worked!  Email sent from inside to hotmail account shows the change . In the first mail it shows Received: from servername.internaldomainname.com and after making the changes it shows
Received: mail.yourpublicdomain.co.uk .

The only thing that needs to be done is to ask the ISP to change my PTR record to mail.yourpublicdomain.co.uk, because if I go to zoneedit.com and do the nslookup it still has the old PTR name for reverse DNS, i.e. servername.internaldomainname.com.

Is there anything else which I need to look for?



X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: NAME <name@xyz.co.uk>
X-Message-Info: JGTYoYF78jEO+C0XDvAL4RbAszAYSJndFeaPwaKoTsu5elEr4sijOfUrxr3Tou4EXJ5rI3GKAcAHNOTYdMYtOq8v+d2XmPAJ
Received: from servername.internaldomainname.com ([60.A.B.C]) by col0-mc3-f6.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 2 Jul 2009 08:51:15 -0700


---------------------------------------------------------------------------------------------------------------------------




X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: NAME <name@xyz.co.uk>
X-Message-Info: JGTYoYF78jGD4n47lwwP6V1hfWjMtViqhLyyE45h6WWT8QYB1flB4qkGvyITaL46CEIKfDxCBCR4xhLqU1txiXe69MBYMaf4
Received: from mail.yourpublicdomain.co.uk (60.A.B.C)3-F33.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
         Thu, 2 Jul 2009 14:31:22 -0700
---------------------------------------------------------------------------------------------------------------------------

0
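The three steps in the accepted solution (a public A record for the mail server's name, a PTR for the sending IP that points back at that name, and the HELO/FQDN set to the same name) are exactly what a receiving MTA checks as forward-confirmed reverse DNS, and the two Received headers above show the state before and after the FQDN change. The script below, an added example rather than code from this thread, parses the announced HELO name and IP out of a Received line and runs that check. The zone data, the address 192.0.2.10 (documentation range) and the two Received lines are constructed stand-ins modelled on the headers posted above; the lookup functions are offline stubs that a practitioner would replace with a real resolver for a live check.

```python
import ipaddress
import re

# Constructed zone data standing in for real DNS so the script runs offline.
# 192.0.2.10 is from the documentation range, not the poster's real address.
FORWARD_ZONE = {
    "mail.yourpublicdomain.co.uk": "192.0.2.10",        # public A record (step 1)
}
REVERSE_ZONE_OLD = {
    "192.0.2.10": "servername.internaldomainname.com",  # PTR the ISP set first
}
REVERSE_ZONE_FIXED = {
    "192.0.2.10": "mail.yourpublicdomain.co.uk",        # PTR after step 2
}


def norm(name):
    """Lower-case a host name and drop any trailing dot for comparison."""
    return name.lower().rstrip(".")


def lookup_a(name, forward):
    """Stub for an A lookup; swap in a real resolver for live checks."""
    return forward.get(norm(name))


def lookup_ptr(ip, reverse):
    """Stub for a PTR lookup, keyed by the normalised IP string."""
    return reverse.get(str(ipaddress.ip_address(ip)))


# Matches "Received: from <helo> ([ip])" and "Received: from <helo> (ip)",
# the two shapes seen in the Hotmail headers in this thread.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def parse_received(header):
    """Return (helo_name, ip) from a Received header, or None if not found."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return m.group("helo"), m.group("ip")


def check_fcrdns(helo_name, ip, forward=FORWARD_ZONE, reverse=REVERSE_ZONE_OLD):
    """Forward-confirmed reverse DNS as a receiving MTA applies it:
    HELO name -> A -> ip, ip -> PTR -> same name, PTR name -> A -> ip."""
    problems = []
    a = lookup_a(helo_name, forward)
    if a is None:
        problems.append(f"no A record for HELO name {helo_name}")
    elif a != ip:
        problems.append(f"A record for {helo_name} is {a}, not {ip}")
    ptr = lookup_ptr(ip, reverse)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    else:
        if norm(ptr) != norm(helo_name):
            problems.append(f"PTR for {ip} is {ptr}, HELO announces {helo_name}")
        if lookup_a(ptr, forward) != ip:
            problems.append(f"PTR name {ptr} does not resolve back to {ip}")
    return {"helo": helo_name, "ip": ip, "a": a, "ptr": ptr,
            "ok": not problems, "problems": problems}


# Constructed Received lines modelled on the before/after headers in this thread.
BEFORE_HEADER = ("Received: from servername.internaldomainname.com ([192.0.2.10]) "
                 "by mx.example.net with Microsoft SMTPSVC(6.0.3790.3959);")
AFTER_HEADER = ("Received: from mail.yourpublicdomain.co.uk (192.0.2.10) "
                "by mx.example.net with Microsoft SMTPSVC(6.0.3790.3959);")

if __name__ == "__main__":
    for label, hdr, rev in (("before", BEFORE_HEADER, REVERSE_ZONE_OLD),
                            ("after FQDN change", AFTER_HEADER, REVERSE_ZONE_OLD),
                            ("after ISP PTR update", AFTER_HEADER, REVERSE_ZONE_FIXED)):
        helo, ip = parse_received(hdr)
        result = check_fcrdns(helo, ip, reverse=rev)
        print(f"{label}: ok={result['ok']} {result['problems']}")
```

Run as-is, the first two cases fail for the reasons the thread describes (the internal name has no public A record; after the FQDN change the HELO name is right but the ISP's PTR still names the old host), and only the third case, with the PTR updated to match, passes all three legs.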
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24772049

> Is there anything else which i need to look for ???

Just be aware that these changes take time. Especially when you're dealing with really big mail services like Hotmail / AOL. They tend to lag behind the rest of the world when it comes to DNS changes.

Anyway, once the PTR has changed it should complete this and everything should be good :)

Chris
0
 

Author Closing Comment

by:WannabeNerd
ID: 31599188
Great Answer!
0
