
How to fix DNS mx record that is not returned by dig?

Hi
This is such a simple setup I can't believe that it is not working. I've configured plenty of DNS zones with MX records in the past, but they have always been in the one zone, whereas this MX record points to a subdomain. Is this even a valid way to configure DNS, having the MX and NS records pointing to a subdomain? Are there any tools to validate BIND files?

[domain name changed to acme to protect the innocent]

Basically the mail and name server for acme.com.au are in prv.acme.com.au.
Both domains are on the same server on a 192.168.1 network.

I recently found that some new cron jobs could not send email to the acme.com.au domain because the Linux `mail` process couldn't read the MX record.

So I ran dig to verify, and sure enough the MX record is not returned:
dig @localhost acme.com.au mx
; <<>> DiG 9.3.4 <<>> @localhost acme.com.au mx
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52342
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;acme.com.au.	IN	MX

;; AUTHORITY SECTION:
acme.com.au. 86400	IN	SOA	server2.prv.acme.com.au. root.acme.com.au. 2010102511 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 22 21:27:40 2010
;; MSG SIZE  rcvd: 94



Here is the acme.com.au.db file, which shows the MX record is there, pointing to the subdomain:
$ORIGIN .
$TTL 86400	; 1 day
acme.com.au	IN SOA	server2.prv.acme.com.au. root.acme.com.au. (
				2010102511 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	server2.prv.acme.com.au.
$ORIGIN acme.com.au.
mail			MX	10 server2.prv
ns1			NS	server2.prv



Not sure if the reverse DNS zone is useful, but here it is...
1.168.192.IN-ADDR.ARPA.db
$ORIGIN .
$TTL 86400	; 1 day
1.168.192.IN-ADDR.ARPA	IN SOA	server2.prv.acme.com.au. root.1.168.192.IN-ADDR.ARPA. (
				2010112221 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	server2.prv.acme.com.au.
$ORIGIN 1.168.192.IN-ADDR.ARPA.
200			PTR	server2.prv.acme.com.au.



I have restarted the named process (many times) plus deleted and reinserted the mx record and even renamed the acme.com.au.db file.

What is the best way to get the mx record working?

Cheers
Gordon
Asked by: blokeman

Chris Dent (PowerShell Developer) commented:

You do not have an MX record defined for acme.com.au.

You do have an MX record defined for mail.acme.com.au.

You want this, to add an MX to acme.com.au (assuming the origin is currently acme.com.au):

                  MX      10 server2.prv

Side-notes:

 - Your $ORIGIN statement is pointless (sets @, you don't use @).
 - This sets the Name Server for a sub-domain called ns1, seems a bit weird:

    ns1                  NS      server2.prv

HTH

Chris

blokeman (Author) commented:
Well spotted! I made a modification:
$ORIGIN .
$TTL 86400	; 1 day
acme.com.au	IN SOA	server2.prv.acme.com.au. root.acme.com.au. (
				2010102541 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	server2.prv.acme.com.au.
$ORIGIN acme.com.au.
acme.com.au	MX	10 server2.prv
mail			A	192.168.1.200
ns1			NS	server2.prv



but dig still does not give me the MX record!?

dig mx acme.com.au @localhost

; <<>> DiG 9.3.4 <<>> mx acme.com.au @localhost
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33581
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;acme.com.au.	IN	MX

;; AUTHORITY SECTION:
acme.com.au. 86400	IN	SOA	server2.prv.acme.com.au. root.acme.com.au. 2010102541 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 22 23:26:12 2010
;; MSG SIZE  rcvd: 94



Chris Dent (PowerShell Developer) commented:

You *must* terminate names if you're giving it the full name.

Now you have an MX Record for acme.com.au.acme.com.au :) Make it one of these:

acme.com.au.      MX      10 server2.prv

Or:

@                  MX      10 server2.prv

Or:

                  MX      10 server2.prv

The last only works if the entry above uses the origin (@, or acme.com.au.).

Chris

Chris Dent (PowerShell Developer) commented:

Incidentally, the same applies to your SOA record. I suggest you opt for @ where you want to use acme.com.au. as the name.

Chris

blokeman (Author) commented:
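To make the origin rule in Chris's two replies above concrete (the MX landing under mail.acme.com.au in the first reply, and the unterminated owner turning into acme.com.au.acme.com.au in the second), here is an added example that is not part of the thread: a small Python script that expands BIND master-file names against $ORIGIN the way named does when it loads a zone, and then reports where each MX actually ended up. The two zone strings are condensed from the zone files posted in this thread (SOA numbers collapsed onto one line; one extra `company` line added to show a sub-domain MX), and the script handles only the directives and record shapes those zones use. On the validation question: BIND ships `named-checkzone`, which will load a zone file and report syntax errors, but it accepts `acme.com.au.acme.com.au.` without complaint because that is a perfectly valid name, which is exactly why looking at the expanded owner names is the useful check.

```python
"""Expand BIND master-file owner names against $ORIGIN (added example).

RFC 1035 rules as named applies them: "@" is the origin, a name ending in
"." is absolute, anything else gets the current origin appended, and a
record with a blank owner field inherits the previous owner.  Only what the
posted zones use is handled: $ORIGIN, $TTL, ";" comments, "(...)" SOA
continuations and optional TTL/class fields.
"""

NAME_RDATA = {"NS", "CNAME", "PTR"}      # rdata is a single domain name

def fqdn(name, origin):
    """Resolve a master-file name against the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                      # already absolute, left alone
    return name + "." if origin == "." else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations into one line.
    Leading whitespace of the first physical line is kept: that is what
    decides whether an owner field is present or inherited."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []
            if joined.strip():
                yield joined

def parse_zone(text, origin="."):
    """Return {absolute owner: [(TYPE, rdata tuple), ...]} in file order."""
    records, last_owner = {}, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = fqdn(tokens[1], origin)
            continue                     # $TTL does not affect names
        if line[0].isspace():
            owner = last_owner           # blank owner field: inherit
            if owner is None:
                raise ValueError("record has no owner and none to inherit")
        else:
            owner = fqdn(tokens.pop(0), origin)
        last_owner = owner
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                # optional TTL and/or class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_RDATA:          # names inside rdata are relative too
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), fqdn(rdata[1], origin)]
        elif rtype == "SOA":
            mname, rname, *nums = rdata
            rdata = [fqdn(mname, origin), fqdn(rname, origin), *map(int, nums)]
        records.setdefault(owner, []).append((rtype, tuple(rdata)))
    return records

def mx_for(records, name):
    """MX (preference, exchange) pairs for an absolute name, [] if none."""
    return [rd for rt, rd in records.get(name, []) if rt == "MX"]

# Condensed from the second zone posted above: under $ORIGIN acme.com.au. the
# owner "acme.com.au" is relative, so it is NOT the apex.
RELATIVE_OWNER_ZONE = """\
$ORIGIN .
$TTL 86400   ; 1 day
acme.com.au  IN SOA  server2.prv.acme.com.au. root.acme.com.au. (
                     2010102541 10800 3600 604800 86400 )
             NS  server2.prv.acme.com.au.
$ORIGIN acme.com.au.
acme.com.au  MX  10 server2.prv
mail         A   192.168.1.200
ns1          NS  server2.prv
"""

# Condensed from the final zone posted further down: "@" names the apex.
# The last line is added here to show a sub-domain MX with a relative owner.
APEX_ZONE = """\
$ORIGIN acme.com.au.
@        IN  SOA  server2.prv.acme.com.au. networkadmin.acme.com.au. (
                  2010102581 10800 3600 604800 86400 )   ; Minimum
$ORIGIN com.au.
acme     IN  NS   server2.prv.acme.com.au.
$ORIGIN acme.com.au.
@            MX   10 server2.prv.acme.com.au.
mail     IN  A    192.168.1.200
ns1      IN  NS   server2.prv.acme.com.au.
company      MX   10 mail   ; added: mail for bob@company.acme.com.au
"""

if __name__ == "__main__":
    for label, zone in (("relative owner", RELATIVE_OWNER_ZONE), ("@ owner", APEX_ZONE)):
        recs = parse_zone(zone)
        print(f"{label}: MX for acme.com.au. = {mx_for(recs, 'acme.com.au.')}")
        mx_owners = [o for o, rrs in recs.items() if any(rt == "MX" for rt, _ in rrs)]
        print(f"    MX records loaded under: {mx_owners}")
```

Running it prints an empty MX list for acme.com.au. in the first zone, with the MX sitting under acme.com.au.acme.com.au., and the expected `(10, 'server2.prv.acme.com.au.')` in the second; the `$ORIGIN com.au.` / `acme NS` pair in the final zone resolves to the same apex name as `@`, which is why that file loads cleanly.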
Hmm..Don't go away...looking at it right now ! :-)

Chris Dent (PowerShell Developer) commented:

No problem, no rush :)

Chris

blokeman (Author) commented:
Hi Chris,
Have you ever used Novell's eDirectory integrated DNS?

The iManager and the Java DNS management GUIs both prompt for a hostname for the resource record. I received an "invalid hostname" error if I tried to terminate the resource record name "acme.com.au.".

Plus the GUI doesn't allow one to adjust any of the $ORIGIN directives.
So I was stuck in a bind ;-D, and ended up with the following each time I tried to recreate the MX record:
$ORIGIN acme.com.au.
acme.com.au      MX      10 server2.prv

Which is as you mentioned equivalent to acme.com.au.acme.com.au

So in the end I exported the zone to a BIND format, which the GUI allowed me to do. Then edited it by hand to come up with:

$ORIGIN acme.com.au.
@            IN      SOA      server2.prv.acme.com.au. networkadmin.acme.com.au. (
                              2010102581      ; Serial
                              10800      ; Refresh
                              3600      ; Retry
                              604800      ; Expire
                              86400 )      ; Minimum;


$ORIGIN com.au.
acme            IN      NS      server2.prv.acme.com.au.

$ORIGIN acme.com.au.
@                        MX      10      server2.prv.acme.com.au.
mail                        IN      A      192.168.1.200
ns1                        IN      NS      server2.prv.acme.com.au.

Then I imported the BIND file and the GUI presented the MX record correctly, but most of all, dig mx returns a result!! :-)

What a PITA this exercise has been...I am sure that there must be a bug in the iManager and Java DNS module so I'll follow up on that another day.

Thanks for your input, you got me on the right track and showed me the light!!

Chris Dent (PowerShell Developer) commented:

I haven't used it, I'm afraid. I use BIND (command line only) or MS DNS; the latter lets you leave the name field blank to generate the @ records. I guess that doesn't work here?

Chris

blokeman (Author) commented:
OMG!  I just tried leaving the name blank and it worked!! WTF!!
I am not impressed by software that prompts you to enter data in a field that is not needed!!!
What is the logic of that?  

From your experience with MS DNS, are there scenarios where you need to enter the resource record name when creating an MX record?
 -- Gordon

Chris Dent (PowerShell Developer) commented:

Only if you're setting up a sub-domain. e.g.

company.acme.com.au.  IN MX  10  mail.acme.com.au.

Giving mail for bob@company.acme.com.au somewhere to go.

Graphical interfaces are overrated :)

Chris

blokeman (Author) commented:
Thanks Chris!  That makes sense. "You da Genius man"!

Yeah Graphical interfaces are overrated, a bit like my Bind knowledge!! :-D

--Gordon
0259hrs and signing off

Chris Dent (PowerShell Developer) commented:

Sleep well :)

Chris
Question has a verified solution.