• Status: Solved

DNS lookup failed error with email

Hello,

I'm having a strange issue with email/DNS. Users are having issues sending email to one specific domain (partners.org). Our domain name is ssmh.org. The email system being used is Kerio. I can see the messages sitting in the queue with the error "4.4.3 DNS lookup failed". From what I can tell, DNS is configured correctly on the server. I've run DNS tests from a couple of online places that check for ns lookup, mx lookup, etc. Everything comes back clean on both domains (sending/receiving). However, if I try to do an nslookup from inside the ssmh.org domain, it does not resolve to partners.org. An nslookup from outside the domain resolves fine to partners.org.

This domain (partners.org) is the only domain that users are unable to send mail to. Mail flow is fine for everywhere else. Initially I thought it may have been a problem with the mail server on the other end, yet when I try to send email to that domain from my personal Yahoo account, email gets there without an issue.

Anybody have any ideas/suggestions? This is driving me crazy.

Happy Holidays to all!
mcascio
 
ewkelly Commented:
Who are you using for your external dns?
Try changing. Google has a free set at  8.8.8.8 and 8.8.4.4
Sounds like a bad dns entry to me.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
Confirming:
Any attempt to resolve partners.org from inside the ssmh.org domain fails?
  Check the DNS server(s) being used inside ssmh.org. Look for SOA or NS records specifically on the server which are wrong. Look for conditional forwarders pointed to partners.org which might now be erroneous. It may be that someone set something up originally pointed at a valid partners.org name server, and they changed the server.

If it were only the mail server itself that was having problems, I'd suggest checking to make certain there weren't bad entries in the hosts file...
0
 
mcascio (Author) Commented:
razmus,

I don't see any conditional forwarders in DNS.  

ewkelly,

I'll need to investigate further on the external dns.  I wasn't involved in that process so not sure what is being used, but thanks for the start.

I'll update this once I get all the info.  If there's anything else you can think of, please let me know.
0
 
mcascio (Author) Commented:
Oh, and razmus, in answer to your question, yes, any attempt to resolve partners.org from inside the domain fails. Can't do an nslookup on it and when trying to ping, it only says "unknown host" rather than resolving to the correct IP as it does outside of the domain.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
From inside the domain, if you enter nslookup
then "set type=soa"
then "partner.org"

Does it respond with information?
Make certain the NS records there match what you see from servers outside the domain...
0
 
mcascio (Author) Commented:
razmus,

I'll try that later tonight and let you know what happens. Unfortunately, right now I'm offsite without access to the network.

Thanks for the advice.
0
 
mcascio (Author) Commented:
razmus,

I did as you instructed and it does respond with information.  It displayed the following:

Non-authoritative answer:
partner.org
        primary name server = dns1.name-services.com
        responsible mail addr = info.name-services.com
        serial  = 2002050701
        refresh = 10001 (2 hours 46 mins 41 secs)
        retry   = 1801 (30 mins 1 sec)
        expire  = 604801 (7 days 1 sec)
        default TTL = 181 (3 mins 1 sec)

dns1.name-services.com  internet address = 98.124.192.1
0
 
mcascio (Author) Commented:
razmus,

Actually, forget that last comment I made. I accidentally entered "partner.org" instead of the correct "partners.org".

When I did as you instructed with "partners.org" I did not get a response.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
Hmm... partners.org -- my fault.
Okay then, that confirms your local DNS isn't able to resolve the domain, but that it doesn't think it's authoritative for the domain (which is good.) There almost has to be a conditional forwarder for partners.org in place, especially if everything else is working. (Unless your DNS servers are configured to forward requests to another, upstream server, and it has a broken conditional forwarder.)

You can configure the DNS server to use one of the servers ewkelly specified above, and it should get mail moving again -- but I'd use that as a short term solution -- I'd want to fix the internet DNS servers as well.

Check the rest of your DNS server configuration.
  - Confirm there isn't a conditional forwarder for partners.org.  
  - If the server forwards requests to another server, try configuring it to forward to a different server.  If you are then able to see the SOA for partners.org, let the administrators of the original upstream DNS server know what you've found, and they will have to fix it.
0
 
ewkelly Commented:
It could be that your office IPS is blocking partners.org.
It could also be that your company has blocked it.
Are you using spam or traffic blocking of any kind at the office?

I cannot ping partners.org by name or ip address. According to my whois search their address is 172.27.98.22, but I can get to their web site.

0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
ewkelly is right. I'd gotten so used to 'sanitized domain names' used as an example, I didn't check the records for the domain you provided. It isn't impossible that you are filtering their DNS traffic; check that too!

I can get to www.partners.org
And I can connect to the server phsmgmx.partners.org via smtp.  (And it correctly identifies me as a potential source of spam and shuts me down immediately.)
> set type=mx
> partners.org

partners.org    MX preference = 20, mail exchanger = phsmgmx.partners.org
partners.org    nameserver = auth2.dns.partners.org
partners.org    nameserver = auth1.dns.partners.org
phsmgmx.partners.org    internet address = 155.52.254.36
auth1.dns.partners.org  internet address = 155.52.254.30
auth2.dns.partners.org  internet address = 155.52.254.31

0
 
mcascio (Author) Commented:
ewkelly,

I know they are using a Barracuda filtering device, but they don't filter any DNS traffic.  It's just driving me crazy why it only seems to be this particular domain.  

razmus,

Up until now I never even tried going to www.partners.org via IE, but I just tried and as expected, I can't get to the page from within the network. But I can get to it just fine when I'm on my own personal Comcast line. I also can't telnet to port 25 of phsmgmx.partners.org from inside the network.

I still need to check the external dns entries, however I won't be able to do that until Monday when the person who administers that is in the office.  I'll keep you both updated and distribute the points once I get that info and hopefully clears things up.

Thanks again
0
 
mcascio (Author) Commented:
Perhaps one of you knows the answer to this:

The public address of the mail server mailhost.ssmh.org is 204.12.103.1. However, there is no reverse pointer entry in DNS for this network. Is this needed? The fact that all other mail is working fine leads me to think it's not, but I want to verify.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
The screen that flashed by me quick said I was denied to the mail server, so I'd say with 70-80% confidence that -- yeah, you'll need that valid reverse lookup before the partners.org mail server accepts the mail. (And it's a good thing to have in place for an outfacing mail server in any event... because lots of other systems will require it... and the number of mail servers which require it grows daily.)

Yes, I'm not surprised you can't get to the webpage from inside the network, 'cause you aren't able to resolve any of the partners.org addresses.  (You can test that by temporarily putting the address ewkelly suggested in the first message... ( http:#34212600 ))
0
 
ewkelly Commented:
Using the Google dns addresses that I gave you would prove if it is a dns problem or a Barracuda filtering device problem. The Barracuda devices use outside data to decide who to block. You can get your Barracuda Admin to allow partners.org though, if that is the issue.
0
 
mcascio (Author) Commented:
ewkelly,

I just entered the Google address in the DNS settings (8.8.8.8), and did a flush and register dns.  After doing that, I was able to resolve partners.org when doing an nslookup.  So I'm assuming that's pointing to a problem with the current DNS setup.  Maybe I should create the reverse pointer entry for the public subnet?
0
 
mcascio (Author) Commented:
FYI, this is the info I got after changing the DNS to Google and doing an nslookup:

Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> partners.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org.ssmh.org
Address:  204.12.103.1
0
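
An added example, not part of the thread or any poster's code: in the transcript above the Name: line reads partners.org.ssmh.org, that is, the query name with the ssmh.org suffix appended, and the address is the one given earlier for mailhost.ssmh.org. The Python below parses nslookup output and flags that case; the second transcript block, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import re

# Block 1 is the transcript posted above; block 2 (192.0.2.10) is constructed.
TRANSCRIPT = """\
> partners.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org.ssmh.org
Address:  204.12.103.1

> partners.org.
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org
Address:  192.0.2.10
"""

def norm(name):
    return name.strip().rstrip(".").lower()

def parse_nslookup(text):
    """One dict per '> query' block (single-address answers only)."""
    blocks = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(Name|Address(?:es)?):\s*(\S+)", line)
        if line.startswith(">"):
            blocks.append({"query": line[1:].strip(), "name": None, "addresses": []})
        elif m and blocks and m.group(1) == "Name":
            blocks[-1]["name"] = m.group(2)
        elif m and blocks and blocks[-1]["name"]:  # Address before Name is the resolver's
            blocks[-1]["addresses"].append(m.group(2))
    return blocks

def classify(block, search_suffixes):
    """Was the answer for the name typed, or for the name plus a search suffix?"""
    query, answered = norm(block["query"]), norm(block["name"] or "")
    if not answered:
        return "no-answer"
    if answered == query:
        return "exact"
    hit = any(answered == f"{query}.{norm(s)}" for s in search_suffixes)
    return "suffix-appended" if hit else "mismatch"

def audit(text, suffixes):
    return [(b["query"], b["name"], classify(b, suffixes)) for b in parse_nslookup(text)]
```

Ending the name with a dot (partners.org.) makes it fully qualified, so nslookup does not append the search suffix; the constructed second query illustrates that form.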
 
ewkelly Commented:
So you have narrowed it down to whoever you are using for dns.
This also rules out any host file issues.
If your dns is external, tell them of your issue.
If it is internal, try entering a reverse lookup, but also look at the entries to make sure they are accurate. You might also remove them and recreate them as they can be corrupted.  

One of your earlier messages said that you do not have any conditional forwarders on your dns server. I would strongly advise you put some in. The Google dns servers are free, if you don't mind using google. If you do, there are others out there that are also free.
0
 
mcascio (Author) Commented:
ewkelly,

I added a conditional forwarder for the partners.org domain and sent an email.  I don't see the error in the email queue that I used to see, and I checked the mail logs and it looks like it was sent successfully.  I'll know for sure if (or hopefully when) I hear back from the recipient.  

While this is a fix for now, I'd also like to find out what the bigger problem is since I fear they may end up seeing this issue with more domains if in fact the DNS is incorrect. But for now at least, I think I'll have some happy users trying to send to partners.org.

Thanks to you and razmus for all your help.  Much appreciated.
0
 
mcascio (Author) Commented:
Just to explain more in depth what I ended up doing:

I did a whois lookup on partners.org and found their DNS server (auth1.partners.org). I then went into DNS and created a conditional forwarder called "partner.org" and entered the IP of the partners DNS server (155.52.254.30).

ewkelly, is that what you were speaking of? Or did you mean to enter the Google DNS record as the conditional forwarder?
0
 
ewkelly Commented:
I meant to add the Google dns entries, but whatever works. You need at least one dns forwarder to get to outside addresses.
0
