Solved

DNS lookup failed error with email

Posted on 2010-11-25
Last Modified: 2012-06-22
Hello,

I'm having a strange issue with email/DNS. Users are having issues sending email to one specific domain (partners.org). Our domain name is ssmh.org. The email system being used is Kerio. I can see the messages sitting in the queue with the error "4.4.3 DNS lookup failed". From what I can tell, DNS is configured correctly on the server. I've run DNS tests from a couple of online places that check for ns lookup, mx lookup, etc. Everything comes back clean on both domains (sending/receiving). However, if I try to do an nslookup from inside the ssmh.org domain, it does not resolve to partners.org. An nslookup from outside the domain resolves fine to partners.org.

This domain (partners.org) is the only domain that users are unable to send mail to. Mail flow is fine for everywhere else. Initially I thought it may have been a problem with the mail server on the other end, yet when I try to send email to that domain from my personal yahoo account, email gets there without an issue.

Anybody have any ideas/suggestions? This is driving me crazy.

Happy Holidays to all!
mcascio
0
Question by:mcascio
21 Comments
 
LVL 5

Expert Comment

by:ewkelly
Who are you using for your external dns?
Try changing. Google has a free set at  8.8.8.8 and 8.8.4.4
Sounds like a bad dns entry to me.
0
 
LVL 29

Expert Comment

by:Rich Weissler
Confirming:
Any attempt to resolve partners.org from inside the ssmh.org domain fails?
  Check the DNS server(s) being used inside ssmh.org. Look for SOA or NS records specifically on the server which are wrong. Look for conditional forwarders pointed to partners.org which might now be erroneous. It may be that someone set something up originally pointed at a valid partners.org name server, and they changed the server.

If it were only the mail server itself that was having problems, I'd suggest checking to make certain there weren't bad entries in the hosts file...
0
 

Author Comment

by:mcascio
razmus,

I don't see any conditional forwarders in DNS.  

ewkelly,

I'll need to investigate further on the external dns.  I wasn't involved in that process so not sure what is being used, but thanks for the start.

I'll update this once I get all the info.  If there's anything else you can think of, please let me know.
0
 

Author Comment

by:mcascio
oh, and razmus, in answer to your question, yes, any attempt to resolve partners.org from inside the domain fails.  Can't do an nslookup on it and when trying to ping, it only says "unknown host" rather than resolving to the correct IP as it does outside of the domain.
0
 
LVL 29

Expert Comment

by:Rich Weissler
From inside the domain, if you enter nslookup
then "set type=soa"
then "partner.org"

Does it respond with information?
Make certain the NS records there match what you see from servers outside the domain...
0
 

Author Comment

by:mcascio
razmus,

I'll try that later tonight and let you know what happens.  unfortunately right now I'm offsite without access to the network.

thanks for the advice
0
 

Author Comment

by:mcascio
razmus,

I did as you instructed and it does respond with information.  It displayed the following:

Non-authoritative answer:
partner.org
        primary name server = dns1.name-services.com
        responsible mail addr = info.name-services.com
        serial  = 2002050701
        refresh = 10001 (2 hours 46 mins 41 secs)
        retry   = 1801 (30 mins 1 sec)
        expire  = 604801 (7 days 1 sec)
        default TTL = 181 (3 mins 1 sec)

dns1.name-services.com  internet address = 98.124.192.1
0
 

Author Comment

by:mcascio
razmus,

actually, forget that last comment I made. I accidentally entered "partner.org" instead of the correct "partners.org"

when I did as you instructed with "partners.org" I did not get a response.
0
 
LVL 29

Expert Comment

by:Rich Weissler
Hmm... partners.org -- my fault.
Okay then, that confirms your local DNS isn't able to resolve the domain, but that it doesn't think it's authoritative for the domain (which is good.) There almost has to be a conditional forwarder for partners.org in place, especially if everything else is working. (Unless your DNS servers are configured to forward requests to another, upstream server, and it has a broken conditional forwarder.)

You can configure the DNS server to use one of the servers ewkelly specified above, and it should get mail moving again -- but I'd use that as a short term solution -- I'd want to fix the internet DNS servers as well.

Check the rest of your DNS server configuration.
  - Confirm there isn't a conditional forwarder for partners.org.  
  - If the server forwards requests to another server, try configuring it to forward to a different server.  If you are then able to see the SOA for partners.org, let the administrators of the original upstream DNS server know what you've found, and they will have to fix it.
0
 
LVL 5

Expert Comment

by:ewkelly
It could be that your office IPS is blocking partners.org.
It could also be that your company has blocked it.
Are you using spam or traffic blocking of any kind at the office?

I cannot ping partners.org by name or ip address. According to my whois search their address is 172.27.98.22, but I can get to their web site.

0
 
LVL 29

Expert Comment

by:Rich Weissler
ewkelly is right. I'd gotten so used to 'sanitized domain names' used as an example, I didn't check the records for the domain you provided. It isn't impossible that you are filtering their DNS traffic; check that too!

I can get to www.partners.org
And I can connect to the server phsmgmx.partners.org via smtp.  (And it correctly identifies me as a potential source of spam and shuts me down immediately.)
> set type=mx
> partners.org

partners.org    MX preference = 20, mail exchanger = phsmgmx.partners.org
partners.org    nameserver = auth2.dns.partners.org
partners.org    nameserver = auth1.dns.partners.org
phsmgmx.partners.org    internet address = 155.52.254.36
auth1.dns.partners.org  internet address = 155.52.254.30
auth2.dns.partners.org  internet address = 155.52.254.31

0
 

Author Comment

by:mcascio
ewkelly,

I know they are using a Barracuda filtering device, but they don't filter any DNS traffic.  It's just driving me crazy why it only seems to be this particular domain.  

razmus,

up until now I never even tried going to www.partners.org via IE, but I just tried and as expected, I can't get to the page from within the network.  But can get to it just fine when I'm on my own personal Comcast line.  I also can't telnet to port 25 of phsmgmx.partners.org from inside the network.

I still need to check the external dns entries, however I won't be able to do that until Monday when the person who administers that is in the office. I'll keep you both updated and distribute the points once I get that info and that hopefully clears things up.

Thanks again
0
 

Author Comment

by:mcascio
Perhaps one of you know the answer to this:

The public address of the mail server mailhost.ssmh.org is 204.12.103.1. However, there is no reverse pointer entry in DNS for this network. Is this needed? The fact that all other mail is working fine leads me to think it's not, but I want to verify.
0
 
LVL 29

Assisted Solution

by:Rich Weissler
Rich Weissler earned 100 total points
The screen that flashed by me quick said I was denied to the mail server, so I'd say with 70-80% confidence that -- yeah, you'll need that valid reverse lookup before the partners.org mail server accepts the mail. (And it's a good thing to have in place for an outfacing mail server in any event... because lots of other systems will require it... and the number of mail servers which require it grows daily.)

Yes, I'm not surprised you can't get to the webpage from inside the network, 'cause you aren't able to resolve any of the partners.org addresses.  (You can test that by temporarily putting the address ewkelly suggested in the first message... ( http:#34212600 ))
0
 
LVL 5

Expert Comment

by:ewkelly
Using the Google dns addresses that I gave you would prove if it is a dns problem or a Barracuda filtering device problem. The Barracuda devices use outside data to decide who to block. You can get your Barracuda Admin to allow partners.org though, if that is the issue.
0
 

Author Comment

by:mcascio
ewkelly,

I just entered the Google address in the DNS settings (8.8.8.8), and did a flush and register dns.  After doing that, I was able to resolve partners.org when doing an nslookup.  So I'm assuming that's pointing to a problem with the current DNS setup.  Maybe I should create the reverse pointer entry for the public subnet?
0
 

Author Comment

by:mcascio
fyi, this is the info I got after changing the DNS to Google and doing an nslookup

Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> partners.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org.ssmh.org
Address:  204.12.103.1
0
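
Added example, not part of the original thread or any poster's code: in the nslookup output above the Name line reads partners.org.ssmh.org, meaning the client appended its DNS search suffix and the address returned is the one the thread gives for mailhost.ssmh.org. This Python sketch parses an interactive nslookup transcript and flags answers given for a suffix-appended name; the function names are hypothetical and the sample text is copied from the post above.

```python
import re

# Transcript copied from the post above (nslookup with the server set to 8.8.8.8).
FROM_THREAD = """\
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> partners.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org.ssmh.org
Address:  204.12.103.1
"""

def parse_answers(transcript):
    """Yield (query, answer_name, address) for each answer in an nslookup transcript."""
    query = name = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith(">"):            # a new query typed at the prompt
            query, name = line[1:].strip(), None
        elif m := re.match(r"Name:\s+(\S+)", line):
            name = m.group(1)               # addresses before this belong to the resolver
        elif name and (m := re.match(r"(?:Address(?:es)?:)?\s*([0-9A-Fa-f:.]+)$", line)):
            yield query, name, m.group(1)   # also matches continuation lines of "Addresses:"

def appended_suffix(query, answer_name):
    """Return the search suffix that was appended, or None if the answer is for the name as typed."""
    q, a = query.rstrip(".").lower(), answer_name.rstrip(".").lower()
    return a[len(q) + 1:] if a != q and a.startswith(q + ".") else None

def audit(transcript):
    """Return one finding per answer; 'suffix' is set when the answer is for another name."""
    return [{"query": q, "answered_for": n, "address": ip, "suffix": appended_suffix(q, n)}
            for q, n, ip in parse_answers(transcript)]

if __name__ == "__main__":
    for f in audit(FROM_THREAD):
        if f["suffix"]:
            print(f"{f['query']!r} was answered for {f['answered_for']!r} ({f['address']}): "
                  f"suffix {f['suffix']!r} appended; retry as '{f['query'].rstrip('.')}.'")
        else:
            print(f"{f['query']!r} resolved as typed to {f['address']}")
```

Typing the name with a trailing dot (partners.org.) makes nslookup query it exactly as written, without trying the search suffix.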
 
LVL 5

Accepted Solution

by:
ewkelly earned 400 total points
So you have narrowed it down to whoever you are using for dns.
This also rules out any host file issues.
If your dns is external, tell them of your issue.
If it is internal, try entering a reverse lookup, but also look at the entries to make sure they are accurate. You might also remove them and recreate them as they can be corrupted.  

One of your earlier messages said that you do not have any conditional forwarders on your dns server. I would strongly advise you put some in. The Google dns servers are free, if you don't mind using google. If you do, there are others out there that are also free.
0
 

Author Comment

by:mcascio
ewkelly,

I added a conditional forwarder for the partners.org domain and sent an email.  I don't see the error in the email queue that I used to see, and I checked the mail logs and it looks like it was sent successfully.  I'll know for sure if (or hopefully when) I hear back from the recipient.  

While this is a fix for now, I'd also like to find out what the bigger problem is since I fear they may end up seeing this issue with more domains if in fact the DNS is incorrect. But for now at least, I think I'll have some happy users trying to send to partners.org.

Thanks to you and razmus for all your help.  Much appreciated.
0
 

Author Comment

by:mcascio
just to explain more in depth what I ended up doing,

I did a whois lookup on partners.org and found their DNS server (auth1.partners.org).  I then went into DNS and created a conditional forwarder called "partner.org" and entered the IP of the partners DNS server (155.52.254.30)

ewkelly, is that what you were speaking of?  or did you mean to enter the Google DNS record as the conditional forwarder?  
0
 
LVL 5

Expert Comment

by:ewkelly
I meant to add the google dns entries, but whatever works. You need at least one dns forwarder to get to outside addresses.
0
