Solved

DNS lookup failed error with email

Posted on 2010-11-25
Last Modified: 2012-06-22
Hello,

I'm having a strange issue with email/DNS.  Users are having issues sending email to one specific domain (partners.org).  Our domain name is ssmh.org.  The email system being used is Kerio.  I can see the messages sitting in the queue with the error "4.4.3 DNS lookup failed".  From what I can tell, DNS is configured correctly on the server.  I've run DNS tests from a couple of online places that check for ns lookup, mx lookup, etc.  Everything comes back clean on both domains (sending/receiving).  However, if I try to do an nslookup from inside the ssmh.org domain, it does not resolve to partners.org.  An nslookup from outside the domain resolves fine to partners.org.

This domain (partners.org) is the only domain that users are unable to send mail to.  Mail flow is fine for everywhere else.  Initially I thought it may have been a problem with the mail server on the other end, yet when I try to send email to that domain from my personal yahoo account, email gets there without an issue.

Anybody have any ideas/suggestions?  This is driving me crazy.

Happy Holidays to all!
mcascio
0
Comment
Question by:mcascio
21 Comments
 
LVL 5

Expert Comment

by:ewkelly
ID: 34212600
Who are you using for your external dns?
Try changing. Google has a free set at  8.8.8.8 and 8.8.4.4
Sounds like a bad dns entry to me.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 34212618
Confirming:
Any attempt to resolve partners.org from inside the ssmh.org domain fails?
  Check the DNS server(s) being used inside ssmh.org.  Look for SOA or NS records specifically on the server which are wrong.  Look for conditional forwarders pointed to partners.org which might now be erroneous.  It may be that someone set something up originally pointed at a valid partners.org name server, and they changed the server.

If it were only the mail server itself that was having problems, I'd suggest checking to make certain there weren't bad entries in the hosts file...
0
 

Author Comment

by:mcascio
ID: 34212839
razmus,

I don't see any conditional forwarders in DNS.  

ewkelly,

I'll need to investigate further on the external dns.  I wasn't involved in that process so not sure what is being used, but thanks for the start.

I'll update this once I get all the info.  If there's anything else you can think of, please let me know.
0

 

Author Comment

by:mcascio
ID: 34212843
oh, and razmus, in answer to your question, yes, any attempt to resolve partners.org from inside the domain fails.  Can't do an nslookup on it and when trying to ping, it only says "unknown host" rather than resolving to the correct IP as it does outside of the domain.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 34212935
From inside the domain, if you enter nslookup
then "set type=soa"
then "partner.org"

Does it respond with information?
Make certain the NS records there match what you see from servers outside the domain...
0
 

Author Comment

by:mcascio
ID: 34213133
razmus,

I'll try that later tonight and let you know what happens.  unfortunately right now I'm offsite without access to the network.

thanks for the advice
0
 

Author Comment

by:mcascio
ID: 34215112
razmus,

I did as you instructed and it does respond with information.  It displayed the following:

Non-authoritative answer:
partner.org
        primary name server = dns1.name-services.com
        responsible mail addr = info.name-services.com
        serial  = 2002050701
        refresh = 10001 (2 hours 46 mins 41 secs)
        retry   = 1801 (30 mins 1 sec)
        expire  = 604801 (7 days 1 sec)
        default TTL = 181 (3 mins 1 sec)

dns1.name-services.com  internet address = 98.124.192.1
0
 

Author Comment

by:mcascio
ID: 34215125
razmus,

actually, forget that last comment I made.  I accidentally entered "partner.org" instead of the correct "partners.org"

when I did as you instructed with "partners.org" I did not get a response.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 34222266
Hmm... partners.org -- my fault.
Okay then, that confirms your local DNS isn't able to resolve the domain, but that it doesn't think it's authoritative for the domain (which is good.)  There almost has to be a conditional forwarder for partners.org in place, especially if everything else is working.  (Unless your DNS servers are configured to forward requests to another, upstream server, and it has a broken conditional forwarder.)

You can configure the DNS server to use one of the servers ewkelly specified above, and it should get mail moving again -- but I'd use that as a short term solution -- I'd want to fix the internet DNS servers as well.

Check the rest of your DNS server configuration.
  - Confirm there isn't a conditional forwarder for partners.org.  
  - If the server forwards requests to another server, try configuring it to forward to a different server.  If you are then able to see the SOA for partners.org, let the administrators of the original upstream DNS server know what you've found, and they will have to fix it.
0
 
LVL 5

Expert Comment

by:ewkelly
ID: 34222388
It could be that your office IPS is blocking partners.org.
It could also be that your company has blocked it.
Are you using spam or traffic blocking of any kind at the office?

I cannot ping partners.org by name or ip address. According to my whois search their address is 172.27.98.22, but I can get to their web site.

0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 34223331
ewkelly is right.  I'd gotten so used to 'sanitized domain names' used as an example, I didn't check the records for the domain you provided.  It isn't impossible that you are filtering their DNS traffic, check that too!

I can get to www.partners.org
And I can connect to the server phsmgmx.partners.org via smtp.  (And it correctly identifies me as a potential source of spam and shuts me down immediately.)
> set type=mx
> partners.org

partners.org    MX preference = 20, mail exchanger = phsmgmx.partners.org
partners.org    nameserver = auth2.dns.partners.org
partners.org    nameserver = auth1.dns.partners.org
phsmgmx.partners.org    internet address = 155.52.254.36
auth1.dns.partners.org  internet address = 155.52.254.30
auth2.dns.partners.org  internet address = 155.52.254.31


0
 

Author Comment

by:mcascio
ID: 34223623
ewkelly,

I know they are using a Barracuda filtering device, but they don't filter any DNS traffic.  It's just driving me crazy why it only seems to be this particular domain.  

razmus,

up until now I never even tried going to www.partners.org via IE, but I just tried and as expected, I can't get to the page from within the network.  But can get to it just fine when I'm on my own personal Comcast line.  I also can't telnet to port 25 of phsmgmx.partners.org from inside the network.

I still need to check the external dns entries, however I won't be able to do that until Monday when the person who administers that is in the office.  I'll keep you both updated and distribute the points once I get that info and hopefully clears things up.

Thanks again
0
 

Author Comment

by:mcascio
ID: 34223697
Perhaps one of you know the answer to this:

The public address of the mail server mailhost.ssmh.org is 204.12.103.1.  However, there is no reverse pointer entry in DNS for this network.  Is this needed?  The fact that all other mail is working fine leads me to think it's not, but I want to verify.
0
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 400 total points
ID: 34225353
The screen that flashed by me quick said I was denied to the mail server, so I'd say with 70-80% confidence that -- yeah, you'll need that valid reverse lookup before the partners.org mail server accepts the mail.  (And it's a good thing to have in place for an outfacing mail server in any event... because lots of other systems will require it... and the number of mail servers which require it grows daily.)

Yes, I'm not surprised you can't get to the webpage from inside the network, 'cause you aren't able to resolve any of the partners.org addresses.  (You can test that by temporarily putting the address ewkelly suggested in the first message... ( http:#34212600 ))
0
 
LVL 5

Expert Comment

by:ewkelly
ID: 34225376
Using the Google dns addresses that I gave you would prove if it is a dns problem or a Barracuda filtering device problem. The Barracuda devices use outside data to decide who to block. You can get your Barracuda Admin to allow partners.org though, if that is the issue.
0
 

Author Comment

by:mcascio
ID: 34225417
ewkelly,

I just entered the Google address in the DNS settings (8.8.8.8), and did a flush and register dns.  After doing that, I was able to resolve partners.org when doing an nslookup.  So I'm assuming that's pointing to a problem with the current DNS setup.  Maybe I should create the reverse pointer entry for the public subnet?
0
 

Author Comment

by:mcascio
ID: 34225421
fyi, this is the info I got after changing the DNS to Google and doing an nslookup

Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> partners.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org.ssmh.org
Address:  204.12.103.1
0
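
Added example, not part of the original thread: the reply pasted above carries the name partners.org.ssmh.org rather than partners.org, which is what nslookup prints when it has appended the client's DNS search suffix to the query. The Python sketch below parses such output and reports the appended suffix; the second transcript and its 192.0.2.10 address are constructed sample data, and the function names are hypothetical.

```python
import re

# nslookup exchange copied from the post above (resolver set to 8.8.8.8).
PAGE_REPLY = """\
> partners.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org.ssmh.org
Address:  204.12.103.1
"""

# Constructed sample: the same query typed with a trailing dot.
FQDN_REPLY = """\
> partners.org.
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    partners.org
Address:  192.0.2.10
"""

def _norm(name):
    return name.rstrip(".").lower()

def parse_reply(text):
    """Return (queried_name, [(answer_name, address), ...]) for one exchange."""
    query, answers, name = None, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r">\s*([A-Za-z0-9._-]+)$", line):
            query = m.group(1)
        elif m := re.match(r"Name:\s*(\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"Address(?:es)?:\s*(\S+)$", line)) and name:
            # The resolver's own Address line comes before any Name line.
            answers.append((name, m.group(1)))
    return query, answers

def suffix_expanded(text):
    """Return the suffix appended to the query, or None if the answer matches it."""
    query, answers = parse_reply(text)
    if query is None:
        return None
    q = _norm(query)
    for name, _addr in answers:
        n = _norm(name)
        if n != q and n.startswith(q + "."):
            return n[len(q) + 1:]
    return None
```

Typing the name with a trailing dot (partners.org.) stops nslookup from applying the search list, so the answer is for the name actually asked.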
 
LVL 5

Accepted Solution

by:
ewkelly earned 1600 total points
ID: 34225489
So you have narrowed it down to whoever you are using for dns.
This also rules out any host file issues.
If your dns is external, tell them of your issue.
If it is internal, try entering a reverse lookup, but also look at the entries to make sure they are accurate. You might also remove them and recreate them as they can be corrupted.  

One of your earlier messages said that you do not have any conditional forwarders on your dns server. I would strongly advise you put some in. The Google dns servers are free, if you don't mind using google. If you do, there are others out there that are also free.
0
 

Author Comment

by:mcascio
ID: 34225612
ewkelly,

I added a conditional forwarder for the partners.org domain and sent an email.  I don't see the error in the email queue that I used to see, and I checked the mail logs and it looks like it was sent successfully.  I'll know for sure if (or hopefully when) I hear back from the recipient.  

While this is a fix for now, I'd also like to find out what the bigger problem is since I fear they may end up seeing this issue with more domains if in fact the DNS is incorrect.  But for now at least, I think I'll have some happy users trying to send to partners.org.

Thanks to you and razmus for all your help.  Much appreciated.
0
 

Author Comment

by:mcascio
ID: 34225637
just to explain more in depth what I ended up doing,

I did a whois lookup on partners.org and found their DNS server (auth1.partners.org).  I then went into DNS and created a conditional forwarder called "partner.org" and entered the IP of the partners DNS server (155.52.254.30)

ewkelly, is that what you were speaking of?  or did you mean to enter the Google DNS record as the conditional forwarder?  
0
 
LVL 5

Expert Comment

by:ewkelly
ID: 34225690
I meant to add the google dns entries, but whatever works. You need at least one dns forwarder to get to outside addresses.
0
