Reverse DNS lookup

mray77 (asker):

Our mail server is mail.externaldomainname.com. When I do a reverse lookup using a site like mxtoolbox or testexchangeconnectivity, it shows "reverse lookup failed". My reverse DNS is being displayed as mail.internaldomainname.com, which is different from our external domain name. How can I resolve this?
Chris Dent:

Most commonly this means contacting your ISP and asking them to set or correct the PTR record.

We can check exactly where if you feel your ISP is not responsible for the record.

Chris

mray77 (asker):

ATT is our ISP, and we manage our own DNS through their site. I have an A record for MAIL pointing to the external IP address of our mail server.
Add a reverse lookup (PTR record).

Sure, but Forward and Reverse Lookup are not delegated down the same paths.

That means you can have company X who look after your forward lookup zone (the mail records, etc), and company Y who look after reverse lookup.

Company Y is typically your ISP, or whoever provides you with the internet connection. In a (very) small number of cases reverse lookup is delegated to you. However, you generally know about it if that is the case because you'd have had to ask for it.

If ATT provide both DNS hosting and the connection for you, then you may still need to get in touch with them. A PTR record may not be exposed in your regular DNS interface. It depends on your hosting agreement: if you pay for hosted servers (on their site) then it may be available; if you pay for DNS and a net connection separately (technically if not administratively) then it's unlikely to be so easily available.

Chris

mray77 (asker):

There is an option to add/update the PTR record when I create the A record for MAIL. Should this PTR record be mail.internal.com or mail.external.com? That's where I'm unclear. It seems like right now it's mail.internal.com and that is wrong.

Where are you looking? That sounds like an MS DNS option? :)

If it's in there, your ISP's interface, then you need the public name and public IP (mail.external.com and its IP).

Chris

mray77 (asker):

No, it's an ATT tool called https://www.businessdirect.att.com; it's for managing our external DNS.

Ahh good, just checking :)

In that case you want the PTR record to point to mail.external.com. Does it give you the option to change it?

Chris

mray77 (asker):

Yes, but I get the feeling that it's not updating. I'm on hold now with ATT. I'm going to have them check it. Thanks for the help!

It might take time; these things are very rarely instant. It's not unreasonable to expect it to take a few days for a change to flow through.

Still, check with them anyway, that's well worth doing, waiting 2 days and seeing nothing would be poor form :)

Chris
Sometimes it can take 24 hours for the DNS change.

mray77 (asker):

ATT is telling me my PTR record is correct. They even used dnsstuff.com.

mray77 (asker):

They are basically using the same tools I have access to.

We can test it without any tools. Let me walk you through:

1. Look up the servers responsible for the IP address, where 1.2.3.4 is the IP

Note: The IP is reversed in our commands intentionally.

nslookup -q=ns 4.3.2.1.in-addr.arpa

You should get a response like this:

3.2.1.in-addr.arpa
        primary name server = ns1.somedomain.com.

2. Look up the record on the primary name server:

nslookup -q=ptr 4.3.2.1.in-addr.arpa ns1.somedomain.com

We're executing the query for the PTR record against the system that claims it's responsible. This bypasses all caching and update intervals; you should get the changed version of the record this time.

Chris

mray77 (asker):

You are a genius! Check this out...

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\jjenkins.FSDOMAIN>nslookup -q=ns 1.2.3.4.in-addr.arpa
Server:  UnKnown
Address:  a.b.c.d

Non-authoritative answer:
1.2.3.4.in-addr.arpa.fsdomain.com nameserver = ns1.dsredirection.com
1.2.3.4.in-addr.arpa.fsdomain.com nameserver = ns2.dsredirection.com

ns1.dsredirection.com   internet address = x.x.x.x

C:\Users\jjenkins.FSDOMAIN>nslookup -q=ptr 1.2.3.4.in-addr.arpa ns1.dsredirection.com
Server:  UnKnown
Address:  a.b.c.d

*** No domain name pointer (PTR) records available for 1.2.3.4.in-addr.arpa

C:\Users\jjenkins.FSDOMAIN>
Ahh it's got a bit confused. Try this one instead:

nslookup -q=ns 4.3.2.1.in-addr.arpa.
nslookup -q=ptr 4.3.2.1.in-addr.arpa. ns1.somedomain.com

Notice how I've added the . after arpa? That'll stop it adding fsdomain.com on the end; we don't want it to do that.

There are better tools for this, I generally recommend this one:

http://members.shaw.ca/nicholas.fong/dig/

But my resolver can do it too (although you have to have PowerShell):

http://code.msdn.microsoft.com/dnsshell/Release/ProjectReleases.aspx?ReleaseId=5028

For the first, we'd do:

dig 1.2.3.4 ptr +trace

Or in mine:

Get-Dns 1.2.3.4 ptr -Trace

In each case we're most interested in the final block, the bit that shows us the response. The advantage here is that it takes the hard work of figuring out where to send a request out of your hands :)

Chris

mray77 (asker):

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\jjenkins.FSDOMAIN>nslookup -q=ns 1.2.3.4.in-addr.arpa.
Server:  UnKnown
Address:  a.b.c.d

2.3.4.in-addr.arpa
        primary name server = adns01.bigpond.com
        responsible mail addr = hostmaster.bigpond.com
        serial  = 9
        refresh = 43200 (12 hours)
        retry   = 3600 (1 hour)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

C:\Users\jjenkins.FSDOMAIN>nslookup -q=ptr 1.2.3.4.in-addr.arpa. ns1.bigpond.com
*** Can't find server address for 'ns1.bigpond.com':
Server:  UnKnown
Address:  a.b.c.d

Non-authoritative answer:
1.2.3.4.in-addr.arpa      name = CPE-4-3-2-1.lns1.wel.bigpond.net.au


2.3.4.in-addr.arpa nameserver = adns01.bigpond.com
2.3.4.in-addr.arpa nameserver = adns02.bigpond.com
2.3.4.in-addr.arpa nameserver = adns03.bigpond.com
2.3.4.in-addr.arpa nameserver = adns04.bigpond.com

C:\Users\jjenkins.FSDOMAIN>
Remember we had to reverse the IP address for nslookup? :)

So if your IP is 212.213.214.215 it becomes this for the PTR record:

215.214.213.212.in-addr.arpa.

Fun, isn't it? :)

Chris
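The two nslookup steps above, the trailing-dot fix, and the "reverse DNS does not match SMTP banner" comparison that comes up later in the thread, as one added example that is not Chris's DnsShell module or anything posted in the thread. It assumes an injected resolve(name, rtype) function; the records shown are constructed from the thread's placeholder names and IP, and the reverse_name helper also covers IPv6 (ip6.arpa) via the ipaddress module.

```python
import ipaddress

def reverse_name(ip):
    """Absolute reverse name for an IP: 1.2.3.4 -> 4.3.2.1.in-addr.arpa.
    The trailing dot matters: without it nslookup appends the local search
    suffix (fsdomain.com in the thread) and queries the wrong name."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parent_zones(rev):
    """Reverse zones that could hold the PTR, most specific first."""
    labels = rev.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) - 2)]

def check_mail_host(ip, expected_fqdn, smtp_banner_host, resolve):
    """Forward-confirmed reverse DNS plus the banner comparison mxtoolbox
    makes. resolve(name, rtype) -> list of strings is injected, so the same
    logic runs against a live resolver or the constructed records below."""
    rev = reverse_name(ip)
    ptrs = [p.rstrip(".").lower() for p in resolve(rev, "PTR")]
    findings = []
    if not ptrs:
        findings.append(f"no PTR record at {rev}")
    for ptr in ptrs:
        if ptr != expected_fqdn.lower():
            findings.append(f"PTR {ptr} != expected {expected_fqdn}")
        if ip not in resolve(ptr + ".", "A"):
            findings.append(f"PTR {ptr} has no A record pointing back to {ip}")
    if smtp_banner_host.lower() not in ptrs:
        findings.append(f"reverse DNS does not match SMTP banner {smtp_banner_host}")
    return findings

# Constructed records using the thread's placeholder names and IP: the PTR
# still names the internal host, as in the original symptom.
BEFORE = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.internaldomainname.com."],
    ("mail.externaldomainname.com.", "A"): ["1.2.3.4"],
}
# The same records once the ISP has corrected the PTR.
AFTER = {**BEFORE, ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.externaldomainname.com."]}

def resolver(records):
    """Offline stand-in for a DNS client; returns [] for unknown names."""
    return lambda name, rtype: records.get((name, rtype), [])

if __name__ == "__main__":
    for label, recs in (("before", BEFORE), ("after", AFTER)):
        print(label, check_mail_host("1.2.3.4", "mail.externaldomainname.com",
                                     "mail.externaldomainname.com", resolver(recs)))
```

Against a live resolver, pass a function that queries the primary name server returned for the zone in parent_zones, which is what step 2 above does by hand.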

mray77 (asker):

So what you are saying is that in my PTR record, I need to update it and reverse it? Or are we talking about a mistake I made running the nslookup?

Just a mistake in the nslookup run.

Pick up the install for dig above, it'll make the checks a lot simpler. Unfortunately nslookup itself isn't a particularly comprehensive debugging tool.

Chris
If you are using ATT Direct and you log in, do you see the reverse DNS zone for your IP address range available? If you do not see this then you cannot add or update records for that IP range from the ATT DNS console.

You then have two options.

1. Ask the ISP that controls the reverse lookup zone to create the record.
2. Have the RR zone delegated to your ATT Direct account. If this is your choice, contact ATT Support and confirm the DNS servers that the ISP should delegate the RR zone to. Then ask the ISP to delegate the RR zone to the listed servers. Some will not do this.

Another bit of trivia: the PTR record is best if it matches the A record, but that is not necessary. Also, if you are actually sending out your email through a gateway that is not the same IP address as your MX record, then that IP address also requires an A and an RR record.

mray77 (asker):

Chris, quick question on the install. I'm running into this issue, which is in the instructions:
Import-Module will throw an error on import if the Execution Policy requires all files to be signed. The format file is not signed.

Run:

Set-ExecutionPolicy RemoteSigned

That should let it carry on, until I get around to getting myself a proper certificate.

Chris

mray77 (asker):

Another observation... When I do a simple telnet test, the HELO response from my mail server is mail.Internal_Domain_Name.com

That may not necessarily matter, it depends on the FQDN value you have listed in the Send Connector (Org Config \ Hub Transport).

Chris

mray77 (asker):

My FQDN listed on the Send Connector is set to mail.external_domain.com; my Receive Connector is set to mail.internal_domain.com, as it does not let me configure this for the internal domain.

Cool, that's good. Ignore the one you see when you run telnet; it's showing you the FQDN for the Receive Connector.

Chris

mray77 (asker):

Gotcha. I think it's important to note that we are using MXLogic for spam filtering. Could there be something there? I just keep coming back to the message when using mxtoolbox.com which says: "Warning - Reverse DNS does not match SMTP Banner". I'm really scratching my head here since everything looks right. ATT confirmed DNS and PTR are correct and the FQDN on my Send Connector is correct.

Is that sending out for you? Or is it only inbound mail that comes through that?

mxtoolbox...

It's limited.

You know the test you did with telnet? That's what it just did; there's no way for it to find out the name used by your Send Connector.

It means you can generally ignore the result of that test as long as mail is flowing properly.

Chris
We used to use Postini and had the same banner mismatch. And we did experience that some remote SMTP systems would reject our emails due to the banner mismatch at that time.

mray77 (asker):

So if I have an email address that is not accepting our mail, can I try to send via telnet and post the response?

Yep, you can indeed.

Chris

mray77 (asker):

I don't have their mail server name; they are actually using MXLogic just like we are. The domain I'm trying to send to:
buckenmeyer-king-cpa.com

In that case you'd do what your mail server does, look up the MX record:

nslookup -q=mx buckenmeyer-king-cpa.com

Your server takes those, then picks one of the servers with the lowest MX Preference. For example this one:

buckenmeyer-king-cpa.com        MX preference = 15, mail exchanger = buckenmeyer-king-cpa.com.inbound15.mxlogic.net

Then your server will attempt to connect to the exchanger:

telnet buckenmeyer-king-cpa.com.inbound15.mxlogic.net 25

Once you're there, you can start your conversation:

helo mail.external_domain.com
mail from: you@domain.com
rcpt to: recipient@domain.com
data
.

Chris
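As an added example (not the asker's or Chris's code), the exchanger selection your server performs before that telnet session, plus a HELO-only probe equivalent of the telnet test that returns the banner and HELO reply for comparison with the PTR record. The nslookup output is constructed: it reuses the exchanger named above and adds a hypothetical backup host with a placeholder name.

```python
import random
import re
import smtplib

# Matches the lines 'nslookup -q=mx' prints for each mail exchanger.
MX_LINE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")

def parse_mx(nslookup_output):
    """Turn nslookup MX output into (preference, exchanger) tuples."""
    return [(int(p), h.rstrip(".")) for p, h in MX_LINE.findall(nslookup_output)]

def order_mx(records):
    """The order a sending MTA tries exchangers: lowest preference first,
    equal preferences shuffled so load spreads across them (RFC 5321 5.1)."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        random.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def smtp_probe(host, helo_name, port=25, timeout=10):
    """The telnet test from the thread up to HELO only: connect to the
    exchanger, announce our Send Connector FQDN, and return the banner and
    HELO reply so they can be compared with the PTR record. No mail is sent."""
    try:
        client = smtplib.SMTP(timeout=timeout)
        code, banner = client.connect(host, port)
        hcode, hreply = client.helo(helo_name)
        client.quit()
        return {"banner": (code, banner.decode(errors="replace")),
                "helo": (hcode, hreply.decode(errors="replace"))}
    except (OSError, smtplib.SMTPException) as exc:
        return {"error": str(exc)}

# Constructed nslookup output: the exchanger named in the thread plus a
# hypothetical higher-preference backup (placeholder name).
SAMPLE = """buckenmeyer-king-cpa.com        MX preference = 15, mail exchanger = buckenmeyer-king-cpa.com.inbound15.mxlogic.net
buckenmeyer-king-cpa.com        MX preference = 25, mail exchanger = backup-mx.example.net"""

if __name__ == "__main__":
    for exchanger in order_mx(parse_mx(SAMPLE)):
        print("would try", exchanger, "on port 25")
```

Call smtp_probe(exchanger, "mail.external_domain.com") from the Exchange server itself, since that is the host whose IP the remote side checks.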

mray77 (asker):

Here is something that is odd. I just sent from telnet and the recipient received it and responded. I about fell out of my seat. I sent from Outlook, and have not heard back from them.

mray77 (asker):

The message I sent from Outlook is just sitting in my Exchange 2010 mail queue.

When you did the telnet test, that was from your Exchange server?

Chris

mray77 (asker):

It was from my workstation, which is on the same network. Could there be a difference?

Yeah, I'd only expect your Exchange server to have the problematic IP address. I reckon you should give it a try from the Exchange server itself.

Chris

mray77 (asker):

It worked from the Exchange server too using telnet. I now have a technical contact we can work with on their side. Again, still not working when sent from Outlook. Message is stuck in the queue.

What's the message it's logging while it's stuck in the queue?

Chris

mray77 (asker):

Identity: mail\9075\128950
Subject: last test
Internet Message ID: <CC6239D8EE38044C8E677E019F6A785A146079E4@mail.mydomain.com>
From Address: sender@mydomain.com
Status: Ready
Size (KB): 41
Message Source Name: FromLocal
Source IP: 255.255.255.255
SCL: -1
Date Received: 2/11/2011 9:52:52 AM
Expiration Time: 2/13/2011 9:52:52 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: mail\9075
Recipients:  someone@buckenmeyer-king-cpa.com

Hmm, well, it does suggest that it hasn't figured out the PTR record yet, but I'd have expected it to refuse to talk to you using telnet if that were the case.

Is any mail flowing out?

Chris

mray77 (asker):

Yes, currently that is the only external domain in the queue not sending.

mray77 (asker):

No forwarders were configured in DNS.