Solved

Changing MX record and DNS cache

Posted on 2016-10-02
12
206 Views
Last Modified: 2016-10-05
Recently I had to configure a new spam filter on my Exchange Server 2003.
The MX record looked like this before the change:

xxx.com MX mail.xxx.com
mail.xxx.com A 222.222.222.222 (my Exchange server)

Now I pointed mail.xxx.com to 333.333.333.333 (spam filter).

333.333.333.333 will forward the filtered emails to my Exchange server 222.222.222.222.

From now on, I will refer to 222.222.222.222 as 2 and 333.333.333.333 as 3.

After the change, about half of the emails are sent directly to 2, not to 3, and most of them are spam.
I guess this is caused by the spam senders' DNS caches still holding our MX and A records.
I thought that if I changed the A record of mail.xxx.com from 2 to 3, all emails would be redirected to 3, but when I inspected the headers of the spam, they are still sending emails directly to 2. How can I fix this problem? Should I change the MX record as well, like 'xxx.com MX mail2.xxx.com'? Is there any way to propagate the DNS record change immediately? The TTL on both the MX and A records is 3600 sec in Dyn.com. They said the DNS cache will be cleared within at most 24 hours, but it doesn't look like it. I changed it last Friday, and I'm still getting lots of spam directly to my Exchange server.
0
Comment
Question by:crcsupport
12 Comments
 
LVL 25

Expert Comment

by:-MAS
ID: 41825554
Hi,
First of all, you are running an unsupported Exchange server. Please consider upgrading to a supported version.
I guess you configured the new spam filter on both IPs.
Antispam is supposed to work like below.
(image: Antispam flow)
Your email is supposed to be received at the spam filter, and the spam filter will forward the genuine emails to the mailbox server/transport server.

Please check the below images for your understanding of mail flow and Exchange IOPS in different versions of Exchange server.
(image: Mail flow)
(image: Exchange IOPs)
MAS
1
 
LVL 27

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 75 total points
ID: 41825556
Both the A record and the MX record for your mail receiver should be pointing to the same IP address. This allows ill-written software that does an A lookup instead of an MX lookup to still get mail through.

It can take up to 2 days in bad cases for a record change to propagate all the way up to the root level. After that it will start to propagate down to individual network DNS caches.
1
 
LVL 25

Expert Comment

by:-MAS
ID: 41825566
As commented above, it will take some time to get updated over the web.
That could be one reason for the spam received directly.
1
 
LVL 1

Author Comment

by:crcsupport
ID: 41825578
Dr. Klahn,
What do you mean by this part? "Both the A record and the MX record for your mail receiver should be pointing to the same IP address."

The MX record is pointing to the A record (mail.xxx.com), and the A record is pointing to the IP address.
Do you mean I have to get rid of the A record and make the MX point to the IP address like below?

xxx.com MX 333.333.333.333

I thought the proper way to configure it is MX to A, then A to IP address.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 41825580
Also, the TTL is configured very low. And I guess the problem is not the DNS update from my ANS to root, but from root to the spam senders. I thought spam senders keep their own DNS cache TTL, ignoring my configured TTL.
0
 
LVL 25

Assisted Solution

by:-MAS
-MAS earned 75 total points
ID: 41825583
@crcsupport,
You are correct.
MX should point to an A record, and the A record should point to an IP.
FYI, you cannot point an MX record to an IP. It can only point to an A record.
1
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 41825766
Now you have to set a transport/firewall rule to only accept external mail from your antispam vendor's IP address and reject mail from other Internet addresses.
1
 
LVL 37

Accepted Solution

by:bbao
bbao earned 200 total points
ID: 41825777
> The TTL is configured very low. And I guess the problem is not the DNS update from my ANS to root, but from root to the spam senders.

You have done everything correctly from your side.

The reason you keep receiving spam at the old email server (actually still the current email server with a new MX record) is simply that the spammer side hasn't changed the IP per your new MX record.

What's the point for them to change if they can keep successfully sending spam to an IP? The spammers don't care about domain names and MX records; actually, using the IP directly is good practice for them to avoid being fooled by what you are doing. Be aware that an IP is location-associated and not easy to change, while a domain name can easily be pointed anywhere, especially for an IP that the spammers have used for years. If you were the spammer, what would you do?
1
 
LVL 37

Expert Comment

by:bbao
ID: 41825786
Therefore, keep observing for a while. If there are no significant changes, consider getting a new IP for your mail server, OR simply swap the IPs of your mail server and antispam gateway if possible.
1
 
LVL 1

Author Comment

by:crcsupport
ID: 41826971
Now I'm attracted to David's suggestion and more convinced after reading Bing's.
It's been about 70 hours and we are still getting spam, so I guess Bing is right: spammers use IP addresses, not MX records. I don't know why and how they operate, but it sounds very possible.

Maybe I have to swap the IPs between my server and the antispam cloud, which won't affect my DNS records, or block everything but the antispam cloud server.

I'll let you know, guys.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 41830338
I blocked everything except SMTP 25 from the cloud antispam to us, and all the spam is gone.

I also found Barracuda works very well; almost all spam gets caught. I used to use GFI MailEssentials, which was too much headache; their spam filtering is way off standard.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 41830344
By the way, until I made changes to the firewall to block all ports, spam kept coming even after 4 days (96 hours). Half of the spam was sent to the new MX record; half was still sent to the old MX record.
So I guess many spam senders just ignore DNS record changes of recipients, maybe to reduce the load on their spam-sending servers or for some other reason.

Anyway, it's good to know.
0
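The asker worked out what was happening by inspecting the headers of the spam that reached the Exchange server directly, and the thread's resolution was a firewall rule that only allows SMTP from the antispam gateway. The following Python script is an added example, not code from the thread or from any of the products named in it: it parses the topmost Received header of each message (the one stamped by the receiving server) and classifies the message as relayed by the gateway or delivered directly, so an admin can measure the "half direct, half via gateway" split the asker observed and confirm it drops to zero once the firewall rule is in place. The gateway range 198.51.100.0/24, the host name gw1.filter.example and the sample messages are constructed placeholders; the page's 222.x/333.x addresses are not valid IPv4 literals, so RFC 5737 documentation addresses stand in for "2" and "3".

```python
import email
import ipaddress
import re

# Assumed address range the antispam gateway connects from (constructed placeholder
# standing in for the page's "3"). Anything outside it that reaches the Exchange
# server directly bypassed the filter.
GATEWAY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# The bracketed IPv4 literal in a Received header's "from host ([a.b.c.d])" clause.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivering_ip(raw_message):
    """Return the IP of the peer that handed the message to our server, or None.

    The topmost Received header is stamped by the last hop (our own Exchange
    server), so the 'from' address in it is the host that opened the SMTP
    connection to us. Headers further down were written by other hosts and
    can be forged, so they are deliberately ignored.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _IP_RE.search(received[0])
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # malformed literal such as 333.333.333.333
        return None


def classify(raw_message):
    """'via-gateway' if the delivering peer is inside an allowed gateway range,
    'direct' if some other host connected straight to the Exchange server."""
    ip = delivering_ip(raw_message)
    if ip is None:
        return "unknown"
    if any(ip in net for net in GATEWAY_NETS):
        return "via-gateway"
    return "direct"


def summarize(raw_messages):
    """Count how many messages arrived through the gateway versus directly."""
    counts = {"via-gateway": 0, "direct": 0, "unknown": 0}
    for raw in raw_messages:
        counts[classify(raw)] += 1
    return counts


# Constructed sample messages: one relayed by the gateway, one delivered directly
# to the Exchange server, and one with no Received header at all.
SAMPLE_VIA_GATEWAY = """\
Received: from gw1.filter.example ([198.51.100.10])
\tby mail.xxx.com with ESMTP; Mon, 3 Oct 2016 09:12:01 +0000
Received: from sender.example ([203.0.113.7])
\tby gw1.filter.example with ESMTP; Mon, 3 Oct 2016 09:11:58 +0000
From: someone@example.net
To: user@xxx.com
Subject: hello

body
"""

SAMPLE_DIRECT = """\
Received: from bulk.example ([203.0.113.50])
\tby mail.xxx.com with ESMTP; Mon, 3 Oct 2016 09:13:44 +0000
From: offers@example.org
To: user@xxx.com
Subject: buy now

body
"""

SAMPLE_NO_RECEIVED = """\
From: local@xxx.com
To: user@xxx.com
Subject: no trace

body
"""

if __name__ == "__main__":
    # Run over a mail store export and any non-zero 'direct' count means some
    # sender is still bypassing the gateway.
    print(summarize([SAMPLE_VIA_GATEWAY, SAMPLE_DIRECT, SAMPLE_NO_RECEIVED]))
```

Only the first Received header is trusted because it is the one written by the server being protected; anything below it came over the wire from the peer and proves nothing. Once the firewall admits port 25 only from the gateway range, the "direct" bucket should stay at zero.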