
Changing MX record and DNS cache

Posted on 2016-10-02
Last Modified: 2016-10-05
Recently I had to configure a new spam filter for my Exchange Server 2003.
The MX record looked like this before the change:

xxx.com MX mail.xxx.com
mail.xxx.com A 222.222.222.222(my exchange server)

Now I have pointed mail.xxx.com to 333.333.333.333 (spam filter).

333.333.333.333 will forward the filtered emails to my Exchange server, 222.222.222.222.

From now on, I will refer to 222.222.222.222 as 2 and 333.333.333.333 as 3.

After the change, about half of the emails are still sent directly to 2, not to 3, and most of them are spam.
I guess this is caused by the spam senders' DNS caches still holding our MX and A records.
I thought that if I changed the A record of mail.xxx.com from 2 to 3, all emails would be redirected to 3, but as I inspected the headers of the spam, it is still being sent directly to 2. How can I fix this problem? Should I change the MX record as well, like 'xxx.com MX mail2.xxx.com'? Is there any way to propagate a DNS record change immediately? The TTL on both the MX and A records is 3600 sec at Dyn.com. They said the DNS cache would be cleared within at most 24 hours, but it doesn't look like it. I made the change last Friday, and I'm still getting lots of spam directly on my Exchange server.
Question by:crcsupport
12 Comments
 
LVL 24

Expert Comment

by:-MAS
Hi,
First of all, you are running an unsupported Exchange server. Please consider upgrading to a supported version.
I guess you configured the new spam filter on both IPs.
Antispam is supposed to work like below.
[Image: Antispam flow]
Your email is supposed to be received by the spam filter, and the spam filter will forward the genuine emails to the mailbox server/transport server.

Please check the images below for your understanding of mail flow and Exchange IOPS in different versions of Exchange Server.
[Images: Mail flow; Exchange IOPs]
MAS
 
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 75 total points
Both the A record and the MX record for your mail receiver should be pointing to the same IP address.  This allows ill-written software that does an A lookup instead of an MX lookup to still get mail through.

It can take up to 2 days in bad cases for a record change to propagate all the way up to the root level.  After that it will start to propagate down to individual network DNS caches.
 
LVL 24

Expert Comment

by:-MAS
As commented above, it will take some time to get updated across the web.
That could be one reason for the spam being received directly.
 
LVL 1

Author Comment

by:crcsupport
Dr. Klahn,
What do you mean by this part? "Both the A record and the MX record for your mail receiver should be pointing to the same IP address."

The MX record is pointing to the A record (mail.xxx.com), and the A record is pointing to the IP address.
Do you mean I have to get rid of the A record and make the MX point to the IP address, like below?

xxx.com MX 333.333.333.333

I thought the proper way to configure it is MX to A, then A to IP address.
 
LVL 1

Author Comment

by:crcsupport
Also, the TTL is configured very low. And I guess the problem is not the DNS update from my ANS to the root, but from the root to the spam senders. I thought spam senders keep their own DNS cache TTL, ignoring my configured TTL.
 
LVL 24

Assisted Solution

by:-MAS
-MAS earned 75 total points
@crcsupport,
You are correct.
The MX should point to an A record, and the A record should point to the IP.
FYI, you cannot point an MX record to an IP. It can only point to an A record.
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
Now you have to set a transport/firewall rule to only accept external mail from your antispam vendor's IP address and reject mail from other internet addresses.
 
LVL 37

Accepted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 200 total points
> TTL is configured at very low. And I guess the problem is not DNS update from my ANS to root, but root to spam senders.

You have done everything correctly from your side.

The reason you keep receiving spam at the old email server (actually still the current email server, with a new MX record) is simply that the spammer side hasn't changed the IP per your new MX record.

What's the point for them to change if they can keep successfully sending spam to an IP? The spammers don't care about domain names and MX records; actually, using the IP directly is a good practice for them to avoid being fooled by what you are doing. Be aware that an IP is location-associated and not easy to change, while a domain name can easily be pointed anywhere, especially for an IP that the spammers have used for years. If you were the spammer, what would you do?
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Therefore, keep observing for a while. If there are no significant changes, consider getting a new IP for your mail server, or simply swap the IPs of your mail server and antispam gateway if possible.
 
LVL 1

Author Comment

by:crcsupport
Now I'm attracted to David's suggestion, and more convinced after reading Bing's.
It's been about 70 hours and we are still getting spam, so I guess Bing is right: spammers use the IP address, not MX records. I don't know why or how they operate, but it sounds very possible.

Maybe I have to swap the IPs between my server and the antispam cloud, which won't affect my DNS records, or block everything but the antispam cloud server.

I'll let you know, guys.
 
LVL 1

Author Comment

by:crcsupport
I blocked everything except SMTP port 25 from the cloud antispam service to us, and all the spam is gone.

I also found that Barracuda works very well; almost all spam gets caught. I used to use GFI MailEssentials, which was too much headache; their spam filtering is way off standard.
 
LVL 1

Author Comment

by:crcsupport
By the way, until I made the firewall changes to block all ports, spam kept coming even after 4 days (96 hours). Half of the spam was sent to the new MX record, and half was still sent to the old MX record.
So I guess many spam senders just ignore recipients' DNS record changes, maybe to reduce the load on their spam-sending servers or for some other reason.

Anyway, it's good to know.
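As an added example (not part of the thread, and not any participant's code), here is a small Python script that automates the header inspection crcsupport describes: for each message it finds the Received: hop where mail.xxx.com accepted the connection and reports whether the peer was the antispam gateway ("3") or some other host that delivered directly to the Exchange server ("2"). The host name is the thread's own; the gateway IP and the sample headers are constructed.

```python
from __future__ import annotations
import re
from collections import Counter

# The host name is the thread's own mail.xxx.com; the gateway IP ("3") is constructed.
OUR_HOST = "mail.xxx.com"
GATEWAY_IP = "198.51.100.3"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [a.b.c.d] of the connecting peer
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)  # "by <host>" = the receiving MTA

def unfold(raw: str) -> list[str]:
    """Join folded continuation lines so each header is a single string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw: str) -> list[tuple[str, str]]:
    """(connecting IP, receiving host) per Received: header, newest first."""
    hops = []
    for header in unfold(raw):
        if header.lower().startswith("received:"):
            ip, by = IP_RE.search(header), BY_RE.search(header)
            if ip and by:
                hops.append((ip.group(1), by.group(1).lower()))
    return hops

def delivery_path(raw: str, our_host: str = OUR_HOST,
                  gateway_ip: str = GATEWAY_IP) -> str:
    """Classify the hop that handed the message to our server."""
    for src_ip, by_host in received_hops(raw):
        if by_host == our_host:
            return "via-gateway" if src_ip == gateway_ip else "direct"
    return "unknown"  # no Received: header names our server

def tally(messages: list[str]) -> dict[str, int]:
    return dict(Counter(delivery_path(m) for m in messages))

# Constructed sample headers (not real mail): one relayed by the gateway, one direct.
VIA_GATEWAY = """Received: from gw.filter.example (gw.filter.example [198.51.100.3])
    by mail.xxx.com with ESMTP; Mon, 3 Oct 2016 10:01:02 -0400
Received: from sender.example.org (sender.example.org [203.0.113.7])
    by gw.filter.example with ESMTP; Mon, 3 Oct 2016 10:01:00 -0400
"""
DIRECT = """Received: from unknown (HELO bulk.example.net) ([203.0.113.99])
    by mail.xxx.com with SMTP; Mon, 3 Oct 2016 10:05:00 -0400
"""
```

Run `tally` over a day's quarantine folder to see the split the thread reports; once inbound SMTP is restricted to the gateway, the "direct" count should drop to zero.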
