
Strange Things with MX records.


England, Robert

Oct 9, 2001, 6:02:50 PM

We are experiencing some intermittently strange problems. Our internal mail
relay servers point to our internal DNS servers for all resolution. We run a
multi-level DNS environment. We currently run two BIND 8.2.2 p7 servers as
top-level DNS servers that are authoritative for all internal domains, and a
db.cache with all of the ROOT DNS servers. All of our first-level internal
DNS servers have forwards to the 2 top-level DNS servers, and their db.cache
also has the top-level DNS servers.

FIRST LEVEL INTERNAL DNS SERVERS.
-----------------------------------------------------------------------------
;=======================================================
; Hints file that points to the Internal DNS servers (db.cache)
;=======================================================
; ***********************
; Db.cache extension
; ***********************
;
. 99999999 IN NS rootdns1.agere.com.
99999999 IN NS rootdns1.agere.com.
;
;
rootdns1.agere.com. 99999999 IN A 192.19.192.98
rootdns2.agere.com. 99999999 IN A 192.19.192.102
-----------------------------------------------------------------------------

Our first level DNS servers are a combination of BIND 8.2.2 p5 & p7 and
BIND 4.9.7,

---------------------------------------------------------------------
forwarders 192.19.192.98 192.19.192.102
options forward-only
---------------------------------------------------------------------


With the configuration noted, our DNS servers fail to find worldnet.att.net
MX records. I'm trying to look up the MX record information for
worldnet.att.net. Doing the DIG against our top level DNS server, we get the
following information.


-----------------------------------------------------------------------------
# /usr/sbin/dig @192.19.192.98 worldnet.att.net. mx

; <<>> DiG 8.2 <<>> @192.19.192.98 worldnet.att.net. mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 192.19.192.98: Connection timed out

If I dig against an AT&T DNS resolver, I get the correct answers.

# /usr/sbin/dig @199.191.128.103 worldnet.att.net. mx

; <<>> DiG 8.2 <<>> @199.191.128.103 worldnet.att.net. mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 5, ADDITIONAL: 11
;; worldnet.att.net, type = MX, class = IN
worldnet.att.net. 3h39m37s IN MX 5 gateway2.worldnet.att.net.
worldnet.att.net. 3h39m37s IN MX 5 gateway3.worldnet.att.net.
worldnet.att.net. 3h39m37s IN MX 5 gateway4.worldnet.att.net.
worldnet.att.net. 3h39m37s IN MX 5 gateway5.worldnet.att.net.
worldnet.att.net. 3h39m37s IN MX 5 gateway6.worldnet.att.net.
worldnet.att.net. 3h39m37s IN MX 5 gateway8.worldnet.att.net.
worldnet.att.net. 3h39m37s IN MX 5 gateway1.worldnet.att.net.
worldnet.att.net. 28m41s IN NS ns4.worldnet.att.net.
worldnet.att.net. 28m41s IN NS ns.worldnet.att.net.
worldnet.att.net. 28m41s IN NS ns1.worldnet.att.net.
worldnet.att.net. 28m41s IN NS ns2.worldnet.att.net.
worldnet.att.net. 28m41s IN NS ns3.worldnet.att.net.
gateway2.worldnet.att.net. 5h45m47s IN A 204.127.134.23
gateway3.worldnet.att.net. 5h45m47s IN A 204.127.134.23
gateway4.worldnet.att.net. 5h7m45s IN A 204.127.134.23
gateway5.worldnet.att.net. 4h57m20s IN A 204.127.134.23
gateway6.worldnet.att.net. 4h28m27s IN A 204.127.134.23
gateway8.worldnet.att.net. 4h26m22s IN A 204.127.134.23
gateway1.worldnet.att.net. 5h45m47s IN A 204.127.134.23
ns4.worldnet.att.net. 18h57m21s IN A 204.127.160.2
ns1.worldnet.att.net. 18h3m24s IN A 204.127.129.1
ns2.worldnet.att.net. 18h58m26s IN A 204.127.129.2
ns3.worldnet.att.net. 19h1m53s IN A 204.127.160.1
;; Total query time: 73 msec
;; FROM: rootdns1 to SERVER: 199.191.128.103
;; WHEN: Tue Oct 9 14:50:06 2001
;; MSG SIZE sent: 34 rcvd: 474


I went to the WHOIS database to find the DNS server for att.net. When I try
to DIG against the att.net DNS servers for the worldnet.att.net MX records, I
get errors.


$/usr/sbin/dig @199.191.145.136 worldnet.att.net mx

; <<>> DiG 8.2 <<>> @199.191.145.136 worldnet.att.net mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 199.191.145.136: Connection timed out

$/usr/sbin/dig @199.191.144.75 worldnet.att.net mx
; <<>> DiG 8.2 <<>> @199.191.144.75 worldnet.att.net mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 199.191.144.75: Connection timed out

$/usr/sbin/dig @199.191.129.139 worldnet.att.net mx

; <<>> DiG 8.2 <<>> @199.191.129.139 worldnet.att.net mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 199.191.129.139: Connection timed out

$/usr/sbin/dig @199.191.128.43 worldnet.att.net mx

; <<>> DiG 8.2 <<>> @199.191.128.43 worldnet.att.net mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 199.191.128.43: Connection timed out


If I do a dig without specifying a DNS server, this is the response I get.

# /usr/sbin/dig world.net.att. mx

; <<>> DiG 8.2 <<>> world.net.att. mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; world.net.att, type = MX, class = IN
. 1D IN SOA A.ROOT-SERVERS.NET.
nstld.verisign-grs.com. (
2001100900 ; serial
30M ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

;; Total query time: 37 msec
;; FROM: rootdns1 to SERVER: default -- 192.19.192.98
;; WHEN: Tue Oct 9 12:37:56 2001
;; MSG SIZE sent: 31 rcvd: 106

Any help would be great, I'm running out of ideas.


Thanks!
-RCE


Simon Waters

Oct 9, 2001, 8:55:54 PM

"England, Robert" wrote:
>
> ; <<>> DiG 8.2 <<>> world.net.att. mx

You certainly pick the zones to have trouble with.

ns.worldnet.att.net has 8 A records, which defeats "DIG", which
appears to assume that each server has a unique name. Although I
guess it could have 8 interfaces, on various networks.....

I haven't seen anything "wrong" yet with att.net, but it is hard
work, and I doubt they got them all perfect *8-)

BIND 9 blacklists lame servers by IP address, I guess for the
slightly more common multihomed server.

All your BIND versions are very stale - maintenance?


If your second level servers forward to the central servers (I
would call them "centralised caches" or something, they don't
sound like "root servers"), then they should not need to specify
the servers in the db.cache files as if they were root servers,
and should "forward only".

If you forward to a server, then why do you need to fall back to
using it as the root? If it doesn't answer your forwarded
requests it is unlikely to answer any others.

If these servers are not doing "forward only" this could cause
some weird errors I suspect, but it is too late to figure out
exactly what. Probably something like what you're seeing!

--
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769 ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
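
A configuration audit for the two conditions raised in the reply above (forwarders configured without forward-only, and a hints file that repeats the forwarder addresses), as an added example that is not part of the original posts. The sample files are constructed from the addresses and directives quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed samples built from the addresses and directives quoted in the thread.
NAMED_BOOT_BIND4 = """\
cache      .   db.cache
forwarders 192.19.192.98 192.19.192.102
options    forward-only
"""
NAMED_CONF_BIND8 = """\
options {
    forwarders { 192.19.192.98; 192.19.192.102; };
};
zone "." { type hint; file "db.cache"; };
"""
DB_CACHE = """\
.                   99999999 IN NS rootdns1.agere.com.
rootdns1.agere.com. 99999999 IN A  192.19.192.98
rootdns2.agere.com. 99999999 IN A  192.19.192.102
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def forwarding(config):
    """Return (forwarder IPs, forward-only flag) from named.boot or named.conf text."""
    bind8 = "{" in config                      # named.conf uses braces, named.boot does not
    text = re.sub(r"//.*|#.*" if bind8 else r";.*", "", config)  # strip comments
    if bind8:
        m = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
        only = re.search(r"\bforward\s+only\s*;", text) is not None
    else:
        m = re.search(r"^\s*forwarders\s+(.*)$", text, re.M)
        only = re.search(r"^\s*options\b.*\bforward-only\b", text, re.M) is not None
    return (re.findall(IPV4, m.group(1)) if m else []), only

def hint_addresses(db_cache):
    """Return the A-record addresses listed in a hints (db.cache) file."""
    return re.findall(r"\bIN\s+A\s+(" + IPV4 + r")", re.sub(r";.*", "", db_cache))

def audit(config, db_cache):
    """Report the two conditions discussed in the reply above."""
    ips, only = forwarding(config)
    findings = []
    if ips and not only:
        findings.append("forwarders without forward-only: may fall back to the hints")
    overlap = sorted(set(ips) & set(hint_addresses(db_cache)))
    if overlap:
        findings.append("hints repeat forwarder addresses: " + ", ".join(overlap))
    return findings

if __name__ == "__main__":
    for name, cfg in (("BIND 4", NAMED_BOOT_BIND4), ("BIND 8", NAMED_CONF_BIND8)):
        print(name, audit(cfg, DB_CACHE))
```
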

