LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
03-30-2005, 09:01 PM   #1
odious1 (Member; Registered: Jun 2003; Location: Virginia, USA; Distribution: Slackware)
bind is killing me, need help


I am asking for help because I am at wits' end on this. I noticed in my mail logs bounced mail because of resolution issues. The name server seems to be doing fine other than this one domain. The problem is that everyone else's server doesn't seem to be having a problem with it. If I forward the lookup it does fine, but recursive with no forward and I get a "no servers could be contacted" error.

TcpDump:

Code:
21:06:22.700189 66-207-75-100.sher.dmt.ntelos.net.32774 > 64.4.114.226.domain:  37776+ A? manchester-industries.com. (43) (DF)
21:06:22.701587 64.4.114.226.1105 > d.root-servers.net.domain:  1340 [1au] A? manchester-industries.com. (54) (DF)
21:06:22.757261 d.root-servers.net.domain > 64.4.114.226.1105:  1340-% 0/13/16 (542)
21:06:22.759130 64.4.114.226.1105 > e.gtld-servers.net.domain:  49440 [1au] A? manchester-industries.com. (54) (DF)
21:06:22.861090 e.gtld-servers.net.domain > 64.4.114.226.1105:  49440 FormErr- [0q] 0/0/0 (12) (DF)
21:06:22.861481 64.4.***.226.1105 > e.gtld-servers.net.domain:  45165 A? manchester-industries.com. (43) (DF)
21:06:23.022310 e.gtld-servers.net.domain > 64.4.***.226.1105:  45165- 0/2/2 (122) (DF)
21:06:23.024011 64.4.***.226.1105 > a.gtld-servers.net.domain:  1392 [1au] A? ns1.telcove.net. (44) (DF)
21:06:23.024600 64.4.***.226.1105 > a.gtld-servers.net.domain:  33464 [1au] A? ns2.telcove.net. (44) (DF)
21:06:23.118391 a.gtld-servers.net.domain > 64.4.***.226.1105:  1392 FormErr- [0q] 0/0/0 (12) (DF)
21:06:23.118788 64.4.***.226.1105 > a.gtld-servers.net.domain:  24769 A? ns1.telcove.net. (33) (DF)
21:06:23.120055 a.gtld-servers.net.domain > 64.4.***.226.1105:  33464 FormErr- [0q] 0/0/0 (12) (DF)
21:06:23.120388 64.4.***.226.1105 > a.gtld-servers.net.domain:  13051 A? ns2.telcove.net. (33) (DF)
21:06:23.172268 a.gtld-servers.net.domain > 64.4.***.226.1105:  24769- 1/3/3 A 24.56.102.10 (147) (DF)
21:06:23.173537 64.4.***.226.1105 > 24.56.102.10.domain:  60520 [1au] A? manchester-industries.com. (54) (DF)
21:06:23.224499 a.gtld-servers.net.domain > 64.4.***.226.1105:  13051- 1/3/3 A 24.56.100.10 (147) (DF)
21:06:23.277388 24.56.102.10.domain > 64.4.***.226.1105:  60520*- 1/3/4 (183) (DF)
21:06:25.177680 64.4.***.226.1105 > 24.56.100.10.domain:  15221 [1au] A? manchester-industries.com. (54) (DF)
21:06:25.210220 24.56.100.10.domain > 64.4.***.226.1105:  15221*- 1/3/4 (183) (DF)
It queries root, the tld makes a referral, ns*.telcove.net is authoritative and 24.56.100.10 is the reverse. What could the problem be? What is my server not doing that everyone else is?

Any thoughts would be great...
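As an added example (not code from the original post), here is a small Python parser for tcpdump's one-line DNS summaries like the ones above. It pairs each response with the query carrying the same id, so the delegation chain (root, then the gTLD servers, then the domain's own servers) and the EDNS behaviour become visible: every `[1au]` query that drew `FormErr- [0q]` was retried by the resolver without `[1au]` and then got a normal answer, which is the expected fallback and not a fault. The sample trace is constructed from the lines above with the resolver's own address replaced by the placeholder `resolver.example`; the regexes cover only the summary fields used here (id, `+` for RD, `[1au]` for an EDNS OPT record, rcode, answer/authority/additional counts, `*` for AA, `-` for RA not set).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the tcpdump trace in post #1; the resolver's
# own address is replaced by the placeholder name "resolver.example".
SAMPLE_TRACE = """\
21:06:22.700189 client.example.32774 > resolver.example.domain:  37776+ A? manchester-industries.com. (43) (DF)
21:06:22.701587 resolver.example.1105 > d.root-servers.net.domain:  1340 [1au] A? manchester-industries.com. (54) (DF)
21:06:22.757261 d.root-servers.net.domain > resolver.example.1105:  1340-% 0/13/16 (542)
21:06:22.759130 resolver.example.1105 > e.gtld-servers.net.domain:  49440 [1au] A? manchester-industries.com. (54) (DF)
21:06:22.861090 e.gtld-servers.net.domain > resolver.example.1105:  49440 FormErr- [0q] 0/0/0 (12) (DF)
21:06:22.861481 resolver.example.1105 > e.gtld-servers.net.domain:  45165 A? manchester-industries.com. (43) (DF)
21:06:23.022310 e.gtld-servers.net.domain > resolver.example.1105:  45165- 0/2/2 (122) (DF)
21:06:23.024011 resolver.example.1105 > a.gtld-servers.net.domain:  1392 [1au] A? ns1.telcove.net. (44) (DF)
21:06:23.118391 a.gtld-servers.net.domain > resolver.example.1105:  1392 FormErr- [0q] 0/0/0 (12) (DF)
21:06:23.118788 resolver.example.1105 > a.gtld-servers.net.domain:  24769 A? ns1.telcove.net. (33) (DF)
21:06:23.172268 a.gtld-servers.net.domain > resolver.example.1105:  24769- 1/3/3 A 24.56.102.10 (147) (DF)
21:06:23.173537 resolver.example.1105 > 24.56.102.10.domain:  60520 [1au] A? manchester-industries.com. (54) (DF)
21:06:23.277388 24.56.102.10.domain > resolver.example.1105:  60520*- 1/3/4 (183) (DF)
"""

# Query line: id, optional '+' (RD set), optional '[1au]' (EDNS OPT record), "TYPE? name".
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+):\s+(?P<id>\d+)(?P<rd>\+)?"
    r"(?P<edns> \[1au\])? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)"
)
# Response line: id, flag chars ('*' = AA, '-' = RA not set, others kept verbatim),
# optional rcode, answer/authority/additional counts, optionally the first answer's rdata.
RESP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+):\s+(?P<id>\d+)(?P<flags>[*|$%-]*)"
    r"(?: (?P<rcode>FormErr|ServFail|NXDomain|Refused|NotImp)-?)?"
    r"(?: \[0q\])?\s*(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?: (?P<rdata>[A-Z]+ \S+))?"
)


def parse_trace(trace: str) -> List[dict]:
    """Turn tcpdump DNS summary lines into dicts; lines matching neither form are skipped."""
    events = []
    for line in trace.splitlines():
        m = QUERY_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(kind="query", rd=d["rd"] is not None, edns=d["edns"] is not None)
            events.append(d)
            continue
        m = RESP_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(kind="response", rcode=d["rcode"] or "NoError", aa="*" in d["flags"],
                     an=int(d["an"]), ns=int(d["ns"]), ar=int(d["ar"]))
            events.append(d)
    return events


def summarise(trace: str, resolver: str = "resolver.example") -> Dict[str, object]:
    """Pair the resolver's outgoing queries with their responses and classify them."""
    events = parse_trace(trace)
    # Outstanding queries keyed by (id, server); a response is matched on (id, its source).
    pending = {(e["id"], e["dst"]): e for e in events
               if e["kind"] == "query" and e["src"].startswith(resolver + ".")}
    answered: Dict[str, Tuple[str, bool]] = {}   # qname -> (server, AA flag)
    referrals: List[Tuple[str, str]] = []        # (qname, server) delegations
    formerr: Set[Tuple[str, str]] = set()        # EDNS query rejected with FormErr ...
    fallback_ok: Set[Tuple[str, str]] = set()    # ... and the plain retry then succeeded
    for e in events:
        if e["kind"] != "response":
            continue
        q = pending.pop((e["id"], e["src"]), None)
        if q is None:
            continue                             # response to something we did not send
        key = (q["qname"], e["src"])
        if e["rcode"] == "FormErr" and q["edns"]:
            formerr.add(key)
        elif key in formerr and not q["edns"] and e["rcode"] == "NoError":
            fallback_ok.add(key)
        if e["an"] > 0:
            answered[q["qname"]] = (e["src"], e["aa"])
        elif e["rcode"] == "NoError" and e["ns"] > 0:
            referrals.append(key)
    return {
        "answered": answered,
        "referrals": referrals,
        "edns_fallback_ok": sorted(fallback_ok),
        "edns_fallback_failed": sorted(formerr - fallback_ok),
        "unanswered": sorted(q["qname"] for q in pending.values()),
    }


if __name__ == "__main__":
    for k, v in summarise(SAMPLE_TRACE).items():
        print(k, v)
```

Run against the trace above, `answered` shows manchester-industries.com. answered authoritatively by 24.56.102.10, both FormErr cases land in `edns_fallback_ok`, and `unanswered` is empty; a forward lookup that truly fails would show up as an entry in `unanswered` or `edns_fallback_failed`, which is the first thing to check before blaming the resolver.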
 
03-30-2005, 10:51 PM   #2
fur (Member; Registered: Dec 2003; Distribution: Debian, FreeBSD)
The MTA is most likely set up so that if there is no reverse record found for an IP address it won't relay the mail. This is mostly for spam reasons, and is a common setup most MTAs have implemented on them. So whoever owns manchester-industries.com needs to configure reverse DNS for their domain.


Code:
> manchester-industries.com
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

Non-authoritative answer:
Name:    manchester-industries.com
Address:  24.75.133.148

> 24.75.133.148
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

*** vnsc-pri.sys.gtei.net can't find 24.75.133.148: Non-existent host/domain
>
 
03-30-2005, 11:22 PM   #3
odious1 (Original Poster; Member; Registered: Jun 2003; Location: Virginia, USA; Distribution: Slackware)
Thanks for the reply. You are correct, my MTA bounced the mail because it could not resolve the address. The problem is that it is a legitimate domain and mail that needs to get through. What makes this so confusing is that my slave server will resolve this but the master will not. As you can see from the tcpdump info in my first post, it doesn't seem to be anything related to firewalling. I just don't have enough knowledge to figure this out. And again, I have not noticed any other names not resolving other than this one. Whois reports that the record for manchester-industries.com was updated on 03/25, but how would that explain one server resolving but not another?

Tom
 
03-31-2005, 01:26 AM   #4
fur (Member; Registered: Dec 2003; Distribution: Debian, FreeBSD)
My guess is that there is a problem in the PTR record for that domain, as it's not resolving on any server I have tried it on...

>nslookup 24.75.133.148
Server: nscache1.bflony.adelphia.net
Address: 68.168.224.162

DNS request timed out.
timeout was 2 seconds.
*** Request to nscache1.bflony.adelphia.net timed-out

Here is another example..

DNS server handling your query: ns1.kloth.net
DNS server's address: 213.133.98.149#53

** server can't find 148.133.75.24.in-addr.arpa.: NXDOMAIN

It may be resolving on that one server because it is holding a cached answer. I bet if you were to flush the cache on that server it would quit resolving.

Looking further into this, and checking on Telcove's NS servers for a PTR record for that domain's IP using the "dig" command...

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52784
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;148.133.75.24.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
133.75.24.in-addr.arpa. 10584 IN SOA ns1.telcove.net. hostmaster.telcove.net. 2005031800 10800 3600 604800 43200

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 31 09:13:08 2005
;; MSG SIZE rcvd: 106

Now compare that with this response for one of the IPs of yahoo.com...

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14097
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4

;; QUESTION SECTION:
;70.118.109.216.in-addr.arpa. IN PTR

;; ANSWER SECTION:
70.118.109.216.in-addr.arpa. 932 IN PTR p7.www.dcn.yahoo.com.

;; AUTHORITY SECTION:
118.109.216.in-addr.arpa. 172532 IN NS ns4.yahoo.com.
118.109.216.in-addr.arpa. 172532 IN NS ns5.yahoo.com.
118.109.216.in-addr.arpa. 172532 IN NS ns1.yahoo.com.
118.109.216.in-addr.arpa. 172532 IN NS ns2.yahoo.com.
118.109.216.in-addr.arpa. 172532 IN NS ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com. 137776 IN A 66.218.71.63
ns2.yahoo.com. 102361 IN A 66.163.169.170
ns4.yahoo.com. 125099 IN A 63.250.206.138
ns5.yahoo.com. 125301 IN A 216.109.116.17

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 31 09:21:24 2005
;; MSG SIZE rcvd: 233

Notice the "ANSWER SECTION" that is present in the answer I got for Yahoo's IP, compared to that of manchester-industries.com. Whoever is responsible for that domain needs to fix their PTR record, from the looks of it.
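The reverse-DNS check fur describes in post #2, and the NXDOMAIN-versus-NOERROR difference in the two dig answers above, can be modelled in a few lines. This is an added example, not code from the thread or from any MTA: it answers lookups from a constructed table built from the responses shown in this thread (the A record for p7.www.dcn.yahoo.com is assumed, and two cases are invented: a lookup that times out and a PTR that does not map back), builds the in-addr.arpa name with Python's ipaddress module, confirms that the PTR target resolves back to the IP (forward-confirmed reverse DNS), and turns the result into an SMTP reply. The rule worth copying is that a timeout or SERVFAIL gets a 451 temporary failure, never a 550, so that a resolver hiccup delays legitimate mail instead of bouncing it.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for a resolver: (name, rtype) -> (status, rdata list).
# Entries are taken from the answers shown in this thread, plus assumed/invented ones.
FAKE_DNS: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("148.133.75.24.in-addr.arpa", "PTR"): ("NXDOMAIN", []),             # dig in post #4
    ("70.118.109.216.in-addr.arpa", "PTR"): ("NOERROR", ["p7.www.dcn.yahoo.com"]),
    ("p7.www.dcn.yahoo.com", "A"): ("NOERROR", ["216.109.118.70"]),       # assumed forward record
    ("7.2.0.192.in-addr.arpa", "PTR"): ("NOERROR", ["mail.example.net"]),  # invented: PTR present ...
    ("mail.example.net", "A"): ("NOERROR", ["192.0.2.8"]),                # ... but maps to another IP
    ("1.0.0.10.in-addr.arpa", "PTR"): ("TIMEOUT", []),                   # invented: resolver times out
}


def lookup(name: str, rtype: str, table=FAKE_DNS) -> Tuple[str, List[str]]:
    """Answer from the constructed table; names it does not know behave like NXDOMAIN."""
    return table.get((name, rtype), ("NXDOMAIN", []))


def reverse_check(ip: str, table=FAKE_DNS) -> dict:
    """Look up the PTR for ip and, if one exists, confirm it resolves back to ip (FCrDNS)."""
    addr = ipaddress.ip_address(ip)
    rname = addr.reverse_pointer                  # e.g. 148.133.75.24.in-addr.arpa
    status, ptrs = lookup(rname, "PTR", table)
    if status == "NOERROR" and not ptrs:
        status = "NODATA"                         # name exists but carries no PTR: still no reverse
    result = {"ip": ip, "query": rname, "status": status, "ptr": ptrs, "fcrdns": False}
    fwd_type = "AAAA" if addr.version == 6 else "A"
    for host in ptrs:
        fstatus, addrs = lookup(host, fwd_type, table)
        if fstatus == "NOERROR" and ip in addrs:
            result["fcrdns"] = True
            break
    return result


def smtp_policy(check: dict, reject_missing_ptr: bool = True) -> str:
    """Map a reverse_check result to the SMTP reply an MTA would give the connecting client.
    Lookup failures are temporary (4xx) so the sender retries; only definite answers get 5xx."""
    status = check["status"]
    if status in ("TIMEOUT", "SERVFAIL"):
        return "451 4.7.1 temporary DNS failure, try again later"
    if status in ("NXDOMAIN", "NODATA"):
        if reject_missing_ptr:
            return "550 5.7.1 no reverse DNS for %s" % check["ip"]
        return "250 accepted (no PTR for %s; noted for spam scoring)" % check["ip"]
    if not check["fcrdns"]:
        return "550 5.7.1 PTR %s does not resolve back to %s" % (check["ptr"][0], check["ip"])
    return "250 accepted (%s)" % check["ptr"][0]


if __name__ == "__main__":
    for ip in ("24.75.133.148", "216.109.118.70", "192.0.2.7", "10.0.0.1"):
        print(ip, reverse_check(ip)["status"], "->", smtp_policy(reverse_check(ip)))
```

With `reject_missing_ptr=False` the missing-PTR case is accepted and only logged, which is the softer policy benjithegreat98 describes moving to in post #5; the FCrDNS mismatch and the temporary-failure handling stay the same either way.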
 
03-31-2005, 11:13 AM   #5
benjithegreat98 (Senior Member; Registered: Dec 2003; Location: Shelbyville, TN, USA; Distribution: Fedora Core, CentOS)
Where I work we used to reject if a domain's reverse info was incorrect. It became such a PITA because a whole lot of domains were not configured correctly. And they didn't like it when you tried to tell them that either. It sure blocked a lot of spam, but a lot of legitimate mail got dropped too. The state of TN was even misconfigured. We dropped that method and moved to DNS Black Listing.
 
03-31-2005, 11:35 AM   #6
odious1 (Original Poster; Member; Registered: Jun 2003; Location: Virginia, USA; Distribution: Slackware)
Thanks for all the thoughts on this. I don't know why I just jumped in and assumed that something was wrong with my server, never considering (thanks fur) that cached results could be keeping that domain alive. I am glad and frustrated at the same time because I spent so much time trying to fix something that was not broken. Oh well, live and learn. I use blacklisting on the server as well as explicitly rejecting a lot of IP ranges that have given me trouble in the past. In looking through my logs it doesn't look like the reverse name checking is really catching much (if any) spam. I guess the spammers figured out how to circumvent that a long time ago through spoofing, etc... It sure does pull out the misconfigured legit stuff though. I may have to relax this as benjithegreat mentioned.

thanks again

Tom