[Sysadmin] [ronr at linuxdude.com: bounces]
David Kaufman
david at gigawatt.com
Fri Dec 3 16:37:39 CST 2004
Dean Mah <dmah at shaw.ca> wrote:
> ----- Forwarded message from Ron <ronr at linuxdude.com> -----
> Subject: bounces
>
> Regarding bounces,
> there seems to be an intermittent problem with resolving
> lists.evolt.org, I'm attaching the log entries. We have
> had no network issues and no down time that I'm aware of.
>
> There doesn't seem to be any other valid domains not
> resolving. If I can be of any assistance, let me know.
>
> Regards,
>
> Ron Robertson
I think the problem may be neuro's WASTERS.COM dns server:
whois evolt.org:
[snip most]
Name Server:NS1.EVERYDNS.NET
Name Server:NS2.EVERYDNS.NET
Name Server:NS3.EVERYDNS.NET
Name Server:NS.WASTERS.COM
and, further shooting the trouble...
host lists.evolt.org NS1.EVERYDNS.NET:
lists.evolt.org has address 216.40.227.23
host lists.evolt.org NS2.EVERYDNS.NET:
lists.evolt.org has address 216.40.227.23
host lists.evolt.org NS3.EVERYDNS.NET:
lists.evolt.org has address 216.40.227.23
is all good, but then:
host lists.evolt.org NS.WASTERS.COM
lists.evolt.org is a nickname for aa.houston.tx.us.evolt.org
aa.houston.tx.us.evolt.org has address 216.40.227.23
NS.WASTERS.COM disagrees with the other name servers. The IP address
reported is the same, but (for some reason) it is reported as a CNAME
alias for aa.houston.tx.us.evolt.org instead of an A record. This might
work sometimes but it can't be good. When you try to double-check
that the reverse-ip resolves *back* to the name, it's not found using my
nameserver, which is the way paranoid mailservers would perform this
check, right?
host aa.houston.tx.us.evolt.org
Host not found.
it does resolve if I happen to ask NS.WASTERS.COM:
host aa.houston.tx.us.evolt.org NS.WASTERS.COM
aa.houston.tx.us.evolt.org has address 216.40.227.23
..but 3 dns requests out of 4 won't ask NS.WASTERS.COM, they'll ask
EveryDNS and will get a not-found, since the other 3 EveryDNS servers
haven't had aa.houston.tx.us.evolt.org set up on them.
William, I wasn't going to say anything, but why do you think we need to
run our own DNS, anyway? I've had all of my domains on EveryDNS for
over a year and have been 100% satisfied with the top-notch service
David runs there. Is there some configuration option you can't do
through the EveryDNS.net web interface?
If you just prefer to maintain (and back up) the configuration changes
on a server that you control, the EveryDNS servers can be slaved to
y/our DNS server *privately*, without modifying the public WHOIS record,
so that EveryDNS slurps its data off our (locally-administered and
security-hardened) server, but the bazillions of mailservers all over
the net don't hit y/our machine directly -- they hit one of EveryDNS's
very well connected, and geographically-, network- and
registrar-redundant public dns servers. But what are we hoping to gain
by running our own DNS servers, other than more administration work for
us?
I think we gotta remove this nameserver from the whois record, at least
for now, as it could be causing bounces on more mail servers than just
this one reported directly to Dean, and if we do put it back, not do
that until after all of the nameservers are slaved properly, and
generating consistent responses to queries.
A lot of mail servers have recently begun enforcing stricter checks on
inbound SMTP connections to try to reduce spam and virus volumes. My
company just had an incident about 2 weeks ago where fully *half* of our
major clients were suddenly rejecting mail from us, because we had no
reverse IP setup for the external interface on our firewall. Our
mailserver has a publicly routable IP address, which worked for
*inbound* connections, but we learned that its *outbound* connections
appeared to originate from our firewall. The receiving mailservers were
detecting what the actual origination IP address of our connections was
(which was not who it claimed to be in its HELO message) and they
apparently decided that IP addresses without reverse DNS mapping that
lie in their HELO string are similar enough to the typical sources of spam,
phishing scams, viruses and so on, to reject all connections from. The
fact that this configuration change happened to many seemingly random
external servers at once implies that some fairly common mailserver
software out there was auto-updated that day, or a new release came out,
that imposed this behavior by default. Needless to say we had to set up
reverse DNS for that IP address quickly.
Evolt's current DNS issue is more evil (in terms of ease of debugging),
since that odd cname will only be reported to, and so its reverse ip
will only be *required* by, one in four of the mailservers (that care to
check), and those lookups will fail if they happen to be directed to any
of the other three public DNS servers we publish. Sticky, icky, and
intermittent, indeed.
Please let's remove it from the public WHOIS forthwith. If this
continues to have to be manually maintained in two different places, the
servers will inevitably eventually fall out of sync again, unless or
until the servers are actually slaved.
-dave
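The two checks Dave walks through above (asking every listed name server for the same name and comparing the answers, then doing the reverse-then-forward lookup a strict mail server performs) as an added Python example that is not part of the original thread. The zone data is constructed to mirror the host output quoted in the message, the PTR record is an assumption (the thread shows none), and lookup() is a stand-in for a real resolver so the script runs offline.

```python
from collections import defaultdict

# Constructed answers modelled on the host(1) output quoted in the thread:
# server -> {qname: [(rrtype, rdata), ...]}; a missing qname is "Host not found".
ZONE_VIEWS = {
    "NS1.EVERYDNS.NET": {"lists.evolt.org": [("A", "216.40.227.23")]},
    "NS2.EVERYDNS.NET": {"lists.evolt.org": [("A", "216.40.227.23")]},
    "NS3.EVERYDNS.NET": {"lists.evolt.org": [("A", "216.40.227.23")]},
    "NS.WASTERS.COM": {
        "lists.evolt.org": [("CNAME", "aa.houston.tx.us.evolt.org")],
        "aa.houston.tx.us.evolt.org": [("A", "216.40.227.23")],
    },
}
# Constructed PTR data (assumed; the thread does not show the reverse zone).
PTR = {"216.40.227.23": "aa.houston.tx.us.evolt.org"}

def lookup(server, qname):
    """Records `server` returns for `qname` ([] means not found).
    Replace with a real per-server query (e.g. via dnspython) for live checks."""
    return ZONE_VIEWS.get(server, {}).get(qname, [])

def compare_servers(qname, servers):
    """Ask every authoritative server for qname and list the inconsistencies;
    an empty list means all servers give the same answer."""
    problems = []
    answers = {s: lookup(s, qname) for s in servers}
    groups = defaultdict(list)          # identical answer -> servers giving it
    for s, rrs in answers.items():
        groups[frozenset(rrs)].append(s)
    if len(groups) > 1:
        desc = "; ".join(f"{sorted(rr) or 'NOT FOUND'} from {ss}"
                         for rr, ss in groups.items())
        problems.append(f"{qname}: servers disagree: {desc}")
    # A CNAME target handed out by one server must resolve on *all* of them:
    # a resolver may follow the alias to whichever server it picks next.
    for s, rrs in answers.items():
        for rrtype, target in rrs:
            if rrtype == "CNAME":
                missing = [t for t in servers if not lookup(t, target)]
                if missing:
                    problems.append(f"{target} (CNAME target from {s}): "
                                    f"not found on {missing}")
    return problems

def fcrdns_ok(ip, server):
    """Forward-confirmed reverse DNS as a strict MTA does it: PTR for the IP,
    then forward-resolve that name via `server` and require `ip` to come back."""
    name = PTR.get(ip)
    if name is None:
        return False
    return any(rdata == ip for rrtype, rdata in lookup(server, name) if rrtype == "A")
```

Run against the constructed data, compare_servers() flags both the A/CNAME disagreement and the alias target missing from the three EveryDNS servers, and fcrdns_ok() passes only when the forward lookup happens to land on NS.WASTERS.COM, which is exactly the one-in-four intermittency described above.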