Re: Can anyone tell me what's wrong with this domain?


Steve Linberg, 07-09-2003

Wow. I think you might have nailed it, Bill. I do have incoming TCP
firewalled off in my iptables configuration. I'll check some of the
servers giving rejection messages - if they're all MS, then that's a
virtual lock.

Thank you for checking and providing this excellent tip. Now I just
need to dig back in my logs and find out why I have the firewall
configured that way. However, it seems I'll have to open inbound TCP on
53 to fix the problem, so the reason may be moot.

Thanks again for your sleuthing!

Cheers,

Steve


In article <bedhel$1g9m$1@sf1.isc.org>, Bill Larson <wllarso@swcp.com>
wrote:

> I haven't checked all of the servers that are supposed to serve the
> "literacytent.org" domain, but I have found one interesting thing while
> trying to query dns-auth1.crocker.com for an MX record associated with
> this literacytent.org domain.
>
> Trying to query this server using TCP rather than UDP returns a
> "connection refused" response from the server. Someone is trying to
> "enhance" their ability to provide services by denying services!
> Everyone thinks that shutting off DNS queries using TCP won't have any
> impact because "everyone knows that DNS only uses UDP".
>
> I searched the MARC archives of the bind-users mailing list for
> "exchange tcp" and received a reply from Mark Andrews for a question
> about the Microsoft Exchange Server. (You can get this message at
> <http://marc.theaimsgroup.com/?l=bind-users&m=105391525331498&w=2>.)
> The question and blunt response was:
>
> > Are microsoft's ExchangeServer always uses TCP to query DNS record?
> Yes.
>
> So, if your servers/firewalls are truly configured to reject DNS
> queries made over TCP ***and*** you expect to have to converse with
> people that use MS Exchange, then from Mark's reply you are bound to
> fail.
>
> Anyway, good luck.
>
> Bill Larson
>
> On Monday, July 7, 2003, at 07:12 PM, Steve Linberg wrote:
>
> >
> > On Monday, July 7, 2003, at 07:05 PM, Bill Larson wrote:
> >
> >> Have you considered that since you have delegated this domain to two
> >> name servers on the same network, if there is ANY connectivity
> >> problems - even brief - then the mail servers trying to send mail to
> >> your domain cannot obtain any DNS information?
> >>
> >> Suggestion - Don't have all of your name servers on the same network.
> >> Whenever there is any problem with accessing this network, then all
> >> queries will fail.

> >
> > That's a good suggestion. I only run one machine right now, so my
> > options are a bit limited, but I can see how network failures would
> > cause this kind of outage.
> >
> > I still think I have a different problem, though, because there are
> > some servers that always reject mail to the domain I detailed with the
> > "sender not found in DNS" error. Since I get the rejection notices,
> > that reduces the chance that it's a recurring network error or routing
> > issue - something about the way I have the domain set up appears to be
> > incorrect or incomplete according to at least some criteria. What I
> > was hoping to find was that I left out something important in the zone
> > file or made some other locally-correctible mistake.
> >
> > If it does turn out to be network/routing related and not a
> > misconfiguration in my BIND setup for the domain, then a whole
> > different problem-solving approach kicks in, but for now I'm still
> > going on the assumption that I made an error in the BIND specification
> > and just can't see it.
> >
> > - Steve
> >
> >
> >>
> >> Bill Larson
> >>
> >> On Monday, July 7, 2003, at 04:01 PM, Steve Linberg wrote:
> >>
> >>> In article <becpu9$qb8$1@sf1.isc.org>,
> >>> "Paul & Susan" <pswheele@swbell.net> wrote:
> >>>
> >>>> did you look at your sendmail files to see if they are looking into
> >>>> your dns servers?
> >>>
> >>> Outgoing mail is fine (and I use qmail). The errors are coming from
> >>> *some* destination mailservers who apparently try to look the domain
> >>> up in their DNS and can't find it, or can't find the record type
> >>> they're looking for. I've got both an "IN A" and "MX" for that
> >>> domain, which is what confuses me.
> >>>
> >>> 98-99% of my outgoing mail arrives where it's going just fine, but
> >>> there are some domains it fails for with the above error. I'm
> >>> assuming this is due to a BIND configuration error on my end.
> >>>
> >>

> >

>
>
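The check described in the thread, sending the same MX query to an authoritative server over UDP and over TCP and comparing the outcomes, as an added example that is not part of the original posts. The function names and status strings are this example's own; the server address and domain are passed in by the caller.

```python
import socket
import struct

def build_query(name, qtype=15, qid=0x1234):
    """Encode a minimal DNS query (qtype 15 = MX, class IN, no recursion)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def probe_udp(server, port, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
        except OSError:
            return "refused"          # e.g. ICMP port unreachable
    return "answered" if data[:2] == query[:2] else "mismatch"

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def probe_tcp(server, port, query, timeout=3.0):
    """DNS over TCP prefixes each message with a 2-byte length."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except ConnectionRefusedError:
        return "refused"              # firewall REJECT or nothing listening
    except socket.timeout:
        return "timeout"              # typical of a firewall DROP rule
    except OSError:
        return "error"
    return "answered" if data[:2] == query[:2] else "mismatch"

def check_server(server, name, port=53, timeout=3.0):
    q = build_query(name)
    udp, tcp = probe_udp(server, port, q, timeout), probe_tcp(server, port, q, timeout)
    return {"udp": udp, "tcp": tcp, "tcp_blocked": udp == "answered" and tcp != "answered"}
```

A result with `tcp_blocked` set to true on a server that answers over UDP matches the symptom reported above: resolvers that query over TCP cannot get an answer from it.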

