topic Re: DNS Problem in Operating System - Linux

DNS Problem

Bejoy C Alias — Wed, 09 Mar 2005 01:28:50 GMT

We are having our domain registered as centuryenka.com and hosted our primary/secondary dns and email and web on our on servers. We are using a 64 kbps 1:1 leased line link for our servers. Now the pblm is that some of our customers are complaining that they are not able to send mails to our domain. They are not able to resolve our domain and getting the MX record not found errors ( But around 90 % of customers are able to send mails ) . And this problem is intermittend, this pblm was there before two three weeks and got solved automatically , this may get solved automatically in the coming days. But i am not understanding why this pblm comes again . Whether the link speed should be increased or some other problems ? At the same time I am able to send mails to our domain from most of the web based mails like yahoo hotmail rediff indiatimes etc .

Re: DNS Problem

Florian Heigl (new acc) — Wed, 09 Mar 2005 06:19:48 GMT

You could consider running a secondary DNS outside of Your network (i.e. a cheap dedicated server). DNS queries and responses are done through UDP, so if Your line is highly loaded, they might eventually be lost.

You might be able to get rid of that by doing bandwidth allocations on Your external interface, if the router supports that (cisco systems should be np)

but I can't say for sure that this really is the issue - it would be really great if You could let Your customers supply more exact data of when the problem occurs, so You could compare it to the load on Your line at that time.

Also consider running named in debug mode if the problem persists. the log file is called named.run if I remember correctly and collects quite usefull data.

Re: DNS Problem

Vitaly Karasik_1 — Wed, 09 Mar 2005 08:16:43 GMT

Bejoy,
As for now, you DNS seems to be OK [http://www.dnsstuff.com/tools/lookup.ch?name=centuryenka.com+&type=MX],
but I agree with previous advice - you should add another DNS server [you may ask your friends or your ISP to do this]

Re: DNS Problem

Steven E. Protter — Wed, 09 Mar 2005 08:52:47 GMT

Its probably not a DNS issue.

There are a lot of security upgrades to stop spam that can unwittingly effect inbound mail.

My servers, like aol and others won't accept mail from senders that don't have valid reverse lookup addresses. You'd be suprised how many people don't have that.

The course of action is this:

On the server that accepts/rejects the mail:

fail -f /var/log/maillog

Then have the complaining customer send a mail. See what the reject message is. If its a configuration problem on your server, correct it. If the customer needs assistance in correcting the problem, perhaps their technical support people will help. Or direct them here.

SEP

Re: DNS Problem

Dave Falloon — Wed, 09 Mar 2005 13:06:48 GMT

To add to SEP's point you should speak with the company that owns your IP, the people you are leasing the line from. They should delegate control to you, ie, allow you to manage the reverse records for your IP(s). If they have handed control to your name servers you'll need to setup a zone and allow them to do zone transfers.

Here's a page with lots of info:

http://homepages.tesco.net/~J.deBoynePollard/FGA/avoid-rfc-2317-delegation-example-1.html

Looks like the people you'll need to talk to are:

Bharat Sanchar Nigam Limited

according to apnic ( http://www.apnic.net/apnic-bin/whois.pl?210.212.163.178 )

--Dave

Re: DNS Problem

Dave Falloon — Wed, 09 Mar 2005 13:09:21 GMT

Nevermind, I just checked you have reverse records setup properly.

--Dave

Re: DNS Problem

Bejoy C Alias — Mon, 14 Mar 2005 02:37:22 GMT

The problem seems to be with the firewall rules configured in our server. It was like this
anywhere to anywhere sport 53 dport 1024:65535 accept
anywhere to anywhere dport 53 sport 1024:65535 accept
reject all other udp packets.
When i done a tcpdump -pqti eth1 icmp , it was showing a lot of messages like "ns1.centuryenka.com icmp udp port domain unreachable" . So i made changes in the firewall rules and set it like
anywhere to anywhere sport 53 accept
anywhere to anywhere dport 53 accept.
and reject all other udp packets. This stopped the above messages from coming in the tcpdump . And now those customers who all are unable to send mails are now able to send mails to this doamin .
But iam not understanding why the previous rule was not accepting queries and at the same time most of the customers were able to query and send mails to our domain. Even i was able to use dnsstuff.com and dsnsreport.com to check our domains without any pblms previously.

Re: DNS Problem

Bejoy C Alias — Tue, 15 Mar 2005 02:37:39 GMT

Hi guys...
I got the solution...
Sorry to inform that i forgot one thing to tell u. two weeks before i made changes to the firewall rules so that it will accept dns queries from a port above 1024 . Before that the rule was to accept queries from any port to my server's dns port. This prevented those customers from querying my server because thier queries were coming from the dns port 53 to my server's dns port 53. I found this after checking the tcpdump output. My server was sending " icmp udp port domain unreachable " message to those servers. Now the rules are set to accept queries from 53 or any port above 1024 . I hope no one is using other than these ports for querying dns servers.....
Thanks for your suggestions...

Re: DNS Problem

Bejoy C Alias — Tue, 15 Mar 2005 02:39:11 GMT

Closing the thread....