strange problem with MX records, firewall, Bind and Windows DNS

Simon Waters Simon at wretched.demon.co.uk
Thu May 30 21:09:50 UTC 2002


bindlist wrote:
> 
> Testing shows that queries work for the most part except for one instance
> that is causing mail problems with other mailsystems.
> 
> If, say I am on inner.foo.bar (or a workstation on the net using the
> inner.foo.bar NS) and try to lookup an MX record for some.com, the
> request is forwarded to the external DNS server. Next ns.foo.bar tries to
> lookup the MX record and gets (one example but any such occur taken from a
> cache dump):

> The result sent to the inner.foo.bar nameserver ends up as:
> 
> DNS R  Error:2(Server Fail)

Sorry can you show us what query you actually did.

Use "dig" and show the whole output cut and pasted.
 
> At this point mail gets queued to the outside domain (in this case
> x.berkeley.edu) because the error return is keeping something from falling

I assume you mean ssl.berkeley.edu?

> back to an A record to try to hand mail off to since there is no MX
> record.
> 
> Or at least that's what I thought occurred. If there are no MX records BIND
> would then try for an A record yes?

No, if you ask for an MX record you will get an MX record; most
modern MTAs either ask for MX then A or ask for "ANY" and sort
it out themselves.

But none of this logic is implemented in BIND, you ask the DNS
for an MX, it typically returns no-error and 0 answers (assuming
the domain exists).

> Querying server (# 1) address = x.x.x.x
> got answer:
> HEADER:
>         opcode = QUERY, id = 4, rcode = SERVFAIL
>         header flags:  qr rd ra
>         qdcount = 1, ancount = 0, nscount = 0, arcount = 0

> Anyone got any ideas?

What do you get if you "dig @ns.foo.bar ssl.berkeley.edu mx" from
the inner name server? The debug suggests you should get server
fail. If you do, the external server is broken; if you get an
empty answer, then it is a MS DNS problem and off topic here.

We generally try not to obscure domain names and the like. If
the external name server provides recursion to everyone I could
have answered one of these queries in a couple of seconds.
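
An added example, not part of the original post: the distinction drawn above between SERVFAIL and a no-error reply with 0 answers, as an MTA sees it when deciding whether to fall back to an A record. The header bytes are constructed to match the nslookup debug output quoted in the thread; the function names and the action labels are assumptions made for illustration.

```python
import struct

# DNS RCODE values from the fixed header (RFC 1035 section 4.1.1)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def mx_next_step(msg: bytes) -> str:
    """What an MTA does after an MX query, given the raw response.

    The A-record fallback lives here, in the mail software, not in the
    name server. Simplification: any answer record counts as an MX.
    """
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == NOERROR:
        # 0 answers on an existing name: no MX, so try the A record
        return "use-mx" if h["ancount"] > 0 else "try-a-record"
    if h["rcode"] == NXDOMAIN:
        return "bounce"
    # SERVFAIL and other errors are temporary: mail stays queued
    return "defer"

def make_header(ident: int, rcode: int, ancount: int) -> bytes:
    """Build a response header with flags qr rd ra and one question."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)

# Constructed samples: the SERVFAIL header from the quoted debug output
# (id = 4, qr rd ra, qdcount = 1) and the empty no-error reply.
SERVFAIL_REPLY = make_header(4, SERVFAIL, 0)
NODATA_REPLY = make_header(4, NOERROR, 0)

if __name__ == "__main__":
    for name, msg in (("SERVFAIL", SERVFAIL_REPLY), ("NODATA", NODATA_REPLY)):
        print(name, parse_header(msg)["rcode"], mx_next_step(msg))
```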

