On 12/5/2017 "Lightner, Jeffrey"<jlight...@dsservices.com> wrote:

We're having issues sending email to a user @SIDDHAFLOWERS.COM

Investigation here shows that the issue we have is that your name servers 
(both by name and by IP) are refusing to respond to our name servers.

Their name servers:
NS1.QUICKFIX8.COM
NS2.QUICKFIX8.COM

Our name servers:
DSWADNS1.WATER.COM
DSWADNS2.WATER.COM

We find other name servers, such as those at Google, are able to query their name 
servers.   Based on that I determined their name server IP (for both) is 
74.124.202.236.   However, if I attempt to reach port 53 (DNS) on that IP from 
our name servers it simply fails to connect.   Our Network Security engineer 
did a capture and shows we send packets but never get a response.

Interestingly further testing shows this is an issue from any of our AT&T 
provided IPs:
12.44.84.194
12.44.84.213
12.44.84.214
12.44.84.216
But not from separate QTS Datacenter provided IPs:
209.10.103.136
209.10.103.148

I've reached out to the folks at QuickFix and am waiting to hear back but we've 
seen a similar issue on another domain using separate name servers.    Is it 
possible there is some sort of blacklist for DNS (not email) that people might be 
subscribing to that would cause them to block AT&T IPs?  We can do queries from 
our DNS to most domains but have identified these 2 as problems so suspect there 
might be others.

By the way, I can reach their mail server via command line connection to port 
25 on its IP.   The issue here is purely in querying the DNS servers which of 
course means mail programs can't determine the MX records themselves.

Last night I did see some posts suggesting commenting out query-source, but 
testing that didn't do anything.   We do have our query-source set up for random 
outbound ports, and I verified last night that it still works based on the test 
site for that.

Most of what I find about blacklisting is about spam blacklisting of mail 
servers, not blacklisting of DNS server queries, and it is the latter we are 
experiencing.




Here is a query I just did:

D:\>dig SIDDHAFLOWERS.COM mx @ns1.quickfix8.COM.

; <<>> DiG 9.9.3-P1 <<>> SIDDHAFLOWERS.COM mx @ns1.quickfix8.COM.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63456
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;SIDDHAFLOWERS.COM.             IN      MX

;; ANSWER SECTION:
SIDDHAFLOWERS.COM.      14400   IN      MX      1 aspmx.l.google.COM.
SIDDHAFLOWERS.COM.      14400   IN      MX      10 aspmx2.googlemail.COM.
SIDDHAFLOWERS.COM.      14400   IN      MX      5 alt2.aspmx.l.google.COM.
SIDDHAFLOWERS.COM.      14400   IN      MX      5 alt1.aspmx.l.google.COM.
SIDDHAFLOWERS.COM.      14400   IN      MX      10 aspmx3.googlemail.COM.
SIDDHAFLOWERS.COM.      14400   IN      MX      10 alt3.aspmx.l.google.COM.
SIDDHAFLOWERS.COM.      14400   IN      MX      10 alt4.aspmx.l.google.COM.

;; AUTHORITY SECTION:
SIDDHAFLOWERS.COM.      86400   IN      NS      ns2.quickfix8.COM.
SIDDHAFLOWERS.COM.      86400   IN      NS      ns1.quickfix8.COM.

;; ADDITIONAL SECTION:
ns1.quickfix8.COM.      14400   IN      A       74.124.202.236
ns2.quickfix8.COM.      14400   IN      A       74.124.202.236

;; Query time: 128 msec
;; SERVER: 74.124.202.236#53(74.124.202.236)
;; WHEN: Tue Dec 05 13:08:20 Central Standard Time 2017
;; MSG SIZE  rcvd: 296


D:\>

The problem is not with the "two" name servers for the domain
you are trying to reach.  Note the quotation marks.
I was able to contact the ONE IP address and get a DNS
response.  If, for some reason, you do not have a path
to that IP address, you will not get a response.  And, there
is no fall-back, as both name servers are on the same IP
address.

--Barry Finkel
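Two things in this thread are worth automating: Barry's observation that both NS records resolve to one address (so there is no fall-back if that address is unreachable), and Jeffrey's comparison of queries sent from different source addresses. The script below is an added example, not code from either poster or from ISC. It parses the AUTHORITY and ADDITIONAL sections of a dig transcript (a constructed sample trimmed from the one quoted above), reports whether the whole NS set sits behind a single IP, and includes a small raw-UDP probe that can bind a chosen source address so the same query can be repeated from each of a host's addresses. The function names, the `SOURCES` list and the probe's return shape are assumptions for illustration.

```python
"""Spot a single-IP name-server set and probe it from a chosen source address.

Added example for this bind-users thread; not Barry's, Jeffrey's or ISC's code.
The sample transcript is constructed from the dig output quoted in the thread.
"""
import random
import re
import socket
import struct

# Constructed sample: AUTHORITY/ADDITIONAL sections from the quoted dig run.
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
SIDDHAFLOWERS.COM.      86400   IN      NS      ns2.quickfix8.COM.
SIDDHAFLOWERS.COM.      86400   IN      NS      ns1.quickfix8.COM.

;; ADDITIONAL SECTION:
ns1.quickfix8.COM.      14400   IN      A       74.124.202.236
ns2.quickfix8.COM.      14400   IN      A       74.124.202.236
"""

# One resource record per line in dig's presentation format; only NS/A/AAAA matter here.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)\s*$", re.M)


def parse_rrs(text):
    """Return (owner, type, rdata) triples; names lower-cased with the trailing dot removed."""
    out = []
    for owner, rtype, rdata in RR_RE.findall(text):
        owner = owner.lower().rstrip(".")
        if rtype == "NS":
            rdata = rdata.lower().rstrip(".")
        out.append((owner, rtype, rdata))
    return out


def ns_ip_map(text):
    """Map every NS name in the transcript to the set of glue addresses given for it."""
    rrs = parse_rrs(text)
    ns_names = {rdata for _, t, rdata in rrs if t == "NS"}
    addrs = {name: set() for name in ns_names}
    for owner, t, rdata in rrs:
        if t in ("A", "AAAA") and owner in ns_names:
            addrs[owner].add(rdata)
    return addrs


def fallback_report(text):
    """Distinct addresses behind the NS set; flags the 'two names, one IP' case."""
    servers = ns_ip_map(text)
    distinct = set().union(*servers.values()) if servers else set()
    spof = len(servers) > 1 and len(distinct) == 1
    return {"servers": servers, "distinct_ips": distinct, "single_point_of_failure": spof}


def build_query(qname, qtype=15, rd=False):
    """Minimal wire-format DNS query (qtype 15 = MX). RD is off by default, since the
    target is an authoritative server and dig warned that recursion is not available."""
    txid = random.randrange(0, 65536)
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return txid, header + question


def probe(server_ip, qname, source_ip=None, timeout=3.0):
    """Send one UDP query to server_ip:53, optionally bound to source_ip, and
    return (answered, rcode_or_reason). A timeout here matches the symptom in the
    thread: packets leave, nothing comes back."""
    txid, pkt = build_query(qname)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        if source_ip:
            s.bind((source_ip, 0))  # port 0: kernel picks a random ephemeral source port
        s.sendto(pkt, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return False, "timeout (query sent, no response)"
    except OSError as e:
        return False, f"socket error: {e}"
    finally:
        s.close()
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return False, "malformed or mismatched reply"
    return True, struct.unpack("!H", data[2:4])[0] & 0x000F


if __name__ == "__main__":
    report = fallback_report(SAMPLE_DIG)
    for name, ips in sorted(report["servers"].items()):
        print(f"{name}: {sorted(ips) or 'no glue'}")
    if report["single_point_of_failure"]:
        print("all NS names share one address; no fall-back if it is unreachable")
    # Assumed list of local addresses to compare, as in the thread's AT&T vs QTS test.
    SOURCES = [None]
    for src in SOURCES:
        for ip in sorted(report["distinct_ips"]):
            print(src or "default source", "->", ip, probe(ip, "siddhaflowers.com", src))
```

Run it as-is to see the parser's verdict on the quoted transcript; to reproduce the per-source comparison, put the host's own addresses in `SOURCES` on a machine that holds them. The probe deliberately bypasses the local resolver so that what is measured is raw reachability of port 53 from a given source address, which is what the packet capture in the thread was looking at.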