Incredibly strange DNS / Sendmail problem
I'm encountering a strange DNS / e-mail problem on a mail server running OpenBSD 4.3. Sometimes, DNS returns completely unexpected results. I get two completely different answers to the same DNS query, with the incorrect answers being returned by the DNS server that is being used by the mail server.

For example, whois ruhl.in shows that the name servers are dns1.name-services.com to dns5.name-services.com. Then, dig @dns1.name-services.com -t mx ruhl.in returns:

; <<>> DiG 9.4.2 <<>> @dns1.name-services.com -t mx ruhl.in
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3610
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;ruhl.in.                       IN      MX

;; ANSWER SECTION:
ruhl.in.                1800    IN      MX      10 ASPMX.L.GOOGLE.COM.
ruhl.in.                1800    IN      MX      20 ALT1.ASPMX.L.GOOGLE.COM.
ruhl.in.                1800    IN      MX      30 ALT2.ASPMX.L.GOOGLE.COM.
ruhl.in.                1800    IN      MX      40 ASPMX2.GOOGLEMAIL.COM.
ruhl.in.                1800    IN      MX      50 ASPMX3.GOOGLEMAIL.COM.

;; AUTHORITY SECTION:
ruhl.in.                3600    IN      NS      dns1.name-services.com.
ruhl.in.                3600    IN      NS      dns2.name-services.com.
ruhl.in.                3600    IN      NS      dns3.name-services.com.
ruhl.in.                3600    IN      NS      dns4.name-services.com.
ruhl.in.                3600    IN      NS      dns5.name-services.com.

;; ADDITIONAL SECTION:
dns1.name-services.com. 3600    IN      A       98.124.192.1
dns2.name-services.com. 3600    IN      A       69.64.157.18
dns3.name-services.com. 3600    IN      A       98.124.193.1
dns4.name-services.com. 3600    IN      A       69.64.145.225
dns5.name-services.com. 3600    IN      A       70.42.37.7

But if I use the name server used by the e-mail server, dig -t mx ruhl.in returns:

; <<>> DiG 9.4.2 <<>> -t mx ruhl.in
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26226
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ruhl.in.                       IN      MX

;; ANSWER SECTION:
ruhl.in.                471     IN      CNAME   ghs.google.com.
ghs.google.com.         482751  IN      CNAME   ghs.l.google.com.

;; AUTHORITY SECTION:
l.google.com.           60      IN      SOA     e.l.google.com. dns-admin.google.com. 1380328 900 900 1800 60

When I change the /etc/resolv.conf file on the mail server to swap the order of the DNS servers, dig returns the correct records for a little while, until the records expire, and then switches to the incorrect one! Meanwhile, the DNS server that had been listed first and is now second begins to return the correct records once those records expire.

Has anyone seen this kind of behavior before? Can anyone explain what is happening here? It's driving me up the wall.

Eric Johnson
Re: Incredibly strange DNS / Sendmail problem
On Thu, May 14, 2009 at 10:43:54AM -0500, Eric wrote:
> I'm encountering a strange DNS / e-mail problem on a mail server running OpenBSD 4.3. Sometimes, DNS returns completely unexpected results. I get two completely different answers to the same DNS query, with the incorrect answers being returned by the DNS server that is being used by the mail server.
>
> Meanwhile, the DNS server that had been listed first and is now second begins to return the correct records once those records expire.
>
> Has anyone seen this kind of behavior before? Can anyone explain what is happening here? It's driving me up the wall.
>
> Eric Johnson

What is wrong is how ruhl.in was set up. You *cannot* have a CNAME record if any other type of record exists for that name. Complain to their administrator. See:

dig ruhl.in ANY @dns1.name-services.com
===
;; QUESTION SECTION:
;ruhl.in.                       IN      ANY

;; ANSWER SECTION:
ruhl.in.                1800    IN      CNAME   ghs.google.com.
ruhl.in.                1800    IN      MX      10 ASPMX.L.GOOGLE.COM.
ruhl.in.                1800    IN      MX      20 ALT1.ASPMX.L.GOOGLE.COM.
ruhl.in.                1800    IN      MX      30 ALT2.ASPMX.L.GOOGLE.COM.
ruhl.in.                1800    IN      MX      40 ASPMX2.GOOGLEMAIL.COM.
ruhl.in.                1800    IN      MX      50 ASPMX3.GOOGLEMAIL.COM.
ruhl.in.                1800    IN      SOA     dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181
===

If you need to fix this without their help, you can force a particular routing in sendmail. In /etc/mail/mailertable:

ruhl.in.        relay:[aspm.l.google.com.]

And you rebuild it (cd /etc/mail && make). You would need to be running sendmail with mailertable support (in stock OpenBSD, sendmail.cf, not localhost.cf). It's an ugly hard-coded mess, but the fault is ruhl.in.

-- 
Hugo Villeneuve
h...@eintr.net
http://EINTR.net/
Re: Incredibly strange DNS / Sendmail problem
On 2009-05-14, Eric rabbitearcr...@gmail.com wrote:
> I'm encountering a strange DNS / e-mail problem on a mail server running OpenBSD 4.3. Sometimes, DNS returns completely unexpected results. I get two completely different answers to the same DNS query, with the incorrect answers being returned by the DNS server that is being used by the mail server.
>
> For example, whois ruhl.in shows that the name servers are dns1.name-services.com to dns5.name-services.com. Then, dig @dns1.name-services.com -t mx ruhl.in returns:

They screwed up their domain setup. People aren't as careful with CNAMEs as they should be.

> ; <<>> DiG 9.4.2 <<>> @dns1.name-services.com -t mx ruhl.in
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3610
> ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 5
>
> ;; QUESTION SECTION:
> ;ruhl.in.                       IN      MX
>
> ;; ANSWER SECTION:
> ruhl.in.                1800    IN      MX      10 ASPMX.L.GOOGLE.COM.
> ruhl.in.                1800    IN      MX      20 ALT1.ASPMX.L.GOOGLE.COM.
> ruhl.in.                1800    IN      MX      30 ALT2.ASPMX.L.GOOGLE.COM.
> ruhl.in.                1800    IN      MX      40 ASPMX2.GOOGLEMAIL.COM.
> ruhl.in.                1800    IN      MX      50 ASPMX3.GOOGLEMAIL.COM.
>
> ;; AUTHORITY SECTION:
> ruhl.in.                3600    IN      NS      dns1.name-services.com.
> ruhl.in.                3600    IN      NS      dns2.name-services.com.
> ruhl.in.                3600    IN      NS      dns3.name-services.com.
> ruhl.in.                3600    IN      NS      dns4.name-services.com.
> ruhl.in.                3600    IN      NS      dns5.name-services.com.
>
> ;; ADDITIONAL SECTION:
> dns1.name-services.com. 3600    IN      A       98.124.192.1
> dns2.name-services.com. 3600    IN      A       69.64.157.18
> dns3.name-services.com. 3600    IN      A       98.124.193.1
> dns4.name-services.com. 3600    IN      A       69.64.145.225
> dns5.name-services.com. 3600    IN      A       70.42.37.7
>
> But if I use the name server used by the e-mail server, dig -t mx ruhl.in returns:
>
> ; <<>> DiG 9.4.2 <<>> -t mx ruhl.in
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26226
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ruhl.in.                       IN      MX
>
> ;; ANSWER SECTION:
> ruhl.in.                471     IN      CNAME   ghs.google.com.
> ghs.google.com.         482751  IN      CNAME   ghs.l.google.com.
>
> ;; AUTHORITY SECTION:
> l.google.com.           60      IN      SOA     e.l.google.com. dns-admin.google.com. 1380328 900 900 1800 60
>
> When I change the /etc/resolv.conf file on the mail server to swap the order of the DNS servers, dig returns the correct records for a little while, until the records expire, and then switches to the incorrect one! Meanwhile, the DNS server that had been listed first and is now second begins to return the correct records once those records expire.
>
> Has anyone seen this kind of behavior before? Can anyone explain what is happening here? It's driving me up the wall.
>
> Eric Johnson
Re: Incredibly strange DNS / Sendmail problem
On Thu, May 14, 2009 at 10:43:54AM -0500, Eric wrote:
> I'm encountering a strange DNS / e-mail problem on a mail server running OpenBSD 4.3. Sometimes, DNS returns completely unexpected results. I get two completely different answers to the same DNS query, with the incorrect answers being returned by the DNS server that is being used by the mail server.

It's not that strange.

d...@noc:~$ dig @dns1.name-services.com ruhl.in

; <<>> DiG 9.4.2-P2 <<>> @dns1.name-services.com ruhl.in
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6509
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ruhl.in.                       IN      A

;; ANSWER SECTION:
ruhl.in.                1800    IN      CNAME   ghs.google.com.

;; Query time: 281 msec
;; SERVER: 98.124.192.1#53(98.124.192.1)
;; WHEN: Thu May 14 12:49:13 2009
;; MSG SIZE  rcvd: 53

'ruhl.in' has a CNAME record. Technically, it shouldn't be advertising any other records, but it is, and this is the source of the issue.

If your first query is for the MX record, then your resolver will cache the authoritative MX records from dnsN.name-services.com. If your first query is for an A record, or anything else that will return and cache the CNAME, then your resolver will cache that as the authoritative answer and use that instead of making new MX queries.

##
## MX queried first (after flushing the cache)
##
d...@noc:~$ host -t mx ruhl.in          # first query
ruhl.in mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
ruhl.in mail is handled by 30 ALT2.ASPMX.L.GOOGLE.COM.
ruhl.in mail is handled by 40 ASPMX2.GOOGLEMAIL.COM.
ruhl.in mail is handled by 50 ASPMX3.GOOGLEMAIL.COM.
ruhl.in mail is handled by 10 ASPMX.L.GOOGLE.COM.
d...@noc:~$ host ruhl.in                # second query
ruhl.in is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 209.85.171.121
d...@noc:~$ host -t mx ruhl.in          # cached
ruhl.in mail is handled by 50 ASPMX3.GOOGLEMAIL.COM.
ruhl.in mail is handled by 10 ASPMX.L.GOOGLE.COM.
ruhl.in mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
ruhl.in mail is handled by 30 ALT2.ASPMX.L.GOOGLE.COM.
ruhl.in mail is handled by 40 ASPMX2.GOOGLEMAIL.COM.

##
## MX queried second (after flushing the cache)
##
d...@noc:~$ host ruhl.in                # first query
ruhl.in is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 209.85.171.121
d...@noc:~$ host -t mx ruhl.in          # second query
ruhl.in is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
d...@noc:~$ host -t mx ruhl.in          # cached
ruhl.in is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.

named-checkzone even complains if you set up a zone like this.

d...@noc:~$ cat example.txt
$TTL 1d
@       SOA     noc.example.com. hostmaster.example.com. (
                        2009051400      ; serial
                        16384           ; refresh
                        2048            ; retry
                        1048576         ; expire
                        2560 )          ; minimum
@       NS      ns1.example.com.
@       NS      ns2.example.com.
@       CNAME   ghs.google.com.
@       A       192.168.1.1
@       MX      10 mx0
@       MX      20 mx1
mx0     A       192.168.1.2
mx1     A       192.168.1.3

d...@noc:~$ named-checkzone example.com example.txt
dns_master_load: example.txt:17: example.com: CNAME and other data
dns_master_load: example.txt:17: example.com: CNAME and other data
dns_master_load: example.txt:17: example.com: CNAME and other data
zone example.com/IN: loading from master file example.txt failed: CNAME and other data

For more info: http://www.zytrax.com/books/dns/ch8/cname.html
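The query-order dependence described in the reply above, as an added worked example that is not code from anyone in this thread: a toy caching resolver (an assumed model, not BIND's actual cache logic) loaded with a constructed copy of the ruhl.in data, showing that the answer to an MX query depends on whether the CNAME or the MX set reached the cache first.

```python
# Constructed authoritative data mirroring the thread: ruhl.in carries a CNAME
# *and* MX records, which RFC 1034 forbids.  name -> [(rrtype, rdata), ...]
AUTHORITATIVE = {
    "ruhl.in.": [
        ("CNAME", "ghs.google.com."),
        ("MX", "10 ASPMX.L.GOOGLE.COM."),
        ("MX", "20 ALT1.ASPMX.L.GOOGLE.COM."),
    ],
    "ghs.google.com.": [("CNAME", "ghs.l.google.com.")],
    "ghs.l.google.com.": [("A", "209.85.171.121")],
}


class CachingResolver:
    """Toy resolver (an assumption, not BIND's code): a cached CNAME is followed
    for every query type, and CNAME and other data are never cached together
    for one owner name, so whichever was learned first wins."""

    def __init__(self, authoritative):
        self.auth = authoritative
        self.cache = {}          # owner name -> [(rrtype, rdata), ...]

    def _lookup(self, name, rrtype):
        cached = self.cache.get(name, [])
        if any(t in ("CNAME", rrtype) for t, _ in cached):
            return cached                                # cache hit
        rrs = self.auth.get(name, [])
        # The broken authority answers type-specifically: an MX query gets the
        # MX set; a type it has no data for gets the CNAME instead.
        answer = ([x for x in rrs if x[0] == rrtype]
                  or [x for x in rrs if x[0] == "CNAME"])
        if cached and any(t == "CNAME" for t, _ in answer):
            return answer    # handed to the client, but refused by the cache
        self.cache[name] = cached + answer
        return answer

    def query(self, name, rrtype):
        """Follow CNAMEs like a real resolver; return the answer chain."""
        chain = []
        while True:
            rrs = self._lookup(name, rrtype)
            wanted = [r for t, r in rrs if t == rrtype]
            if wanted:
                return chain + [(name, rrtype, r) for r in wanted]
            cnames = [r for t, r in rrs if t == "CNAME"]
            if not cnames:
                return chain                 # NODATA: nothing left to follow
            chain.append((name, "CNAME", cnames[0]))
            name = cnames[0]


def answers_for(order):
    """Run the query types in order on a fresh cache; return the last chain."""
    r = CachingResolver(AUTHORITATIVE)
    return [r.query("ruhl.in.", t) for t in order][-1]
```

answers_for(["MX", "A", "MX"]) reproduces the first run in the reply (the MX set survives), while answers_for(["A", "MX"]) reproduces the second (the cached CNAME swallows the MX query and the chain ends with no MX at all).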