
reverse DNS failed

I have my domain name (funsunstudio.com) at godaddy.com and have created all of my MX, SPF, & CName records. I kept their nameservers. I have my XServe G5 set up to send and receive mail. I can receive my mail just fine and I can send my mail to most accounts. If I try to send an e-mail to an AOL account I get the following Error Message http://postmaster.info.aol.com/errors/421dnsnr.html:

Reverse DNS lookup for your IP address is failing. AOL does require that all connecting Mail Transfer Agents have established reverse DNS.


Now I went to www.mxtoolbox.com and typed in my IP Address (12.146.245.34) and it said Reverse DNS failed. My email server is mail.funsunstudio.com. Now I can send to just about any other account (only other one that I have had a problem with is roadrunner e-mails). I have a separate IP address for my website and for my e-mail. Everything looks to be right when I do a dig on my domain as well. This was working for a couple days and then it quit working (without me touching anything).


Here is what postconf -n outputs:
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname,localhost.$mydomain,funsunstudio.com
mydomain = funsunstudio.com
mydomain_fallback = localhost
myhostname = mail.funsunstudio.com
mynetworks = 127.0.0.1/32,10.0.0.1/32,12.146.245.32/28
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit
smtpd_tls_key_file =
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_transport = lmtp:unix:/var/imap/socket/lmtp


I am not an open relay and everything else is working great, I just can't seem to get this reverse DNS problem to start working again. Any help would be appreciated.

Posted on Jan 19, 2006 6:51 AM


Jan 19, 2006 10:35 AM in response to Marshall Merritt

Yes, this is correct.

Even if you host your own DNS this will only do for forward resolution. Reverse resolution only works on your own DNS if the owner of your IP Class/Subnet delegates reverse resolution to you (which typically is only done if you have a large number of IPs).

Note: It is only important for reverse resolution to be in place. It doesn't have to resolve to mail.yourdomain.tld, it just has to resolve. Normally providers do something like:
34.245.146.12.in-addr.arpa. 86400 IN PTR 12-146-245-34.clients.isp.tld
This is good enough. Mail servers only check for a resolution, but not if the hosts actually match. This is also because with virtual domains this would never work properly otherwise.

Alex

P.S. Your MX and A records are OK:
; <<>> DiG 9.2.2 <<>> funsunstudio.com mx

;; QUESTION SECTION:
;funsunstudio.com. IN MX

;; ANSWER SECTION:
funsunstudio.com. 3600 IN MX 0 mail.funsunstudio.com.
------------
; <<>> DiG 9.2.2 <<>> mail.funsunstudio.com

;; QUESTION SECTION:
;mail.funsunstudio.com. IN A

;; ANSWER SECTION:
mail.funsunstudio.com. 3568 IN A 12.146.245.34

Jan 25, 2006 10:13 AM in response to Marshall Merritt

Ok so I e-mailed AT&T and they gave me this reply on the 23rd.

"
This is to confirm we have added reverse ip block as a delegation as
requested, which will begin to propagate on our Network at 2:00 PM
Central Time.

*******************

Following is an example of how a partial c class should be set up.

0/27.161.2.12.in-addr.arpa. 3600 SOA dns2.anydomain.com. administrator.anydomain.com. (
2002050202 ; serial
14400 ; refresh (4 hour)
600 ; retry (10 mins)
600000 ; expire (7 day)
86400) ; minimum (1 day)
0/27.161.2.12.in-addr.arpa. 3600 NS dns2.anydomain.com.
0/27.161.2.12.in-addr.arpa. 3600 NS cbru.br.ns.els-gms.att.net.
0/27.161.2.12.in-addr.arpa. 3600 NS dbru.br.ns.els-gms.att.net.
1.0/27.161.2.12.in-addr.arpa. 3600 PTR gw.anydomain.com.
10.0/27.161.2.12.in-addr.arpa. 3600 PTR hidden4.anydomain.com."

So I did that and I am still having the exact same error.

Here is my named.conf file:

zone "funsunstudio.com" in {
file "funsunstudio.com.zone";
type master;
};

zone "245.146.12.in-addr.arpa" IN {
file "db.12.146.245";
type master;
};


Here is my funsunstudio.com.zone file:

$TTL 3600
funsunstudio.com. IN SOA ns1.funsunstudio.com. marshall.funsunstudio.com. (
2006012500 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1h ) ; minimum
funsunstudio.com. IN NS ns1.funsunstudio.com.
funsunstudio.com. IN NS ns2.funsunstudio.com.
funsunstudio.com IN A 12.146.245.42
www IN A 12.146.245.42
ns1 IN A 12.146.245.40
ns2 IN A 12.146.245.41
mail IN A 12.146.245.34
funsunstudio.com. IN MX 0 mail


Here is my db.12.146.245 file:

$TTL 3600
245.146.12.in-addr.arpa. IN SOA ns1.245.146.12.in-addr.arpa. marshall.funsunstudio.com. (
2006012500 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1h ) ; minimum
40.245.146.12.in-addr.arpa. IN NS ns1.funsunstudio.com.
41.245.146.12.in-addr.arpa. IN NS ns2.funsunstudio.com.
40.245.146.12.in-addr.arpa. IN PTR ns1.funsunstudio.com.
41.245.146.12.in-addr.arpa. IN PTR ns2.funsunstudio.com.
34.245.146.12.in-addr.arpa. IN PTR mail.funsunstudio.com.
42.245.146.12.in-addr.arpa. IN PTR www.funsunstudio.com.



Can someone please tell me why I am having so much trouble with this? This is getting really frustrating. Between GoDaddy telling me that they do not allow reverse DNS on their e-mail to AT&T not enabling Reverse DNS the first time, I am getting tired of this runaround. I am hosting all DNS on my servers directly so I can edit all the config files myself. I have been using http://www.mxtoolbox.com to check my status. Any help would be appreciated.

Btw: XServe G5 DP 2.3 & Server 10.4.4

Thanks,
Marshall

Jan 25, 2006 10:45 AM in response to Marshall Merritt

There is still no reverse resolution.
This is either because reverse resolution has not been delegated/delegated properly or because your/the handling DNS is not properly configured.
Are you sure reverse resolution gets delegated to ns1.funsunstudio.com/ns2.funsunstudio.com and not somewhere else? It may be worth waiting an extra day. If the sysadmin at AT&T sent you the notice too early, changes may be visible only after the next update tonight.

Also your DNS is set up to reverse resolve for the whole c class. Unless you own the whole c class this should be changed (this however will not cause your problem, so not to worry).

Jan 30, 2006 5:11 AM in response to Marshall Merritt

Ok so I e-mailed them back and this was the response I got

"This is to confirm name servers have been updated as requested, which
will begin to propagate on our Network at 2:00 PM Central Time.

Thank you

AT&T DNS Technical Support"

That was on the 26th, so last Thursday, & I still have Failed Reverse DNS. Also I know that I was resolving it for the whole C Class; I just wanted to see if that made it work. So what are my options from here? I know my DNS is being hosted correctly on my XServe because if you do any type of dig or lookup it returns the correct addresses and everything, so what's next? I have never had this issue before...

Jan 30, 2006 5:54 AM in response to Marshall Merritt

Marshall,

I just checked your DNS directly and it resolves just fine. However, when I try to lookup through any other DNS it doesn't resolve.

This clearly means that reverse resolution for 12.146.245.34 is not delegated to your name server or blocked "on the road". Could it be your ISP is delegating to a different name server? Did you maybe have another name server before which is still in your ISP's records? Or could it be that GoDaddy is blocking it by any chance?
There aren't many other options left otherwise.

Alex

Jan 30, 2006 6:11 AM in response to pterobyte

Alex,

I did have it resolve to GoDaddy's DNS servers, but when I contacted GoDaddy about Reverse DNS they said they do not allow Reverse DNS to their Nameservers, so I switched them to my XServe. When I did that I sent AT&T an e-mail on the 25th, with the new nameservers, then on the 26th got the following e-mail "This is to confirm name servers have been updated as requested, which will begin to propagate on our Network at 2:00 PM Central Time." So I waited until today for it to spread through the networks.

Also, would you mind telling me how you resolved directly to me?

Thanks for all the help so far Alex, I really appreciate it.

Marshall

Jan 30, 2006 7:04 AM in response to Marshall Merritt

Marshall,

I just checked on AT&T's name server:


--------------
server DBRU.BR.NS.ELS-GMS.ATT.NET

Default server: DBRU.BR.NS.ELS-GMS.ATT.NET
Address: 199.191.128.106#53
12.146.245.34

Server: DBRU.BR.NS.ELS-GMS.ATT.NET
Address: 199.191.128.106#53

Non-authoritative answer:
34.245.146.12.in-addr.arpa canonical name = 34.32/28.245.146.12.in-addr.arpa.

Authoritative answers can be found from:
32/28.245.146.12.in-addr.arpa nameserver = ns1.funsunstudio.com.
32/28.245.146.12.in-addr.arpa nameserver = ns2.funsunstudio.com.
--------------

From what I can tell your network is 12.146.245.32 - 12.146.245.47 which translates to 12.146.245.32/28 in CIDR notation, so it looks OK.

I noticed some intermittent failures on your DNS. Don't know if you are "playing" with it or if there is an issue.
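
Added example, not part of any post in this thread: the AT&T answer above is a classless (sub-/24) reverse delegation, where the parent publishes a CNAME per address and a resolver then asks the delegated name servers for a PTR at the CNAME target. This Python sketch computes those names for the 12.146.245.32/28 block and checks a set of PTR owner names against them; the function names are hypothetical, and the sample data is constructed from the zone file posted on Jan 25.

```python
import ipaddress

def delegated_zone(block):
    """Zone name for a delegated sub-/24 IPv4 block, in the
    '<first>/<len>.<c>.<b>.<a>.in-addr.arpa.' form seen in the thread."""
    net = ipaddress.ip_network(block)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("expected an IPv4 block between /25 and /31")
    a, b, c, first = str(net.network_address).split(".")
    return f"{first}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."

def cname_for(ip, block):
    """(owner, target) of the CNAME the parent zone publishes for one address."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block):
        raise ValueError(f"{ip} is not inside {block}")
    owner = addr.reverse_pointer + "."
    last_octet = str(addr).rsplit(".", 1)[1]
    return owner, f"{last_octet}.{delegated_zone(block)}"

def child_zone_records(block, hosts):
    """PTR lines the delegated server must answer; hosts maps IP -> hostname."""
    return [f"{cname_for(ip, block)[1]} IN PTR {name}."
            for ip, name in hosts.items()]

def unanswered(block, ips, served_owners):
    """Addresses whose CNAME target is not among the PTR owner names served."""
    return [ip for ip in ips if cname_for(ip, block)[1] not in served_owners]

# Constructed sample data, taken from values quoted in the thread.
BLOCK = "12.146.245.32/28"
HOSTS = {
    "12.146.245.34": "mail.funsunstudio.com",
    "12.146.245.40": "ns1.funsunstudio.com",
    "12.146.245.41": "ns2.funsunstudio.com",
    "12.146.245.42": "www.funsunstudio.com",
}
# PTR owner names as written in the db.12.146.245 file posted on Jan 25.
POSTED_OWNERS = {ipaddress.ip_address(ip).reverse_pointer + "." for ip in HOSTS}

if __name__ == "__main__":
    print("zone to serve:", delegated_zone(BLOCK))
    print("CNAME chain:  %s -> %s" % cname_for("12.146.245.34", BLOCK))
    print("no PTR at CNAME target for:", unanswered(BLOCK, HOSTS, POSTED_OWNERS))
    print("\n".join(child_zone_records(BLOCK, HOSTS)))
```

Querying the delegated server directly for 34.245.146.12.in-addr.arpa skips the CNAME step, so it can succeed while lookups through other resolvers, which follow the CNAME, find no PTR.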
