Mail servers cannot resolve domains correctly.

arek199602
Posts: 5
Joined: 2019/10/18 14:05:51

Mail servers cannot resolve domains correctly.

Post by arek199602 » 2019/10/28 17:23:25

Hello,
I have two servers. One of them has the domain name olimpus.local, the other valhalla.local. Both servers have the postfix service installed. I want to send mail between these two servers, but when I run the command dig -t mx olimpus.local on the first server I get
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t mx olimpus.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;olimpus.local. IN MX

;; ANSWER SECTION:
olimpus.local. 172800 IN MX 10 delphos.olimpus.local.

;; AUTHORITY SECTION:
olimpus.local. 172800 IN NS prometheus.olimpus.local.
olimpus.local. 172800 IN NS delphos.olimpus.local.

;; ADDITIONAL SECTION:
delphos.olimpus.local. 172800 IN A 192.168.42.20
prometheus.olimpus.local. 172800 IN A 192.168.42.21
delphos.olimpus.local. 172800 IN AAAA fe80::20c:29ff:fe78:4cb1

;; Query time: 3 msec
;; SERVER: 192.168.42.20#53(192.168.42.20)
;; WHEN: Mon Oct 28 12:09:34 EDT 2019
;; MSG SIZE rcvd: 165
When I run the command dig -t mx valhalla.local on the same server I get
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t mx valhalla.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1323
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;valhalla.local. IN MX

;; AUTHORITY SECTION:
. 10079 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019102800 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.42.20#53(192.168.42.20)
;; WHEN: Mon Oct 28 12:11:15 EDT 2019
;; MSG SIZE rcvd: 118
This is the configuration of my first server:
named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { 127.0.0.1; 192.168.42.20; };
	listen-on-v6 port 53 { ::1; };
	directory	"/var/named";
	dump-file	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file	"/var/named/data/named.recursing";
	secroots-file	"/var/named/data/named.secroots";
	allow-query	{ localhost; 192.168.42.0/24; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	forwarders {
		8.8.8.8;
	};
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "olimpus.local" IN {
	type master;
	file "olimpus.local.zone";
	notify yes;
};

zone "42.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.42.zone";
	notify yes;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
olimpus.local.zone
;
;Data file for olimpus.local
;
$TTL 2D
olimpus.local.	IN SOA	olimpus.local. root.olimpus.local. (
			2014090102	; Serial
			1D		; Refresh
			2H		; Retry
			1W		; Expire
			2D )		; Default TTL

@		IN NS	delphos.olimpus.local.
@		IN NS	prometheus.olimpus.local.
		IN MX	10 delphos.olimpus.local.

@		IN A	192.168.42.20
@		IN A	192.168.42.21
@		IN A	192.168.42.22

delphos		IN A	192.168.42.20
prometheus	IN A	192.168.42.21
aphrodite	IN A	192.168.42.22
vulcan		IN A	192.168.42.23
delphos		IN AAAA	fe80::20c:29ff:fe78:4cb1
dns		IN CNAME delphos
mail		IN CNAME prometheus
www		IN CNAME delphos
192.168.42.zone
$TTL 2D
42.168.192.in-addr.arpa.	IN SOA	delphos.olimpus.local. root.olimpus.local. (
				2014090102	;serial
				259200		;refresh(3 days)
				14400		;retry(4 hours)
				18140		;expire(3 weeks)
				604800		;minimum(1 week)
				)
	NS	delphos.olimpus.local.
;	NS	prometheus.olimpus.local.
20	PTR	delphos.olimpus.local.
;22	PTR	vulcan.olimpus.local.
resolv.conf
# Generated by NetworkManager
search olimpus.local valhalla.local
nameserver 192.168.42.20
nameserver 8.8.8.8
And this is the configuration of my second server:
named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { 192.168.42.25; };
	listen-on-v6 port 53 { ::1; };
	directory	"/var/named";
	dump-file	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file	"/var/named/data/named.recursing";
	secroots-file	"/var/named/data/named.secroots";
	allow-query	{ 192.168.42.0/24; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;
	forwarders {
		8.8.8.8;
	};

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "valhalla.local" IN {
	type master;
	file "valhalla.local.zone";
};

/*zone "42.168.192.in-addr.arpa" {
	type master;
	file "192.168.42.zone";
};*/

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
valhalla.local.zone
$TTL 172800
valhalla.local.	IN SOA	valhalla.local. root.valhalla.local. (
			20141203	; serial
			60		; refresh (1 minute)
			7200		; retry (2 hours)
			604800		; expire (1 week)
			17280		; minimum (2 days)
			);

	NS	odin.valhalla.local.
	MX	10 odin.valhalla.local.

@	IN A	192.168.42.25
odin	IN A	192.168.42.25
resolv.conf
search valhalla.local olimpus.local
nameserver 192.168.42.25
nameserver 192.168.42.20
Of course, sending mail between the servers doesn't work. It only works within the same server.

arek199602
Posts: 5
Joined: 2019/10/18 14:05:51

Re: Mail servers cannot resolve domains correctly.

Post by arek199602 » 2019/10/29 17:19:27

I discovered that when I have a properly working internet connection I get an NXDOMAIN error. But when my connection is lost, the mail servers resolve domains correctly.

When I have no internet:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t mx valhalla.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41192
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;valhalla.local. IN MX

;; ANSWER SECTION:
valhalla.local. 172800 IN MX 10 odin.valhalla.local.

;; AUTHORITY SECTION:
valhalla.local. 172800 IN NS odin.valhalla.local.

;; ADDITIONAL SECTION:
odin.valhalla.local. 172800 IN A 192.168.10.21

;; Query time: 1 msec
;; SERVER: 192.168.42.25#53(192.168.42.25)
;; WHEN: Tue Oct 29 13:19:52 EDT 2019
;; MSG SIZE rcvd: 94
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t mx olimpus.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31503
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;olimpus.local. IN MX

;; ANSWER SECTION:
olimpus.local. 172800 IN MX 10 delphos.olimpus.local.

;; AUTHORITY SECTION:
olimpus.local. 172800 IN NS delphos.olimpus.local.
olimpus.local. 172800 IN NS prometheus.olimpus.local.

;; ADDITIONAL SECTION:
delphos.olimpus.local. 172800 IN A 192.168.1.20
prometheus.olimpus.local. 172800 IN A 192.168.1.21
delphos.olimpus.local. 172800 IN AAAA fe80::20c:29ff:fe78:4cb1
prometheus.olimpus.local. 172800 IN AAAA fe80::20c:29ff:feeb:4443

;; Query time: 0 msec
;; SERVER: 192.168.42.20#53(192.168.42.20)
;; WHEN: Tue Oct 29 13:21:32 EDT 2019
;; MSG SIZE rcvd: 193
When I have internet:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t mx valhalla.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63027
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;valhalla.local. IN MX

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019102900 1800 900 604800 86400

;; Query time: 216 msec
;; SERVER: 192.168.42.20#53(192.168.42.20)
;; WHEN: Tue Oct 29 13:22:13 EDT 2019
;; MSG SIZE rcvd: 118
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t mx olimpus.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;olimpus.local. IN MX

;; ANSWER SECTION:
olimpus.local. 172800 IN MX 10 delphos.olimpus.local.

;; AUTHORITY SECTION:
olimpus.local. 172800 IN NS delphos.olimpus.local.
olimpus.local. 172800 IN NS prometheus.olimpus.local.

;; ADDITIONAL SECTION:
delphos.olimpus.local. 172800 IN A 192.168.1.20
prometheus.olimpus.local. 172800 IN A 192.168.1.21
delphos.olimpus.local. 172800 IN AAAA fe80::20c:29ff:fe78:4cb1
prometheus.olimpus.local. 172800 IN AAAA fe80::20c:29ff:feeb:4443

;; Query time: 0 msec
;; SERVER: 192.168.42.20#53(192.168.42.20)
;; WHEN: Tue Oct 29 13:22:29 EDT 2019
;; MSG SIZE rcvd: 193

maikcat
Posts: 7
Joined: 2019/01/11 13:01:58

Re: Mail servers cannot resolve domains correctly.

Post by maikcat » 2019/10/31 14:06:21

First, I would avoid using the .local extension.
Second, you can try to configure your DNS servers to act as secondaries to each other.
-or-
use the other one as a forwarder and enable recursion on both.

Regards

Michael.
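Both of Michael's options written out as named.conf stanzas. This is an added example, not configuration from the thread or from the CentOS/BIND packages; it assumes the hosts from the posted configs (delphos, 192.168.42.20, authoritative for olimpus.local; odin, 192.168.42.25, authoritative for valhalla.local) and the slaves/ file names are my choice. It addresses what the dig output in the first two posts shows: each named is authoritative only for its own zone, so a query for the other domain goes to the 8.8.8.8 forwarder, the root servers answer an authoritative NXDOMAIN for the non-existent .local TLD, and the stub resolver stops there. When the forwarder is unreachable, named returns SERVFAIL instead, and dig (like glibc) moves on to the next nameserver in resolv.conf, which happens to be the other domain's authoritative server; that is why the offline answers in the SERVER lines come from the other host.

```bind
// ---- On delphos (192.168.42.20), authoritative for olimpus.local ----

// Option A: hold a secondary copy of valhalla.local. Answers are served
// from the local copy with the aa flag, so they do not depend on the
// 8.8.8.8 forwarder being reachable.
zone "valhalla.local" IN {
	type slave;
	masters { 192.168.42.25; };
	file "slaves/valhalla.local.zone";   // assumed path, relative to /var/named
};

// The zone this host owns. allow-transfer is added so that only the hosts
// that should carry a copy can AXFR it (odin, plus prometheus if it is
// really a secondary; the posted config only lists it as an NS).
zone "olimpus.local" IN {
	type master;
	file "olimpus.local.zone";
	notify yes;
	allow-transfer { 192.168.42.21; 192.168.42.25; };
};

// ---- On odin (192.168.42.25), authoritative for valhalla.local ----
zone "olimpus.local" IN {
	type slave;
	masters { 192.168.42.20; };
	file "slaves/olimpus.local.zone";    // assumed path, relative to /var/named
};

zone "valhalla.local" IN {
	type master;
	file "valhalla.local.zone";
	allow-transfer { 192.168.42.20; };
};

// ---- Option B (use instead of the two slave stanzas above) ----
// Forward only the other domain to its authoritative server; every other
// name still goes to the global "forwarders { 8.8.8.8; };" in options.
// On delphos:
zone "valhalla.local" IN {
	type forward;
	forward only;
	forwarders { 192.168.42.25; };
};
// and the mirror image on odin:
zone "olimpus.local" IN {
	type forward;
	forward only;
	forwarders { 192.168.42.20; };
};
```

After editing, run named-checkconf /etc/named.conf and reload named on both hosts, then repeat the failing query against each server explicitly (dig @192.168.42.20 -t mx valhalla.local and dig @192.168.42.25 -t mx olimpus.local): with option A the status should be NOERROR with the aa flag set, and the answer must not change when the uplink is down. Option A is the more robust choice here because both servers run with dnssec-validation yes: a forwarded (option B) answer is validated like any recursive answer, and named accepts the unsigned valhalla.local data only once it can prove from the root zone that "local" has no DS record, which again needs the root to be reachable or cached; authoritative data served from a secondary copy is not validated. Michael's first point also stands on its own: .local is reserved for mDNS (RFC 6762), which is what the warning at the top of every dig output is about, and a name you control or the reserved home.arpa (RFC 8375) avoids leaking mDNS-style names to the public resolvers.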
