Using the Google Domains Dynamic DNS API, How Can I Create Both A and AAAA Records (IPv4 and IPv6)? - google-domains

Google Domains exposes an API to change Dynamic DNS synthetic records. By sending a POST (or GET) request to a specific URL with the scheme https://username:password@domains.google.com/nic/update?hostname=subdomain.yourdomain.com&myip=1.2.3.4, Google will theoretically add an A record or AAAA record with the specified IP address... but not both at the same time.
I seem to be unable to create both an A record (for IPv4 traffic) and an AAAA record (for IPv6 traffic); I just switch from one to the other, like so:
roger@computer:~$ curl -6 -X POST -d "hostname=<subdomain>&myip=<ipv4 address>" https://<username>:<password>@domains.google.com/nic/update
good <ipv4 address>
roger@computer:~$ curl -6 -X POST -d "hostname=<subdomain>&myip=<ipv6 address>" https://<username>:<password>@domains.google.com/nic/update
good <ipv6 address>
roger@computer:~$ curl -4 -X POST -d "hostname=<subdomain>&myip=<ipv6 address>" https://<username>:<password>@domains.google.com/nic/update
nochg <ipv6 address>
roger@computer:~$ curl -4 -X POST -d "hostname=<subdomain>&myip=<ipv4 address>" https://<username>:<password>@domains.google.com/nic/update
good <ipv4 address>
After all these, the record that remains is an A record for my IPv4 address, with no AAAA record.
Is there a way to create both records for a dual-stack machine?

https://support.google.com/domains/answer/6147083
Google has already said that:
Important: Dynamic DNS works with IPv4 and IPv6 addresses, but not at the same time.

Doesn't seem you can. Not documented, but whichever of A or AAAA (or the latest of one or the other) is posted will be recorded. Once one exists, however, you can create a standard record for the other, though that will of course not be dynamic. You cannot create a standard record until a dynamic record has actually been set.

Related

SPF Record for Multiple DKIMs (including MX)

I know very little about mail server administration. I'm piecing together user guides. I've bought a domain name, and [paid] Protonmail which allows using a custom domain. I've had this working for a while, but now I'm having trouble extending it for another DKIM record.
Objectives:
Send and receive email using Protonmail from the custom domain
Send-only email from a Postfix server I'm running
In order to send/receive email using Protonmail through my domain name, I've set up the following TXT records:
Host=@ protonmail-verification=e954fa...
Host=protonmail._domainkey v=DKIM1; k=rsa; p=MGM0....
Host=@ v=spf1 include:_spf.protonmail.ch mx ~all
This has been working for months. Now I'd like to implement objective 2 (above). I created a DKIM key using opendkim:
sudo opendkim-genkey -b 8192 -h rsa-sha256 -r -v --subdomains -s postfix -d $(hostname --domain) && \
sudo sed -i 's/h=rsa-sha256/h=sha256/' postfix.txt
Then I've added the contents from postfix.txt, concatenating the long p string, to my DNS provider with another TXT record:
Host=[MY DOMAIN NAME]._domainkey v=DKIM1; h=sha256; k=rsa; s=email; p=MEEij...
Where I think I'm struggling is with updating the spf record. How should it look? I thought it should be like so:
v=spf1 include:[MY DOMAIN NAME] include:_spf.protonmail.ch mx ~all
However, when testing sending an email from my Postfix server, some client servers reject the email, with the following log in my Postfix server:
E543D5E0003: host mail.tutanota.de[81.3.6.165] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [MY POSTFIX SERVERS IP] (in reply to RCPT TO command)
I'm quite sure there is something wrong in my spf record. Are the arguments correct? And does the order matter? How can I use the Protonmail records for sending and receiving, but restrict my Postfix server to send-only? (does DNS even care about this directionality?)
Ok, let's start debugging this anyways ... (quite frankly, this is not a programming question so superuser would have been the better choice there, but I like that you wanna host your own mail :) )
Your SPF record should look like the following. Your own domain is not needed, because the SPF record is saved in its own DNS records. Otherwise, that would (but won't) build a loop.
v=spf1 include:_spf.protonmail.ch mx ~all
The error itself you are seeing is related to the PTR lookup of your public IP, but could also be caused by the extra include and be a false positive here.
To make sure it's correct anyway, look it up manually:
On Linux:
dig -x <public ip of mail domain>
that will (should) print multiple lines, the one you're interested in:
;; ANSWER SECTION:
XXX.XXX.XXX.XXX.in-addr.arpa. 43200 IN PTR my-domain.com.
On Windows:
nslookup <public ip of mail domain>
prints:
Server: some.dns.server.com
Address: XXX.XXX.XXX.XXX
Name: my-domain.com
Address: <public ip of mail domain>
Crucial here is the "my-domain.com." part. If that is not your mail domain, then your hosting provider will most likely give you a way to change the PTR somewhere.
Try this and then we will look further into it if necessary; of course it's hard to debug without being able to look up all the information ;)
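To make the "self-include" point above concrete, here is an added example (not code from either poster) that parses an SPF TXT record into its terms and flags the problems discussed in this thread: an include of the record's own domain, terms placed after the final all, and the RFC 7208 limit of 10 DNS-lookup terms. The sample records and the domain name are constructed stand-ins for the asker's real values; the placeholder OWN_DOMAIN replaces [MY DOMAIN NAME]. It also shows why order matters: mechanisms are evaluated left to right and the first match wins, so anything after all is dead.

```python
# Constructed sample records, not taken from a real zone.
OWN_DOMAIN = "example.com"  # placeholder for [MY DOMAIN NAME]
PROPOSED = "v=spf1 include:example.com include:_spf.protonmail.ch mx ~all"
CORRECTED = "v=spf1 include:_spf.protonmail.ch mx ~all"

QUALIFIERS = "+-~?"
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}
# Mechanisms/modifiers that cost a DNS lookup under the RFC 7208 budget of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples.

    Modifiers such as redirect=domain come back as ('', 'redirect', 'domain').
    The order of the returned list is the evaluation order: first match wins.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier, never has a qualifier
            name, value = term.split("=", 1)
            parsed.append(("", name.lower(), value))
            continue
        qual = "+"  # the implicit default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]  # strip a CIDR suffix such as a/24 or mx/24
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_spf(record, own_domain):
    """Return a list of human-readable problems; an empty list means it looks sane."""
    problems = []
    terms = parse_spf(record)
    own = own_domain.lower().rstrip(".")
    for _, mech, arg in terms:
        if mech not in KNOWN_MECHANISMS and mech not in KNOWN_MODIFIERS:
            problems.append(f"unknown term '{mech}'")
        if mech == "include" and arg.lower().rstrip(".") == own:
            problems.append(
                "include of own domain: this record is the one being evaluated, "
                "so the include is a self-reference and adds nothing"
            )
    names = [mech for _, mech, _ in terms]
    if "all" in names and names.index("all") != len(names) - 1:
        problems.append("terms after 'all' are never evaluated")
    if "all" not in names and "redirect" not in names:
        problems.append("record has neither an 'all' mechanism nor a redirect")
    lookups = sum(1 for mech in names if mech in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return problems


if __name__ == "__main__":
    for label, rec in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, check_spf(rec, OWN_DOMAIN) or "ok")
```

The 450 "cannot find your reverse hostname" rejection in the question is decided by the receiving server's PTR lookup before SPF is ever consulted, so a clean result from this checker does not clear that error; the dig -x check above does.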

Resolvconf does not add search domains to queries with dots

What I'm trying to do
I'm using Consul for dns, with dnsmasq acting as the proxy (https://www.consul.io/docs/guides/forwarding.html).
As well as querying consul directly (nslookup my.service.consul), I also want to be able to query without the .consul suffix (nslookup my.service).
Environment
Ubuntu 16.04
Config
/etc/resolv.conf
search consul
nameserver 127.0.0.1
/etc/dnsmasq.conf
server=/consul/127.0.0.1#8600
server=8.8.8.8
server=8.8.4.4
/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.10.10.102
netmask 255.255.255.0
gateway 10.10.10.1
The Problem
The problem I have is that queries for my.service do not have the consul search path appended by resolvconf.
If I change /etc/resolv.conf to:
search consul service.consul
nameserver 127.0.0.1
and then search just for my (nslookup my), the service.consul suffix is correctly appended and the query succeeds with an address for my.service.consul.
But consul is not appended to my.service (nslookup my.service), even though the config is identical. Which makes me think that search domains are not appended to dotted queries.
Things I've tried
I've tried dns-search in /etc/network/interfaces. No difference.
I've tried using dnsmasq's resolv-file option to specify a different file. Still no search suffixes added to dotted queries.
I've tried various values for the resolvconf ndots option, but this doesn't work either. It correctly changes whether or not queries with insufficient dots are actually tried (as per the official resolvconf docs), but it never manages to convince resolvconf to add the .consul suffix to a dotted query: my.service.
(And a load of other combinations of those files and dnsmasq options that I tried before I even worked out that this was the problem... but which no longer seems relevant.)
So my question ultimately is...
How do I persuade resolvconf to add the consul suffix for my dotted query my.service to get my.service.consul?
Please also bear in mind that I DO want the service to be manually specified in my queries and DO NOT want it as part of the dns search domain in resolv.conf. Particularly as consul has quite a dynamic dns search facility for datacenters etc and I'll quickly hit the 6 domain limit for the search entries in resolv.conf if I try to specify all the allowable combinations.
In resolv.conf: options ndots:2
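Why options ndots:2 fixes it is easier to see with a model of the search-list rules. The following is an added example, not code from the question or from resolvconf: it reproduces the candidate order that resolv.conf(5) documents for the search and ndots options. A name with fewer than ndots dots is tried with each search domain appended before it is tried as-is; a name with ndots or more dots is tried as-is first. As I understand the tools, BIND's dig and nslookup stop at that point for dotted names, while glibc's res_search falls back to the search list afterwards, so the function takes a search_after_absolute flag to show both behaviours. The names and search domains are the ones from the question; the zone content is constructed.

```python
# Constructed zone data: only the Consul name exists, standing in for dnsmasq
# forwarding *.consul to Consul and everything else to 8.8.8.8.
ZONE = {"my.service.consul.": "10.10.10.102"}


def query_candidates(name, search, ndots=1, search_after_absolute=False):
    """Return the fully qualified names a stub resolver would try, in order.

    - A name ending in '.' is absolute and is never searched.
    - Fewer than ndots dots: each search domain is appended first, then the
      name is tried as-is (the resolv.conf(5) rule).
    - ndots or more dots: the name is tried as-is first. With
      search_after_absolute=True the search list is tried afterwards, which
      models glibc's res_search fallback; False models dig/nslookup, which
      do not search such names at all.
    """
    if name.endswith("."):
        return [name]
    searched = [f"{name}.{domain}." for domain in search]
    absolute = [f"{name}."]
    if name.count(".") < ndots:
        return searched + absolute
    return absolute + (searched if search_after_absolute else [])


def resolve(name, search, ndots=1, search_after_absolute=False):
    """Try each candidate against the constructed zone; return (fqdn, address) or None."""
    for fqdn in query_candidates(name, search, ndots, search_after_absolute):
        if fqdn in ZONE:
            return fqdn, ZONE[fqdn]
    return None


if __name__ == "__main__":
    for ndots in (1, 2):
        print(f"ndots:{ndots}", query_candidates("my.service", ["consul"], ndots),
              "->", resolve("my.service", ["consul"], ndots))
```

The trade-off of raising ndots is that every name with a single dot (google.com, for instance) now goes through the search list first, so each such lookup costs an extra query to the consul suffix before the real answer arrives; the 6-entry search limit mentioned in the question is unaffected because ndots changes the dot threshold rather than adding domains.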

Linux : How to route to interface based on destination port?

I have a script that makes a lot of Whois queries. If I use only one interface I will get banned. But I have eth1 and eth1:0 to eth1:13, so 15 ip addresses to rotate these queries.
How can I call that whois command so that I specify which interface it will use for the query?
I've seen this post but I cannot add the routing table because my interfaces already have a route used to specify the gateway.
e.g. route add -net x.x.x.32/29 gw x.x.X.33 dev eth1
So my plan is to somehow change the route for destination port 43 only, then make the query, then remove that route, set another, make the other query, etc. A little bit like this:
route add -port 43 dev eth1
whois example.com
route del -port 43 dev eth1
route add -port 43 dev eth1:0
whois example.org
route del -port 43 dev eth1:0
route add -port 43 dev eth1:1
whois example.net
route del -port 43 dev eth1:1
...
WARNING: -port does not work indeed.
So, what would be the simplest way to achieve that without messing up the rest of the traffic of the server?
Thanks!
Ok so I answer my own question.
This is obviously not a solution that works for everything other than whois, but it can do the trick for a lot of protocols.
Use curl to make the query, since curl has an interface option.
Of course you need to have a list of whois servers like this one.
e.g. in perl:
use strict;
use warnings;
use WWW::Curl::Easy;

my $curl = WWW::Curl::Easy->new;
# whois listens on TCP port 43; curl is given the host:port with no scheme
$curl->setopt(CURLOPT_URL, "whois.crsnic.net:43");
# CURLOPT_INTERFACE is curl's --interface: the local address the query leaves from
$curl->setopt(CURLOPT_INTERFACE, "1.2.3.4");
# the custom request string is what gets written first on the connection
$curl->setopt(CURLOPT_CUSTOMREQUEST, "example.com\r\n");
my $curldata = "";
$curl->setopt(CURLOPT_WRITEDATA, \$curldata);
my $retcode = $curl->perform;
die "curl failed: " . $curl->strerror($retcode) . " ($retcode)\n" if $retcode != 0;
print("$curldata\n");
Then you can parse $curldata to find the thin whois server and do the same thing on it.
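The curl custom-request trick above works, but the same effect is available directly: whois is a plain TCP protocol (RFC 3912, one query line terminated by CRLF, server replies and closes), and binding the client socket to a local address selects the interface exactly as curl's --interface does, leaving the routing table and the rest of the server's traffic untouched. The following is an added example, not code from the answer: it sends a whois query from a chosen source address and extracts the "Whois Server:" referral that a thin registry returns. So that it runs offline, the block also contains a constructed stand-in whois server on 127.0.0.1 with a canned reply; the reply text, the registrar name and the demo() helper are all constructed.

```python
import re
import socket
import threading


def whois_query(query, server, source_ip=None, port=43, timeout=10):
    """Send one RFC 3912 whois request and return the full reply as text.

    source_ip, when given, is bound as the local address of the connection,
    which is what picks the outgoing interface (the eth1:N aliases in the
    question each carry one such address).
    """
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection((server, port), timeout=timeout, source_address=src) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:  # the server closes the connection when it is done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Thin registries (e.g. for .com) answer with a referral line naming the
# registrar's whois server; both spellings seen in the wild are accepted.
REFERRAL_RE = re.compile(r"^\s*(?:Registrar )?Whois Server:\s*(\S+)", re.I | re.M)


def referral_server(reply):
    """Return the referred-to whois server from a thin reply, or None."""
    match = REFERRAL_RE.search(reply)
    return match.group(1).rstrip(".") if match else None


# Constructed reply in the style of a thin registry answer (not real data).
CONSTRUCTED_REPLY = (
    "   Domain Name: EXAMPLE.COM\r\n"
    "   Registrar WHOIS Server: whois.registrar.example\r\n"
    "   Name Server: A.IANA-SERVERS.NET\r\n"
)


def start_fake_whois_server(reply_text):
    """Constructed stand-in whois server on 127.0.0.1 that answers one connection.

    It exists only so the example runs offline; returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # read the query line; the reply is canned
            conn.sendall(reply_text.encode("ascii"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def demo():
    """Round trip against the fake server from a bound loopback source address."""
    port = start_fake_whois_server(CONSTRUCTED_REPLY)
    reply = whois_query("example.com", "127.0.0.1", source_ip="127.0.0.1", port=port)
    return referral_server(reply)


if __name__ == "__main__":
    print("referral:", demo())
```

Against a real registry you would pass the registry's whois host and one of the addresses configured on the eth1 aliases as source_ip, then call whois_query again on whatever referral_server returns; the bind is the only step that differs from a plain client.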

ip route del does not delete entire table

I have recently started using ip route commands for advanced routing stuff. Now I have come across something rather puzzling to me. A default route added to a table will be easily deleted whereas another route remains.
I add these two rules:
ip route add dev wlan0 default via 192.168.0.1 table 21
ip route add dev wlan0 192.168.0.0/24 table 21
Now if I do:
ip route show table 21
I see both of these rules present.
default via 192.168.0.1 dev wlan0
192.168.0.0/24 dev wlan0 scope link
If I then try to delete table 21, and show it again:
ip route del table 21
ip route show table 21
There is still that rule remaining.
192.168.0.0/24 dev wlan0 scope link
Can anyone explain this? The man page says that del is designed to delete a ROUTE, which also includes tables.
As @user3291010 has already pointed out, to delete a full table, use the following command:
This command deletes table 21:
ip route flush table 21
The command you tried is used to remove specific rules from a table. It wants a prefix to match on. When you didn't supply the prefix, it just deleted the first entry, which happened to be the default route.
To remove the second entry, and only the second entry, you could run this command:
ip route delete table 21 192.168.0.0/24
As far as I know, there is no way to delete all entries using the delete command.
Maybe try:
ip route flush table 21

How do I find the authoritative name-server for a domain name?

How can I find the origins of conflicting DNS records?
You'll want the SOA (Start of Authority) record for a given domain name, and this is how you accomplish it using the universally available nslookup command line tool:
command line> nslookup
> set querytype=soa
> stackoverflow.com
Server: 217.30.180.230
Address: 217.30.180.230#53
Non-authoritative answer:
stackoverflow.com
origin = ns51.domaincontrol.com # ("primary name server" on Windows)
mail addr = dns.jomax.net # ("responsible mail addr" on Windows)
serial = 2008041300
refresh = 28800
retry = 7200
expire = 604800
minimum = 86400
Authoritative answers can be found from:
stackoverflow.com nameserver = ns52.domaincontrol.com.
stackoverflow.com nameserver = ns51.domaincontrol.com.
The origin (or primary name server on Windows) line tells you that ns51.domaincontrol is the main name server for stackoverflow.com.
At the end of output all authoritative servers, including backup servers for the given domain, are listed.
You used the singular in your question, but there are typically several authoritative name servers; RFC 1034 recommends at least two.
Unless you mean "primary name server" and not "authoritative name server". The secondary name servers are authoritative.
To find out the name servers of a domain on Unix:
% dig +short NS stackoverflow.com
ns52.domaincontrol.com.
ns51.domaincontrol.com.
To find out the server listed as primary (the notion of "primary" is quite fuzzy these days and typically has no good answer):
% dig +short SOA stackoverflow.com | cut -d' ' -f1
ns51.domaincontrol.com.
To check discrepancies between name servers, my preference goes to the old check_soa tool, described in Liu & Albitz's "DNS & BIND" book (published by O'Reilly). The source code is available at http://examples.oreilly.com/dns5/
% check_soa stackoverflow.com
ns51.domaincontrol.com has serial number 2008041300
ns52.domaincontrol.com has serial number 2008041300
Here, the two authoritative name servers have the same serial number. Good.
On *nix:
$ dig -t ns <domain name>
You could find out the nameservers for a domain with the "host" command:
[davidp@supernova:~]$ host -t ns stackoverflow.com
stackoverflow.com name server ns51.domaincontrol.com.
stackoverflow.com name server ns52.domaincontrol.com.
I found that the best way is to always add the +trace option:
dig SOA +trace stackoverflow.com
It also works with recursive CNAMEs hosted at different providers. +trace implies +norecurse, so the result is just for the domain you specify.
The term you should be googling is "authoritative," not "definitive".
On Linux or Mac you can use the commands whois, dig, host, nslookup or several others. nslookup might also work on Windows.
An example:
$ whois stackoverflow.com
[...]
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
As for the extra credit: Yes, it is possible.
aryeh is definitely wrong, as his suggestion usually will only give you the IP address for the hostname. If you use dig, you have to look for NS records, like so:
dig ns stackoverflow.com
Keep in mind that this may ask your local DNS server and thus may give wrong or out-of-date answers that it has in its cache.
We've built a dns lookup tool that gives you the domain's authoritative nameservers and its common dns records in one request.
Example: https://www.misk.com/tools/#dns/stackoverflow.com
Our tool finds the authoritative nameservers by performing a realtime (uncached) dns lookup at the root nameservers and then following the nameserver referrals until we reach the authoritative nameservers. This is the same logic that dns resolvers use to obtain authoritative answers. A random authoritative nameserver is selected (and identified) on each query allowing you to find conflicting dns records by performing multiple requests.
You can also view the nameserver delegation path by clicking on "Authoritative Nameservers" at the bottom of the dns lookup results from the example above.
Example: https://www.misk.com/tools/#dns/stackoverflow.com@f.root-servers.net
You can use the whois service. On a UNIX like operating system you would execute the following command. Alternatively you can do it on the web at http://www.internic.net/whois.html.
whois stackoverflow.com
You would get the following response.
...text removed here...
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
You can use nslookup or dig to find out more information about records for a given domain. This might help you resolve the conflicts you have described.
I have found that for some domains, the above answers do not work. The quickest way I have found is to first check for an NS record. If that doesn't exist, check for an SOA record. If that doesn't exist, recursively resolve the name using dig and take the last NS record returned. An example that fits this is analyticsdcs.ccs.mcafee.com.
Check for an NS record
host -t NS analyticsdcs.ccs.mcafee.com.
If no NS found, check for an SOA record
host -t SOA analyticsdcs.ccs.mcafee.com.
If neither NS or SOA, do full recursive and take the last NS returned
dig +trace analyticsdcs.ccs.mcafee.com. | grep -w 'IN[[:space:]]*NS' | tail -1
Test that the name server returned works
host analyticsdcs.ccs.mcafee.com. gtm2.mcafee.com.
An easy way is to use an online domain tool. My favorite is Domain Tools (formerly whois.sc). I'm not sure if they can resolve conflicting DNS records though. As an example, the DNS servers for stackoverflow.com are
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
SOA records are present on all servers further up the hierarchy, over which the domain owner has NO control, and they all in effect point to the one authoritative name server under control of the domain owner.
The SOA record on the authoritative server itself is, on the other hand, not strictly needed for resolving that domain, and can contain bogus info (or hidden primary, or otherwise restricted servers) and should not be relied on to determine the authoritative name server for a given domain.
You need to query the server that is authoritative for the top level domain to obtain reliable SOA information for a given child domain.
(The information about which server is authoritative for which TLD can be queried from the root name servers).
When you have reliable information about the SOA from the TLD authoritative server, you can then query the authoritative primary name server itself (the one that's in the SOA record on the gTLD nameserver!) for any other NS records, and then proceed with checking all those name servers you've got from querying the NS records, to see if there is any inconsistency for any other particular record on any of those servers.
This all works much better and more reliably with Linux and dig than with nslookup/Windows.
Unfortunately, most of these tools only return the NS record as provided by the actual name server itself. To be more accurate in determining which name servers are actually responsible for a domain, you'd have to either use "whois" and check the domains listed there OR use "dig [domain] NS @[root name server]" and run that recursively until you get the name server listings...
I wish there were a simple command line that you could run to get THAT result dependably and in a consistent format, not just the result that is given from the name server itself. The purpose of this for me is to be able to query about 330 domain names that I manage so I can determine exactly which name server each domain is pointing to (as per their registrar settings).
Anyone know of a command using "dig" or "host" or something else on *nix?
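The delegation walk that the last two posts ask for (start at a root server, follow NS referrals until a server answers authoritatively, as the misk.com answer describes) is short enough to write out. The following is an added example, not code from any of the answers or from the tool mentioned: find_authoritative() performs the walk against an injectable query function, and simulated_query() stands in for "dig +norecurse NS <name> @<server>" using a constructed delegation tree, so the block runs offline. The ns51/ns52.domaincontrol.com names are the ones the answers above show for stackoverflow.com; the root and .com server names in the tree are placeholders for this example.

```python
# Constructed delegation tree standing in for live DNS. Each zone lists the
# servers that host it and the child zones it delegates (with their servers).
DELEGATIONS = {
    ".": {
        "servers": ["a.root-servers.net."],
        "children": {"com.": ["a.gtld-servers.net."]},
    },
    "com.": {
        "servers": ["a.gtld-servers.net."],
        "children": {
            "stackoverflow.com.": ["ns51.domaincontrol.com.", "ns52.domaincontrol.com."],
        },
    },
    "stackoverflow.com.": {
        "servers": ["ns51.domaincontrol.com.", "ns52.domaincontrol.com."],
        "children": {},
    },
}


def _in_zone(name, zone):
    """True when name is at or below zone (both fully qualified)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def simulated_query(server, name):
    """Stand-in for a non-recursive NS query sent to one server.

    Returns ('referral', child_zone, servers) when the server hands the name
    off to a child zone it delegates, or ('authoritative', zone, servers) when
    the name lies in a zone the server hosts with no closer delegation.
    """
    for zone, data in DELEGATIONS.items():
        if server in data["servers"]:
            break
    else:
        raise LookupError(f"{server} hosts no zone in the constructed tree")
    # The closest enclosing delegation wins, so test the longest child first.
    for child in sorted(data["children"], key=len, reverse=True):
        if _in_zone(name, child):
            return "referral", child, data["children"][child]
    return "authoritative", zone, data["servers"]


def find_authoritative(name, query=simulated_query,
                       root_servers=("a.root-servers.net.",), max_hops=16):
    """Walk the delegation chain from the root, as a resolver does.

    Returns (authoritative_servers, path) where path is the list of
    (zone, server_asked) hops taken. max_hops bounds the walk so a
    misconfigured or looping delegation cannot spin forever.
    """
    if not name.endswith("."):
        name += "."
    zone, servers, path = ".", list(root_servers), []
    for _ in range(max_hops):
        server = servers[0]  # a real walk would try the others on failure
        path.append((zone, server))
        kind, zone, servers = query(server, name)
        if kind == "authoritative":
            return servers, path
    raise RuntimeError(f"no authoritative answer for {name} within {max_hops} referrals")


if __name__ == "__main__":
    ns, path = find_authoritative("stackoverflow.com")
    for hop_zone, hop_server in path:
        print(f"asked {hop_server} (hosting {hop_zone})")
    print("authoritative:", ns)
```

To run this live, replace simulated_query with a function that sends a non-recursive NS query to the given server (dig +norecurse NS name @server, or a DNS library) and reports "authoritative" when the response has the aa flag set and "referral" when it carries only an authority section; the walk itself, including the hop limit, stays the same. Because every hop asks the delegating parent rather than the child, the result reflects the registrar's delegation, which is the listing the last post wants, not what the zone's own NS records claim.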
