I have a main server where are placed the DNS records for a domain (eg: example.com), but this domain has another server only for webmail. The DNS setup is working fine: I can access example.com through the browser and the webmail can send/receive emails (from webmail.example.com - A/MX DNS records are ok).
The problem is that on example.com there's a page where I send emails to contact#example.com and this is not being delivered - it works with anything else (Gmail, Hotmail etc).
I've tried some different things I found on Google/StackOverflow to fix it but without success.
exim -bt noreply#example.com (returns: router = localuser, transport = local_delivery)
exim -bt contact#example.com (returns: contact#example.com is undeliverable: Unrouteable address)
Where noreply# was created on the main server to send the emails from that page and contact# was created at the second server (webmail server). It looks like Exim4 is always looking for internal email addresses for this domain, even though the MX record is setup for another server.
How I could fix it? Exim4 should look for the MX record instead of trying to deliver it locally.
Thank you.
you have set example.com as a local domain. don't do that except on the MX server for example.com.
When troubleshooting DNS issues (specifically whether a domain is resolving), what is the proper way to check so that you get accurate results? DNS info is cached throughout the internet, and different machines (like local machine) or service (like pingdom) has different results.
How to check the DNS so that you know what you will get after it propagates?
Working with Heroku and CloudFlare.
In most common cases you can use tools such as: dig or host. Both tools are made for query name servers to retrieve info. You can also use a simple "ping something.domain.com" in order to see if IP has changed. But I suggest you to use different DNS's on the computer you're using to test. Actually Google DNS replicate so fast ( 8.8.8.8 ).
Not on purpose DNS poisoning: Keep in mind if you're pinging something that is recently configured/changed on your name server and still not propagated you'll "poison" the DNS's cache and this data is going to expire, but later...( Always depending on domain name TTL's of course ).
Using a new DNS wich never has known that domain you're sure the request is made for the first time and it's going to be made without asking any cache.
Example:
To get all the DNS servers for domain.com:
$ host -t ns domain.com
domain.com name server ns2.domain.com.
domain.com name server ns3.domain.com.
To ask a domain name for something.domain.com:
$ dig #nameserver something.domain.com
You can also ask for TXT, CNAME types and so on...
Examples:
AXFR retrieval test:
$ dig #domainname domain.com AXFR
Or get all Mail Exchange (MX) server for a domain:
$ host -t MX domain.com
domain.com mail is handled by 10 smtp.godo.com.
domain.com mail is handled by 20 smtp2.godo.com.
Hope it helps.
Cheers! :)
http://en.wikipedia.org/wiki/Nslookup
To get a "Non-authoritative" answer from your local name server that would be e.g.:
nslookup test.com
To check the name server where the domain is listed that would be e.g.:
nslookup test.com nameServerOfTest.com
My Question
Hello All! Man, I love Stack Overflow :)
Anyway, I am configuring my first ever Mail Server and want to do it right.
The actual server is configured and working great so just need a bit of help with the rdns & SFP public records of my domains. I have spent days researching but I am utterly confused so could do with a much appreciated hand.
Using this sample data below:
Domains the mail server handles: example.com, example.co.uk, example.net
Mail Server IP (For IMAP and SMTP): 123.123.123.123 for all domains
Website Server IP (A Record / For Port 80 HTTP): 101.101.101.101 = .com, 102.102.102.102 = .co.uk, 103.103.103.103 = .net
How do I setup the records?
My best guesses
rdsn set correct so emails not rejected as spam
Am I right in thinking that rdns is configured around the domains A records as follows:
rdns 101.101.101.101 = example.com
rdns 102.102.102.102 = example.co.uk
rdns 103.103.103.103 = example.net
And that the mail server on IP 123.123.123.123 can rdns to whatever my ISP decides? Or does the mail server IP rdsn have to point to one of the same IPs above (say 101.101.101.101 for the .com) in which case, whatabout the .co.uk and the .net? Is'nt RDNS set only one domain per IP? I've read a lot of conflicting information on all of this.
spf set correct so emails not rejected as spam
Do I set the below the same for each domain?
v=spf1 mx:example.com mx:example.co.uk mx:example.net ~all
Or do I need a new domain which points straight to my mail server? Say:
mail.example.com (A Record / For Port 80 HTTP): 123.123.123.123
&
v=spf1 mx:mail.example.com ~all
Set as the SPF for example.com, example.co.uk and example.net?
Any help on the above MUCH MUCH MUCH loved and appreciated. Thanks a lot. And ignore my best guesses if they are way off, only shown to display what I have learnt so far.
Also please note I have full control over rdsn, dns and MX records and spf txt etc on all my domains and IPs so whatever needs doing - i'll do it!
Many thanks. :)
I have configured a set of DNS records at a new DNS provider. The configuration is complex, with load-balancing, SSL, etc, there are things that could go wrong.
I want to test this configuration before changing the namespace records at registrar.
Is there any way to locally provide my machine with the new nameserver for the domain?
Are there any tools that might help with this?
Please note: I don't want to just update the A records (e.g. in /etc/hosts) - I want to specifically check the nameserver is returning the A and CNAME records.
If you're on a *nix system, you should be able to use either nslookup or dig. With both of those commands you can specify what server you would like to query. Simply use your new nameserver as the server. With dig, the query would look something like
dig #<your-nameserver> <hostname-to-look-up>
So, if you wanted to query google's public dns server and ask it about the address www.google.com, you'd use
dig #8.8.8.8 www.google.com
which, amongst other things, would tell you that www.google.com is an alias for www.l.google.com -- and then would give you a bunch of IP address (A records) for that name.
For both Windows and my remote Linux(CentOS) servers I use nslookup tool which works on both platforms:
nslookup new-sub.domain.com 8.8.8.8
// and for more details:
nslookup -debug new-sub.domain.com 8.8.8.8
How can I find the origins of conflicting DNS records?
You'll want the SOA (Start of Authority) record for a given domain name, and this is how you accomplish it using the universally available nslookup command line tool:
command line> nslookup
> set querytype=soa
> stackoverflow.com
Server: 217.30.180.230
Address: 217.30.180.230#53
Non-authoritative answer:
stackoverflow.com
origin = ns51.domaincontrol.com # ("primary name server" on Windows)
mail addr = dns.jomax.net # ("responsible mail addr" on Windows)
serial = 2008041300
refresh = 28800
retry = 7200
expire = 604800
minimum = 86400
Authoritative answers can be found from:
stackoverflow.com nameserver = ns52.domaincontrol.com.
stackoverflow.com nameserver = ns51.domaincontrol.com.
The origin (or primary name server on Windows) line tells you that ns51.domaincontrol is the main name server for stackoverflow.com.
At the end of output all authoritative servers, including backup servers for the given domain, are listed.
You used the singular in your question but there are typically several authoritative name servers, the RFC 1034 recommends at least two.
Unless you mean "primary name server" and not "authoritative name server". The secondary name servers are authoritative.
To find out the name servers of a domain on Unix:
% dig +short NS stackoverflow.com
ns52.domaincontrol.com.
ns51.domaincontrol.com.
To find out the server listed as primary (the notion of "primary" is quite fuzzy these days and typically has no good answer):
% dig +short SOA stackoverflow.com | cut -d' ' -f1
ns51.domaincontrol.com.
To check discrepencies between name servers, my preference goes to the old check_soa tool, described in Liu & Albitz "DNS & BIND" book (O'Reilly editor). The source code is available in http://examples.oreilly.com/dns5/
% check_soa stackoverflow.com
ns51.domaincontrol.com has serial number 2008041300
ns52.domaincontrol.com has serial number 2008041300
Here, the two authoritative name servers have the same serial number. Good.
On *nix:
$ dig -t ns <domain name>
You could find out the nameservers for a domain with the "host" command:
[davidp#supernova:~]$ host -t ns stackoverflow.com
stackoverflow.com name server ns51.domaincontrol.com.
stackoverflow.com name server ns52.domaincontrol.com.
I found that the best way it to add always the +trace option:
dig SOA +trace stackoverflow.com
It works also with recursive CNAME hosted in different provider. +trace trace imply +norecurse so the result is just for the domain you specify.
The term you should be googling is "authoritative," not "definitive".
On Linux or Mac you can use the commands whois, dig, host, nslookup or several others. nslookup might also work on Windows.
An example:
$ whois stackoverflow.com
[...]
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
As for the extra credit: Yes, it is possible.
aryeh is definitely wrong, as his suggestion usually will only give you the IP address for the hostname. If you use dig, you have to look for NS records, like so:
dig ns stackoverflow.com
Keep in mind that this may ask your local DNS server and thus may give wrong or out-of-date answers that it has in its cache.
We've built a dns lookup tool that gives you the domain's authoritative nameservers and its common dns records in one request.
Example: https://www.misk.com/tools/#dns/stackoverflow.com
Our tool finds the authoritative nameservers by performing a realtime (uncached) dns lookup at the root nameservers and then following the nameserver referrals until we reach the authoritative nameservers. This is the same logic that dns resolvers use to obtain authoritative answers. A random authoritative nameserver is selected (and identified) on each query allowing you to find conflicting dns records by performing multiple requests.
You can also view the nameserver delegation path by clicking on "Authoritative Nameservers" at the bottom of the dns lookup results from the example above.
Example: https://www.misk.com/tools/#dns/stackoverflow.com#f.root-servers.net
You can use the whois service. On a UNIX like operating system you would execute the following command. Alternatively you can do it on the web at http://www.internic.net/whois.html.
whois stackoverflow.com
You would get the following response.
...text removed here...
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
You can use nslookup or dig to find out more information about records for a given domain. This might help you resolve the conflicts you have described.
I have found that for some domains, the above answers do not work. The quickest way I have found is to first check for an NS record. If that doesn't exist, check for an SOA record. If that doesn't exist, recursively resolve the name using dig and take the last NS record returned. An example that fits this is analyticsdcs.ccs.mcafee.com.
Check for an NS record
host -t NS analyticsdcs.ccs.mcafee.com.
If no NS found, check for an SOA record
host -t SOA analyticsdcs.ccs.mcafee.com.
If neither NS or SOA, do full recursive and take the last NS returned
dig +trace analyticsdcs.ccs.mcafee.com. | grep -w 'IN[[:space:]]*NS' | tail -1
Test that the name server returned works
host analyticsdcs.ccs.mcafee.com. gtm2.mcafee.com.
An easy way is to use an online domain tool. My favorite is Domain Tools (formerly whois.sc). I'm not sure if they can resolve conflicting DNS records though. As an example, the DNS servers for stackoverflow.com are
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM
SOA records are present on all servers further up the hierarchy, over which the domain owner has NO control, and they all in effect point to the one authoritative name server under control of the domain owner.
The SOA record on the authoritative server itself is, on the other hand, not strictly needed for resolving that domain, and can contain bogus info (or hidden primary, or otherwise restricted servers) and should not be relied on to determine the authoritative name server for a given domain.
You need to query the server that is authoritative for the top level domain to obtain reliable SOA information for a given child domain.
(The information about which server is authoritative for which TLD can be queried from the root name servers).
When you have reliable information about the SOA from the TLD authoritative server, you can then query the primary name server itself authoritative (the one thats in the SOA record on the gTLD nameserver!) for any other NS records, and then proceed with checking all those name servers you've got from querying the NS records, to see if there is any inconsistency for any other particular record, on any of those servers.
This all works much better/reliable with linux and dig than with nslookup/windows.
Unfortunately, most of these tools only return the NS record as provided by the actual name server itself. To be more accurate in determining which name servers are actually responsible for a domain, you'd have to either use "whois" and check the domains listed there OR use "dig [domain] NS #[root name server]" and run that recursively until you get the name server listings...
I wish there were a simple command line that you could run to get THAT result dependably and in a consistent format, not just the result that is given from the name server itself. The purpose of this for me is to be able to query about 330 domain names that I manage so I can determine exactly which name server each domain is pointing to (as per their registrar settings).
Anyone know of a command using "dig" or "host" or something else on *nix?