#1
MX Records - Crazy behavior
Hi all

I have hosted a DNS server on my machine - 61.95.134.168. I have set up the A records and the MX records appropriately. I am able to receive mails too... So, where's the problem?

When I leave my system for 3 to 4 hrs, which means when nobody queries the DNS server for such a time, any mails sent from external domains don't reach me. If I go to dollardns or dnsstuff, query for the MX records, then try to send a mail... the mail comes immediately.

Someone, please help me in understanding this behavior of MX records, I mean the DNS server... It must be some refresh settings in DNS... I am just not able to figure it out.

HELP PLEASE

Regards
roarking
#2
Shame on you for not giving your domain so that we can figure out what's wrong with it!!!

At this point the best way for me to help you is by showing you an example: DollarDNS Zone Transfer

There are only two records which affect mail:

    dollardns.net.       MX  10 mail.dollardns.net.
    mail.dollardns.net.  A   68.51.39.58

__________________
Send me a private message if you would like me to set up your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/set up fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links: Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts
#3
what statements do ppl make
Silent rage
I thought the IP would be sufficient for you to figure it out.. Anyway, I wanted help from you ppl.. I don't intend to hear statements like "Shame on you" and stuff like that, Mr. Silent Rage. However much knowledge you have, that does not mean you can just say whatever comes to your mind... I always thought support forums are there to help ppl and not pass such crap comments. Anyway, from the IP, it is not rocket science to figure out what the domain is. I never thought support forums would give me such a great answer.

Obviously I know that there are 2 records that matter for sending mails: one A record and one MX record which should point . I have no qualms in giving the details... But I don't feel like it after hearing such great statements.

SilentRage, people come to these forums for help and not to hear such statements as you made. Hope you realize that.

roarking
#4
My gosh are you sensitive. heh. Good thing I'm not, or I'd react with emotion too. Don't know if you noticed, but I had tried to help, and you seem to be the first person to complain about my approach. It is up to you to forgive any errant behavior due to my repeatedly telling people to provide their domain. Not only does this seem to be common sense to me, but if they searched the forum they'd see my often repeated admonishment that people need to give their real domain. Most people are not as tolerant as I am, and it is in your best interests to be tolerant with those trying to help you. I have a right to be frustrated, and I have a right to voice my frustration. You have no idea how many people's questions went unanswered before I came in here. I don't need people to thank me, but the least they can do is not criticize me.
There is only one unfair comment you made that I want to reply directly to and that is this notion that anybody with a bit of DNS know-how could find the domain associated with your IP. Well let's just see:

61.95.134.168 Name Server List

There we got the list of name servers responsible for what that IP points to.

    dnsdel.mantraonline.com
    dnsbom.mantraonline.com

Looks like neither name server is configured for the domain. 'tis a shame. But let's try the IP next:

61.95.134.168

Nope, doesn't even look like your own name server knows what the IP is supposed to point to. I tried all this before I made my reply. I was at work at the time, so I did not have access to my website logs. Now I do, and now I have spent the time searching them for your dns crawler queries.

    dig @server.numberplus.com numberplus.com mx

And now I have PROOF that you configured your MX records correctly. I NEVER assume somebody knows what they're talking about. I skip right by their words and go straight to testing their domain so that my reply can be based on verifiable facts. This way I can answer questions more quickly, thoroughly, and with more efficiency.

And finally... the problem may have something to do with the fact your server is returning "non-authoritative" answers. Is this a slave server to some stealth master server or something? It's also a smart idea to get reverse dns setup.

Last edited by SilentRage : April 10th, 2004 at 01:21 PM.
#5
Hi SilentRage and other members
I just couldn't take the comment. Hence my reaction. SilentRage, you are definitely doing great help for a lot of people who have loads of DNS queries for their domain. No doubt about it. If you feel I have criticized, please do not, as I never meant it that way. A reply like ---Domain Name ???? --- would have served the purpose, right?

Yes, there could be some people who do not provide the necessary data. But my humble request is for you to tone down your frustration levels a bit, because most of the time it could be that the user might assume a few things... I happen to be one of them. I thought my ISP provider had put in a reverse DNS entry so that the domain name is just a click away.... My bad. I should have checked my assumption. Silent Rage.. No hard feelings, man.

The nameservers that you provided in the response are my ISP and they have not put in a reverse DNS entry.

dnsbom.mantraonline.com - is my ISP

I am running a DNS server for my zone numberplus.com where the hostname is server.numberplus.com. Yes, I think it is a slave to the master DNS server that is being maintained at my ISP. This is my guess.

You said -- returning "non-authoritative" answers -- Can you please tell me what I should do to make it return authoritative answers?

roarking
#6
Well, if you certainly are a slave to another server (something I'm just gonna have to trust ya on since I can't verify it) then you need to reconfigure your server to be a master for the zone. It is extremely rare that a server would return non-authoritative for a query when it is a domain host. The only exception I can think of is when the domain host is a slave, and it has not been able to contact the master for an extended period of time until it expires (expiration interval set in the SOA record). A "non-authoritative" answer basically means the server is saying "oh, I dunno, I'm just guessin". For some name servers, guessing might be enough, but others may discard the answer completely. That could be the explanation to your problem.
I did a bit more snooping and found that you are running BIND 8.2.3. It's fairly easy to switch from slave to master with that server. Just open up your named.conf and change that zone's statement "type slave;" to "type master;" and delete the "masters {};" line. Or I suppose the "easy" way is to tell your ISP to get with the program.

Last edited by SilentRage : April 11th, 2004 at 03:29 AM.
#7
Yes, I will certainly check the solutions you have suggested.
I had run the DNS report for the domain. It says:

------------------------------------------------------
Warning: Your NS records at your authoritative DNS servers have TTLs that do not match what the parent servers report: TTL for NS record server.numberplus.com. is 172800 at parent versus 45024 at 61.95.134.168. In some cases, this can cause some serious problems. For example, if the parent servers have a 172800 second TTL (48 hours), and your authoritative DNS servers report a TTL of 3600 seconds (1 hour), you are saying that the parent DNS servers do not have the correct information. But, after 1 hour your DNS records may time out. At that point a DNS resolver will need to get fresh NS records. This can cause a serious problem in some cases.
------------------------------------------------------

Could you throw some light on the above warning? I want to understand where did I specify 172800 in my configuration.. The data file doesn't show that number. Also the 45024 seconds... Where is the report taking these values from?

----------------------------------------------
My DNS data is:

    ;
    ;  Database file numberplus.com.dns for numberplus.com zone.
    ;      Zone version:  17
    ;

    @                        IN  SOA server.numberplus.com.  hostmaster.numberplus.com. (
                                 17           ; serial number
                                 43200        ; refresh
                                 600          ; retry
                                 2419200      ; expire
                                 82800      ) ; default TTL

    ;
    ;  Zone NS records
    ;

    @                        NS  connect.numberplus.com.
    @                        NS  dnsbom.mantraonline.com.
    dnsbom.mantraonline.com. A   202.56.240.5

    ;
    ;  Zone records
    ;

    @                        A   61.95.134.168
    @                        MX  10  numberplus.com.
    connect                  A   192.168.0.3
                             A   61.95.134.168
    server                   A   61.95.134.168
    www                      CNAME  numberplus.com.

----------------------------------------------

-roarking
#8
DNS Report:
The parent vs authoritative servers having different TTLs is the most obscure problem I've heard of. Out of the dozens and dozens of people I've helped on this forum, perhaps only 2 of them had problems related to differing TTLs. The result of this problem should be some clients are not able to access your website or mail server or anything configured under that domain sometimes.

Your NS record TTL is taken from 1 of 2 locations since I doubt you have it explicitly specified. Either it was taken from the $TTL line or the SOA minimum TTL (a.k.a. default TTL). To fix this problem change this record:

    numberplus.com. NS server.numberplus.com.

To:

    numberplus.com. 172800 NS server.numberplus.com.

What? You say that record doesn't exist in the zone file you showed me? Well that's cause it wasn't the right file. The information dns report and I pulled from your server is different from the file you showed me. Something else that is odd is your file is formatted like Microsoft DNS Server files. Your server reports that it is BIND 8.2.3.

Last edited by SilentRage : April 11th, 2004 at 05:25 AM.
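Added example, not part of the thread or any poster's code: the two checks discussed in posts #6 and #8 (does the zone's own server answer authoritatively, and does its NS TTL match the parent's), run over constructed dig-style output. The response text and the helper names `parse`, `ns_ttls` and `audit` are assumptions for illustration; the TTLs 172800 and 45024 are the values from the DNS report quoted in post #7.

```python
import re

# Constructed dig-style responses (not captured from the real servers).
PARENT_REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
numberplus.com.\t172800\tIN\tNS\tserver.numberplus.com.
"""
ZONE_SERVER_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
numberplus.com.\t45024\tIN\tNS\tserver.numberplus.com.
"""

FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
RR_RE = re.compile(r"^(\S+)[ \t]+(\d+)[ \t]+IN[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.M)

def parse(text):
    """Return (header flags, [(owner, ttl, type, rdata), ...]) from dig output."""
    m = FLAGS_RE.search(text)
    flags = set(m.group(1).split()) if m else set()
    records = [(n.lower(), int(ttl), t.upper(), d.lower())
               for n, ttl, t, d in RR_RE.findall(text)]
    return flags, records

def ns_ttls(records, zone):
    """Map each NS target for the zone apex to the TTL it was served with."""
    return {d: ttl for n, ttl, t, d in records if t == "NS" and n == zone}

def audit(parent_text, server_text, zone):
    """Compare the parent's delegation with what the zone's own server returns."""
    findings = []
    _, parent_rrs = parse(parent_text)
    flags, server_rrs = parse(server_text)
    # A server that hosts the zone should set the aa (authoritative answer) flag.
    if "aa" not in flags:
        findings.append("non-authoritative: zone server answered without the aa flag")
    parent, served = ns_ttls(parent_rrs, zone), ns_ttls(server_rrs, zone)
    for host, ttl in sorted(parent.items()):
        if host not in served:
            findings.append(f"NS {host} delegated by parent but not served")
        elif served[host] != ttl:
            findings.append(f"NS {host} TTL {ttl} at parent vs {served[host]} at zone server")
    return findings

if __name__ == "__main__":
    for finding in audit(PARENT_REFERRAL, ZONE_SERVER_REPLY, "numberplus.com."):
        print(finding)
```

A TTL that decreases between repeated queries to the same server is another sign that it is answering from cache rather than from its own zone data.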
#9
Yes, the file is in Microsoft DNS format. I am using the DNS Server from Win2k3 server.

Exactly, the problem you pointed out was happening. My mail server was not being accessed for some time from a lot of external domains.. But when I try to refresh, change some settings and test with the SMTP test utility that is available on Zoneedit.com, I am able to get mails from outside.

Can I go ahead with your suggestion, even though it is an MS DNS format file?

    numberplus.com. NS server.numberplus.com.

To:

    numberplus.com. 172800 NS server.numberplus.com.

roarking
#10
sure, remove the existing NS records and add the modified NS record I suggested.
However, that won't please me. I'm not convinced the TTL issue is the reason for your problem. I think something else is awfully fishy, so I'm going to start verifying some things. Execute the following commands at the DOS command prompt:

    ipconfig /all > C:\ipconfig.txt
    netstat -an | find "53" > C:\netstat.txt

Attach the 2 files to your next post. Then we're going to do some tests using nslookup depending on what I find. Make sure to execute the above commands on the server with the IP address you mentioned in your first post.

Last edited by SilentRage : April 11th, 2004 at 06:21 AM.
#11
Hi SilentRage
I have manually updated the TTL value.

Please find attached the 2 files.

All the server, DNS, and mail are running on the same machine. It has 2 LAN cards, one for the ISP and one for the LAN.

roarking
#12
Alright, I'm convinced. I think what we have here is a Microsoft DNS Server pretending to be BIND in the version.bind. I've never looked at version.bind on other MS DNS Servers so it could be normal. For certain there is no evidence that BIND is anywhere. So now I'm going to treat this like a MS problem (doubting whether they can get anything right).
Due to the many unknowns of the MS dns server's relationship with the files and Active Directory, I can't be sure of anything except what I see. It may be that you have the wrong file, it may be that you have the right file but it is being ignored. I decided not to put you through nslookup tests. However, the next step is for you to enable zone transfers so that I can pull up a full record listing for your domain.

I've tried to help MS DNS Server users in the past and utterly failed, so don't get your hopes up. You're lucky I'm helping you at all, I strongly dislike failure. But I've learned a lot since I first started helping on this board, and I have a few last-resort tricks up my sleeve which I don't think MS can do anything but BOW DOWN before.

Last edited by SilentRage : April 11th, 2004 at 08:27 AM.
#13
I have manually changed the TTL option, but I guess, as you say, the problem seems to be somewhere else, as the DNS report still gives TTL warnings..

Maybe we need to change MS settings in some obscure places so that TTL discrepancies don't happen.

Yes, I have changed the DNS Server option to allow zone transfer.