DNS lookup stops at 2 mx records

Peter Hope

We recently upgraded our W2K/Exchange2000 box to SP4 (OS)
and Exchange SP3. After doing so, several domains that we
send messages to generate NDRs (i.e. capgroup.com,
pcb.ub.es, ucla.edu). We could email these domains prior
to the SP upgrades. The common thread with the domains
that we cannot connect to is that they have multiple mx
records with mail relays. Apparently DNS will now only
attempt to connect to the 2 lowest mx records and then
fail. I have verified this by examining the
c:\winnt\system32\logfiles\smtpsvc1\*.log. Within these
files you will see entries like:

149.142.194.218 OutboundConnectionResponse - 25
149.142.194.218 OutboundConnectionCommand - 25
149.142.194.14 OutboundConnectionResponse - 25
149.142.194.14 OutboundConnectionCommand - 25

In this case it only tried the first two email servers at
ucla.edu, which then results in the message being stuck in
the outbound queue. We have a reverse pointer record with
our ISO and I have run a successful scan on
www.dnsreports.com for our domain.

Any suggestions?

Peter Hope
IT Manager
Locus Pharmaceuticals, Inc.
 
Ace Fekay [MVP]

In
Peter Hope said:
We recently upgraded our W2K/Exchange2000 box to SP4 (OS)
and Exchange SP3. After doing so, several domains that we
send messages to generate NDRs (i.e. capgroup.com,
pcb.ub.es, ucla.edu). We could email these domains prior
to the SP upgrades. The common thread with the domains
that we cannot connect to is that they have multiple mx
records with mail relays. Apparently DNS will now only
attempt to connect to the 2 lowest mx records and then
fail. I have verified this by examining the
c:\winnt\system32\logfiles\smtpsvc1\*.log. Within these
files you will see entries like:

149.142.194.218 OutboundConnectionResponse - 25
149.142.194.218 OutboundConnectionCommand - 25
149.142.194.14 OutboundConnectionResponse - 25
149.142.194.14 OutboundConnectionCommand - 25

In this case it only tried the first two email servers at
ucla.edu, which then results in the message being stuck in
the outbound queue. We have a reverse pointer record with
our ISO and I have run a successful scan on
www.dnsreports.com for our domain.

Any suggestions?

Peter Hope
IT Manager
Locus Pharmaceuticals, Inc.

The only thing I can see different is with those domains you mentioned they
seem to have a large return result, and when the result is larger than 512
bytes, the transport is changed from UDP to TCP to accommodate, unless EDNS0
is used (but that's only with W2k3 DNS). Any query attempt uses UDP first
unless the result is greater than 512 bytes, in which case TCP is attempted.
Using nslookup I couldn't see the full results until I did a "set vc" which
forces it to use TCP instead of UDP.

My only thought is a firewall?
Are you using a forwarder? If not, try using 4.2.2.2.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
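
The UDP-then-TCP behaviour described in the reply above, as an added example that is not part of the original thread: it sends a plain (non-EDNS0) MX query over UDP, checks the truncation (TC) flag in the reply header, and repeats the query over TCP/53 only when TC is set. The function names and the sample bytes are constructed for illustration; the DNS server address is supplied by the caller.

```python
import socket
import struct

QTYPE_MX, QCLASS_IN = 15, 1
TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word

def build_mx_query(name, txid=0x1234):
    """Encode a recursive MX question for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_MX, QCLASS_IN)

def parse_header(msg):
    """Return the header fields that matter for the UDP-vs-TCP decision."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "truncated": bool(flags & TC_BIT),
            "rcode": flags & 0x000F, "answers": an, "size": len(msg)}

def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf

def mx_lookup(name, server, timeout=5.0):
    """Query over UDP; if TC is set, repeat over TCP/53 as nslookup 'set vc' does.
    A timeout or refusal on the TCP leg while UDP worked points at a firewall."""
    query = build_mx_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        udp = parse_header(u.recvfrom(4096)[0])
    if not udp["truncated"]:
        return {"udp": udp, "tcp": None}
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)  # TCP adds a 2-byte length
        (length,) = struct.unpack("!H", _recv_exact(t, 2))
        return {"udp": udp, "tcp": parse_header(_recv_exact(t, length))}

# Constructed sample: header of a truncated UDP reply (QR=1, TC=1, RD=1, RA=1).
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 2, 0, 0)
```

Comparing the `answers` count of the UDP and TCP results shows how many MX records a client limited to the truncated UDP reply would miss.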
 
Ace Fekay [MVP]

In
Ace Fekay said:
The only thing I can see different is with those domains you
mentioned they seem to have a large return result, and when the
result is larger than 512 bytes, the transport is changed from UDP to
TCP to accommodate, unless EDNS0 is used (but that's only with W2k3
DNS). Any query attempt uses UDP first unless the result is greater
than 512 bytes, in which case TCP is attempted. Using nslookup I
couldn't see the full results until I did a "set vc" which forces it
to use TCP instead of UDP.

My only thought is a firewall?
Are you using a forwarder? If not, try using 4.2.2.2.

I wanted to add, here's more information on the TCP vs UDP use; this
one states that it uses TCP by default.
263237 - XCON Windows 2000 and Exchange 2000 SMTP Use TCP DNS Queries:
http://support.microsoft.com/default.aspx?scid=kb;en-us;263237

But do try that forwarder. If you feel the forwarder is not working, you can
force the SMTP service to use a DNS server other than your internal servers.

Scroll down to the "Query an Exchange SMTP Service External DNS Server"
section:
http://www.tacteam.net/isaserverorg/exchangekit/dnssupport/dnssupport.htm

Hope all of these options steer you in the right direction. I would try the
forwarder first.




--
Regards,
Ace

 
Guest

Ace,

Maybe so... however when you try to telnet to these
domains' two lowest mx-valued email servers on port 25 you
cannot connect. The higher valued mail servers allow
connections. I don't understand why someone would deny
mail connections on the highest priority mail server
unless they are being used in some sort of anti-spam
configurations. Any thoughts?...

Peter.
 
Ace Fekay [MVP]

In
Ace,

Maybe so... however when you try to telnet to these
domains' two lowest mx-valued email servers on port 25 you
cannot connect. The higher valued mail servers allow
connections. I don't understand why someone would deny
mail connections on the highest priority mail server
unless they are being used in some sort of anti-spam
configurations. Any thoughts?...

Peter.

I tried to connect to snog2.capgroup.com and it didn't connect. Maybe
they're down or their records are out of date. Not much you can do about
that. Did you call their NOC and ask them?


--
Regards,
Ace

 
Guest

Ace,

I didn't call their NOC. The fact that this is happening
with other domains (of which you can't connect to their
lowest numbered MX records) leads me to believe that the
problem is not only with their configuration. This looks
to me as some sort of anti-spam strategy. Do you think
that the problem manifested itself as a result of Exchange
SP3 or W2K SP4 application? Can Exchange SP3 be rolled
back?

Peter.
 
Ace Fekay [MVP]

In
Ace,

I didn't call their NOC. The fact that this is happening
with other domains (of which you can't connect to their
lowest numbered MX records) leads me to believe that the
problem is not only with their configuration. This looks
to me as some sort of anti-spam strategy. Do you think
that the problem manifested itself as a result of Exchange
SP3 or W2K SP4 application? Can Exchange SP3 be rolled
back?

Peter.

Hmm, honestly I can't see Ex SP3 doing this at all. This is a lookup issue.
If you or I can't connect using telnet, then I can't see a server being able
to do so. Make sense? If it's an antispam strategy, it's a lame one.

The only thing that broke with Windows SP4 is only if you have a single
label AD DNS domain name. I'm assuming that's not the case here. Otherwise,
nothing else.

I would suggest to give them a call and see what they have to say, just to
rule that out. If I hear of anything else, I'll post back.



--
Regards,
Ace

 
