glue problem for usda.gov

themeanies

I am having lots of trouble delivering e-mail to @tx.usda.gov and
@ok.usda.gov addresses and I think the problem is DNS related.

Does anyone think that the delivery errors could be related to the glue
problem reported for usda.gov at www.dnsreport.com

What happens is that our mail server attempts to look up the delivery
information for these addresses at a local W2K3 DNS server. Sometimes
it is returned properly, but sometimes it is not. The only way I'm able
to fix is to clear the DNS cache and retry until the lookup is successful.

This is the only domain to which we have trouble delivering and we
deliver approx 10,000 messages a day worldwide.

Any Ideas?

tM
 
Kevin D. Goodknecht Sr. [MVP]

themeanies said:
I am having lots of trouble delivering e-mail to @tx.usda.gov and
@ok.usda.gov addresses and I think the problem is DNS related.

Does anyone think that the delivery errors could be related to the
glue problem reported for usda.gov at www.dnsreport.com

What happens is that our mail server attempts to look up the delivery
information for these addresses at a local W2K3 DNS server. Sometimes
it is returned properly, but sometimes it is not. The only way I'm
able to fix is to clear the DNS cache and retry until the lookup is
successful.

This is the only domain to which we have trouble delivering and we
deliver approx 10,000 messages a day worldwide.

I don't think the glue would affect this because the DNS server seems to be
answering authoritatively on both addresses.
Are you behind a firewall?
828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP
 
themeanies

Kevin said:
I don't think the glue would affect this because the DNS server seems to be
answering authoritatively on both addresses.
Are you behind a firewall?
828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

Yep already did that several months ago to fix another problem. We are
behind a PIX and modified the PIX to allow large packets.

Can you tell what it is they are doing with the .tx. and .ok. parts of
their domain? They are not sub-domains, but exist for mail delivery.
It's really quite unlike anything I've seen before.

tM
 
Kevin D. Goodknecht Sr. [MVP]

themeanies said:
Yep already did that several months ago to fix another problem. We
are behind a PIX and modified the PIX to allow large packets.

Can you tell what it is they are doing with the .tx. and .ok. parts of
their domain? They are not sub-domains, but exist for mail delivery.
It's really quite unlike anything I've seen before.

These are just MX records with a host name, you can easily do this.

Are you using a forwarder?
It does take 281 ms to get them the first time, which is a little slow, but
it isn't that slow.
 
themeanies

Are any of you doing anything with your non-public DNS's to help in the
battle against grey-ware? Our previous DNS admin did some stuff to
hijack, for lack of a better word, the p2p and IM domains. If internal
hosts tried to resolve these domains they would be directed to an AUP for
the company.

Is anyone doing anything similar with proxies, host files, DNS etc.
Would you mind sharing?

tM
 
Herb Martin

themeanies said:
Are any of you doing anything with your non-public DNS's to help in the
battle against grey-ware? Our previous DNS admin did some stuff to hijack,
for lack of a better word, the p2p and IM domains. If internal hosts tried
to resolve these domains they would be directed to an AUP for the company.

Is anyone doing anything similar with proxies, host files, DNS etc. Would
you mind sharing?

I do -- but there are disagreements if this "is a job for DNS".

It's an easy thing to do and costs me no real effort so I use it
as another line of defense.

Personally, I load a big file of bad names into my "caching only
BIND DNS servers cache file".

I can't use MS DNS for this (even though I prefer MS DNS for
most jobs in a Microsoft Network) since it won't let me preload
the cache file.

My caching-only DNS server is at the firewall and is used by
all of the internal DNS servers for forwarding.
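
One way to build the internal redirect discussed in the last two posts, as an added example that is not code from anyone in this thread: it turns a blocklist into BIND master-zone stanzas that all share one sinkhole zone file, so blocked names resolve to an AUP web server. It uses authoritative sinkhole zones rather than the cache-file preload Herb describes; the AUP server IP, the zone file path and the sample domain names are assumptions.

```python
import re

# Assumed values, not from the thread: AUP web server address and zone file path.
AUP_SERVER_IP = "192.0.2.10"
SINKHOLE_ZONE_FILE = "/etc/bind/db.sinkhole"
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(name):
    """Lower-case and strip the trailing dot; None unless a valid multi-label name.
    Rejecting anything else keeps quotes, braces and spaces out of named.conf."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    return name if all(_LABEL.fullmatch(l) for l in labels) else None

def minimal_zones(names):
    """Drop invalid entries, duplicates, and names already covered by a listed
    parent (the wildcard in the parent's zone answers for them)."""
    valid = {n for n in map(normalize, names) if n}
    kept = set()
    for name in sorted(valid, key=lambda n: n.count(".")):  # parents first
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)

def named_conf(zones):
    """One master zone stanza per blocked domain, all pointing at one file."""
    return "".join(
        f'zone "{z}" {{ type master; file "{SINKHOLE_ZONE_FILE}"; }};\n'
        for z in zones)

def sinkhole_zone_file():
    """Shared zone data: the apex and every sub-name resolve to the AUP server."""
    return ("$TTL 300\n"
            "@ IN SOA localhost. root.localhost. 1 3600 600 86400 300\n"
            "@ IN NS localhost.\n"
            f"@ IN A {AUP_SERVER_IP}\n"
            f"* IN A {AUP_SERVER_IP}\n")

# Constructed sample blocklist, including entries that must be rejected.
SAMPLE = ["P2P.example.", "im.example.net", "login.im.example.net",
          "p2p.example", 'bad"; };', "-x.example.org", ""]

if __name__ == "__main__":
    print(named_conf(minimal_zones(SAMPLE)), end="")
    print(sinkhole_zone_file(), end="")
```

Short TTLs keep a mistaken entry from lingering in client caches, and the query log for these zones doubles as a list of internal hosts trying to reach the blocked services.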
 
