Navigation

spr · #1 1st August 2010, 11:22

Hi

We've widen up our Serverstructure and outsourced our DNS and Mailserver on two new machines. Boths are in different datacenters.

Server 1 ist the Master DNS and Mailserver
Server 2 is a complete Mirror of Server 1

Now we've the problem that Google-Mail (and some other little providers) can't send mails to our Servers!!
Only the .com Domains aren't working...

Here is what dig says:

Dig via Google-Public-DNS

dig @8.8.8.8 ns datengarten.com

; <<>> DiG 9.7.0-P1 <<>> @8.8.8.8 ns datengarten.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50702
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datengarten.com. IN NS

;; Query time: 2449 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 1 11:19:26 2010
;; MSG SIZE rcvd: 33

Dig via T-Online DNS:

dig ns datengarten.com

; <<>> DiG 9.7.0-P1 <<>> ns datengarten.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9721
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;datengarten.com. IN NS

;; ANSWER SECTION:
datengarten.com. 11872 IN NS ns1.datengarten.net.
datengarten.com. 11872 IN NS ns2.datengarten.net.

;; ADDITIONAL SECTION:
ns1.datengarten.net. 11872 IN A 78.46.233.41

;; Query time: 3 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Sun Aug 1 11:19:51 2010
;; MSG SIZE rcvd: 100

Again, this is only on .com Domains.
Look here at .de domain also via Google-Public-DNS

dig @8.8.8.8 ns datengarten.de

; <<>> DiG 9.7.0-P1 <<>> @8.8.8.8 ns datengarten.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29605
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datengarten.de. IN NS

;; ANSWER SECTION:
datengarten.de. 83999 IN NS ns1.datengarten.net.
datengarten.de. 83999 IN NS ns2.datengarten.net.

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 1 11:20:45 2010
;; MSG SIZE rcvd: 83

----

I absolutly helpless!
Please somebody tell me whats wrong there.

regards
spr

P.S. I've installed all servers following "Perfect Server How To for Lenny (on Lenny)" and all other features are working fine!

till · #2 1st August 2010, 17:10

To get nearer to the problem, first test if it is a problem with the servers by running:

dig @localhost ALL datengarten.com

on the shell of both servers and post the output.

Additionally, post the output of:

iptables -L

from both servers.

spr · #3 1st August 2010, 19:18

Hi,

output of Server 1:

dig @localhost ALL datengarten.com

; <<>> DiG 9.6-ESV-R1 <<>> @localhost ALL datengarten.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 25338
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ALL. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 1 19:07:02 2010
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19402
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;datengarten.com. IN A

;; ANSWER SECTION:
datengarten.com. 86400 IN A 88.198.55.45

;; AUTHORITY SECTION:
datengarten.com. 86400 IN NS ns1.datengarten.net.
datengarten.com. 86400 IN NS ns2.datengarten.net.

;; ADDITIONAL SECTION:
ns1.datengarten.net. 86400 IN A 78.46.233.41

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 1 19:07:02 2010
;; MSG SIZE rcvd: 116

iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (18 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:tacacs-ds
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt

op3
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:munin
PAROLE tcp -- anywhere anywhere tcp dpt:6999
PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
PAROLE tcp -- anywhere anywhere tcp dpt:9367
PAROLE tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:tacacs-ds
ACCEPT udp -- anywhere anywhere udp dpt:mysql
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Output of Server 2:

dig @localhost ALL datengarten.com

; <<>> DiG 9.6-ESV-R1 <<>> @localhost ALL datengarten.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45876
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ALL. IN A

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 1 17:17:04 2010
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58057
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;datengarten.com. IN A

;; ANSWER SECTION:
datengarten.com. 86400 IN A 88.198.55.45

;; AUTHORITY SECTION:
datengarten.com. 86400 IN NS ns1.datengarten.net.
datengarten.com. 86400 IN NS ns2.datengarten.net.

;; ADDITIONAL SECTION:
ns1.datengarten.net. 86400 IN A 78.46.233.41

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 1 17:17:04 2010
;; MSG SIZE rcvd: 116

iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (17 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt

op3
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:munin
PAROLE tcp -- anywhere anywhere tcp dpt:6999
PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
PAROLE tcp -- anywhere anywhere tcp dpt:9742
PAROLE tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mysql
ACCEPT udp -- anywhere anywhere udp dpt:3307
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

I hope you can help me solving this.

thanks till.

spr

matty · #4 2nd August 2010, 01:33

It looks like you haven't redelegated datengarten.com onto your new nameservers, as whois lists the nameservers as dns[1-3].nsdns.info. Having said that, ns1 & ns2.datengarten.net both respond for me with .com records.

Edit: You have something funky with the records for your nameservers. It looks like you are using a wildcard record in datengarten.net. Put proper A records in for each of ns1 and ns2.datengarten.net. Currently both come up as 78.46.233.41, where ns2 should be 85.114.140.111 according to your delegation records.

spr · #5 2nd August 2010, 10:09

Hi

I´ve switched it to our "Domain/DNS Provider" yesterday evening to get our Mailserver reliable connected!
But if you now dig for daten-garten.com you can still see what´s happening (or not)!!

spr

matty · #6 3rd August 2010, 03:39

Quote:

Originally Posted by spr

But if you now dig for daten-garten.com you can still see what´s happening (or not)!!

Everything in daten-garten.com resolves to 88.198.55.45, but it otherwise appears to be working fine.

In my other post, I recommended you add an A record for ns2.datengarten.net in the datengarten.net zone. I think I've figured out what's actually happening. The zone for your nameservers, datengarten.net is actually delegated to ns[1-3].domaindiscount24.net. In there, you have records for ns1 & ns2.datengarten.net which point at your nameservers. Your nameserver also have a zone configured for datengarten.net, but in there you don't have a record for ns2.datengarten.net.

Also, the MX records for daten-garten.com & datengarten.com include mta1 & mta2.datengarten.net (datengarten.de doesn't) which have different answers from your servers and the domaindiscount ones. I'd really suggest you either remove the datengarten.net zone from your nameservers, or redelegate the zone to them (and add the ns2 record).

When I query records against your nameservers, I see the following error which I believe is because of the above.

Quote:

;; WARNING: recursion requested but not available

Navigation

Facebook

News

Recent comments

Newsletter