DNS and MX Records

brennan.johnson
Hello all,

We are currently experiencing some problems with AOL's new SPAM filter policy, as I'm sure some others have been, and it has caused us to take another look at our DNS setup.

We currently have an outside ISP providing us with several public IPs and such. We have correctly setup this information within our Gateways/Firewalls (SonicWalls).

Our public IPs are NAT'd through to our private subnet and everything works fine this way (email, ftp, mysql, etc all works).

Our DNS servers are hosted on a Windows SBS 2003 and a Windows Server 2003 Standard platform. We have the appropriate FLZs setup for our domain and I think we have the correct RLZs as well.

Under our FLZ - domain.com we have 1 MX record pointing to our mailserver, priority 10, host/child domain is blank. The FQDN of the mailserver it references is a private IP (is this correct?).

The public IP of our SonicWall (which controls the NATs) is configured as a Reverse Lookup Zone. Within this zone we have Pointer records for our domain.com but when I check our domain using a service such as intodns.com I receive an error stating: "No reverse DNS (PTR) entries" and then it lists our public ip xxx.xxx.xxx.xx.in-addr.arpa

Also note that within the DNS server - properties - Forwarders - I have configured the 2 public IPs of our ISP within the 'selected domain's forwarder IP address list' box.

So at the moment I'm not sure what to do next. If anyone could help it would be much appreciated. And if further information is required please just ask.

Edit: Within our SonicWall we have our ISP's DNS servers defined within the DNS configuration. Is it necessary to contact our ISP to add the appropriate PTR and Host (A) records for our domain if we handle the rest of our DNS?

Thank you,
    CG IT

    Unless the Sonicwall device is authoritative for your FQDN, you shouldn't have it doing DNS resolutions.

    I know many do this but... having a firewall router device also handle DNS services for the FQDN zone can cause untold problems with DNS and Active Directory.

    brennan.johnson

    The appropriate ports on the SonicWall device are configured with our ISP's information: Public IP, Gateway, DNS.

    The SonicWall device also handles DHCP requests and within those settings we have defined the IPs of the DNS servers within our network.

    This setup has caused no problems with AD nor DNS.

    CG IT

    Though there are many SMB consultants who swear by it. It has a really good upsell.

    Your SBS box CEICW wizard basically configures your SBS DNS server with all the necessary records for both your AD and Exchange server, including the SharePoint site. This includes accepting email on the FQDN and the private .local domain name.

    The only thing a system administrator needs to do is have the authoritative name servers for the FQDN point to the public IP address.

    So if the FQDN is <yourdomain>.com = Public IP 10.X.X.X

    then the MX record is

    <yourdomain>.com 10 <yourdomain>.com

    where <yourdomain>.com resolves to your public IP address.

    If your SBS box doesn't have a reverse lookup zone, you should have it on the SBS box because that's for the .local zone.

    If you're trying to have a reverse lookup zone for the FQDN, then that's for the authoritative name server listed on the domain name registrar's name servers.

    This isn't anything you probably don't already know, but having a router handle DNS services .... my preference would be to not do that.


    You probably want to do three things:
    1. Set up an SPF record for your domain. This tells AOL (and everyone else) that any email from your domain (that's not from YOUR SMTP server) is probably a spammer.

    2. Go to www.aol.com and jump through their hoops to get un-blacklisted.

    3. Go to http://www.dnsbl.com/ and put in the IP address of your SMTP server to make sure your IP address isn't blacklisted elsewhere. If it is, follow the instructions to get un-blacklisted.

    brennan.johnson

    1. Already have one: v=spf1 mx -all
    Correct, yes?
    2. Do they blanket blacklist by default?
    3. Not blacklisted.


    I think the SPF should have the IP address of the valid SMTP server.

    AOL doesn't blacklist by default, but once you get blacklisted, you need to be nice to them to get un-blacklisted.

    Good thing you aren't blacklisted. Checking regularly will help.
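The MX, PTR and SPF questions raised in this thread, as an added example that is not from the original thread or any of its posters: a small Python script with constructed zone data (a hypothetical example.com using documentation addresses, not the poster's real domain or IPs) that models what an outside resolver such as intodns.com or a receiving mail server sees. It shows why an MX host whose public A record is an RFC 1918 address is unreachable, why a missing PTR fails forward-confirmed reverse DNS, and why `v=spf1 mx -all` evaluates to fail for mail that leaves through the gateway's public IP when the MX host does not resolve to that IP. The resolver stub, the zone contents and the function names are all assumptions made for the illustration.

```python
"""Offline model of what an outside resolver sees for a mail domain: MX
reachability, forward-confirmed reverse DNS (FCrDNS) and a minimal SPF check.
All DNS data is constructed inline; nothing is looked up on the network."""
import copy
import ipaddress

# Constructed records for a hypothetical example.com (documentation addresses,
# not the poster's real domain or IPs). Mirrors the thread: the MX host's A
# record is a private NAT address, the ISP has published no PTR, and SPF
# relies on the "mx" mechanism.
PUBLIC_IP = "203.0.113.10"
BROKEN_ZONE = {
    "MX":  {"example.com.": [(10, "mail.example.com.")]},
    "A":   {"mail.example.com.": ["192.168.1.25"],   # private address in public DNS
            "example.com.": [PUBLIC_IP]},
    "PTR": {},                                        # no reverse entry for the public IP
    "TXT": {"example.com.": ["v=spf1 mx -all"]},
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fixed_zone():
    """Same zone with the fixes discussed in the thread: a public A record for the
    MX host, a PTR published by the ISP, and an SPF record naming the sending IP."""
    z = copy.deepcopy(BROKEN_ZONE)
    z["A"]["mail.example.com."] = [PUBLIC_IP]
    z["PTR"][PUBLIC_IP] = ["mail.example.com."]
    z["TXT"]["example.com."] = [f"v=spf1 ip4:{PUBLIC_IP} -all"]
    return z


def lookup(zone, rtype, name):
    """Stand-in for a DNS query; names are fully qualified with a trailing dot."""
    return zone.get(rtype, {}).get(name, [])


def check_mx(zone, domain):
    """Return problems that make the domain's MX hosts unreachable from the Internet."""
    problems = []
    for prio, host in lookup(zone, "MX", domain):
        addrs = lookup(zone, "A", host)
        if not addrs:
            problems.append(f"MX {host} (priority {prio}) has no A record")
        elif all(any(ipaddress.ip_address(a) in n for n in RFC1918) for a in addrs):
            problems.append(f"MX {host} (priority {prio}) resolves only to RFC 1918 addresses {addrs}")
    return problems


def check_fcrdns(zone, ip):
    """Forward-confirmed reverse DNS: the PTR name must have an A record back to ip."""
    names = lookup(zone, "PTR", ip)
    if not names:
        return (False, "no PTR record")
    for name in names:
        if ip in lookup(zone, "A", name):
            return (True, name)
    return (False, f"PTR names {names} do not resolve back to {ip}")


def spf_check(zone, domain, sender_ip):
    """Minimal SPF evaluator (RFC 7208 subset: ip4, a, mx, all; no include/redirect).
    Returns pass, fail, softfail, neutral or permerror."""
    records = [t for t in lookup(zone, "TXT", domain) if t.startswith("v=spf1")]
    if len(records) != 1:               # zero or several SPF records is a permanent error
        return "permerror"
    sender = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = sender_ip in lookup(zone, "A", arg or domain)
        elif mech == "mx":
            matched = any(sender_ip in lookup(zone, "A", host)
                          for _, host in lookup(zone, "MX", arg or domain))
        if matched:
            return result
    return "neutral"                    # no mechanism matched and no "all" term


if __name__ == "__main__":
    for label, zone in (("as posted", BROKEN_ZONE), ("after fixes", fixed_zone())):
        print(f"--- {label} ---")
        print("MX problems:", check_mx(zone, "example.com.") or "none")
        print(f"FCrDNS for {PUBLIC_IP}:", check_fcrdns(zone, PUBLIC_IP))
        print(f"SPF result for mail sent from {PUBLIC_IP}:",
              spf_check(zone, "example.com.", PUBLIC_IP))
```

Run it directly to see the posted and the fixed states side by side. The original `v=spf1 mx -all` record is not wrong in itself: once the MX host's public A record points at the public IP, the `mx` mechanism matches and the result is pass; naming the sender with `ip4:` simply removes the dependency on that A record. The evaluator covers only `ip4`, `a`, `mx` and `all`; records using `include:` or `redirect=` need a full implementation.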
