  • #373574
    paulievox
    Participant

    Internal Mail won’t resolve to emailserver domain, but LAN ip works

    Hey gang, longtime reader first time poster.

    After wrestling with this issue, I'm about out of ideas.
    Here’s my setup.

    Leopard server 10.5.4, running OD master (all rocking),
    AFP, Firewall, DNS, (mobile) network home directories.
    I’ll call this “xserve.mydomain.com ”
    Its NAT’d IP is 192.168.1.102.
    It’s a FQDN, kerberos is running and happy, all is well.

    There are about 12
    clients, each with a desktop (imac) and laptop (macbook).

    I have a second (windows 2003 sbe) server hosting the following
    services: Exchange and Web (for now).
    I’ll call this winsbe.mydomain.com
    Its NAT’d IP is 192.168.1.101

    My External DNS setup is this.

    Our DNS hosting is done by our registrar (network solutions).
    We own 4 static IPs from our ISP.
    One IP is for our router/firewall providing NAT
    to internal clients, and the xserve is on DMZ, with
    its OSX firewall service turned on.

    One IP is for the
    windows server. (the last two, if you’ve been counting, are unused :).

    Via Network Solutions “advanced DNS”, I have our zone
    configured. “xserve.mydomain.com” points to its WAN
    IP (66.xxx.xxx.198).
    www points to 66.xxx.xxx.194.
    MX records refer to “winsbe.mydomain.com” via
    WAN IP 66.xxx.xxx.194 as well.

    All outside services resolve correctly.
    i.e., I can hit the website and send/receive email from mydomain.com.

    My internal DNS as setup as this:
    primary zone= mydomain.com
    nameserver= xserve.mydomain.com
    mx record= winsbe.mydomain.com
    xserve.mydomain.com has an A record to LAN IP.
    winsbe.mydomain.com has an A record to LAN IP.
    www is a CNAME record to winsbe.mydomain.com. <---- I'm not sure about this one but it works.....

    My forwarder IP points back to my router (which seems to give me better performance than using ISP DNS from here..)

    I know this is working fine insofar as the webserver, as an nslookup (www.mydomain.com) internally resolves www to 192.168.1.101. mydomain.com and http://www.mydomain.com hit the webserver internally
    on client browsers. rock.

    Again, forward AND reverse nslookups internally resolve to winsbe.mydomain.com/192.168.1.101

    Here is my guess as to my problem,

    my internal hostname + A record for the Windows server is the same as the MX record,
    which has an alias from www.

    I think it's getting effed in there somewhere?

    If I setup email clients with the windows server LAN IP rather than
    the domain "winsbe.mydomain.com" it all works fine.
    I'd frankly be willing to half-ass it with this solution,
    but each client will require a mobile computer, so we can't have that 🙂

    I feel like I'm on the right track, but
    just can't make the breakthrough.
    Am I barking up the wrong tree here?

    Here is a last question,
    I have my firewall/router as the "Forwarder IP Address"
    in the last page of Settings in Server Admin. When I put
    my ISP's DNS servers, I always get a 2 second delay
    for any web query on any client.
    I have "127.0.0.1" as the first DNS entry in xserve Network Preferences.
    The xserve is the only DNS entry in the client computers.
    This isn't a "bad practice" or anything is it?

    #373575
    paulievox
    Participant

    My bad mods, I should have posted in the DNS section, no?

    Here’s my named.conf setup fwiw

    // Include keys file
    //
    include "/etc/rndc.key";

    // Declares control channels to be used by the rndc utility.
    //
    // It is recommended that 127.0.0.1 be the only address used.
    // This also allows non-privileged users on the local host to manage
    // your name server.

    //
    // Default controls
    //
    controls {
    inet 127.0.0.1 port 54 allow {any; }
    keys { "rndc-key"; };
    };

    options {
    include "/etc/dns/options.conf.apple";

    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // query-source address * port 53;
    };
    //
    // a caching only nameserver config
    //
    logging {
    include "/etc/dns/loggingOptions.conf.apple";
    };

    // Public view read by Server Admin

    include "/etc/dns/publicView.conf.apple";

    // Server Admin declares all zones in a view. BIND therefore dictates
    // that all other zone declarations must be contained in views.

    #373576
    deemery
    Participant

    A simple check: do you have the IP of your server listed as the -first- DNS server in that machine’s System Preferences -> Network settings?

    dave

    #373577
    paulievox
    Participant

    [QUOTE][u]Quote by: deemery[/u][p]A simple check: do you have the IP of your server listed as the -first- DNS server in that machine’s System Preferences -> Network settings?

    dave[/p][/QUOTE]

    Yup,
    127.0.0.1.
    The next DNS server is the router/firewall.

    I have horsed around with DNS servers in general,
    i.e., adding the Windows server LAN IP as a DNS server both to client computers and the xserve.
    All it does is introduce a lag in lookups/forwarding.

    I'm pretty confident the forwarding is all working correctly.

    #373578
    paulievox
    Participant

    Sample DNS log (information-level logging)

    As you can see, the xserve's DNS isn't having the MX record I set up for the "winserver"

    30-Jul-2008 02:43:12.971 zone mydomain.com/IN/com.apple.ServerAdmin.DNS.public: mydomain.com/MX ‘winserver.mydomain.com’ has no address records (A or AAAA)
    30-Jul-2008 02:44:53.896 /var/named/zones/db.mydomain.com.zone.apple:14: ignoring out-of-zone data (winserver)
    30-Jul-2008 02:44:53.900 /var/named/zones/db.mydomain.com.zone.apple:14: ignoring out-of-zone data (winserver)
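
The two log lines above describe one fault feeding the next: named discards a record whose owner name falls outside the zone, and the MX target that record was supposed to address is then left without an A record. The zone-file linter below is an added example (not from the thread or from Apple's Server Admin) that reproduces both checks over a constructed zone modelled on the internal setup described in the first post. The zone text, the names `winserver`/`winsbe` and the addresses are taken from the thread; the parser is a simplified one and handles only the common zone-file forms ($ORIGIN, $TTL, optional TTL/class, a parenthesised SOA, `;` comments), not everything BIND accepts.

```python
"""Lint a BIND-style zone file for two faults named reports when it loads a zone:
'ignoring out-of-zone data (name)' and 'MX ... has no address records (A or AAAA)'.
Added example with a simplified parser; not BIND's own loading logic."""

# Constructed sample zone modelled on the thread's setup; not the poster's real file.
# The last record carries a trailing dot, so its owner is the absolute name
# "winserver." rather than "winserver.mydomain.com.". named drops such an entry as
# out-of-zone data, which in turn leaves the MX target with no address record.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
$TTL 3600
@           IN SOA   xserve.mydomain.com. hostmaster.mydomain.com. ( 2008073001 3600 900 604800 300 )
@           IN NS    xserve.mydomain.com.
@           IN MX 10 winserver.mydomain.com.
xserve      IN A     192.168.1.102
winsbe      IN A     192.168.1.101
www         IN CNAME winsbe.mydomain.com.
winserver.  IN A     192.168.1.101   ; trailing dot: absolute name, outside the zone
"""

# The same zone with the stray dot removed: every record then sits inside mydomain.com.
FIXED_ZONE = SAMPLE_ZONE.replace("winserver.  IN A", "winserver   IN A")

NAME_RDATA_TYPES = {"MX", "CNAME", "NS"}   # types whose last rdata field is a domain name
CLASSES = {"IN", "CH", "HS"}


def _qualify(name, origin):
    """Make a zone-file name absolute the way BIND does ('@' and relative names use $ORIGIN)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, default_origin="mydomain.com."):
    """Return (origin, records); each record is (owner_fqdn, rrtype, rdata_tokens)."""
    origin = default_origin
    records = []
    last_owner = origin
    buf, buf_indented = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not buf:
            buf_indented = raw[:1].isspace()          # blank owner field => reuse last owner
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                                  # parenthesised record continues on next line
        buf = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if buf_indented else _qualify(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():            # optional TTL before the class
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:   # optional class
            tokens.pop(0)
        if tokens and tokens[0].isdigit():            # optional TTL after the class
            tokens.pop(0)
        rrtype = tokens.pop(0).upper()
        rdata = tokens
        if rrtype in NAME_RDATA_TYPES:                # qualify the target name too
            rdata[-1] = _qualify(rdata[-1], origin)
        records.append((owner, rrtype, rdata))
    return origin, records


def _in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def find_out_of_zone(origin, records):
    """Owner names named would reject with 'ignoring out-of-zone data (name)'."""
    return [owner.rstrip(".") for owner, _, _ in records if not _in_zone(owner, origin)]


def find_mx_without_address(origin, records):
    """In-zone MX targets with no A/AAAA record: 'MX ... has no address records'.
    Out-of-zone records are dropped first, because named discards them before this check."""
    kept = [r for r in records if _in_zone(r[0], origin)]
    addressed = {owner for owner, rrtype, _ in kept if rrtype in ("A", "AAAA")}
    missing = []
    for _owner, rrtype, rdata in kept:
        target = rdata[-1] if rrtype == "MX" else None
        # A target outside this zone would need a live lookup; only judge names we serve.
        if target and _in_zone(target, origin) and target not in addressed:
            missing.append(target.rstrip("."))
    return missing


def lint_zone(text):
    """Run both checks and return the findings keyed by the message named would log."""
    origin, records = parse_zone(text)
    return {
        "out_of_zone": find_out_of_zone(origin, records),
        "mx_without_address": find_mx_without_address(origin, records),
    }


if __name__ == "__main__":
    for label, zone in (("as posted", SAMPLE_ZONE), ("fixed", FIXED_ZONE)):
        print(label, lint_zone(zone))
```

Run against `SAMPLE_ZONE` the linter reports `winserver` as out-of-zone and `winserver.mydomain.com` as an MX target with no address record, the same pair the log shows; `FIXED_ZONE`, with the trailing dot removed from the owner name, comes back clean. The same kind of check is worth running on any hand-edited zone before a reload, since named loads the zone anyway and only logs the dropped record.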

    #373579
    deemery
    Participant

    [QUOTE]Yup,
    127.0.0.1.[/QUOTE]

    Well…. Try replacing 127.0.0.1 (which resolves to localhost) with the actual IP address of the machine, and see if that works. I’m wondering if the fact this is a ‘special’ (non-routable?) address is causing the problem.

    But I could be totally off here.

    dave

    #373580
    paulievox
    Participant

    [QUOTE][u]Quote by: deemery[/u][p][QUOTE]Yup,
    127.0.0.1.[/QUOTE]

    Well…. Try replacing 127.0.0.1 (which resolves to localhost) with the actual IP address of the machine, and see if that works. I’m wondering if the fact this is a ‘special’ (non-routable?) address is causing the problem.

    But I could be totally off here.

    dave[/p][/QUOTE]

    Good call to try it, but no dice.

    I removed 127.0.0.1, plugged in 192.168.1.102 (its lan ip), reset dns cache,
    and restarted DNS service – mail issue persists.

    #373581
    deemery
    Participant

    [QUOTE]Good call to try it, but no dice.[/QUOTE]

    Well, you’ve run off the edge of my knowledge here. Good Luck! Maybe someone with a deeper knowledge can chime in.

    dave

    #373584
    paulievox
    Participant

    [QUOTE][u]Quote by: deemery[/u][p][QUOTE]Good call to try it, but no dice.[/QUOTE]

    Well, you’ve run off the edge of my knowledge here. Good Luck! Maybe someone with a deeper knowledge can chime in.

    dave[/p][/QUOTE]

    You were great to give it a shot man. thanks again.

    #373587
    paulievox
    Participant

    Just spoke with AppleCare Enterprise.

    After running through my DNS settings, the agent declared
    "well your DNS is configured properly – all your services work.
    you'll need to contact Microsoft".

    blah.
    He suggested my answer may be somewhere inside the "network services"
    support docs.

    It may be of note that my Exchange server is configured internally as the ".local" out-of-the-box variety they tout for "maximum protection" against hacking.

    Should I set up a slave zone to the DNS on the Windows box, and switch recursion on it?
    I know Exchange/AD is based on DNS.

    This is a nightmare.
