Another Internal/External MX question

  • Thread starter Thread starter aptrsn
  • Start date Start date
A

aptrsn

I'm currently setting up a new 2003 domain in our company and have run into
a problem with MX records. We currently run Domino as our mail server and
have our ISP host the external MX records. This directs any incoming SMTP
traffic to our firewall which is setup to redirect the traffic to the
internal SMTP server. Internal clients have always used "hosts" records to
resolve our FQDN to the internal address with no problem. However, since we
are using 2003 we want everything to be fullly integrated with DNS, so now
all our host will be registered on our root controller. Knowing that I
needed an MX record to resolve to the Domino server, I went created a new
foreward lookup zone with our external FQDN, added the neceassary A (host)
and MX record and then tried to ping the Domino server from the root dc
(which is also the primary DNS). Instead of getting a reply with the
internal address however, I received a reply (actually a request timed out)
from the external address of our firewall!

Now, while I'm happy that our firewall is doing it's job filtering our ICMP
traffic, I'm stumped as to why the root dc did not resolve the Domino server
to it's internal address. I would understand if there was no MX or A (host)
record entered, because then the DNS forewarder would send the query on to
the Internet to resolve (as it's supposed to do) and come back with the
external MX records address.

Any ideas?
 
Just as a side not, when I do an nslookup the reply comes back:
DOMINO.domain.com
Click to expand...
Server: UnKnown
Address: 127.0.0.1

Name: DOMINO.domain.com
Address: 172.18.0.14

Which is the correct internal address... yet again when ping
DOMINO.domain.com it comes back trying to ping the external address.
 
Ok, I may have solved my problem but I'm not sure I understand why.

Originally, I had forewarding turned on (prior to creating my external zone)
and so the query for our mail server under the external FQDN was cached on
the client side (is this a correct assumption????). So even though I entered
the Host and MX record, the client was still referencing the cached record.
Once I turned forewarding off, restarted the service, entered the external
FQDN of the Domino server (I had already deleted it in frustration) and
tried pinging the external host name, it finaly resolved to the internal
address!

Someone let me know if I'm on the right track with this, I mean it's great
when something works... but I would like to know WHY it worked.
 
In
aptrsn said:
Ok, I may have solved my problem but I'm not sure I understand why.

Originally, I had forewarding turned on (prior to creating my
external zone) and so the query for our mail server under the
external FQDN was cached on the client side (is this a correct
assumption????). So even though I entered the Host and MX record, the
client was still referencing the cached record. Once I turned
forewarding off, restarted the service, entered the external FQDN of
the Domino server (I had already deleted it in frustration) and tried
pinging the external host name, it finaly resolved to the internal
address!

Someone let me know if I'm on the right track with this, I mean it's
great when something works... but I would like to know WHY it worked.
Click to expand...

Sounds like, but you didn't specify, that your AD name is the same as your
external name. This can cause issues, but we'll address that if you have any
questions on it.

As for an MX record, internally, and assuming your are using the Domino
client (just like an Outlook client with Exchange), it directly connects to
the server's stores and therefore the internal infrastructure does not
require an MX record. So don't bother with that record. The Domino server
will resolve external recipient domains when attempting an SMTP connection
to send mail.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks for your reply!

Here is some of the information you asked about:
Sounds like, but you didn't specify, that your AD name is the same as your
external name.
Click to expand...

No, we are using "ourdomain.local" for internal and "ourdomain.com" for
external.
As for an MX record, internally, and assuming your are using the Domino
client
Click to expand...

Nope, we are only using it for SMTP relay and internal POP3 service. Our WAN
links preclude us from using the full Notes client (bandwidth constraints),
so instead they are just using Outlook or Outlook Express as clients to the
Domino server. We are most likely going to switch to Exchange 2003 next year
(but thats whole different ball of wax).

Look foreward to your insights.




"Ace Fekay [MVP]"
 
In
aptrsn said:
Thanks for your reply!

Here is some of the information you asked about:


No, we are using "ourdomain.local" for internal and "ourdomain.com"
for external.


Nope, we are only using it for SMTP relay and internal POP3 service.
Our WAN links preclude us from using the full Notes client (bandwidth
constraints), so instead they are just using Outlook or Outlook
Express as clients to the Domino server. We are most likely going to
switch to Exchange 2003 next year (but thats whole different ball of
wax).

Look foreward to your insights.
Click to expand...

Ok, then you wouldn't need an MX record internally at all. Since your Domino
machine would be the only thing that really needs the MX, and assuming that
your DNS is hosted externally, then the MX would be required for the
external domain name so other mail servers on the Internet will know what
server is recieving mail for your domain. Since you are using forwarding (if
you disabled it, renable it), it will resolve external queries. Either way,
since trying to re-read the thread, whether using the Domino client or a
POP3 client, internally, no MX is required. Just the external domain zone
needs the MX for others...

I hope that addressed the issue. If I missed anything, please post back.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks again for your replies and insight!

Just some observations, you stated:
Ok, then you wouldn't need an MX record internally at all. Since your Domino
machine would be the only thing that really needs the MX, and assuming that
your DNS is hosted externally, then the MX would be required for the
external domain name so other mail servers on the Internet will know what
server is recieving mail for your domain.
Click to expand...

This is our current setup and it works just fine IF our internet connection
is up and not congested. However, if the connection goes down (rarely) or is
congested (frequently) then the resolution for all mail addresses (external
or internal) either hangs or times out. While there is not much I can do
about the resolution for external addresses, internal addresses should not
have to be dependant on the MX record on the external DNS. Instead, I
figured I could set up the root dc for resolving the mail queries with an MX
record that points to the LAN nic of our Domino server.

While I was typing this I realized that I left out some information
regarding this whole process. I'm not sure if this is the same with MS
Exchange, but when Domino is configure to "verify sender's domain in DNS" it
verifies EVERYONE's domain (ie. those user's with accounts on Domino). Since
our Domino server resolves to the DNS hosted by our ISP, it resolves our
internal users addresses to that DNS. If the connection is congested or
down, mail does not get sent, internal or external. So, knowing this, maybe
you can understand my desire to route our Domain MX queries to the our root
dc, rather then continuing to route them to the ISP's DNS. I do have
forewarding turned on, in which case all other DNS queries by the mail
server would then be passed on to our ISP's DNS. At this point, everything
seems to be working, and in having this discussion, I think I know have a
better understanding as to why it's working.

Thanks again for the discussion.


"Ace Fekay [MVP]"
 
Thanks again for your replies and insight!

Just some observations, you stated:
Ok, then you wouldn't need an MX record internally at all. Since your Domino
machine would be the only thing that really needs the MX, and assuming that
your DNS is hosted externally, then the MX would be required for the
external domain name so other mail servers on the Internet will know what
server is recieving mail for your domain.
Click to expand...

This is our current setup and it works just fine IF our internet connection
is up and not congested. However, if the connection goes down (rarely) or is
congested (frequently) then the resolution for all mail addresses (external
or internal) either hangs or times out. While there is not much I can do
about the resolution for external addresses, internal addresses should not
have to be dependant on the MX record on the external DNS. Instead, I
figured I could set up the root dc for resolving the mail queries with an MX
record that points to the LAN nic of our Domino server.

While I was typing this I realized that I left out some information
regarding this whole process. I'm not sure if this is the same with MS
Exchange, but when Domino is configure to "verify sender's domain in DNS" it
verifies EVERYONE's domain (ie. those user's with accounts on Domino). Since
our Domino server resolves to the DNS hosted by our ISP, it resolves our
internal users addresses to that DNS. If the connection is congested or
down, mail does not get sent, internal or external. So, knowing this, maybe
you can understand my desire to route our Domain MX queries to the our root
dc, rather then continuing to route them to the ISP's DNS. I do have
forewarding turned on, in which case all other DNS queries by the mail
server would then be passed on to our ISP's DNS. At this point, everything
seems to be working, and in having this discussion, I think I know have a
better understanding as to why it's working.

Thanks again for the discussion.


"Ace Fekay [MVP]"
 
In
aptrsn said:
Thanks again for your replies and insight!

Just some observations, you stated:


This is our current setup and it works just fine IF our internet
connection is up and not congested.
Click to expand...

Honestly I'm not sure what's happening, but MX records just denote who is
the mail server for a domain and are just for mail servers to send mail to
another mail server. That's it.
However, if the connection goes
down (rarely) or is congested (frequently) then the resolution for
all mail addresses (external or internal) either hangs or times out.
Click to expand...

I would look at your network infrastructure design, your WAN speed or
problems with the ISP. Sounds like in your case you need to bump up your WAN
speed.
While there is not much I can do about the resolution for external
addresses, internal addresses should not have to be dependant on the
MX record on the external DNS.
Click to expand...

That is correct!
Instead, I figured I could set up the
root dc for resolving the mail queries with an MX record that points
to the LAN nic of our Domino server.
Click to expand...

I am assuming you are talking about altering your MX record on the external
DNS server, whomever that is you're using to host your external name space,
possibly your ISP...

While I was typing this I realized that I left out some information
regarding this whole process. I'm not sure if this is the same with MS
Exchange, but when Domino is configure to "verify sender's domain in
DNS" it verifies EVERYONE's domain (ie. those user's with accounts on
Domino).
Click to expand...

Yes, there is a setting to verify Reverse DNS in Exchange.
Since our Domino server resolves to the DNS hosted by our
ISP, it resolves our internal users addresses to that DNS. If the
connection is congested or down, mail does not get sent, internal or
external. So, knowing this, maybe you can understand my desire to
route our Domain MX queries to the our root dc, rather then
continuing to route them to the ISP's DNS.
Click to expand...

I'm not understanding your use of the terminology here, since routing is an
IP functionality, not a DNS functionality. Routing is also used in mail
delivery between mutli mail servers in an enterprise environment.

Besides, if you're talking about how to resolve external queries, MX queries
are done by the Domino server when attempting to send mail and NOT by
internal clients, whether they are POP clients or Domino clients.

And if your infrastructure is setup properly, you would forward all to the
ISP. If maybe I am understanding this, maybe you want to create your
external zone name on your internal DNS, then go ahead, but keep in mind you
would need to also create your www, ftp and other records too.

Are you currently using your ISP's mail system to receive and send mail and
you have an ETRN or TRN setup to retrieve mail periodically?

I do have forewarding
turned on, in which case all other DNS queries by the mail server
would then be passed on to our ISP's DNS. At this point, everything
seems to be working, and in having this discussion, I think I know
have a better understanding as to why it's working.

Thanks again for the discussion.
Click to expand...

I hope that helps .....



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
:
: > While I was typing this I realized that I left out some information
: > regarding this whole process. I'm not sure if this is the same with MS
: > Exchange, but when Domino is configure to "verify sender's domain in
: > DNS" it verifies EVERYONE's domain (ie. those user's with accounts on
: > Domino).
:
: Yes, there is a setting to verify Reverse DNS in Exchange.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;297412

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
 
I'm not understanding your use of the terminology here, since routing is
an
IP functionality, not a DNS functionality. Routing is also used in mail
delivery between mutli mail servers in an enterprise environment.
Click to expand...

Your right in regards to terminology, routing was a poor choice of words to
use on my part. To re-clarify, our Domino server seeks to resolve all DNS
queries, whether of external or internal mail addresses, to the DNS of our
ISP.
And if your infrastructure is setup properly, you would forward all to the
ISP.
Click to expand...

Which is exactly what we do.
If maybe I am understanding this, maybe you want to create your
external zone name on your internal DNS, then go ahead, but keep in mind you
would need to also create your www, ftp and other records too.
Click to expand...

This is what I believe I did in adding a new foreward lookup zone for our
external domain name. However, since the only thing we host on this domain
is a mail server, only the host (A) and MX record of the Domino server (with
the internal IP address) was necessary.
Are you currently using your ISP's mail system to receive and send mail and
you have an ETRN or TRN setup to retrieve mail periodically?
Click to expand...

No, the only thing our ISP does is maintain our external MX and host (A)
record on thier DNS. All SMTP traffic comes directly to us.

I believe that I found my answer in understanding why this works the way it
does in your response regarding the creation of an external zone. Thanks for
all your help!
















"Ace Fekay [MVP]"
 
In
aptrsn said:
Your right in regards to terminology, routing was a poor choice of
words to use on my part. To re-clarify, our Domino server seeks to
resolve all DNS queries, whether of external or internal mail
addresses, to the DNS of our ISP.


Which is exactly what we do.


This is what I believe I did in adding a new foreward lookup zone for
our external domain name. However, since the only thing we host on
this domain is a mail server, only the host (A) and MX record of the
Domino server (with the internal IP address) was necessary.


No, the only thing our ISP does is maintain our external MX and host
(A) record on thier DNS. All SMTP traffic comes directly to us.

I believe that I found my answer in understanding why this works the
way it does in your response regarding the creation of an external
zone. Thanks for all your help!
Click to expand...

No problem. :-)

Just want to touch base on one more thing you mentioned, concerning Domino
using your ISP's DNS. By best practices, it's fundamental to only use the
internal DNS and let that forward out for you. I'm not sure if Domino is an
AD enabled app (don't think it is), but either way, we would normally like
everything to use the internal server and work from there....

Cheers!


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
"Ace Fekay [MVP]"
message : In : Roland Hall <nobody@nowhere> posted their thoughts, then I offered mine
: > "Ace Fekay [MVP]" wrote:
: >>> While I was typing this I realized that I left out some information
: >>> regarding this whole process. I'm not sure if this is the same with
: >>> MS Exchange, but when Domino is configure to "verify sender's
: >>> domain in DNS" it verifies EVERYONE's domain (ie. those user's with
: >>> accounts on Domino).
: >>
: >> Yes, there is a setting to verify Reverse DNS in Exchange.
: >
: > http://support.microsoft.com/default.aspx?scid=kb;EN-US;297412
:
: Thanks for the link Roland.
: :-)

You're welcome. I was surprised to find out it had changed from how it
originally worked.
 
In
Roland Hall said:
"Ace Fekay [MVP]"


You're welcome. I was surprised to find out it had changed from how
it originally worked.
Click to expand...

Yes, I agree...interesting article...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
a> I would like to know WHY it worked.

One possibility is that whilst you were doing all that the previously cached
answer expired from your DNS Client's cache.
 
Back
Top