glue problem for usda.gov


themeanies

I am having lots of trouble delivering e-mail to @tx.usda.gov and
@ok.usda.gov addresses and I think the problem is DNS related.

Does anyone think that the delivery errors could be related to the glue
problem reported for usda.gov at www.dnsreport.com?

What happens is that our mail server attempts to lookup the delivery
information for these addresses at a local W2K3 DNS server. Sometimes
it is returned properly, but sometimes it is not. The only way I'm able
to fix it is to clear the DNS cache and retry until the lookup is successful.

This is the only domain to which we have trouble delivering and we
deliver approx 10,000 messages a day worldwide.

Any ideas?

tM
 
themeanies said:
I am having lots of trouble delivering e-mail to @tx.usda.gov and
@ok.usda.gov addresses and I think the problem is DNS related.

Does anyone think that the delivery errors could be related to the
glue problem reported for usda.gov at www.dnsreport.com?

What happens is that our mail server attempts to lookup the delivery
information for these addresses at a local W2K3 DNS server. Sometimes
it is returned properly, but sometimes it is not. The only way I'm
able to fix it is to clear the DNS cache and retry until the lookup is
successful.

This is the only domain to which we have trouble delivering and we
deliver approx 10,000 messages a day worldwide.

I don't think the glue would affect this because the DNS server seems to be
answering authoritatively on both addresses.
Are you behind a firewall?
828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP
 
Kevin said:
I don't think the glue would affect this because the DNS server seems to be
answering authoritatively on both addresses.
Are you behind a firewall?
828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

Yep already did that several months ago to fix another problem. We are
behind a PIX and modified the PIX to allow large packets.

Can you tell what it is they are doing with the .tx. and .ok. parts of
their domain? They are not sub-domains, but exist for mail delivery.
It's really quite unlike anything I've seen before.

tM
 
themeanies said:
Yep already did that several months ago to fix another problem. We
are behind a PIX and modified the PIX to allow large packets.

Can you tell what it is they are doing with the .tx. and .ok. parts of
their domain? They are not sub-domains, but exist for mail delivery.
It's really quite unlike anything I've seen before.

These are just MX records with a host name, you can easily do this.

Are you using a forwarder?
It does take 281 ms to get them the first time, which is a little slow, but
it isn't that slow.
 
Are any of you doing anything with your non-public DNSs to help in the
battle against grey-ware? Our previous DNS admin did some stuff to
hijack, for lack of a better word, the p2p and IM domains. If internal
hosts tried to resolve these domains they would be directed to an AUP for
the company.

Is anyone doing anything similar with proxies, hosts files, DNS etc.?
Would you mind sharing?

tM
 
themeanies said:
Are any of you doing anything with your non-public DNSs to help in the
battle against grey-ware? Our previous DNS admin did some stuff to hijack,
for lack of a better word, the p2p and IM domains. If internal hosts tried
to resolve these domains they would be directed to an AUP for the company.

Is anyone doing anything similar with proxies, hosts files, DNS etc.? Would
you mind sharing?

I do -- but there are disagreements if this "is a job for DNS".

It's an easy thing to do and costs me no real effort, so I use it
as another line of defense.

Personally, I load a big file of bad names into my caching-only
BIND DNS server's cache file.

I can't use MS DNS for this (even though I prefer MS DNS for
most jobs in a Microsoft Network) since it won't let me preload
the cache file.

My caching-only DNS server is at the firewall and is used by
all of the internal DNS servers for forwarding.
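An added example (not code from any poster in this thread) of the "big file of bad names" approach done with BIND's response policy zone (RPZ) feature rather than by editing the cache file: it reads a blocklist and renders an RPZ zone in which each name and its subdomains are rewritten to a CNAME for an internal AUP web host. The zone name rpz.local, the AUP host aup.corp.example and the sample list are constructed assumptions.

```python
import re

# One hostname: labels of letters, digits and hyphens, separated by dots.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_NAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def parse_blocklist(text):
    """Lower-cased, de-duplicated domains; comments, blanks and junk are skipped."""
    seen, names = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry and _NAME_RE.match(entry) and entry not in seen:
            seen.add(entry)
            names.append(entry)
    return names


def rpz_zone(names, zone="rpz.local", aup_host="aup.corp.example", serial=1):
    """Render an RPZ zone (zone and AUP host names are constructed).

    A CNAME to a real name in RPZ is the "Local Data" action: the resolver
    answers with that CNAME, so the client lands on the AUP web host.  The
    wildcard entry catches every subdomain of the blocked name too.
    """
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in names:
        lines.append(f"{name} IN CNAME {aup_host}.")
        lines.append(f"*.{name} IN CNAME {aup_host}.")
    return "\n".join(lines) + "\n"


# Constructed sample input, not a real blocklist.
SAMPLE_BLOCKLIST = """
# p2p and IM names to redirect to the AUP page
tracker.p2p-example.net
Chat.im-example.com.
not a hostname!
tracker.p2p-example.net   # duplicate, dropped
"""

if __name__ == "__main__":
    # named.conf then needs: response-policy { zone "rpz.local"; };
    print(rpz_zone(parse_blocklist(SAMPLE_BLOCKLIST)))
```

Because the rewrite happens on the caching-only resolver at the firewall, every internal DNS server that forwards to it inherits the policy without further configuration.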
 