comp.mail.sendmail: Configuring and using the BSD sendmail agent
#1
|
Hi all,
I've been searching the net for days now trying to get an answer/fix to this problem. I have several FreeBSD servers running different versions from 4.11 to 6.1 with different versions of sendmail. (I have upgraded a couple to 8.13.8 to test; the latest version hasn't fixed anything.) They all have the following problem:

Our LAN is on a private subnet, behind a NAT-enabled firewall. The DNS servers on this subnet are MS Windows 2000 domain controllers, configured as forwarders to our public DNS servers (not on the local subnet). All servers on the LAN subnet use these servers without problem for name resolution.

However, I have root's messages aliased to my email account, and when the FreeBSD servers try to send mail to it, I get a "host name lookup failure" error message, AFTER it lists all the correct mail servers in the MX records of the domain my account is on.

If I configure the boxes to query the public servers in resolv.conf and not the local ones, it works fine! The public DNS servers are authoritative for the domain my email account is on.

Microsoft domain = domain.local
BSD server hostnames = bsd1.domain.net
My email address = me@domain.net

Any help would be greatly appreciated, as the machines need to reference some of the other local boxes using their local DNS names. I don't want to maintain complicated hosts files on a large number of servers, and it would be a security risk to add a secondary copy of the private DNS domain to the public servers.

Regards,
Paul
|
|
#2
|
PoDd wrote:
> Hi all,
>
> I've been searching the net for days now trying to get an answer/fix to
> this problem.
> I have several FreeBSD servers running different versions from 4.11 to
> 6.1 with different versions of sendmail. (I have upgraded a couple to
> 8.13.8 to test; the latest version hasn't fixed anything.) They all have
> the following problem:
>
> Our LAN is on a private subnet, behind a NAT-enabled firewall. The DNS
> servers on this subnet are MS Windows 2000 domain controllers, that are
> configured as forwarders to our public DNS servers (not on the local
> subnet). All servers on the LAN subnet use these servers without
> problem for name resolution.

Drop the forwarders. It gains you nothing but exposure to vulnerabilities
and external dependencies.

> However, I have root's messages aliased to my email account, and when
> the FreeBSD servers try and send mail to it, I get a "host name lookup
> failure" error message. AFTER it lists all the correct mail servers
> listed in the MX records of the domain my account is on.

Use debugging flags to see what DNS queries sendmail makes and what the
answers are.

> If I configure the boxes to query the public servers in resolv.conf and
> not the local ones, it works fine!

Drop the forwarders and see what happens.

> The public DNS servers are authoritative for the domain my email
> account is on.
>
> Microsoft domain = domain.local
> BSD servers hostnames = bsd1.domain.net
> My email address = me@domain.net
|
|
#3
|
PoDd wrote:
> Hi all,
>
> Our LAN is on a private subnet, behind a NAT-enabled firewall. The DNS
> servers on this subnet are MS Windows 2000 domain controllers, that are
> configured as forwarders to our public DNS servers (not on the local
> subnet). All servers on the LAN subnet use these servers without
> problem for name resolution.
>
> However, I have root's messages aliased to my email account, and when
> the FreeBSD servers try and send mail to it, I get a "host name lookup
> failure" error message. AFTER it lists all the correct mail servers
> listed in the MX records of the domain my account is on.

Try some digs to make sure you're getting the right hosts. Try

    dig -t mx @server domain

on the internal and external DNS servers and compare the result.

> If I configure the boxes to query the public servers in resolv.conf and
> not the local ones, it works fine!
>
> The public DNS servers are authoritative for the domain my email
> account is on.
>
> Microsoft domain = domain.local
> BSD servers hostnames = bsd1.domain.net
> My email address = me@domain.net
>
> Any help would be greatly appreciated, as the machines need to
> reference some of the other local boxes using their local DNS names, I
> don't want to maintain complicated hosts files on a large number of
> servers and it would be a security risk to add a secondary copy of the
> private DNS domain to the public servers.

If the results to the dig above are not as expected, add the external
domains to the Win2k servers as secondaries and see if that resolves it.
You can also try playing with the hosts file on the BSD box.

This sort of problem occurs because people often configure the Active
Directory domain to be the same as their Internet domain, and then wonder
why they can't see hosts configured in the external DNS servers but not in
the internal version of the domain, but you stated that your internal
domain was domain.local, not domain.com, so you should be in the clear.
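The dig comparison suggested above, worked into a small POSIX shell helper as an added example (this is not code from the thread or from any of its posters). A cached answer from the LAN resolver and an authoritative answer from the public server legitimately differ in TTL and record order, so a raw diff of two dig outputs is noisy; the helper strips the TTL column, lower-cases names and sorts by preference before comparing. Function names, and the 10.0.0.1 / 203.0.113.1 addresses in the usage comment, are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the MX answers two DNS
# servers give for a domain. TTLs differ between a cached answer (LAN
# resolver) and an authoritative one (public server), and record order
# varies, so answers are normalized before comparison.

# normalize_mx: read dig output on stdin, keep only MX answer records,
# drop the TTL column, lower-case names, sort by preference then host.
normalize_mx() {
  awk '$3 == "IN" && $4 == "MX" { printf "%s %s %s\n", tolower($1), $5, tolower($6) }' |
    sort -k2,2n -k3,3
}

# mx_answers_match RAW_A RAW_B: 0 when two raw dig outputs describe the
# same MX set, 1 otherwise.
mx_answers_match() {
  [ "$(printf '%s\n' "$1" | normalize_mx)" = "$(printf '%s\n' "$2" | normalize_mx)" ]
}

# compare_mx DOMAIN SERVER_A SERVER_B: query both servers (needs dig and
# network access; the server addresses are supplied by the caller) and
# print the normalized answers when they differ.
compare_mx() {
  domain=$1 a=$2 b=$3
  raw_a=$(dig +noall +answer -t mx "@$a" "$domain")
  raw_b=$(dig +noall +answer -t mx "@$b" "$domain")
  if mx_answers_match "$raw_a" "$raw_b"; then
    echo "MX for $domain: identical on $a and $b"
    return 0
  fi
  echo "MX for $domain differs:"
  echo "--- $a"; printf '%s\n' "$raw_a" | normalize_mx
  echo "--- $b"; printf '%s\n' "$raw_b" | normalize_mx
  return 1
}

# Usage (LAN resolver vs public authoritative server, placeholder addresses):
#   compare_mx domain.net 10.0.0.1 203.0.113.1
```

Run compare_mx once per domain you expect to deliver to; a non-zero exit marks the domains whose MX set really differs between the two servers, which is the case the reply above says to fix with secondaries or hosts entries. Identical output, as the original poster later reports, means the MX data is not the problem and the lookup failure has to be chased elsewhere.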
|
|
#4
|
Thanks for the replies...
> Drop the forwarders. It gains you nothing but exposure to
> vulnerabilities and external dependencies.

Dropping the forwarders made no difference. However, I have been under the
impression for many years, from training/certification and experience, that
it is very much the preferred method to disable recursion on private DNS
servers and forward all queries to public ones (also under your control) to
provide the greatest security. Is that not the case?

> Try some digs to make sure you're getting the right hosts. Try dig -t mx
> @server domain on the internal and external DNS servers and compare the
> result.

Digs/nslookups return identical information on both the private and public
DNS servers.

> If the results to the dig above are not as expected, add the external
> domains to the Win2k servers as secondaries and see if that resolves it.
> You can also try playing with the hosts file on the BSD box.

There are thousands of domains hosted on the public DNS servers. This
problem is apparent for all of them. I cannot run secondaries for all of the
possible domains mail could be required to be sent to on our private DNS
servers.

Does anyone know what is causing this problem? The DNS is definitely
correct. Can sendmail/BSD/BIND/M$ DNS just not play together? I would rather
try and fix the global issue than per-box/per-domain solutions, i.e. hosts
files or secondaries on the private servers. All greatly appreciated, as
this is getting extremely frustrating. I have tried smart host and
nullclient in my config but still get host name lookup failure.

    [root@* ~]# sendmail -v -qR

    Running /var/spool/mqueue/k8L95YTf015444 (sequence 1 of 2)
    <me@domain.net>... Connecting to *.domain.net. via esmtp...
    <me@domain.net>... Connecting to *.domain.net. via esmtp...
    <me@domain.net>... Connecting to *.domain.net. via esmtp...
    <me@domain.net>... Deferred: Name server: *domain.net.: host name lookup failure

The *'s represent the correct servers listed in domain.net's zone records.
|
|
#5
|
In article <1158830959.163041.315070@k70g2000cwa.googlegroups.com>
"PoDd" <podd69@hotmail.com> writes:
> Thanks for the replies...
>
>> Drop the forwarders. It gains you nothing but exposure to
>> vulnerabilities and external dependencies.
>
> Dropping the forwarders made no difference. However,
> I have been under the impression for many years from
> training/certification and experience that it is the very much
> preferred method to disable recursion on private DNS servers and
> forward all queries to public ones (also under your control) to provide
> the greatest security. Is that not the case?

Huh? Surely you got that backwards, hopefully only in the posting - you
want to disable recursion on your *public* servers, since they otherwise
can be subject to cache poisoning. Hence you want to leave it enabled on
your private servers, or otherwise your standard non-recursing stub
resolver library won't have anyone to ask. :-)

The issue of using forwarders is basically orthogonal to this, and the
obvious security issue with that is that you shouldn't forward to servers
that you don't trust (which depending on your outlook may be all that you
don't run yourself). E.g. it may make sense in a large private network to
have many private servers forwarding to one or a few other private
servers, but otherwise I would agree with jmaimon that using forwarders
is generally a bad idea.

> Does anyone know what is causing this problem? The DNS is definitely
> correct. Can sendmail/bsd/bind/m$ dns just not play together?

Probably m$ can't play by the rules, as usual. :-) I would have suspected
the problem that is worked around by

    define(`confBIND_OPTS', `WorkAroundBrokenAAAA')

- but it doesn't really fit the details of your description:

> [root@* ~]# sendmail -v -qR
>
> Running /var/spool/mqueue/k8L95YTf015444 (sequence 1 of 2)
> <me@domain.net>... Connecting to *.domain.net. via esmtp...
> <me@domain.net>... Connecting to *.domain.net. via esmtp...
> <me@domain.net>... Connecting to *.domain.net. via esmtp...
> <me@domain.net>... Deferred: Name server: *domain.net.: host name
> lookup failure
>
> the *'s represent the correct servers listed in domain.net's zone
> records.

This looks quite weird, but it's really hard to analyze due to your
mangling of the names. The first three failures wouldn't normally have
anything to do with DNS - if sendmail gets to "Connecting", DNS is out of
the picture. Is the failure to connect to those three hosts expected? If
not, can you check e.g. with a packet trace which addresses it is actually
trying to connect to and if they are correct? And try a telnet connection
to port 25 for them (using the IP addresses that sendmail uses) - if that
doesn't succeed, it's obviously not a sendmail issue at all but one of
general net connectivity.

And the final *domain.net, which does seem to indicate a DNS problem, is
that the same as one of the other three, and if so which one? If not, is
it another host listed as MX for domain.net? And any difference between
that and the other three?

--Per Hedeland
per@hedeland.org
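The point in the reply above about which servers should recurse is easy to verify from the outside, because a server tells you in every answer: dig's ";; flags:" header line carries "aa" when the answer is authoritative and "ra" when the server is offering recursion to the client that asked. The following POSIX shell helper, added here as an example and not code from the thread or its posters, parses that header and labels the server. The function names, the labels it prints and the 10.0.0.1 / 203.0.113.1 addresses in the usage comment are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): read the header dig prints and
# report whether a server advertises recursion (ra) and whether it
# answered authoritatively (aa). A public authoritative server should
# show aa without ra; a LAN resolver should show ra.

# flag_set FLAG RAW: 0 when FLAG appears on dig's ";; flags:" line.
flag_set() {
  printf '%s\n' "$2" | grep -q "^;; flags:[^;]* $1[ ;]"
}

ra_flag_set() { flag_set ra "$1"; }
aa_flag_set() { flag_set aa "$1"; }

# classify_dns_role RAW: label the server from one answer to a query for
# a zone it is supposed to serve. The labels are this example's own.
classify_dns_role() {
  if aa_flag_set "$1"; then
    if ra_flag_set "$1"; then
      echo "authoritative+recursive"   # public server still recursing: fix
    else
      echo "authoritative-only"        # what a public server should be
    fi
  elif ra_flag_set "$1"; then
    echo "recursive-resolver"          # what a LAN resolver should be
  else
    echo "neither"
  fi
}

# check_server SERVER ZONE: query the zone's SOA and print the label.
# Needs dig and network access. Run it from outside the LAN as well:
# 'ra' reflects what the server allows *this* client (e.g. an
# allow-recursion ACL), not a global switch.
check_server() {
  raw=$(dig "@$1" "$2" SOA +noall +comments)
  echo "$1 serving $2: $(classify_dns_role "$raw")"
}

# Usage (placeholder addresses):
#   check_server 203.0.113.1 domain.net   # public: expect authoritative-only
#   check_server 10.0.0.1    domain.net   # LAN:    expect recursive-resolver
```

A public authoritative server that comes back "authoritative+recursive" when queried from an arbitrary Internet host is the cache-poisoning exposure the reply warns about; a LAN resolver that comes back "neither" is the other failure mode, where stub resolvers on the FreeBSD boxes have nobody to recurse for them.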