EFA4 DNS config problem

Bugs in eFa 4
toddh
Posts: 69
Joined: 16 Feb 2015 18:52

EFA4 DNS config problem

Post by toddh »

I set up 2 boxes and neither was passing emails.

Rejecting connections with:
Recipient address rejected: Domain not found

The domain was entered into EFA during config. Postfix config and transport files looked fine.

I thought maybe a DNS issue?

EFA4 during initial config defaulted to DNS Recursion Enabled. Not understanding the ramifications, I accepted the default. It did not ask me to configure DNS servers, so I left them blank.

I looked at the config for our current EFA3 production boxes and configured EFA4 DNS the same way,
DNS Recursion = disabled
Primary and Secondary = our DNS

EFA then started bouncing with:
Sender address rejected: Domain not found;

Changed, but no progress. I then tried using Google DNS, and EFA4 started processing mails.

Moving back to our DNS once again started rejecting emails.

So I have EFA4 processing emails using Google DNS, but I don't know why. And I don't know why the DNS setup for EFA3 does not work on EFA4 :D


shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA4 DNS config problem

Post by shawniverson »

When you configure DNS to your local dns servers, what do you have in the following configs?

/etc/resolv.conf

/etc/unbound/conf.d/forwarders.conf

and what happens when you do this?


dig mx google.com
toddh

Re: EFA4 DNS config problem

Post by toddh »

With external DNS server 1.1.1.1

/etc/resolv.conf
# Generated by NetworkManager
search smart-mail.net

/etc/unbound/conf.d/forwarders.conf
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 4.4.4.4


[admin@EFA4Beta4 ~]$ dig mx google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> mx google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43623
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN MX

;; ANSWER SECTION:
google.com. 205 IN MX 40 alt3.aspmx.l.google.com.
google.com. 205 IN MX 50 alt4.aspmx.l.google.com.
google.com. 205 IN MX 10 aspmx.l.google.com.
google.com. 205 IN MX 20 alt1.aspmx.l.google.com.
google.com. 205 IN MX 30 alt2.aspmx.l.google.com.

;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 18 12:15:30 CST 2019
;; MSG SIZE rcvd: 147


With our DNS Servers

/etc/resolv.conf
# Generated by NetworkManager
search smart-mail.net

/etc/unbound/conf.d/forwarders.conf
forward-zone:
name: "."
forward-addr: 172.22.22.15
forward-addr: 172.22.22.34


[admin@EFA4Beta4 ~]$ dig mx google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> mx google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6428
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN MX

;; Query time: 57 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 18 12:00:32 CST 2019
;; MSG SIZE rcvd: 39

However when I run this on our EFA3 boxes which use our DNS they resolve the same as the external DNS servers do.

On a side note, whenever updating DNS from EFA-Configure it throws an error and kicks you back to the main menu.

Enter your new primary DNS: 1.1.1.1
sed: -e expression #1, char 13: unknown command: `C'
All done
Press [Enter] key to continue...

It saves the changes so you can go back in and update the 2nd DNS server, but I do not know if it is restarting the NIC.
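The sed error quoted above comes from the DNS-update step of EFA-Configure; the script itself is not on this page, so what in its expression breaks is not established here. As an added example that is not eFa's code, the Python below shows the shape a practitioner would want for that step: validate the operator's input as an IP literal first, then rewrite the KEY:VALUE line of a /etc/eFa/eFa-Config style file directly, so that nothing the operator types is ever spliced into a sed or shell expression. The KEY:VALUE layout follows the eFa-Config excerpt posted later in this thread; SAMPLE_CONFIG is constructed, and the function names and the loopback/multicast rejection policy are the example author's assumptions.

```python
"""Added example (not eFa's code): update DNSIP1/DNSIP2 in a KEY:VALUE file
such as /etc/eFa/eFa-Config without handing operator input to sed.

Assumptions: the KEY:VALUE format matches the eFa-Config excerpt in this
thread; SAMPLE_CONFIG is constructed; the address policy is the author's.
"""
import ipaddress
import os
import tempfile

# Constructed sample in the eFa-Config format (not taken from a real host).
SAMPLE_CONFIG = """CONFIGURED:YES
HOSTNAME:testefa4
DNSIP1:
DNSIP2:
RECURSION:DISABLED
"""


def validate_dns_ip(raw: str) -> str:
    """Return a canonical IP literal or raise ValueError.

    Anything that is not a bare address (shell metacharacters, sed
    delimiters, hostnames) is rejected before it can reach the file.
    """
    addr = ipaddress.ip_address(raw.strip())  # ValueError on anything else
    # Policy (assumption): an upstream forwarder must be a real remote host.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{addr} is not a usable upstream resolver")
    return str(addr)


def set_config_value(text: str, key: str, value: str) -> str:
    """Replace the first KEY:VALUE line for `key`, or append one."""
    out, found = [], False
    for line in text.splitlines():
        if not found and line.split(":", 1)[0] == key:
            out.append(f"{key}:{value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}:{value}")
    return "\n".join(out) + "\n"


def update_dns_server(path: str, slot: int, raw_value: str) -> str:
    """Validate, rewrite `path` atomically, and return the new contents."""
    if slot not in (1, 2):
        raise ValueError("slot must be 1 or 2")
    value = validate_dns_ip(raw_value)
    with open(path) as fh:
        new_text = set_config_value(fh.read(), f"DNSIP{slot}", value)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    # mkstemp creates the file 0600; keep the original mode for other readers.
    os.chmod(tmp, os.stat(path).st_mode & 0o777)
    os.replace(tmp, path)  # atomic rename: never a half-written config
    return new_text


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
    print(update_dns_server(fh.name, 1, "1.1.1.1"))
    os.unlink(fh.name)
```

The point is not the file write but the order of operations: the value is parsed as an address before anything else happens, so a stray `/`, `;` or quote can neither corrupt the edit nor become part of a command.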
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: EFA4 DNS config problem

Post by henk »

As I have no issues with DNS in eFa RC2 (recursion enabled), here is my current working config.

/etc/eFa/eFa-Config


CONFIGURED:YES
HOSTNAME:testefa4
DOMAINNAME:example.lan
IPV4ADDRESS:172.16.xx.xx
IPV6ADDRESS:
DNSIP1:
DNSIP2:
RECURSION:ENABLED
INTERFACE:eth0
IPV4NETMASK:255.255.0.0
IPV4GATEWAY:172.16.yy.yy    # pfsense firewall
IPV6MASK:
IPV6GATEWAY:
TZONE:Europe/Amsterdam
IANA:nl
ORGNAME:efa
MAILSERVER:127.0.0.1
ADMINEMAIL:me@example.lan
ISUTC:true
IPV6DNS:no 
/etc/resolv.conf


# Generated by NetworkManager
search example.lan example.man
nameserver 127.0.0.1
/etc/unbound/conf.d/forwarders.conf


forward-zone:
  name: "."
  forward-addr: 172.16.yy.yy   # pfsense firewall running unbound
  forward-first: yes
I did not change anything in the /etc/unbound/unbound.conf
I did add a Unbound config in /etc/unbound/conf.d/unbound.conf as described in viewtopic.php?t=2567
When I dig inside or outside my local network (tcp or udp), the answer comes within 0 msec.


dig +notcp mx google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> +notcp mx google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61935
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN MX

;; ANSWER SECTION:
google.com. 806 IN MX 10 aspmx.l.google.com.
google.com. 806 IN MX 50 alt4.aspmx.l.google.com.
google.com. 806 IN MX 40 alt3.aspmx.l.google.com.
google.com. 806 IN MX 20 alt1.aspmx.l.google.com.
google.com. 806 IN MX 30 alt2.aspmx.l.google.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 18 21:34:24 CET 2019
;; MSG SIZE rcvd: 147
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
shawniverson

Re: EFA4 DNS config problem

Post by shawniverson »

toddh wrote: 18 Feb 2019 18:22

    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6428
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

You are getting a SERVFAIL status. Is there a firewall or ACL between you and these dns servers?

    On a side note, whenever updating DNS from EFA-Configure it throws an error and kicks you back to the main menu.

    Enter your new primary DNS: 1.1.1.1
    sed: -e expression #1, char 13: unknown command: `C'
    All done
    Press [Enter] key to continue...

Thanks for the find, flagging this for a fix.
toddh

Re: EFA4 DNS config problem

Post by toddh »

I will turn on Recursion again and post the results.

Recursion was originally on default with no DNS Primary/Secondary servers defined and mails were not passing. But it was generating a different error than with it off as I recall.
henk

Re: EFA4 DNS config problem

Post by henk »

Most likely, Shawn did ask the nr 1 question: "Is there a firewall or ACL between you and these dns servers?"
(I do have a firewall rule that blocks all DNS traffic whose destination is not the firewall DNS server.)

Check your dns config.


unbound-control list_forwards
unbound-control lookup google.com
Check caching


unbound-control stats_noreset |grep total
toddh

Re: EFA4 DNS config problem

Post by toddh »

No firewall between the EFA boxes and our DNS. They are on the same subnet.

There is a firewall between the EFA boxes and the External DNS.

We checked the logs on our DNS servers and found no errors for requests from the EFA4 boxes being rejected.
henk

Re: EFA4 DNS config problem

Post by henk »

did you read? viewtopic.php?t=2567

can you post (for efa3 and efa4)


unbound-control list_forwards
unbound-control lookup google.com
toddh

Re: EFA4 DNS config problem

Post by toddh »

Installed RC3 and DNS Recursion not working.

With default setting DNS Recursion Enabled it does not route emails.

From maillog


Mar 13 21:11:02 SC-EFA4RC3-01 postfix/smtpd[7260]: connect from mail-wm1-f48.google.com[209.85.128.48]
Mar 13 21:11:02 SC-EFA4RC3-01 postfix/smtpd[7260]: Anonymous TLS connection established from mail-wm1-f48.google.com[209.85.128.48]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 13 21:11:33 SC-EFA4RC3-01 postfix/smtpd[7260]: NOQUEUE: reject: RCPT from mail-wm1-f48.google.com[209.85.128.48]: 450 4.1.2 <hunter@progressivesystems.biz>: Recipient address rejected: Domain not found; from=<todd.d.hunter@gmail.com> to=<hunter@progressivesystems.biz> proto=ESMTP helo=<mail-wm1-f48.google.com>
Mar 13 21:11:33 SC-EFA4RC3-01 postfix/smtpd[7260]: disconnect from mail-wm1-f48.google.com[209.85.128.48] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
cat /etc/resolv.conf


[root@SC-EFA4RC3-01 ~]# cat /etc/resolv.conf
domain smartcloudllc.com
# Generated by NetworkManager
[root@SC-EFA4RC3-01 ~]#
dig google mail server


[root@SC-EFA4RC3-01 ~]# dig mail-wm1-f48.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> mail-wm1-f48.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59892
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail-wm1-f48.google.com.	IN	A

;; ANSWER SECTION:
mail-wm1-f48.google.com. 86130	IN	A	209.85.128.48

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 13 21:15:32 CDT 2019
;; MSG SIZE  rcvd: 68
When I Disable Recursion and use EFA Configure set Primary DNS = 8.8.8.8, No email delivery.


[root@SC-EFA4RC3-01 ~]# cat /etc/resolv.conf
domain smartcloudllc.com
# Generated by NetworkManager
[root@SC-EFA4RC3-01 ~]# dig mail-wm1-f48.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> mail-wm1-f48.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
If I edit /etc/resolv.conf and add the DNS Server email is delivered. Delivery also works with our Internal DNS which was a previous problem.


nameserver 8.8.8.8
domain smartcloudllc.com
# Generated by NetworkManager


[root@SC-EFA4RC3-01 ~]# dig mail-wm1-f48.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> mail-wm1-f48.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail-wm1-f48.google.com.	IN	A

;; ANSWER SECTION:
mail-wm1-f48.google.com. 21599	IN	A	209.85.128.48

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 13 21:24:45 CDT 2019
;; MSG SIZE  rcvd: 68
It appears that EFA-Config is not updating /etc/resolv.conf files.

Todd
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: EFA4 DNS config problem

Post by zane93 »

I can confirm I'm having the same issue as @toddh on a new EFA3 install.
henk

Re: EFA4 DNS config problem

Post by henk »

Can you post:


/etc/sysconfig/network-scripts/ifcfg-*
To prevent NetworkManager from overwriting your resolv.conf changes, remove the DNS1, DNS2, ... lines from /etc/sysconfig/network-scripts/ifcfg-*.
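The three files Shawn and henk asked about are the whole story of this thread: toddh's /etc/resolv.conf with no nameserver line (so libc silently falls back to 127.0.0.1, which is why every dig reported SERVER: 127.0.0.1), a forwarders.conf that is the only path out when recursion is disabled, and DNS1/DNS2 in ifcfg-* letting NetworkManager write resolv.conf back over a manual fix. As an added example that is not eFa's code, here is a small Python audit that parses those three files and reports exactly those conditions. The sample file contents are constructed from what was posted in this thread; the finding codes, the rules and the function names are the example author's.

```python
"""Added example (not eFa's code): audit the three files this thread turns on
for the failure modes it shows. Sample inputs are constructed from what was
posted; finding codes and rules are the example author's.

  /etc/resolv.conf                       -> which resolver libc will use
  /etc/unbound/conf.d/forwarders.conf    -> where local unbound sends queries
  /etc/sysconfig/network-scripts/ifcfg-* -> DNS1/DNS2 that NetworkManager
                                            writes back into resolv.conf
"""
from typing import Dict, List, Tuple

# --- constructed samples (patterned on the thread, not real hosts) ----------
RESOLV_NO_NS = "# Generated by NetworkManager\nsearch smart-mail.net\n"
RESOLV_LOCAL = ("# Generated by NetworkManager\n"
                "search example.lan\nnameserver 127.0.0.1\n")
FORWARDERS_INTERNAL = ('forward-zone:\n  name: "."\n'
                       "  forward-addr: 172.22.22.15\n"
                       "  forward-addr: 172.22.22.34\n")
IFCFG_WITH_DNS = ("DEVICE=eth0\nBOOTPROTO=none\nIPADDR=172.22.22.50\n"
                  'DNS1="172.22.22.15"\nDNS2=172.22.22.34\n')
IFCFG_CLEAN = "DEVICE=eth0\nBOOTPROTO=none\nIPADDR=172.22.22.50\n"


def _strip(line: str) -> str:
    """Drop a trailing # comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_resolv_conf(text: str) -> List[str]:
    """nameserver addresses in file order; empty if the file has none."""
    ns = []
    for line in text.splitlines():
        parts = _strip(line).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            ns.append(parts[1])
    return ns


def parse_forwarders(text: str) -> List[str]:
    """forward-addr values from an unbound forward-zone stanza."""
    return [_strip(ln).split(":", 1)[1].strip()
            for ln in text.splitlines()
            if _strip(ln).startswith("forward-addr:")]


def parse_ifcfg(text: str) -> Dict[str, str]:
    """KEY=VALUE pairs from a sysconfig ifcfg file, quotes removed."""
    cfg = {}
    for line in text.splitlines():
        line = _strip(line)
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip().strip('"').strip("'")
    return cfg


def audit(resolv: str, forwarders: str, ifcfg: str,
          recursion_enabled: bool) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    ns = parse_resolv_conf(resolv)
    fwd = parse_forwarders(forwarders)
    cfg = parse_ifcfg(ifcfg)

    if not ns:
        # resolv.conf(5): with no nameserver line libc queries the local
        # machine, which is why dig kept reporting SERVER: 127.0.0.1 here.
        findings.append(("NO_NAMESERVER",
                         "no nameserver in resolv.conf; libc falls back to "
                         "127.0.0.1, so everything depends on local unbound"))
    uses_local = not ns or all(n in ("127.0.0.1", "::1") for n in ns)
    if uses_local and not recursion_enabled and not fwd:
        findings.append(("NO_FORWARDERS",
                         "recursion disabled and no forward-addr: local "
                         "unbound has nowhere to send queries"))
    for key in ("DNS1", "DNS2", "DNS3"):
        if key in cfg:
            findings.append(("IFCFG_DNS",
                             f"{key}={cfg[key]} in ifcfg: NetworkManager will "
                             "regenerate resolv.conf from it and overwrite "
                             "manual edits"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(RESOLV_NO_NS, "", IFCFG_WITH_DNS, False):
        print(f"{code}: {msg}")
```

To use it on a real box, read the three files in place of the constants and take the recursion flag from the RECURSION line of /etc/eFa/eFa-Config. It is static analysis only: a clean audit still needs `dig mx google.com` and `unbound-control list_forwards` to confirm the path actually resolves, and it says nothing about an upstream that answers SERVFAIL.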