Top Senders report "No Domain Information"

Unanswered Question
Oct 14th, 2009
User Badges:

In the Top Senders report, our largest graph at the top states No Domain Information. For clean messages this is 367. The next line item is, which for clean messages is 41.

What is "No Domain Information"? Why can't it determine the domain?

Top Senders by total Threat Messages shows
No Domain Information 34.6 k
localhost 1,847 684 537

Top Senders by Clean Messages show
No Domain Information 367 41 27

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Donald Nash Wed, 10/14/2009 - 21:50
User Badges:

That category is for IP addresses with no reverse DNS information (that is, no PTR records).

steven_geerts Fri, 10/30/2009 - 22:56
User Badges:

(Provided as extra info on dlnash:)

Most likely your own downstream mail servers can not be (reversed DNS) resolved by the Ironports. This is expected when you use the default Ironport DNS configuration (used root servers). I assume your downstream systems use a private range IP and those can never be resolved by the public DNS system.

It might be a solution to use your local DNS server for your Ironport….. but be very careful, Ironport generates a massive load on your DNS system.


Donald Nash Fri, 10/30/2009 - 23:59
User Badges:

One way to deal with the load that IronPort appliances place on DNS servers is to have a dedicated set of DNS servers specifically and exclusively for them, with a little hot-wiring so they know how to find the zones for your RFC 1918 space.

You may even be able to prevent these servers from caching anything. The IronPorts do their own DNS caching, so these external servers don't need to do so as well. They just need to be a conduit that can send queries to the right places. Eliminating caching on these servers means they won't consume very much memory (and also eliminates one avenue of cache poisoning attacks). They'll just need enough CPU and network bandwidth to handle the query rate that the IronPorts will generate. And let's face it, DNS processing isn't very hard. IronPort units generate a flood of DNS while still managing to do all the really heavy lifting they do, and all on reasonably inexpensive (for enterprise-grade, anyway) commodity hardware.


This Discussion