Issue sending e-mails to certain domain

Jan 25th, 2012

I'm having an issue sending e-mails to domain capitaliii.com from my Ironport.  I see the following message in the Ironport log.

"DNS Temporary Failure capitaliii.com MX - unable to reach nameserver on any valid IP"

When I issue an nslookup on the MX record from the Ironport, I get the below message.

Temporary query error:  "unable to reach nameserver on any valid IP" looking up A record for "capitaliii.com" to nameserver ns3.digipark.com

I can however do a successful nslookup from my workstation.  See the results below.  Any ideas?  I've done a flushdns on the Ironport to no avail.

Non-authoritative answer:

capitaliii.com  MX preference = 10, mail exchanger = mail1.digipark.com

mail1.digipark.com      internet address = 64.111.26.141
jorona Mon, 02/13/2012 - 17:28

Hello Doug,

This may just be an issue with the DNS servers that your IronPort is configured to query. Are you using the root (default setting) DNS servers, or have you configured your appliance to query internal servers?

Regards,

-Jerry Orona

andmuell Tue, 02/14/2012 - 07:47

Hello Doug,

Check if your firewall in front of the IronPort appliance allows TCP for DNS on port 53.  The query results I get are close to the 512-byte limit, where DNS switches from UDP to TCP:

cisco$  dig mx capitaliii.com +trace

; <<>> DiG 9.6-ESV-R4-P3 <<>> mx capitaliii.com +trace
;; global options: +cmd
.                       274955  IN      NS      f.root-servers.net.
.                       274955  IN      NS      g.root-servers.net.
.                       274955  IN      NS      h.root-servers.net.
.                       274955  IN      NS      i.root-servers.net.
.                       274955  IN      NS      j.root-servers.net.
.                       274955  IN      NS      k.root-servers.net.
.                       274955  IN      NS      l.root-servers.net.
.                       274955  IN      NS      m.root-servers.net.
.                       274955  IN      NS      a.root-servers.net.
.                       274955  IN      NS      b.root-servers.net.
.                       274955  IN      NS      c.root-servers.net.
.                       274955  IN      NS      d.root-servers.net.
.                       274955  IN      NS      e.root-servers.net.
;; Received 260 bytes from xxx.xxx.xxx.xxx in 189 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 504 bytes from 198.41.0.4#53(a.root-servers.net) in 23 ms

capitaliii.com.         172800  IN      NS      ns4.digipark.com.
capitaliii.com.         172800  IN      NS      ns3.digipark.com.
;; Received 109 bytes from 192.55.83.30#53(m.gtld-servers.net) in 50 ms

capitaliii.com.         86400   IN      MX      10 mail1.digipark.com.
capitaliii.com.         86400   IN      NS      ns3.digipark.com.
capitaliii.com.         86400   IN      NS      ns4.digipark.com.
;; Received 147 bytes from 64.111.26.135#53(ns4.digipark.com) in 148 ms

Hope that helps,

Andreas

doug.dockter@ut... Thu, 02/16/2012 - 13:25

I’ve made the below change on my ASA, but that doesn’t seem to have helped.

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 4096

kstieers1 Mon, 02/20/2012 - 08:19

I had a similar problem; it was an issue on our border routers.  Someone had put in a bogon list, but not kept it updated, so the router was dropping the traffic...

Do you have connectivity to 64.111.26.141???

doug.dockter@ut... Tue, 02/28/2012 - 07:18

Yes, it has finally been resolved.  I had to change my Ironport DNS setting to NOT use the Internet's root DNS servers.  If I use my internal DNS servers or Google's DNS server, it works.

Posted January 25, 2012 at 2:55 PM