IronPort DNS Hard Error Lookup (Emails Bouncing)

e.kiprotich
Level 1

Hi,

One of our clients running Cisco IronPort ESA is having a challenge sending mails to some local domains (e.g. recipient.co.ke - sample non-existent domain) and keeps getting the error below:

#< #5.0.0 smtp; 5.1.2 - Bad destination host 'DNS Hard Error looking up recipient.co.ke (MX): NXDomain' (delivery attempts: 0)> #SMTP#

Mails to other domains such as gmail.com & yahoo.com are working just fine.

Doing a dnsflush on the ESA temporarily solves the problem but it keeps recurring. Note that the client is able to receive mails from the same domains they can't send to.

The ESA appliance is able to do nslookups to the same domains.

Has anybody else experienced this challenge and how did you solve it?

 

Regards,

Emmon.

Accepted Solutions

e.kiprotich
Level 1

Got the solution.

Used Internet Root Domain Servers instead of local DNS IPs.

All is well now.


4 Replies

Dear Sir,

I have a question.

How do I configure Internet Root Domain Servers?

- Domain (How to check it is @xxx.com?)

- DNS Server FQDN (DNS server name?)

- DNS Server IP Address (Internal DNS IP address?)

Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.1.2 - Bad destination host 'DNS Hard Error looking up gate xxx.co.jp  (MX):  NXDomain' (delivery attempts: 0)

 

Thanks,

Ake V

Check whether you're using a local DNS server or are already on the root DNS servers.

VIA GUI:

GUI > Network > DNS

Click on the radio button to use Internet root DNS servers.

VIA CLI:

 

C370.lab> dnsconfig

Currently using the local DNS cache servers:
1. Priority: 0  1.1.1.8

Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> delete

Do you want to delete a local DNS cache server or an alternate domain server?
1. Delete a local DNS cache server.
2. Delete an alternate domain server.
[]> 1

Currently using the local DNS cache servers:
1. Priority: 0  1.1.1.8
Enter the number of the server you wish to remove.
[]> 1

Note: You have removed the last local nameserver entry.  DNS will now use the
Internet root servers.

Currently using the Internet root DNS servers.

No alternate authoritative servers configured.

Choose the operation you want to perform:
- NEW - Add a new server.
- SETUP - Configure general settings.

 

 

Then commit the changes if you decide to move to Root DNS.

To check the domain's DNS records (or in your case MX records), use the command line:

CLI > nslookup xxx.co.jp mx

It will show you results if any DNS records can be found.

 


C370.lab> nslookup cisco.com mx

MX=alln-mx-01.cisco.com PREF=10 TTL=1d
MX=rcdn-mx-01.cisco.com PREF=20 TTL=1d
MX=aer-mx-01.cisco.com PREF=30 TTL=1d
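
An added example, not part of the thread and not Cisco tooling: a Python script that extracts the domain, record type and DNS error from bounce diagnostics in the format quoted above, counts them per domain, and lists the `nslookup <domain> mx` checks to run on the ESA CLI. The function names are hypothetical, and the sample lines and `example.test` domains are constructed.

```python
import re
from collections import Counter

# Diagnostic text as quoted in the thread's bounces:
#   ... 'DNS Hard Error looking up <domain> (MX): NXDomain' ...
DNS_HARD_ERROR = re.compile(
    r"DNS Hard Error looking up\s+(?P<domain>.+?)\s*"
    r"\((?P<rtype>[A-Za-z]+)\):\s*(?P<error>\w+)"
)

def parse_dns_bounce(line):
    """Return (domain, record_type, error) for a DNS hard-error bounce, else None."""
    m = DNS_HARD_ERROR.search(line)
    if m is None:
        return None
    # Normalise case and a trailing root dot so repeats group together.
    domain = m.group("domain").strip().lower().rstrip(".")
    return domain, m.group("rtype").upper(), m.group("error")

def triage(lines):
    """Count DNS hard-error bounces per (domain, record type, error)."""
    return Counter(p for p in map(parse_dns_bounce, lines) if p)

def recheck_commands(counts):
    """ESA CLI lookups to run by hand, most-bounced domain first."""
    cmds = []
    for (domain, rtype, _error), _n in counts.most_common():
        cmd = f"nslookup {domain} {rtype.lower()}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds

# Constructed sample lines (example.test is a placeholder domain).
SAMPLE = [
    "Diagnostic-Code: smtp; 5.1.2 - Bad destination host 'DNS Hard Error "
    "looking up recipient.example.test (MX): NXDomain' (delivery attempts: 0)",
    "Diagnostic-Code: smtp; 5.1.2 - Bad destination host 'DNS Hard Error "
    "looking up Recipient.Example.Test.  (MX):  NXDomain' (delivery attempts: 0)",
    "Diagnostic-Code: smtp; 5.1.2 - Bad destination host 'DNS Hard Error "
    "looking up other.example.test (MX): NXDomain' (delivery attempts: 0)",
    "Diagnostic-Code: smtp; constructed bounce with no DNS error text",
]

if __name__ == "__main__":
    counts = triage(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print("\n".join(recheck_commands(counts)))
```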

 

 

I also have this kind of problem: some of our users cannot send to any of the DNS of the receiver (i.e. yahoo.com, gmail.com, even government and banks). They can receive emails from such but their emails are not received at either one of the destinations. Upon tracking ..."bounce profile HW-Bounce-Yahoo-Gmail' for the last event. The appliance Network - DNS configuration is already at "Internet Root Domain Servers" and DNS records are found upon nslookup. Any help for this? TIA