E-mails to specific domain not sent - strange DNS behaviour

chrismes
Level 1

We try to send e-mails to customers of 123-reg.co.uk. Our Cisco ESA C190 uses the internet root DNS.
So the DNS requests are sent to ns.123-reg.co.uk, ns2.123-reg.co.uk.
But they have a strange behaviour. They do not respond to the first MX DNS request; they respond to the 2nd DNS request, which is sent after 5 seconds. This works with Linux servers, tried it with 3 different Linux servers. When they send an MX DNS request and get no response, they send the next MX DNS request after 5 seconds and then they get a DNS response from ns.123-reg.co.uk, ns2.123-reg.co.uk.
But Cisco ESA does not work like the Linux servers. It sends an MX DNS request and then waits...
But because ns.123-reg.co.uk, ns2.123-reg.co.uk do not respond to a single MX DNS request, the target domain is always marked down on the ESA: "DNS Temporary Failure - unable to reach nameserver on any valid IP".
Any suggestions?
Thanks.

chris@ubuntu:~$ nslookup -type=MX 123-reg.co.uk ns.123-reg.co.uk
22:14:08.204492 IP 192.168.1.1.57403 > 212.67.202.2.53: 6927+ MX? 123-reg.co.uk. (31)
22:14:13.208185 IP 192.168.1.1.50028 > 212.67.202.2.53: 6927+ MX? 123-reg.co.uk. (31)
22:14:13.256006 IP 212.67.202.2.53 > 192.168.1.1.50028: 6927*- 1/0/0 MX mx0.hosteurope.de. 5 (64)

chris@ubuntu:~$ nslookup -type=MX 123-reg.co.uk ns2.123-reg.co.uk
22:14:29.035463 IP 192.168.1.1.34789 > 62.138.132.21.53: 49199+ MX? 123-reg.co.uk. (31)
22:14:34.039138 IP 192.168.1.1.49591 > 62.138.132.21.53: 49199+ MX? 123-reg.co.uk. (31)
22:14:34.068576 IP 62.138.132.21.53 > 192.168.1.1.49591: 49199*- 1/0/0 MX mx0.hosteurope.de. 5 (64)
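The tcpdump output above is enough to show the failure mode by itself: the same query ID appears twice from the client before any answer, and the answer arrives only for the retry. An added example that is not part of the original post, and not Cisco's or 123-reg's code: a small parser that reads tcpdump DNS lines, groups them per (nameserver, query ID), and reports how many attempts each query took and how long the first answer took. The sample capture embedded below is constructed from the two nslookup runs posted above; the 5-second retry interval it measures is nslookup's own timeout, so the tool is for comparing resolvers and nameservers, not for judging the "right" timeout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two tcpdump traces from the post above, one
# per nameserver. Each query was sent twice (same ID) and only the retry
# was answered.
SAMPLE_CAPTURE = """\
22:14:08.204492 IP 192.168.1.1.57403 > 212.67.202.2.53: 6927+ MX? 123-reg.co.uk. (31)
22:14:13.208185 IP 192.168.1.1.50028 > 212.67.202.2.53: 6927+ MX? 123-reg.co.uk. (31)
22:14:13.256006 IP 212.67.202.2.53 > 192.168.1.1.50028: 6927*- 1/0/0 MX mx0.hosteurope.de. 5 (64)
22:14:29.035463 IP 192.168.1.1.34789 > 62.138.132.21.53: 49199+ MX? 123-reg.co.uk. (31)
22:14:34.039138 IP 192.168.1.1.49591 > 62.138.132.21.53: 49199+ MX? 123-reg.co.uk. (31)
22:14:34.068576 IP 62.138.132.21.53 > 192.168.1.1.49591: 49199*- 1/0/0 MX mx0.hosteurope.de. 5 (64)
"""

# One tcpdump DNS line: timestamp, "IP src.port > dst.port:", query ID with
# flag characters (+ recursion desired, * authoritative, - no recursion), rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<flags>[+*\-]*) (?P<rest>.*)$"
)


@dataclass
class QueryStats:
    server: str            # nameserver IP the query went to
    qid: int               # DNS transaction ID (retries reuse it)
    qname: str             # name asked for
    attempts: int = 0      # how many times the client sent this query
    first_sent: Optional[float] = None
    last_sent: Optional[float] = None
    answered_at: Optional[float] = None
    answer: Optional[str] = None   # first MX exchange in the reply, if any

    @property
    def answered(self) -> bool:
        return self.answered_at is not None

    @property
    def time_to_answer(self) -> Optional[float]:
        """Seconds from the FIRST transmission to the answer (what the sender experiences)."""
        if self.answered_at is None or self.first_sent is None:
            return None
        return self.answered_at - self.first_sent

    @property
    def retry_interval(self) -> float:
        """Seconds between first and last transmission; 0 when there was no retry."""
        if self.attempts < 2 or self.first_sent is None or self.last_sent is None:
            return 0.0
        return self.last_sent - self.first_sent


def _to_seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(capture_text: str) -> List[QueryStats]:
    """Group tcpdump DNS lines by (server, query ID) and count attempts/answers."""
    stats: Dict[Tuple[str, int], QueryStats] = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS line we understand; skip silently
        ts, qid, rest = _to_seconds(m["ts"]), int(m["qid"]), m["rest"]
        if m["dport"] == "53":
            # client -> server: a (re)transmission of the query
            server = m["dst"]
            qm = re.match(r"(\w+)\? (\S+)", rest)
            qname = qm.group(2) if qm else "?"
            st = stats.setdefault((server, qid), QueryStats(server, qid, qname))
            st.attempts += 1
            st.first_sent = ts if st.first_sent is None else st.first_sent
            st.last_sent = ts
        elif m["sport"] == "53":
            # server -> client: a response; keep only the first one per query
            st = stats.get((m["src"], qid))
            if st is None or st.answered_at is not None:
                continue
            st.answered_at = ts
            am = re.search(r"\bMX (\S+) \d+", rest)
            st.answer = am.group(1) if am else None
    return list(stats.values())


def servers_needing_retry(results: List[QueryStats]) -> List[str]:
    """Nameservers that answered only after the query was retransmitted, in first-seen order."""
    seen: List[str] = []
    for st in results:
        if st.answered and st.attempts > 1 and st.server not in seen:
            seen.append(st.server)
    return seen


if __name__ == "__main__":
    for st in analyze(SAMPLE_CAPTURE):
        tta = f"{st.time_to_answer:.3f}s" if st.answered else "no answer"
        print(f"{st.server:15} id={st.qid:<6} {st.qname:18} attempts={st.attempts} "
              f"retry_after={st.retry_interval:.3f}s answered_after={tta} answer={st.answer}")
    print("servers that only answered a retry:", servers_needing_retry(analyze(SAMPLE_CAPTURE)))
```

Feed it `tcpdump -n -i <iface> udp port 53` output captured during an `nslookup -type=MX` against each nameserver you are considering for the ESA's alternate-DNS override (ns3 as well as ns and ns2): a server whose every query shows `attempts=2` is one the ESA's single-shot lookup will report as "unable to reach nameserver".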

4 Replies

In the DNS config, under "Alternate DNS servers Overrides (Optional)" set the DNS servers for this domain to something OTHER than the roots... for example, set it to 8.8.8.8 (google) or 1.1.1.1 (cloudflare).
That may get you around whatever is causing issues for you.
Ken

Thanks.
Yes, that is what I've tried, but this does not work. You cannot put just any DNS server in there; it must be the authoritative DNS server for that domain, so in my case these would be ns.123-reg.co.uk, ns2.123-reg.co.uk, which are causing the problem.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_0100001.html

Specifying DNS Servers

AsyncOS can use the Internet root DNS servers, your own DNS servers, or the Internet root DNS servers and authoritative DNS servers you specify. When using the Internet root servers, you may specify alternate servers to use for specific domains. Since an alternate DNS server applies to a single domain, it must be authoritative (provide definitive DNS records) for that domain.

Well it does not work with 1.1.1.1 or 8.8.8.8 because it needs to be an authoritative DNS-server.
But I found they also have ns3.123-reg.co.uk 212.67.203.246 and this one responds to DNS-requests immediately.
It works fine with nslookup on the ESA, now I try to send email.

It really depends upon what's borked on whether you have to have an authoritative or not. We still have Windows 2012 domain controllers, and they choke on some larger returned DNS replies from SPF flattening services. So I just go around the 2012 boxes for a few things.