Thread: Need help understanding how DNS works with Zimbra from behind a firewall

  #1 tommyf (Junior Member)

    Need help understanding how DNS works with Zimbra from behind a firewall

    I've been reading and searching for days and do not grasp how to resolve this issue. DNS is obviously something I need to study up on.

    I am moving a Zimbra server to a new datacenter where it will be behind a firewall for the first time.

    When I moved this server to the new datacenter and reconfigured for the new IPs, everything 'seemed' to work:
    All mail was received.
    Mail could be sent out.
    All web interfaces functioned, mail and admin.

    The problem was that mail was received into the queue, but it would NOT deliver to the mailboxes. Research indicated that being behind a firewall now the mail server needed a local DNS server that would resolve the names to the local subnet IP. They said to add an A record and PTR for the mail server. There is a Microsoft DNS server on the subnet.

    The PTR records were easy and work fine. However I am not grasping something in getting the A record entries right.

    Zimbra Hostname: mail.myserver.com

    The DNS server is: localdns.net

    If I add an A record of mail.myserver.com pointing to 10.xx.xx.30, it becomes mail.myserver.com.localdns.net.

    Running "host mail.myserver.com" yields the public IP, not the local subnet IP.
    Running "nslookup mail.myserver.com" from inside a Windows server on the same subnet returns the proper local subnet IP of 10.xx.xx.30.

    Modified resolve.conf to: nameserver 10.xx.xx.56 (the MS DNS Server)

    Any help appreciated.

    Thanks,

    ~ Tommy

  #2 phoenix (Zimbra Consultant & Moderator, Vannes, France)


    The simple answer is that if you are behind a NAT router (or firewall) you need a Split DNS; read that article and if you still have problems you should post the output of all the commands in the 'Verify....' section of that article. If you're getting "mail.myserver.com.localdns.net." as the domain name when you add the A record then you are configuring the record incorrectly. I haven't used MS DNS for a while so I can't offer any immediate advice on that problem. Is this an AD server or just an MS DNS server?

    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  #3 tommyf (Junior Member)


    Thanks for the URL. I think I understand what the goal is, to get the domain and mx to resolve locally within the subnet. I had to have a new zone added to the MS DNS server, and now things resolve. I followed the verify steps, results below.

    host $(hostname)
    Code:
    mail.mydomain.com has address 10.xx.xx.30
    mail.mydomain.com mail is handled by 10 mail.mydomain.com.
    dig mail.mydomain.com mx
    Code:
    ; <<>> DiG 9.7.0-P1 <<>> mail.mydomain.com mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63132
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;mail.mydomain.com. IN MX

    ;; ANSWER SECTION:
    mail.mydomain.com. 3600 IN MX 10 mail.mydomain.com.

    ;; ADDITIONAL SECTION:
    mail.mydomain.com. 3600 IN A 10.xx.xx.30

    ;; Query time: 2 msec
    ;; SERVER: 10.xx.xx.56#53(10.xx.xx.56)
    ;; WHEN: Sun Mar 3 10:41:07 2013
    ;; MSG SIZE rcvd: 68
    dig mail.mydomain.com any
    Code:
    ; <<>> DiG 9.7.0-P1 <<>> mail.mydomain.com any
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46395
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;mail.mydomain.com. IN ANY

    ;; ANSWER SECTION:
    mail.mydomain.com. 3600 IN A 10.xx.xx.30
    mail.mydomain.com. 3600 IN MX 10 mail.mydomain.com.

    ;; ADDITIONAL SECTION:
    mail.mydomain.com. 3600 IN A 10.xx.xx.30

    ;; Query time: 2 msec
    ;; SERVER: 10.xx.xx.56#53(10.xx.xx.56)
    ;; WHEN: Sun Mar 3 10:41:11 2013
    ;; MSG SIZE rcvd: 84
    /etc/hosts
    Code:
    127.0.0.1 localhost
    10.xx.xx.30 mail.mydomain.com mail
    /etc/resolv.conf
    Code:
    search mydomain.com
    nameserver 10.xx.xx.56

  #4 phoenix (Zimbra Consultant & Moderator, Vannes, France)


    As explained in the Split DNS wiki article, this is the incorrect format for the dig command:

    Code:
    dig mail.mydomain.com any
    You use the domain, not a sub-domain or the FQDN of your server, so the command should be:

    Code:
    dig mydomain.com any
    What does the output of the two dig commands show when you use the correct format?
    Regards
    Bill

  #5 tommyf (Junior Member)


    Different output now. Now I'm confused again, argh!

    dig mydomain.com mx
    Code:
    ; <<>> DiG 9.7.0-P1 <<>> mydomain.com mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44758
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;mydomain.com.			IN	MX
    
    ;; AUTHORITY SECTION:
    mydomain.com.		3600	IN	SOA	dc1.mydomain.net. hostmaster.mydomain.net. 3 900 600 86400 3600
    
    ;; Query time: 2 msec
    ;; SERVER: 10.xx.xx.56#53(10.xx.xx.56)
    ;; WHEN: Sun Mar  3 11:23:21 2013
    ;; MSG SIZE  rcvd: 95
    dig mydomain.com any
    Code:
    ; <<>> DiG 9.7.0-P1 <<>> mydomain.com any
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39657
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mydomain.com.			IN	ANY
    
    ;; ANSWER SECTION:
    mydomain.com.		3600	IN	NS	dc1.mydomain.net.
    mydomain.com.		3600	IN	SOA	dc1.mydomain.net. hostmaster.mydomain.net. 3 900 600 86400 3600
    
    ;; ADDITIONAL SECTION:
    dc1.mydomain.net.	3600	IN	A	10.xx.xx.56
    
    ;; Query time: 10 msec
    ;; SERVER: 10.xx.xx.56#53(10.xx.xx.56)
    ;; WHEN: Sun Mar  3 11:23:14 2013
    ;; MSG SIZE  rcvd: 125

  #6 tommyf (Junior Member)


    The new zone in the MS DNS does not seem correct. I have to get that fixed. It won't resolve mydomain.com for some reason.

  #7 tommyf (Junior Member)


    I switched it to use the DNSMasq and not the MS DNS server.

    I modified the /etc/hosts and /etc/resolv.conf according to the instructions, as well as the /etc/dnsmasq.conf.
    The output of the dig commands is below. The output of host $(hostname) gives the external public IP for the mx record.

    host $(hostname)
    Code:
    mail.mydomain.com has address 10.xx.xx.30
    mail.mydomain.com mail is handled by 10 8.xx.xx.30.
    /etc/dnsmasq.conf
    Code:
    server=4.2.2.2
    server=4.2.2.3
    domain=mydomain.com
    mx-host=mydomain.com,mail.mydomain.com,5
    listen-address=127.0.0.1
    /etc/hosts
    Code:
    127.0.0.1 localhost.localdomain localhost
    10.xx.xx.30	mail.mydomain.com	mail
    /etc/resolv.conf
    Code:
    search mydomain.com
    nameserver 127.0.0.1
    dig mydomain.com mx
    Code:
    ; <<>> DiG 9.7.0-P1 <<>> mydomain.com mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60359
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mydomain.com.			IN	MX
    
    ;; ANSWER SECTION:
    mydomain.com.		0	IN	MX	5 mail.mydomain.com.
    
    ;; ADDITIONAL SECTION:
    mail.mydomain.com.	0	IN	A	10.xx.xx.30
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Mar  3 13:16:42 2013
    ;; MSG SIZE  rcvd: 81
    dig mydomain.com any
    Code:
    ; <<>> DiG 9.7.0-P1 <<>> mydomain.com any
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27181
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mydomain.com.			IN	ANY
    
    ;; ANSWER SECTION:
    mydomain.com.		0	IN	MX	5 mail.mydomain.com.
    
    ;; ADDITIONAL SECTION:
    mail.mydomain.com.	0	IN	A	10.xx.xx.30
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Mar  3 13:17:51 2013
    ;; MSG SIZE  rcvd: 81
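A check for the split-DNS conditions this thread converges on, added here as an example and not code from the thread, from Zimbra or from the Split DNS article: it parses dig output in the shape shown above and reports why delivery into the mailboxes would still fail (no MX in the zone as in post #5, MX naming the wrong host, or the host still resolving to the outside address as in the original problem). The sample outputs are constructed; 10.0.0.30 and 203.0.113.30 stand in for the masked 10.xx.xx.30 and the public address.

```python
import ipaddress
import re

# Constructed samples (not captured output): the shape of the thread's dig answers.
SAMPLE_OK = """\
;; ANSWER SECTION:
mydomain.com.        0   IN  MX  5 mail.mydomain.com.

;; ADDITIONAL SECTION:
mail.mydomain.com.   0   IN  A   10.0.0.30
"""
# Post #5 shape: the zone answers, but with only an SOA and no MX.
SAMPLE_SOA_ONLY = """\
;; AUTHORITY SECTION:
mydomain.com.  3600  IN  SOA  dc1.mydomain.net. hostmaster.mydomain.net. 3 900 600 86400 3600
"""
# Original failure shape: MX is right but the host still resolves to an outside address.
SAMPLE_PUBLIC = SAMPLE_OK.replace("10.0.0.30", "203.0.113.30")

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|MX|NS|SOA)\s+(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dig(text):
    """Return (owner, type, rdata) tuples for the resource records in dig output."""
    recs = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m and not line.startswith(";"):   # skip comments and the QUESTION line
            recs.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3)))
    return recs

def check_split_dns(dig_text, domain, hostname):
    """Thread's expectations: zone has an MX, it names this host, host's A is RFC 1918."""
    domain, hostname = domain.lower(), hostname.lower()
    recs = parse_dig(dig_text)
    problems = []
    mx = [r for r in recs if r[0] == domain and r[1] == "MX"]
    if not mx:
        return [f"no MX record for {domain}: query the zone, not the FQDN, and add the MX"]
    targets = [r[2].split()[1].rstrip(".").lower() for r in mx]
    if hostname not in targets:
        problems.append(f"MX for {domain} points at {targets}, not {hostname}")
    addrs = [r[2] for r in recs if r[0] == hostname and r[1] == "A"]
    if not addrs:
        problems.append(f"no A record returned for {hostname}")
    for a in addrs:
        if not any(ipaddress.ip_address(a) in n for n in RFC1918):
            problems.append(f"{hostname} resolves to outside address {a}: split DNS not in effect")
    return problems
```

Feed it the real output with `check_split_dns(open("dig.txt").read(), "mydomain.com", "mail.mydomain.com")`; an empty list means the inside resolver answers the way the Split DNS article expects.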
