Tag Archives: dns

DNS SPF Record to Reduce Rejection Rate of Your E-Mail

E-mail (and the internet) was designed long ago on the assumption that very few people would do evil, which is no longer the case. SMTP itself does not verify the sender: anyone can send mail to anyone else posing as any domain (if you own apple.com, nothing stops you from sending mail that claims to come from banana.com).

SPF stands for Sender Policy Framework. Long story short, it is a TXT record in your DNS zone that states which hosts are allowed to send e-mail as your domain, so that a receiving mail server can compare the IP that is connecting to it against your published list.

Testing If Your Domain Is Setup Properly

The openspf website lists tools you can use to check whether your domain already has SPF set up properly. For example:

  1. Go to http://www.openspf.org/Why
  2. Enter the e-mail address you are sending as in the MAIL FROM field and your SMTP server under Sender's IP address (eg: smtp.apple.com)
  3. The tool was originally designed to debug rejections, so even when the check passes it will say “your mail server rejected a message because”. Read further: if your SPF record is correct it should say The domain mycompany.com has authorized to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected., whereas if it is incorrect it will say The domain mycompany.com has not published an SPF policy. It is possible that the receiving mail server refuses all mail from domains that do not have an SPF policy.

Configuring SPF Record on Your DNS Zone

This is done wherever your domain's DNS zone is hosted. Add the following TXT record at the apex of your domain name (eg: mycompany.com). Publish only one SPF record per domain; receivers treat two or more as a permanent error, which is worse than having none.

v=spf1 a mx ?all

This syntax basically says:

  1. Authorize the IP in the domain's own A record as an outbound mailer
  2. Authorize the IPs of the hosts listed in the domain's MX records as outbound mailers
  3. Mark everything else as Neutral (the ? qualifier), which tells a receiver nothing about other sources; use ~all (SoftFail) while you are still tracking down every host that sends as your domain, and -all (Fail) once the list is complete, since that is what actually lets receivers reject forged mail. Also keep the record under the limit of 10 DNS-querying mechanisms (a, mx, include and friends), or evaluation ends in a permanent error.
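To see what the record above means in practice, here is an added example (not code from the original post) that evaluates an SPF record the way a receiving server does, against an in-memory DNS table so it runs offline. It handles the a, mx, ip4, include and all mechanisms with the four qualifiers, and also shows a stricter -all policy for comparison. All domains, addresses and records in it are constructed for the demo; check your real record with `dig +short TXT mycompany.com`.

```python
"""Minimal SPF (RFC 7208) evaluator run against an in-memory DNS table.

Added example, not code from the original post. It implements the a, mx,
ip4, include and all mechanisms with the four qualifiers, which is enough to
show what "v=spf1 a mx ?all" tells a receiving server about a connecting IP.
Every domain, address and record below is constructed for the demo.
"""
import ipaddress

# Constructed stand-in for real DNS (hypothetical zones, not live data).
FAKE_DNS = {
    ("mycompany.com", "TXT"): ["v=spf1 a mx ?all"],
    ("mycompany.com", "A"): ["203.0.113.10"],
    ("mycompany.com", "MX"): ["mail.mycompany.com"],
    ("mail.mycompany.com", "A"): ["203.0.113.25"],
    # A stricter policy: own MX hosts plus a provider's range, fail the rest.
    ("strict.example", "TXT"): ["v=spf1 mx include:_spf.provider.example -all"],
    ("strict.example", "MX"): ["mx.strict.example"],
    ("mx.strict.example", "A"): ["198.51.100.5"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than this is a permerror


def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get((name.lower(), rtype), [])


def spf_record(domain, dns=FAKE_DNS):
    """The domain's single SPF TXT record, or None if there is not exactly one."""
    found = [r for r in lookup(domain, "TXT", dns)
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, dns=FAKE_DNS, _lookups=None):
    """Evaluate whether `ip` may send mail as `domain` (RFC 7208 check_host()).

    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    """
    lookups = _lookups if _lookups is not None else [0]
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("a", "mx"):
            lookups[0] += 1
            target = arg or domain  # bare "a"/"mx" refer to the domain itself
            hosts = [target] if mech == "a" else lookup(target, "MX", dns)
            ips = [x for h in hosts for x in lookup(h, "A", dns)]
            matched = any(addr == ipaddress.ip_address(x) for x in ips)
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            lookups[0] += 1
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # including a missing/broken record is fatal
            matched = sub == "pass"
        else:
            return "permerror"  # ip6, exists, ptr, CIDR suffixes: not handled here
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term at the end


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "mycompany.com"),   # listed A host
                       ("198.51.100.99", "mycompany.com"),  # unknown host
                       ("198.51.100.99", "strict.example")]:
        print(f"{ip} as {domain}: {check_host(ip, domain)}")
```

Run it and compare the last two lines: the same unknown IP gets neutral from the ?all record and fail from the -all record, which is the whole difference between a record that documents your senders and one that lets receivers act on it.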

More Examples

Further Reading

  • SPF Syntax:
  • Excellent article by Jeff Attwood on his Coding Horror blog about sending email through code: http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html
  • http://aplawrence.com/Blog/B961.html

Windows 7 nslookup Resolves But Ping And Others Failed

As a wannabe network admin at the office, I've been dealing with a really tricky problem for the past few days. Long story short, I have a few development servers and I want to set up CNAMEs pointing to them so they are easy to remember.

The problem is that every 15-20 min the CNAME stops resolving. If I try to ping it, I get name not found. However, nslookup still resolves it fine.

I've tried many different things with no luck until I finally found the problem: we had mistakenly configured multiple public DNS servers in our DHCP settings alongside our primary internal DNS hosted on Windows Small Business Server 2011 (SBS). Shown below is the configuration after we fixed it; only one entry is listed, pointing to our internal DNS.

ipconfig

When multiple DNS servers are configured, the Windows DNS Client service does not round-robin between them: it sends each query to the first listed server and only moves on to the next one when that server fails to answer in time, and once another server has answered it keeps using that server for later queries. A public DNS server knows nothing about our internal zone, so it answers NXDOMAIN for the CNAME. That is a valid answer, not a failure, so the internal server is never asked, and the negative result is cached for a while on top. Any brief hiccup on the internal server therefore flips the client over to a public server, which is the intermittent behaviour above. nslookup kept working because it bypasses the DNS Client service and its cache and talks to a server directly.

This setting can be changed with the DHCP configuration tool on SBS, as shown below.

dhcpconfig

To make sure internet-wide name resolution still works, the public DNS servers have to be configured as forwarders on the internal DNS server, in the SBS DNS configuration.

dnsforwarder
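A quick way to confirm the split before and after the fix is to ask each configured server directly and compare answers, which is what nslookup does when given a server argument. The following is an added example (not code from the original post) that builds and parses raw DNS messages with the Python standard library only, so it runs on any OS and does not depend on the local resolver or its cache. The host name, server addresses and the sample responses it is tested against are assumptions; use the servers listed by ipconfig /all.

```python
"""Ask each configured DNS server directly and compare their answers.

Added example, not code from the original post. It builds and parses raw DNS
messages with the standard library only, so it runs on any OS and shows the
split that caused the symptom: the internal server returns the CNAME chain,
a public server returns NXDOMAIN. The server addresses and host names used
here are assumptions; substitute the ones listed by ipconfig /all.
"""
import random
import socket
import struct
import sys

RTYPES = {1: "A", 5: "CNAME"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Return (txid, wire-format message) for a recursive query (RD bit set)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg, txid):
    """Return (rcode, [(owner, type, rdata), ...]) for the answer section."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(msg[offset:offset + 4])
        elif rtype == 5:
            rdata, _ = read_name(msg, offset)
        else:
            rdata = msg[offset:offset + rdlen].hex()
        answers.append((owner, RTYPES.get(rtype, str(rtype)), rdata))
        offset += rdlen
    return rcode, answers


def ask(server, name, timeout=2.0):
    """Send one UDP query to `server`; return (rcode, answers) or TIMEOUT."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(data, txid)


if __name__ == "__main__":
    # usage: dnscheck.py dev1.corp.local 192.168.1.2 8.8.8.8  (assumed values)
    name, servers = sys.argv[1], sys.argv[2:]
    for server in servers:
        rcode, answers = ask(server, name)
        print(server, rcode, *("%s %s %s" % a for a in answers))
```

With the misconfigured DHCP scope the internal server prints NOERROR with the CNAME and its A record while every public server prints NXDOMAIN; after the fix only the internal server is handed out and the public ones are reached through its forwarders. A TIMEOUT from the internal server is the hiccup that makes the client fail over, so it is worth watching for too.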

Adding to the original confusion, I kept wondering why non-CNAME names could still be resolved all this time. This turns out to be because Windows uses not only DNS but a sequence of other methods to translate a host name into an IP:

  1. The client checks whether the name queried is its own host name
  2. The client checks the local hosts file (%SystemRoot%\System32\drivers\etc\hosts)
  3. DNS servers are queried
  4. NetBIOS name resolution (name cache, WINS, broadcast, LMHOSTS)

(Quoted from http://support.microsoft.com/kb/172218)

Notice that if DNS fails at step 3, regular PC names can still be resolved using NetBIOS (Windows 7 also tries LLMNR before NetBIOS), but a CNAME exists only in DNS, so it has no fallback and stays unresolved. That fallback is worth knowing about for another reason: any machine on the local segment can answer a NetBIOS or LLMNR query, so a PC that silently falls back this way can be pointed at the wrong host by anyone on the LAN. Handing out only the internal DNS server removes the dependency on it.