Unable to send email - unable to resolve domain

Hello all, I have a problem with sending the e-mails to the specific domain. After the investigation, I’ve found out that I can’t ping that domain of that address as well.

For example:

Working:
I can send email to john.doe @ gmail . com
I can ping gmail.com

Not working:
I can’t send email to john.doe @ something . si
I can’t ping something . si as well.

From other computer I can easily ping the second address and it works normally.

These are just the samples if you need real names I can provide them, but first I would like to see if anyone had problems like that.

I’m running version v0.43.

In the system settings I only get the following warning:

Nameserver glue records (ns1. box. xxx.com and ns2. box.xxx .com) should be configured at your domain name registrar as having the IP address of this box (139 .XX. 128.95). They currently report addresses of [Not Set]/[Not Set]. If you have set up External DNS, this may be OK.

But this is not a problem, because I’ve external DNS.

Thank you.

Hello!

While MiaB can support using external DNS server to manage all of the DNS records, this is not really what the project was set up for supporting, so it will be much more work for you to go this route.

My recommendation is to use a domain exclusively for the MiaB server, that way you can easily assign domains with external DNS to use Miab as their mail server.

@openletter

I am not certain that your response has any correlation on the OP’s issue. It seems that his MiaB is unable to resolve a specific domain on the internet.

@Superlukec

I have seen the issue you mention, but it was only a momentary glitch, not a long term problem. Would you mention or PM me with the domain name in question as my curiousity is piqued.

Thank you both for quick replies.

@openletter if I’ll not found the solution I’ll then try that one.

@alento

Yes of course, there is no secret. When I try to ping aktiva.si I get the following error:

ping: aktiva.si: Temporary failure in name resolution

The other command:
nslookup -type=mx aktiva.si

and the output:
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find aktiva.si: SERVFAIL

If I try the same command on the other computer I get:
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
aktiva.si mail exchanger = 20 mail2.aktiva.si.
aktiva.si mail exchanger = 10 mail.aktiva.si.

Authoritative answers can be found from:
aktiva.si       nameserver = ns5.webicom.si.
aktiva.si       nameserver = ns6.webicom.si.

The mail server is hosted on box.kompas-telekom.com.

Hi

SRVFAIL can be caused by a failure to reach the target nameserver. I did have a look at the domain myself and like you I found the nameservers and I actually found the following:

C:\Users\timdu_000>dig +short ns5.webicom.si.
91.185.212.16

C:\Users\timdu_000>dig +short ns6.webicom.si.
91.185.212.16

Meaning that there is no redundancy in the DNS lookup. As both you and I can get the MX records from computer OTHER than your outbound mail server, this could suggest a routing issue.
Try posting the output of the following command from your box.

root@box:~# traceroute -I ns6.webicom.si.
traceroute to ns6.webicom.si. (91.185.212.16), 30 hops max, 60 byte packets
 1  10.255.255.2 (10.255.255.2)  0.164 ms  0.151 ms  0.162 ms
 2  109.228.63.130 (109.228.63.130)  0.553 ms * *
 3  ae-4.bb-b.thn.lon.gb.oneandone.net (88.208.255.158)  5.285 ms  5.280 ms  5.678 ms
 4  ae-0-0.bb-a.ba.slo.gb.oneandone.net (212.227.120.105)  4.725 ms  4.717 ms  5.071 ms
 5  ae-11-0.bb-a.fra3.fra.de.oneandone.net (212.227.120.154)  16.771 ms  16.777 ms  16.768 ms
 6  de-fra-r-1-hu6-1.sbb.rs (80.81.194.190)  18.432 ms  18.176 ms  18.261 ms
 7  at-vie-r-1-be6.sbb.rs (89.216.5.96)  37.507 ms  37.304 ms  37.290 ms
 8  bg-tp-m-0-be1.sbb.rs (89.216.5.77)  39.411 ms  39.405 ms  39.408 ms
 9  peer-AS3212.sbb.rs (82.117.193.165)  39.295 ms  39.293 ms  39.432 ms
10  185.66.148.89.ipv4.telemach.net (185.66.148.89)  39.368 ms  39.363 ms  39.544 ms
11  185.66.148.89.ipv4.telemach.net (185.66.148.89)  39.249 ms  38.936 ms  38.947 ms
12  217-72-74-106.ipv4.telemach.net (217.72.74.106)  39.943 ms  40.073 ms  40.168 ms
13  discovery.webicom.si (91.185.212.16)  40.331 ms  40.466 ms  40.462 ms

Note the command has to be run as root so you may need to prefix it with sudo in order for it to work.

Tim

Hi,

I’ve ran the command with root privilege and I get the following output:

root@box:~# traceroute -I ns6.webicom.si. ns6.webicom.si.: Temporary failure in name resolution Cannot handle "host" cmdline arg 'ns6.webicom.si.' on position 1 (argc 2)

On the other computers I get the same result as you.

Can you try the following?
root@box:~# dig +trace +nodnssec mx aktiva.si.

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> +trace +nodnssec mx aktiva.si.
;; global options: +cmd
.                       503342  IN      NS      i.root-servers.net.
.                       503342  IN      NS      c.root-servers.net.
.                       503342  IN      NS      l.root-servers.net.
.                       503342  IN      NS      j.root-servers.net.
.                       503342  IN      NS      f.root-servers.net.
.                       503342  IN      NS      g.root-servers.net.
.                       503342  IN      NS      h.root-servers.net.
.                       503342  IN      NS      d.root-servers.net.
.                       503342  IN      NS      a.root-servers.net.
.                       503342  IN      NS      e.root-servers.net.
.                       503342  IN      NS      m.root-servers.net.
.                       503342  IN      NS      b.root-servers.net.
.                       503342  IN      NS      k.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si.                     172800  IN      NS      i.dns.si.
si.                     172800  IN      NS      b.dns.si.
si.                     172800  IN      NS      j.dns.si.
si.                     172800  IN      NS      f.dns.si.
si.                     172800  IN      NS      h.dns.si.
si.                     172800  IN      NS      c.dns.si.
si.                     172800  IN      NS      g.dns.si.
;; Received 462 bytes from 202.12.27.33#53(m.root-servers.net) in 19 ms

aktiva.si.              7200    IN      NS      ns5.webicom.si.
aktiva.si.              7200    IN      NS      ns6.webicom.si.
;; Received 94 bytes from 194.0.1.20#53(g.dns.si) in 33 ms

aktiva.si.              300     IN      MX      10 mail.aktiva.si.
aktiva.si.              300     IN      MX      20 mail2.aktiva.si.
aktiva.si.              86400   IN      NS      ns6.webicom.si.
aktiva.si.              86400   IN      NS      ns5.webicom.si.
;; Received 185 bytes from 91.185.212.16#53(ns6.webicom.si) in 52 ms

Tim

Well I hate to resort to this kludge, but if it is only the one domain and you simply want to get email to work … add the ns5.webicom.si IP address to your hosts file at /etc/hosts

This invariably will stop working at some point in the future (I have to do this often on other servers to be able to reach the Let’s Encrypt server) as the IP address may change some day. But for now, it should get mail flowing again to that domain.

I’m certainly not disputing that the kludge would work. I personally hate such things, and would only consider such things as a last resort.

This is the ouput of the following command:

root@box:~# dig +trace +nodnssec mx aktiva.si.

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> +trace +nodnssec mx aktiva.si.
;; global options: +cmd
. 493282 IN NS c.root-servers.net.
. 493282 IN NS j.root-servers.net.
. 493282 IN NS e.root-servers.net.
. 493282 IN NS g.root-servers.net.
. 493282 IN NS a.root-servers.net.
. 493282 IN NS h.root-servers.net.
. 493282 IN NS i.root-servers.net.
. 493282 IN NS d.root-servers.net.
. 493282 IN NS l.root-servers.net.
. 493282 IN NS k.root-servers.net.
. 493282 IN NS b.root-servers.net.
. 493282 IN NS f.root-servers.net.
. 493282 IN NS m.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si. 172800 IN NS b.dns.si.
si. 172800 IN NS c.dns.si.
si. 172800 IN NS f.dns.si.
si. 172800 IN NS g.dns.si.
si. 172800 IN NS h.dns.si.
si. 172800 IN NS i.dns.si.
si. 172800 IN NS j.dns.si.
;; Received 462 bytes from 192.203.230.10#53(e.root-servers.net) in 0 ms

aktiva.SI. 7200 IN NS ns5.webicom.si.
aktiva.SI. 7200 IN NS ns6.webicom.si.
couldn't get address for 'ns5.webicom.si': failure
couldn't get address for 'ns6.webicom.si': failure
dig: couldn't get address for 'ns5.webicom.si': no more

Thanks for suggestion @alento. I hope that we could resolve this problem. If everything fails I’ll try your solutions.

Thank you both for helping me.

I absolutely agree … but wanted to put it out there for the OP in case he wasn’t aware.

Ok … one thing I often do is to check Glue records as quite often people miss that step, and the tool I use is: https://mebsd.com/glue

Here is the thing, when I check webicom.si there are no glue records present for ns5 or ns6, which is also what the above dig is suggesting.

ns1.webicom.si.	7200	IN	A	91.185.202.230
ns2.webicom.si.	7200	IN	A	91.185.202.231
ns3.webicom.si.	7200	IN	A	91.185.202.237
ns4.webicom.si.	7200	IN	A	91.185.202.238

There are no IPv6 Glue records for webicom.si

I did a nslookup earlier for ns5 and it returned the IP. I am never getting an AUTHORITATIVE lookup for ns5 or ns6. I do not know if somehow MiaB requires an AUTHORITATIVE answer?

I think that I want to conclude that the DNS for the webicom.si domain is not configured correctly as they have not announced all of their glue records.

The way they’re set up - it looks like they haven’t announced all 6 nameservers with the registrar: but when you do a trace, their own authoritative nameservers are announcing the address.

C:\Users\timdu_000>dig +trace +nodnssec ns5.webicom.si

; <<>> DiG 9.11.8 <<>> +trace +nodnssec ns5.webicom.si
;; global options: +cmd
.                       70958   IN      NS      a.root-servers.net.
.                       70958   IN      NS      b.root-servers.net.
.                       70958   IN      NS      c.root-servers.net.
.                       70958   IN      NS      d.root-servers.net.
.                       70958   IN      NS      e.root-servers.net.
.                       70958   IN      NS      f.root-servers.net.
.                       70958   IN      NS      g.root-servers.net.
.                       70958   IN      NS      h.root-servers.net.
.                       70958   IN      NS      i.root-servers.net.
.                       70958   IN      NS      j.root-servers.net.
.                       70958   IN      NS      k.root-servers.net.
.                       70958   IN      NS      l.root-servers.net.
.                       70958   IN      NS      m.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si.                     172800  IN      NS      i.dns.si.
si.                     172800  IN      NS      g.dns.si.
si.                     172800  IN      NS      b.dns.si.
si.                     172800  IN      NS      f.dns.si.
si.                     172800  IN      NS      c.dns.si.
si.                     172800  IN      NS      h.dns.si.
si.                     172800  IN      NS      j.dns.si.
;; Received 495 bytes from 2001:500:2::c#53(c.root-servers.net) in 27 ms

webicom.SI.             7200    IN      NS      ns4.webicom.si.
webicom.SI.             7200    IN      NS      ns1.webicom.si.
webicom.SI.             7200    IN      NS      ns2.webicom.si.
webicom.SI.             7200    IN      NS      ns3.webicom.si.
;; Received 205 bytes from 2a02:e180:7::1#53(j.dns.si) in 18 ms

ns5.webicom.si.         14400   IN      A       91.185.212.16
webicom.si.             14400   IN      NS      ns3.webicom.si.
webicom.si.             14400   IN      NS      ns2.webicom.si.
webicom.si.             14400   IN      NS      ns4.webicom.si.
webicom.si.             14400   IN      NS      ns1.webicom.si.
;; Received 163 bytes from 91.185.215.197#53(ns3.webicom.si) in 64 ms

This by the way has also been done on my MIAB box the built in DNS resolver. So whatever is going on here, I don’t think that MIAB is responsible.
@Superlukec could you try using the DIG command above?

Tim

@ravenstar68 yes of course. The command ouput of
dig +trace +nodnssec ns5.webicom.si
is:

root@box:~# dig +trace +nodnssec ns5.webicom.si

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> +trace +nodnssec ns5.webicom.si
;; global options: +cmd
.                       485672  IN      NS      j.root-servers.net.
.                       485672  IN      NS      g.root-servers.net.
.                       485672  IN      NS      b.root-servers.net.
.                       485672  IN      NS      a.root-servers.net.
.                       485672  IN      NS      f.root-servers.net.
.                       485672  IN      NS      m.root-servers.net.
.                       485672  IN      NS      e.root-servers.net.
.                       485672  IN      NS      k.root-servers.net.
.                       485672  IN      NS      c.root-servers.net.
.                       485672  IN      NS      h.root-servers.net.
.                       485672  IN      NS      d.root-servers.net.
.                       485672  IN      NS      i.root-servers.net.
.                       485672  IN      NS      l.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si.                     172800  IN      NS      b.dns.si.
si.                     172800  IN      NS      c.dns.si.
si.                     172800  IN      NS      f.dns.si.
si.                     172800  IN      NS      g.dns.si.
si.                     172800  IN      NS      h.dns.si.
si.                     172800  IN      NS      i.dns.si.
si.                     172800  IN      NS      j.dns.si.
;; Received 467 bytes from 199.7.91.13#53(d.root-servers.net) in 98 ms

webicom.si.             7200    IN      NS      ns1.webicom.si.
webicom.si.             7200    IN      NS      ns2.webicom.si.
webicom.si.             7200    IN      NS      ns3.webicom.si.
webicom.si.             7200    IN      NS      ns4.webicom.si.
couldn't get address for 'ns1.webicom.si': failure
couldn't get address for 'ns2.webicom.si': failure
couldn't get address for 'ns3.webicom.si': failure
couldn't get address for 'ns4.webicom.si': failure
dig: couldn't get address for 'ns1.webicom.si': no more

Ok - now this is getting weird. You’re getting the server names but not the IP addresses.

The servers looking after the si. TLD are the one’s that hold the glue records. Normally if you try the following you should see both the names and the IP addresses of the Glue records

C:\Users\timdu_000>dig -6 @b.dns.si ns5.webicom.si

; <<>> DiG 9.11.8 <<>> -6 @b.dns.si ns5.webicom.si
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2755
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns5.webicom.si.                        IN      A

;; AUTHORITY SECTION:
webicom.si.             7200    IN      NS      ns2.webicom.si.
webicom.si.             7200    IN      NS      ns3.webicom.si.
webicom.si.             7200    IN      NS      ns4.webicom.si.
webicom.si.             7200    IN      NS      ns1.webicom.si.

;; ADDITIONAL SECTION:
ns1.webicom.si.         7200    IN      A       91.185.202.230
ns2.webicom.si.         7200    IN      A       91.185.202.231
ns3.webicom.si.         7200    IN      A       91.185.202.237
ns4.webicom.si.         7200    IN      A       91.185.202.238

;; Query time: 60 msec
;; SERVER: 2001:1470:8000:53::44#53(2001:1470:8000:53::44)
;; WHEN: Tue Sep 10 15:33:35 GMT Summer Time 2019
;; MSG SIZE  rcvd: 179

Tim

Is it possible that I receive such errors because I’m blocked from their side?

Thanks.

It’s not you being blocked.

The webicom.si. domain appears to be a mess This will cause all sorts of problems both for that domain and for any customers of theirs.

https://mxtoolbox.com/SuperTool.aspx?action=dns%3Awebicom.si&run=toolpage

1. Two of the servers glue records have the wrong IP address. If your DNS resolver selects one of those two servers then you won’t get a result

   ;; ADDITIONAL SECTION:
   ns1.webicom.si. 7200 IN A 91.185.202.230
   ns3.webicom.si. 7200 IN A 91.185.202.237
   ns4.webicom.si. 7200 IN A 91.185.202.238
   ns2.webicom.si. 7200 IN A 91.185.202.231

The glue records should match the A lookups

root@box:~# dig +short ns1.webicom.si @91.185.202.238
91.185.209.27
root@box:~# dig +short ns2.webicom.si @91.185.202.238
91.185.202.231
root@box:~# dig +short ns3.webicom.si @91.185.202.238
91.185.215.197
root@box:~# dig +short ns4.webicom.si @91.185.202.238
91.185.202.238

Basically your any server has a 1 in 2 chance of picking a valid Glue record. I’m not 100% up on how the fallback should work in DNS. But having bad Glue on one record is bad enough, let alone two. (I’ll do some digging into fallback)

2. The DNS servers records don’t match, this could even be why the fallback isn’t working, as master and secondary servers should have identical zones and identical SOA records.

Tim

I’ve dropped an email to webicom.si technical support contact address.

Tim

@alento - I think it’s now time to try your Kludge, or at least a variation of it. Now that we know that two of the Glue records are wrong, we can put the working values in the /etc/hosts file.

@Superlukec add the following to the bottom of your existing /etc/hosts file on your box

91.185.209.27        ns1.webicom.si
91.185.215.197      ns3.webicom.si

These will allow your box to find ns5 and ns6 regardless of which of the four initial nameservers it chooses.which in turn will allow it to find the nameservers for the actual domain you want.

Thank you very much @ravenstar68 and @alento for your help!

I will add the lines to the /etc/hosts file.

Best,
Luka

Do let us know if this solves your issue.