Unable to send email - unable to resolve domain

Hi,

I’ve ran the command with root privilege and I get the following output:

root@box:~# traceroute -I ns6.webicom.si. ns6.webicom.si.: Temporary failure in name resolution Cannot handle "host" cmdline arg 'ns6.webicom.si.' on position 1 (argc 2)

On the other computers I get the same result as you.

Can you try the following?
root@box:~# dig +trace +nodnssec mx aktiva.si.

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> +trace +nodnssec mx aktiva.si.
;; global options: +cmd
.                       503342  IN      NS      i.root-servers.net.
.                       503342  IN      NS      c.root-servers.net.
.                       503342  IN      NS      l.root-servers.net.
.                       503342  IN      NS      j.root-servers.net.
.                       503342  IN      NS      f.root-servers.net.
.                       503342  IN      NS      g.root-servers.net.
.                       503342  IN      NS      h.root-servers.net.
.                       503342  IN      NS      d.root-servers.net.
.                       503342  IN      NS      a.root-servers.net.
.                       503342  IN      NS      e.root-servers.net.
.                       503342  IN      NS      m.root-servers.net.
.                       503342  IN      NS      b.root-servers.net.
.                       503342  IN      NS      k.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si.                     172800  IN      NS      i.dns.si.
si.                     172800  IN      NS      b.dns.si.
si.                     172800  IN      NS      j.dns.si.
si.                     172800  IN      NS      f.dns.si.
si.                     172800  IN      NS      h.dns.si.
si.                     172800  IN      NS      c.dns.si.
si.                     172800  IN      NS      g.dns.si.
;; Received 462 bytes from 202.12.27.33#53(m.root-servers.net) in 19 ms

aktiva.si.              7200    IN      NS      ns5.webicom.si.
aktiva.si.              7200    IN      NS      ns6.webicom.si.
;; Received 94 bytes from 194.0.1.20#53(g.dns.si) in 33 ms

aktiva.si.              300     IN      MX      10 mail.aktiva.si.
aktiva.si.              300     IN      MX      20 mail2.aktiva.si.
aktiva.si.              86400   IN      NS      ns6.webicom.si.
aktiva.si.              86400   IN      NS      ns5.webicom.si.
;; Received 185 bytes from 91.185.212.16#53(ns6.webicom.si) in 52 ms

Tim

Well I hate to resort to this kludge, but if it is only the one domain and you simply want to get email to work … add the ns5.webicom.si IP address to your hosts file at /etc/hosts

This invariably will stop working at some point in the future (I have to do this often on other servers to be able to reach the Let’s Encrypt server) as the IP address may change some day. But for now, it should get mail flowing again to that domain.

1 Like

I’m certainly not disputing that the kludge would work. I personally hate such things, and would only consider such things as a last resort.

1 Like

This is the ouput of the following command:

root@box:~# dig +trace +nodnssec mx aktiva.si.

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> +trace +nodnssec mx aktiva.si.
;; global options: +cmd
. 493282 IN NS c.root-servers.net.
. 493282 IN NS j.root-servers.net.
. 493282 IN NS e.root-servers.net.
. 493282 IN NS g.root-servers.net.
. 493282 IN NS a.root-servers.net.
. 493282 IN NS h.root-servers.net.
. 493282 IN NS i.root-servers.net.
. 493282 IN NS d.root-servers.net.
. 493282 IN NS l.root-servers.net.
. 493282 IN NS k.root-servers.net.
. 493282 IN NS b.root-servers.net.
. 493282 IN NS f.root-servers.net.
. 493282 IN NS m.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si. 172800 IN NS b.dns.si.
si. 172800 IN NS c.dns.si.
si. 172800 IN NS f.dns.si.
si. 172800 IN NS g.dns.si.
si. 172800 IN NS h.dns.si.
si. 172800 IN NS i.dns.si.
si. 172800 IN NS j.dns.si.
;; Received 462 bytes from 192.203.230.10#53(e.root-servers.net) in 0 ms

aktiva.SI. 7200 IN NS ns5.webicom.si.
aktiva.SI. 7200 IN NS ns6.webicom.si.
couldn't get address for 'ns5.webicom.si': failure
couldn't get address for 'ns6.webicom.si': failure
dig: couldn't get address for 'ns5.webicom.si': no more

Thanks for suggestion @alento. I hope that we could resolve this problem. If everything fails I’ll try your solutions.

Thank you both for helping me.

I absolutely agree … but wanted to put it out there for the OP in case he wasn’t aware.

1 Like

Ok … one thing I often do is to check Glue records as quite often people miss that step, and the tool I use is: https://mebsd.com/glue

Here is the thing, when I check webicom.si there are no glue records present for ns5 or ns6, which is also what the above dig is suggesting.

ns1.webicom.si.	7200	IN	A	91.185.202.230
ns2.webicom.si.	7200	IN	A	91.185.202.231
ns3.webicom.si.	7200	IN	A	91.185.202.237
ns4.webicom.si.	7200	IN	A	91.185.202.238

There are no IPv6 Glue records for webicom.si

I did a nslookup earlier for ns5 and it returned the IP. I am never getting an AUTHORITATIVE lookup for ns5 or ns6. I do not know if somehow MiaB requires an AUTHORITATIVE answer?

I think that I want to conclude that the DNS for the webicom.si domain is not configured correctly as they have not announced all of their glue records.

The way they’re set up - it looks like they haven’t announced all 6 nameservers with the registrar: but when you do a trace, their own authoritative nameservers are announcing the address.

C:\Users\timdu_000>dig +trace +nodnssec ns5.webicom.si

; <<>> DiG 9.11.8 <<>> +trace +nodnssec ns5.webicom.si
;; global options: +cmd
.                       70958   IN      NS      a.root-servers.net.
.                       70958   IN      NS      b.root-servers.net.
.                       70958   IN      NS      c.root-servers.net.
.                       70958   IN      NS      d.root-servers.net.
.                       70958   IN      NS      e.root-servers.net.
.                       70958   IN      NS      f.root-servers.net.
.                       70958   IN      NS      g.root-servers.net.
.                       70958   IN      NS      h.root-servers.net.
.                       70958   IN      NS      i.root-servers.net.
.                       70958   IN      NS      j.root-servers.net.
.                       70958   IN      NS      k.root-servers.net.
.                       70958   IN      NS      l.root-servers.net.
.                       70958   IN      NS      m.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si.                     172800  IN      NS      i.dns.si.
si.                     172800  IN      NS      g.dns.si.
si.                     172800  IN      NS      b.dns.si.
si.                     172800  IN      NS      f.dns.si.
si.                     172800  IN      NS      c.dns.si.
si.                     172800  IN      NS      h.dns.si.
si.                     172800  IN      NS      j.dns.si.
;; Received 495 bytes from 2001:500:2::c#53(c.root-servers.net) in 27 ms

webicom.SI.             7200    IN      NS      ns4.webicom.si.
webicom.SI.             7200    IN      NS      ns1.webicom.si.
webicom.SI.             7200    IN      NS      ns2.webicom.si.
webicom.SI.             7200    IN      NS      ns3.webicom.si.
;; Received 205 bytes from 2a02:e180:7::1#53(j.dns.si) in 18 ms

ns5.webicom.si.         14400   IN      A       91.185.212.16
webicom.si.             14400   IN      NS      ns3.webicom.si.
webicom.si.             14400   IN      NS      ns2.webicom.si.
webicom.si.             14400   IN      NS      ns4.webicom.si.
webicom.si.             14400   IN      NS      ns1.webicom.si.
;; Received 163 bytes from 91.185.215.197#53(ns3.webicom.si) in 64 ms

This by the way has also been done on my MIAB box the built in DNS resolver. So whatever is going on here, I don’t think that MIAB is responsible.
@Superlukec could you try using the DIG command above?

Tim

@ravenstar68 yes of course. The command ouput of
dig +trace +nodnssec ns5.webicom.si
is:

root@box:~# dig +trace +nodnssec ns5.webicom.si

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> +trace +nodnssec ns5.webicom.si
;; global options: +cmd
.                       485672  IN      NS      j.root-servers.net.
.                       485672  IN      NS      g.root-servers.net.
.                       485672  IN      NS      b.root-servers.net.
.                       485672  IN      NS      a.root-servers.net.
.                       485672  IN      NS      f.root-servers.net.
.                       485672  IN      NS      m.root-servers.net.
.                       485672  IN      NS      e.root-servers.net.
.                       485672  IN      NS      k.root-servers.net.
.                       485672  IN      NS      c.root-servers.net.
.                       485672  IN      NS      h.root-servers.net.
.                       485672  IN      NS      d.root-servers.net.
.                       485672  IN      NS      i.root-servers.net.
.                       485672  IN      NS      l.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

si.                     172800  IN      NS      b.dns.si.
si.                     172800  IN      NS      c.dns.si.
si.                     172800  IN      NS      f.dns.si.
si.                     172800  IN      NS      g.dns.si.
si.                     172800  IN      NS      h.dns.si.
si.                     172800  IN      NS      i.dns.si.
si.                     172800  IN      NS      j.dns.si.
;; Received 467 bytes from 199.7.91.13#53(d.root-servers.net) in 98 ms

webicom.si.             7200    IN      NS      ns1.webicom.si.
webicom.si.             7200    IN      NS      ns2.webicom.si.
webicom.si.             7200    IN      NS      ns3.webicom.si.
webicom.si.             7200    IN      NS      ns4.webicom.si.
couldn't get address for 'ns1.webicom.si': failure
couldn't get address for 'ns2.webicom.si': failure
couldn't get address for 'ns3.webicom.si': failure
couldn't get address for 'ns4.webicom.si': failure
dig: couldn't get address for 'ns1.webicom.si': no more

Ok - now this is getting weird. You’re getting the server names but not the IP addresses.

The servers looking after the si. TLD are the one’s that hold the glue records. Normally if you try the following you should see both the names and the IP addresses of the Glue records

C:\Users\timdu_000>dig -6 @b.dns.si ns5.webicom.si

; <<>> DiG 9.11.8 <<>> -6 @b.dns.si ns5.webicom.si
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2755
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns5.webicom.si.                        IN      A

;; AUTHORITY SECTION:
webicom.si.             7200    IN      NS      ns2.webicom.si.
webicom.si.             7200    IN      NS      ns3.webicom.si.
webicom.si.             7200    IN      NS      ns4.webicom.si.
webicom.si.             7200    IN      NS      ns1.webicom.si.

;; ADDITIONAL SECTION:
ns1.webicom.si.         7200    IN      A       91.185.202.230
ns2.webicom.si.         7200    IN      A       91.185.202.231
ns3.webicom.si.         7200    IN      A       91.185.202.237
ns4.webicom.si.         7200    IN      A       91.185.202.238

;; Query time: 60 msec
;; SERVER: 2001:1470:8000:53::44#53(2001:1470:8000:53::44)
;; WHEN: Tue Sep 10 15:33:35 GMT Summer Time 2019
;; MSG SIZE  rcvd: 179

Tim

Is it possible that I receive such errors because I’m blocked from their side?

Thanks.

It’s not you being blocked.

The webicom.si. domain appears to be a mess This will cause all sorts of problems both for that domain and for any customers of theirs.

https://mxtoolbox.com/SuperTool.aspx?action=dns%3Awebicom.si&run=toolpage

  1. Two of the servers glue records have the wrong IP address. If your DNS resolver selects one of those two servers then you won’t get a result

    ;; ADDITIONAL SECTION:
    ns1.webicom.si. 7200 IN A 91.185.202.230
    ns3.webicom.si. 7200 IN A 91.185.202.237
    ns4.webicom.si. 7200 IN A 91.185.202.238
    ns2.webicom.si. 7200 IN A 91.185.202.231

The glue records should match the A lookups

root@box:~# dig +short ns1.webicom.si @91.185.202.238
91.185.209.27
root@box:~# dig +short ns2.webicom.si @91.185.202.238
91.185.202.231
root@box:~# dig +short ns3.webicom.si @91.185.202.238
91.185.215.197
root@box:~# dig +short ns4.webicom.si @91.185.202.238
91.185.202.238

Basically your any server has a 1 in 2 chance of picking a valid Glue record. I’m not 100% up on how the fallback should work in DNS. But having bad Glue on one record is bad enough, let alone two. (I’ll do some digging into fallback)

  1. The DNS servers records don’t match, this could even be why the fallback isn’t working, as master and secondary servers should have identical zones and identical SOA records.

Tim

I’ve dropped an email to webicom.si technical support contact address.

Tim

@alento - I think it’s now time to try your Kludge, or at least a variation of it. Now that we know that two of the Glue records are wrong, we can put the working values in the /etc/hosts file.

@Superlukec add the following to the bottom of your existing /etc/hosts file on your box

91.185.209.27        ns1.webicom.si
91.185.215.197      ns3.webicom.si

These will allow your box to find ns5 and ns6 regardless of which of the four initial nameservers it chooses.which in turn will allow it to find the nameservers for the actual domain you want.

Thank you very much @ravenstar68 and @alento for your help!

I will add the lines to the /etc/hosts file.

Best,
Luka

Do let us know if this solves your issue.

I’ve tried to send an email to @aktiva.si but still doesn’t work.

I’ve added the lines:
91.185.209.27 ns1.webicom.si
91.185.215.197 ns3.webicom.si

to /etc/hosts file.

@Superlukec

Humor me and add this line as well to /etc/hosts

91.185.212.16          ns5.webicom.si

IMHO adding the two lines you added straighten out that domain’s problem with their announced name servers, but still doesn’t give you a path to the name server that is handling this domain. Remember, aktiva.si is only announcing ns5 and ns6 at their registrar.

@alento

No, still doesn’t work.

In my /var/log/mail.log I receive:

(Host or domain name not found. Name service error for name=aktiva.si type=MX: Host not found, try again)

@Superlukec

213.250.37.174 mail.aktiva.si

add that one then … sigh. :frowning:

@alento

Still:

Sep 13 20:25:49 box postfix/smtp[5170]: B5A6817D065: to=<xxx@aktiva.si>, relay=none, delay=10, delays=0.27/0.02/10/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=aktiva.si type=MX: Host not found, try again)

I know.