MX records not responsive in DNS

When I enter a new MX record, DNS is not recognizing it.

I can go to another domain, emulate its setup precisely, and it will not be
visible externally.

In a domain that I do have running, if I delete the working MX record and
re-enter it, it will not work if queried externally, but it was working fine
before I deleted it.

I also noticed when I sort using the data column, the old entries sort with
the MX records all in order. If I enter a new one, the new one that is NOT
working shows up below the SOA in the list, while the working one will be
above the SOA in the sort order.

This is very perplexing, and I am under a DNS DoS attack now for the entire
week.

Does anyone have any ideas?

One more thing, In the attack that I am getting, they have tried to access
the server using the administrator user name with all sorts of incorrect
passwords. I counted more than 6000 attempts (about 1 every 2 seconds in the
log). I also had to increase the MSExchangeIS 8192 quota limit which was
exceeded due to Event 9667.

Thanks

Hi Chris,

They are on a public DNS server... which is the same one as my internal DNS
server, so they must have MX records or SMTP servers cannot connect to it. I
know, not standard or acceptable practice according to MS. I do have a router
on the front end performing NAT, and port forwarding, and only open the ports
necessary. Windows firewall is turned off to allow serving DNS publicly.

My attitude is MS must be willing and able to secure its OS from malicious
activity or it isn't worth having and I'll switch to something else
permanently.

I also run a server AV product on the SBS server.

Ace was able to provide what I was looking for, so the issue has been
resolved completely.

Thanks

"Cris Hanna [SBS - MVP]" wrote:

> MX records do not belong on your internal DNS Server...they should be on public DNS Server
>
> --
> Cris Hanna [SBS - MVP] (since 1997)
> Co-Contributor, Windows Small Business Server 2008 Unleashed
> http://www.amazon.com/Windows-Small-...7269967&sr=8-1
> Owner, CPU Services, Belleville, IL
> A Microsoft Registered Partner
> ------------------------------------
> MVPs do not work for Microsoft
> Please do not submit questions directly to me.
>
> "CMElec" <> wrote in message news:4E7F7495-BC08-4DCE-93C3-...
> When I enter a new MX record, DNS is not recognizing it.
>
> I can go to another domain, emulate its setup precisely, and it will not be
> visible externally.
>
> In a domain that I do have running, if I delete the working MX record and
> re-enter it, it will not work if queried externally, but it was working fine
> before I deleted it.
>
> I also noticed when I sort using the data column, the old entries sort with
> the MX records all in order. If I enter a new one, the new one that is NOT
> working shows up below the SOA in the list, while the working one will be
> above the SOA in the sort order.
>
> This is very perplexing, and I am under a DNS DoS attack now for the entire
> week.
>
> Does anyone have any ideas?
>
> One more thing, In the attack that I am getting, they have tried to access
> the server using the administrator user name with all sorts of incorrect
> passwords. I counted more than 6000 attempts (about 1 every 2 seconds in the
> log). I also had to increase the MSExchangeIS 8192 quota limit which was
> exceeded due to Event 9667.
>
> Thanks

On 29/07/10 15:49, CMElec wrote:
>
> My attitude is MS must be willing and able to secure its OS from malicious
> activity or it isn't worth having and I'll switch to something else
> permanently.
>
> I also run a server AV product on the SBS server.
>
> Ace was able to provide what I was looking for, so the issue has been
> resolved completely.
>

Excellent. With regard to the point above, Microsoft does sell server
software that can be used to provide DNS and/or other services securely.

SBS isn't it.

Any service may have bugs, or may be compromised by other means,
particularly by local users/malware. The more services you run from a
single server, the larger the attack surface, and the more services that
can be killed by a single vulnerability. SBS runs many services, and
generally also has local users, so that it cannot be considered a secure
platform, and it isn't sold as such. In particular, nothing which runs a
general-purpose web server can ever be a secure platform for other services.

As to switching to something else, you cannot avoid the issue. If you
run multiple services on any OS, you make it less secure than if it is
optimised and hardened for a single purpose. I run a server which isn't
Windows, but the large range of services make it impossible to secure,
and it is separated from the Net by layers of independent security. My
OS, like Windows Server, is widely used in public servers on the Net,
but not while running the range of services I use, which is broadly
similar to that provided by SBS.

--
Joe

Not to be flippant, but ttbomk the only platform that would be "secure from
malicious activity" is a typewriter, and only then if you keep it under lock
and key.

If there were such a platform in the computer world, why would *anyone* particulary
government, use anything else?

-Larry

-Please post the resolution to your issue so others may benefit.

-Get Your SBS Health Check at www.sbsbpa.com


> Hi Chris,
>
> They are on a public DNS server... which is the same one as my
> internal DNS server, so they must have MX records or SMTP servers
> cannot connect to it. I know, not standard or acceptable practice
> according to MS. I do have a router on the front end performing NAT,
> and port forwarding, and only open the ports necessary. Windows
> firewall is turned off to allow serving DNS publicly.
>
> My attitude is MS must be willing and able to secure its OS from
> malicious activity or it isn't worth having and I'll switch to
> something else permanently.
>
> I also run a server AV product on the SBS server.
>
> Ace was able to provide what I was looking for, so the issue has been
> resolved completely.
>
> Thanks
>
> "Cris Hanna [SBS - MVP]" wrote:
>
>> MX records do not belong on your internal DNS Server...they should be
>> on public DNS Server
>>
>> --
>>
>> Cris Hanna [SBS - MVP] (since 1997)
>>
>> Co-Contributor, Windows Small Business Server 2008 Unleashed
>>
>> http://www.amazon.com/Windows-Small-...eashed/dp/0672
>> 329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr= 8-1
>>
>> Owner, CPU Services, Belleville, IL
>>
>> A Microsoft Registered Partner
>>
>> ------------------------------------
>>
>> MVPs do not work for Microsoft
>>
>> Please do not submit questions directly to me.
>>
>> "CMElec" <> wrote in message
>> news:4E7F7495-BC08-4DCE-93C3-...
>>
>> When I enter a new MX record, DNS is not recognizing it.
>>
>> I can go to another domain, emulate its setup precisely, and it will
>> not be visible externally.
>>
>> In a domain that I do have running, if I delete the working MX record
>> and re-enter it, it will not work if queried externally, but it was
>> working fine before I deleted it.
>>
>> I also noticed when I sort using the data column, the old entries
>> sort with the MX records all in order. If I enter a new one, the new
>> one that is NOT working shows up below the SOA in the list, while the
>> working one will be above the SOA in the sort order.
>>
>> This is very perplexing, and I am under a DNS DoS attack now for the
>> entire week.
>>
>> Does anyone have any ideas?
>>
>> One more thing, In the attack that I am getting, they have tried to
>> access the server using the administrator user name with all sorts of
>> incorrect passwords. I counted more than 6000 attempts (about 1 every
>> 2 seconds in the log). I also had to increase the MSExchangeIS 8192
>> quota limit which was exceeded due to Event 9667.
>>
>> Thanks
>>

In article <A090AD23-0A9B-4ECD-977D->,
says...
> My attitude is MS must be willing and able to secure its OS from malicious
> activity or it isn't worth having and I'll switch to something else
> permanently.
>

The you won't be using ANY OS as there is no secure OS on the planet
that works well as a server or workstation.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)

On 01/08/10 12:27, Leythos wrote:
> In article<A090AD23-0A9B-4ECD-977D->,
> says...
>> My attitude is MS must be willing and able to secure its OS from malicious
>> activity or it isn't worth having and I'll switch to something else
>> permanently.
>>
>
> The you won't be using ANY OS as there is no secure OS on the planet
> that works well as a server or workstation.
>

I think you and Larry know what he means: sufficiently secure to be
useful as a public server.

There are a great many Internet servers out there, and while not a
single one is completely, absolutely, 100% secure, they are sufficiently
secure that they can typically run for days, weeks, months or years
without compromise while exposed to the planet's crackers.

SBS can never be made that secure, and Microsoft have never pretended it
can. You yourself were fond of pointing out that ISA on SBS2003 was not
certified secure, whereas it was when installed on a dedicated firewall
using Windows Server 2003.

--
Joe

In article <Geg5o.7$lF5.4@hurricane>, says...
>
> On 01/08/10 12:27, Leythos wrote:
> > In article<A090AD23-0A9B-4ECD-977D->,
> > says...
> >> My attitude is MS must be willing and able to secure its OS from malicious
> >> activity or it isn't worth having and I'll switch to something else
> >> permanently.
> >>
> >
> > The you won't be using ANY OS as there is no secure OS on the planet
> > that works well as a server or workstation.
> >
>
> I think you and Larry know what he means: sufficiently secure to be
> useful as a public server.
>
> There are a great many Internet servers out there, and while not a
> single one is completely, absolutely, 100% secure, they are sufficiently
> secure that they can typically run for days, weeks, months or years
> without compromise while exposed to the planet's crackers.
>
> SBS can never be made that secure, and Microsoft have never pretended it
> can. You yourself were fond of pointing out that ISA on SBS2003 was not
> certified secure, whereas it was when installed on a dedicated firewall
> using Windows Server 2003.

I don't believe that ANY server is secure if you're doing anything with
it, even a dedicated firewall server that isn't part of a domain.

I do believe that you can limit exposure by installing a good qualify
firewall, but the OP said NAT ROUTER, not firewall, so that means there
is no protection.

We've already seen how DNS can be compromised on Windows based systems,
why anyone would face Windows DNS to the public is a mystery to me. At
best, a dedicated linux box, stripped, running DNS and facing the public
through a firewall appliance....

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)