A colleague rang to ask if I had any thoughts about a problem they were having. We do a lot of VMware VCSA upgrades for customers, and the process fails if there is no DNS resolution of the FQDN during the upgrade. We had tried to fix the problem by creating hosts records (typically we don’t have access to the client’s DNS servers that run in the virtual environment). I had thought (wrongly) that it simply needed to look up the FQDN, but I’m told it also needs to do a reverse lookup (locate a PTR record).
We could of course just spin up either a Windows server and put DNS on it, or a Linux BIND server, but what if we could use the firewall? With Cisco this is a non-starter, but what about the clients that have FortiGate?
FortiGate DNS
By default the feature isn’t enabled, you need to go to System > Feature Visibility > DNS Database > Enable it > Apply.
Network > DNS Servers > Create New.
Select the interface that will serve DNS queries > OK.
Back at the main page under DNS Database > Create New > Give the zone a sensible name > Set the domain name > Under DNS Entries > Create New.
First create a host (A Record) that will point the FQDN to the correct IP address.
Then create a pointer (PTR Record) that will point the IP address back to the FQDN.
It should look something like this > OK.
Then test from a client that’s connected to the Interface serving DNS requests.
Related Articles, References, Credits, or External Links
Simply purchasing a domain name is not enough to get email flowing in your direction and people onto your website; you also need your DNS records to point to your IP address(es) as well.
For most people that means sending either an email or a fax (on company headed notepaper) to request that these records be set up correctly. You will need to send this request to your ISP (or whoever is hosting your public DNS records).
This runs through what information you should request and why.
Remember if you have a security device on the outside of your network (like a firewall or a router providing firewall services) the correct ports will need to be open to your web server (usually TCP Port 80 and/or 443), or your mail server (TCP Port 25, though Exchange may require 443 for OWA and ActiveSync).
Note: This assumes your ISP has given you either a static public IP address or a range of public IP addresses, although it is possible to use services like no-ip if you don’t have a static IP address.
To get to http://www.yourwebsite.com people need to be able to translate that address to the IP address of your web server. You do this by sending a “query” to a DNS server, which either checks with other DNS servers, or sends you the IP address directly.
1. You need to purchase your domain name. This may sound obvious but I’ve seen people who own companya.com, simply add company.co.uk to their Exchange server and expect it to work!
2. This website is on my petenetlive.com domain, the people who host my DNS records have a record called an “A Record” (may be called a “host” record depending on your ISP) that points www to the public address of my website, like so;
Note: Above I’ve shown you how the record would look in a Windows DNS server, just so you can get an idea of what these records are that you are requesting. (also they take seconds to create, don’t let your ISP take ages to do this!).
Testing your DNS Host Records
On a Windows client there is a command that can test, and show you, what your machine sees when it looks for DNS records; it is called nslookup. Below you can see I’m issuing a query to find out which IP address www.petenetlive.com should be on.
Note: I’m not on this IP address, I’ve just set it up this way for the purpose of demonstration. Drop to command line and issue the above command and you will see my real current IP address.
What do I need to Request from my ISP / Domain Host?
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, the following should suffice:
[box]
Ref: Domain name xyz-company.com
Please can you arrange for my www record to point to 234.234.234.234
Signed
{Someone your ISP has on record}
[/box]
Setting up DNS Records for an Email Server (A, MX, PTR and SPF Records)
1. Just as above, your mail server(s) will need an “A Record”. I’m going to create two (just to demonstrate mail preferences later on): one for mail.petenetlive.com and the other for mail2.petenetlive.com.
2. Now you need an MX (Mail Exchange) Record that points to the A Record(s) you created earlier; you can set them with preferences.
What are MX Record Preferences?
If you have multiple mail servers, or a backup mail system, you can create as many MX Records as you like. By default mail will be sent to the LOWEST preference first; if that IP address is offline or unreachable it will try the NEXT HIGHEST preference.
Testing your MX Records
As above I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to MX before I issue my query.
Note: Helpfully it also shows you the correct A Records as well.
3. Though not essential to get your mail, you should also have PTR (Pointer) record(s) set up as well. These work the opposite way round to an A Record: an A Record converts a name into an IP address, a PTR Record converts an IP address back to the name again.
Why Do I Need PTR Records?
With the explosion in the amount of spam being sent, people have sought a system that will cut it down. So some email systems (famously Hotmail) started doing reverse lookups on incoming mail: they look up the address that is sending them mail (THAT WOULD BE YOU) and if it does not resolve back to the domain name of the email being sent they drop the mail (this is called a Reverse Lookup Failure). So without PTR records you may find you cannot email some domains. If your ISP cannot provide PTR records you may need to ask if you can route your mail through your ISP’s “Smart Host”.
Testing your PTR Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to PTR before I issue my query.
4. The last type of record you MAY need is an SPF (Sender Policy Framework) Record. It lets you list your mail servers and domains in a special record (either a TXT record or a DNS record of type 99). They are designed to cut down spam, but to be honest YOU ONLY NEED ONE IF you have some external entity that sends mail from your email addresses (e.g. your web-hosted CRM system).
How do I create an SPF Record?
An SPF Record is just some text (see above); the simplest way to work out what you need in yours is to use this wizard.
Testing your SPF Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to TXT before I issue my query.
What do I need to Request from my ISP / Domain Host?
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, the following should suffice:
[box]
Ref: Domain name xyz-company.com
Please can you arrange for the following records to be created:
A/Host Record for mail.xyz-company.com to point to 234.234.234.234
MX Record (Preference 10) that points to mail.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
Signed
{Someone your ISP has on record}
[/box]
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, and a backup mail server at your secondary site that has an IP address of 333.333.333.333, the following should suffice:
[box]
Ref: Domain name xyz-company.com
Please can you arrange for the following records to be created:
A/Host Record for mail.xyz-company.com to point to 234.234.234.234
A/Host Record for mail2.xyz-company.com to point to 333.333.333.333
MX Record (Preference 10) that points to mail.xyz-company.com
MX Record (Preference 20) that points to mail2.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
PTR Record that points 333.333.333.333 to mail2.xyz-company.com
Signed
{Someone your ISP has on record}
[/box]
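To sanity-check a record set like the ones in the templates above (or the A and PTR pair the FortiGate DNS database serves for the VCSA upgrade in the first part) before relying on it, here is a small validator that applies the forward-then-reverse rule both scenarios depend on. It is an added example, not the article's own tooling; it works on a constructed record set rather than live lookups, and the 333.333.333.333 placeholder from the second template is not a valid IPv4 address (octets cannot exceed 255), so the validator reports it.

```python
import ipaddress

# Constructed record set mirroring the request templates above (added example).
RECORDS = {
    "A": {
        "vcsa.xyz-company.com": "10.10.10.5",
        "mail.xyz-company.com": "234.234.234.234",
        "mail2.xyz-company.com": "333.333.333.333",  # as written in the template
    },
    "PTR": {
        "10.10.10.5": "vcsa.xyz-company.com",
        "234.234.234.234": "mail.xyz-company.com",
    },
    "MX": {"xyz-company.com": [(10, "mail.xyz-company.com"), (20, "mail2.xyz-company.com")]},
    "TXT": {"xyz-company.com": ["v=spf1 mx -all"]},
}

def reverse_name(ip: str) -> str:
    """The in-addr.arpa name a PTR query for ip goes to; ValueError if ip is invalid."""
    return ipaddress.ip_address(ip).reverse_pointer

def check_host(fqdn: str, records=RECORDS) -> list:
    """Forward-confirmed reverse DNS: A -> IP, then PTR(IP) -> the same FQDN.
    The VCSA upgrade and reverse-lookup-checking mail receivers both need this pair."""
    ip = records["A"].get(fqdn)
    if ip is None:
        return [f"{fqdn}: no A record"]
    try:
        arpa = reverse_name(ip)
    except ValueError:
        return [f"{fqdn}: {ip!r} is not a valid IP address"]
    ptr = records["PTR"].get(ip)
    if ptr is None:
        return [f"{fqdn}: no PTR record for {ip} ({arpa})"]
    if ptr.lower() != fqdn.lower():
        return [f"{fqdn}: PTR for {ip} points to {ptr}, not back to {fqdn}"]
    return []

def check_mail_domain(domain: str, records=RECORDS) -> list:
    """Every MX target must pass check_host, and SPF must be exactly one v=spf1 TXT."""
    problems = []
    mx = sorted(records["MX"].get(domain, []))  # lowest preference is tried first
    if not mx:
        problems.append(f"{domain}: no MX records")
    for _preference, target in mx:
        problems += check_host(target, records)
    spf = [t for t in records["TXT"].get(domain, []) if t.startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"{domain}: expected one SPF TXT record, found {len(spf)}")
    return problems
```

Feed it the answers from your nslookup tests instead of the constructed dictionary to confirm the ISP created what you asked for.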