OpenDNS Forums
This discussion has been inactive for longer than 30 days, and is thus closed.
Hi,
I recently discovered that my ISP (Telenet.be located in Belgium) uses a transparent proxy and is redirecting all MX records to an unusable server (it just generates an smtp error and closes the connection); this effectively cuts me off from using my private mail server ... and who knows what else I haven't discovered yet.
Is there any way around this problem? By using DNSCrypt for example if it becomes available for Windows/Linux, or tunneling dns through another port?
After a search through the older discussions I found the closest relevant discussions were from 2008
http://forums.opendns.com/comments.php?DiscussionID=915
http://forums.opendns.com/comments.php?DiscussionID=975
and a slightly relevant from 2011
http://forums.opendns.com/comments.php?DiscussionID=11461
none of which provided a permanent fix that could be implemented within a reasonable time.
... So any suggestion is more than welcome :) -
Is the proxy working on port 25 only?
If so, try using port 587 in place of port 25 for the smtp server. -
no joy on port 587, I'm even getting an active reject back (wireshark).
(a typo in my opening post: on the 1st line when I said "transparent proxy", I meant "transparent dns") -
Are you saying you're operating a mail server? In case you are behind a dynamic IP address, you had to use an SMTP relay anyway, because almost all mail exchangers do not accept mail from dynamic IP address ranges (not even if you have a static IP address within such a dynamic range).
That said, why should "my ISP are redirecting all MX records to an unusable server"? Do they really, or do they just block port 25? These would be totally different things. You must first see what they really do to cause you problems. You can do this fairly easily with the measures below.
If it is wrong DNS information returned for MX records by your ISP, then you can easily circumvent this by using an alternate DNS service like OpenDNS.
Post the output of the following commands here:
nslookup -type=mx gmail.com. <yourISPsDNS>
nslookup -type=mx gmail.com. 208.67.222.222
This would show if they really "are redirecting all MX records to an unusable server".
If it is about blocking outbound port 25, then the use of an SMTP relay is indicated. SMTP relays can receive mail on several alternate ports.
The following can show if your ISP blocks port 25:
telnet 74.125.79.26 25
telnet 173.194.65.26 25
If it is about not being able to use 3rd party DNS, then post the output of the following command to prove this:
nslookup -type=txt which.opendns.com. 208.67.222.222
You could use port 5353 with OpenDNS then instead of port 53.
nslookup -type=txt -port=5353 which.opendns.com. 208.67.222.222 -
“because almost all mail exchangers do not accept mail from dynamic IP address ranges”
That could seriously spoil things.
I'm trying to set up a whole infrastructure (virtualised Linux and Windows boxes with open source software) to make a fully functional test rig I can actually use and access off-site to learn from, and eventually use it as a demo to promote my L33T *cough, hack* IT skills.
“Do they really, or do they just block port 25? These would be totally different things.”
They do both actually ... and even a third bump.
- Outgoing port 25 is blocked (and so are incoming low ports) but this is something I'm already working on directly with my ISP … they just want to be sure I'm not trying to set up a business on a home internet connection. So far my main problem in the learning curve is when something doesn't work, I first have to figure out if it's my fault or it's something fishy my ISP is doing.
Anyhow, your tests for 74.125.79.26 and 173.194.65.26 on port 25 both time out, and so does every single other smtp server (except for their own ones).
- I'm already using OpenDNS (not getting the “Oops” page) and MX records are still forged.
Example (from windows box):
>nslookup
Default Server: resolver1.opendns.com
Address: 208.67.222.222
> set type=MX
> gmail.com
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
>
>
> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> gmail.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
>
>
> server 195.130.131.2 (<--- My ISP's dns)
Default Server: gent.dnscache02.telenet-ops.be
Address: 195.130.131.2
> gmail.com
Server: gent.dnscache02.telenet-ops.be
Address: 195.130.131.2
Non-authoritative answer:
gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
This happens to _every_ MX record, even their own. As the working smtp server within their network we need to use out.telenet.be (or uit.telenet.be) in our clients.
- when I do try to connect to smtp.telenet-ops.be on port 25, I get the following:
(from Linux box this time, Win7 home doesn't have telnet anymore … at least not a standard out-of-box installation)
#telnet smtp.telenet-ops.be 25
connected to smtp.telenet-ops.be.
Escape character is '^]'.
421 napoleon.telenet.ops.be bizsmtp 78.20.160.54 please use out.telenet.be instead
Connection closed by foreign host.
#
(I didn't even have to type 'quit' to end the connection)
“post the output of the following command to prove this”
>nslookup -type=txt which.opendns.com. 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
which.opendns.com text =
"10.ams"
I don't think everything is forged … just the MX records (as I've noticed so far)
!!!!! port 5353, that's what I needed !!!!
>nslookup -type=MX -port=5353 gmail.com. 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com
With this I can duct-tape something together so my own dns forwarder uses opendns on port 5353, now I can at least get correct results.
Thanks! -
as another example of the transparent dns forging results:
>nslookup
Default Server: resolver1.opendns.com
Address: 208.67.222.222
> ThisHostDoesNotExist.fakedomain.toplevel
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: ThisHostDoesNotExist.fakedomain.toplevel.telenet.be
Address: 67.215.77.132
>
> set type=MX
>
> ThisHostDoesNotExist.fakedomain.toplevel
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
ThisHostDoesNotExist.fakedomain.toplevel.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
> -
"I'm already using OpenDNS (not getting the “Oops” page) and MX records are still forged."
No, you just forgot the trailing dot after the domain to make it an FQDN. Therefore your (unnecessary) DNS suffix telenet-ops.be is appended, as it should be.
Try again now.
"This happens to _every_ MX record"
For sure, without the required trailing dot, yes.
"I don't think everything is forged … just the MX records (as I've noticed so far)"
Yes, because you used the trailing dot here.
"!!!!! port 5353, that's what I needed !!!!"
Probably not if you did it right.
After all, I think you don't have a problem with your ISP's DNS (anyway, as you use OpenDNS), but with your ISP blocking port 25 only. I.e. totally unrelated to DNS in general and OpenDNS in particular.
Also, you may want to remove your DNS suffix(es) from your network configuration. -
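As an added illustration (not code from the thread or from OpenDNS), a small simulation of what the reply above describes: a stub resolver that appends the DNS suffix telenet.be to any name given without a trailing dot, and a zone with a wildcard record that answers for everything under that suffix, which is why both gmail.com and ThisHostDoesNotExist.fakedomain.toplevel came back with the same mail exchanger. The zone contents and the resolver's candidate order are constructed assumptions.

```python
# Constructed simulation: zone data and resolver behaviour are simplified
# assumptions, not a real DNS implementation.
SEARCH_LIST = ["telenet.be"]  # DNS suffix seen in the thread's nslookup output

# Answer table keyed by fully qualified name (trailing dot). A "*." entry is a
# wildcard covering every name under it, which is how one zone can answer for
# gmail.com.telenet.be and ThisHostDoesNotExist.fakedomain.toplevel.telenet.be.
ZONE = {
    "gmail.com.": {"MX": ["5 gmail-smtp-in.l.google.com"]},
    "*.telenet.be.": {"MX": ["0 smtp.telenet-ops.be"], "A": ["67.215.77.132"]},
}

def lookup(fqdn, rtype):
    """Exact match first, then the closest enclosing wildcard; None = no answer."""
    if fqdn in ZONE:
        return ZONE[fqdn].get(rtype)
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:]) + "."
        if wild in ZONE:
            return ZONE[wild].get(rtype)
    return None

def candidates(name, search_list=SEARCH_LIST):
    """Names a suffix-appending stub resolver tries, in order: suffixed forms
    first, the bare name last. A trailing dot marks an FQDN and disables this."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{suffix}." for suffix in search_list] + [name + "."]

def resolve(name, rtype):
    """Return (name actually answered, records) for the first candidate that
    yields an answer, i.e. 'append suffixes until an answer is received'."""
    for cand in candidates(name):
        records = lookup(cand, rtype)
        if records is not None:
            return cand, records
    return None, None

def diagnose(name, rtype):
    """Tell search-list expansion apart from a forged answer: after expansion
    the answered name differs from the asked name by exactly the suffix."""
    asked = name if name.endswith(".") else name + "."
    answered, records = resolve(name, rtype)
    if answered is None:
        return "NXDOMAIN"
    if answered != asked:
        return f"suffix appended: {asked} became {answered}; retry with a trailing dot"
    return "direct answer: " + ", ".join(records)
```

The same check applies to real nslookup output: when the name in the answer section carries a suffix the query did not have, the resolver is expanding the name, not the upstream server forging it.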
o .... m .... g
you're right -.-
I think I'm going to crawl in a corner and bump my head against the wall for the rest of the weekend :/