This discussion has been inactive for longer than 30 days, and is thus closed.
    wimg (Mar 2nd 2012)
    Hi,

    I recently discovered that my ISP (Telenet.be, located in Belgium) uses a transparent proxy and is redirecting all MX records to an unusable server (it just generates an SMTP error and closes the connection). This effectively cuts me off from using my private mail server ... and who knows what else I haven't discovered yet.

    Is there any way around this problem? By using DNSCrypt for example if it becomes available for Windows/Linux, or tunneling dns through another port?

    After a search through the older discussions, I found that the closest relevant discussions were from 2008
    http://forums.opendns.com/comments.php?DiscussionID=915
    http://forums.opendns.com/comments.php?DiscussionID=975
    and a slightly relevant one from 2011
    http://forums.opendns.com/comments.php?DiscussionID=11461
    none of which provided a permanent fix that could be implemented within a reasonable time.

    ... So any suggestion is more than welcome :)
    npr (Mar 2nd 2012)
    Is the proxy working on port 25 only?
    If so, try using port 587 in place of port 25 for the smtp server.
    wimg (Mar 2nd 2012)
    No joy on port 587, I'm even getting an active reject back (Wireshark).

    (a typo in my opening post: on the 1st line when I said "transparent proxy", I meant "transparent dns")
    rotblitz (Mar 2nd 2012)
    Are you saying you're operating a mail server? In case you are behind a dynamic IP address, you have to use an SMTP relay anyway, because almost all mail exchangers do not accept mail from dynamic IP address ranges (not even if you have a static IP address within such a dynamic range).

    That said, why should "my ISP are redirecting all MX records to an unusable server"? Do they really, or do they just block port 25? These would be totally different things. You must first see what they really do to cause you problems. You can do this with the easy measures below.

    If it is wrong DNS information returned for MX records by your ISP, then you can easily circumvent this by using an alternate DNS service like OpenDNS.
    Post the output of the following commands here:
    nslookup -type=mx gmail.com. <yourISPsDNS>
    nslookup -type=mx gmail.com. 208.67.222.222
    This would show if they really "are redirecting all MX records to an unusable server".

    If it is about blocking outbound port 25, then the use of an SMTP relay is indicated. SMTP relays can receive mail on several alternate ports.
    The following can show if your ISP blocks port 25:
    telnet 74.125.79.26 25
    telnet 173.194.65.26 25

    If it is about not being able to use 3rd party DNS, then post the output of the following command to prove this:
    nslookup -type=txt which.opendns.com. 208.67.222.222
    You could use port 5353 with OpenDNS then instead of port 53.
    nslookup -type=txt -port=5353 which.opendns.com. 208.67.222.222
    wimg (Mar 3rd 2012, edited)
    “because almost all mail exchangers do not accept mail from dynamic IP address ranges”
    That could seriously spoil things.
    I'm trying to set up a whole infrastructure (virtualised Linux and Windows boxes with open source software) to make a fully functional test rig I can actually use and access off-site to learn from, and eventually use it as a demo to promote my L33T *cough, hack* IT skills.


    “Do they really, or do they just block port 25? These would be totally different things.”

    They do both actually ... and even a third bump.
    - Outgoing port 25 is blocked (and so are incoming low ports) but this is something I'm already working on directly with my ISP … they just want to be sure I'm not trying to set up a business on a home internet connection. So far my main problem in the learning curve is when something doesn't work, I first have to figure out if it's my fault or it's something fishy my ISP is doing.
    Anyhow, your tests for 74.125.79.26 and 173.194.65.26 on port 25 both time out, and so does every single other smtp server (except for their own ones).

    - I'm already using OpenDNS (not getting the “Oops” page) and MX records are still forged.

    Example (from windows box):
    >nslookup
    Default Server: resolver1.opendns.com
    Address: 208.67.222.222

    > set type=MX
    > gmail.com
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
    >
    >
    > server 8.8.8.8
    Default Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    > gmail.com
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    Non-authoritative answer:
    gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
    >
    >
    > server 195.130.131.2 (<--- My ISP's dns)
    Default Server: gent.dnscache02.telenet-ops.be
    Address: 195.130.131.2

    > gmail.com
    Server: gent.dnscache02.telenet-ops.be
    Address: 195.130.131.2

    Non-authoritative answer:
    gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be

    This happens to _every_ MX record, even their own. As the working SMTP server within their network we need to use out.telenet.be (or uit.telenet.be) in our clients.



    - when I do try to connect to smtp.telenet-ops.be on port 25, I get the following:
    (from Linux box this time, Win7 home doesn't have telnet anymore … at least not a standard out-of-box installation)
    #telnet smtp.telenet-ops.be 25
    connected to smtp.telenet-ops.be.
    Escape character is '^]'.
    421 napoleon.telenet.ops.be bizsmtp 78.20.160.54 please use out.telenet.be instead
    Connection closed by foreign host.
    #
    (I didn't even have to type 'quit' to end the connection)


    “post the output of the following command to prove this”
    >nslookup -type=txt which.opendns.com. 208.67.222.222
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    which.opendns.com text =

    "10.ams"

    I don't think everything is forged … just the MX records (as I've noticed so far)



    !!!!! port 5353, that's what I needed !!!!
    >nslookup -type=MX -port=5353 gmail.com. 208.67.222.222
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
    gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
    gmail.com MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
    gmail.com MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
    gmail.com MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com

    With this I can duct-tape something together so my own DNS forwarder uses OpenDNS on port 5353; now I can at least get correct results.

    Thanks!
    wimg (Mar 3rd 2012)
    As another example of the transparent DNS forging results:

    >nslookup
    Default Server: resolver1.opendns.com
    Address: 208.67.222.222
    > ThisHostDoesNotExist.fakedomain.toplevel
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    Name: ThisHostDoesNotExist.fakedomain.toplevel.telenet.be
    Address: 67.215.77.132

    >
    > set type=MX
    >
    > ThisHostDoesNotExist.fakedomain.toplevel
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    ThisHostDoesNotExist.fakedomain.toplevel.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be
    >
    rotblitz (Mar 3rd 2012)
    "I'm already using OpenDNS (not getting the “Oops” page) and MX records are still forged."

    No, you just forgot the trailing dot after the domain to make it an FQDN. Therefore your (unnecessary) DNS suffix telenet-ops.be is appended, as should be.
    Try again now.

    "This happens to _every_ MX record"

    For sure, without the required trailing dot, yes.

    "I don't think everything is forged … just the MX records (as I've noticed so far)"

    Yes, because you used the trailing dot here.

    "!!!!! port 5353, that's what I needed !!!!"

    Probably not if you did it right.

    After all, I think you don't have a problem with your ISP's DNS (anyway, as you use OpenDNS), but with your ISP blocking port 25 only. I.e. totally unrelated to DNS in general and OpenDNS in particular.

    Also, you may want to remove your DNS suffix(es) from your network configuration.
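The explanation above turns on one detail of stub-resolver behaviour: a name typed without a trailing dot is relative, so the configured DNS search suffix gets appended before the query is sent, while `gmail.com.` is absolute and is sent as-is. As an added example (not part of the thread and not any poster's code), the Python below models that qualification and then parses nslookup MX output to flag answers whose owner name differs from the name that was asked for. The search order with `ndots` follows the common resolv.conf rule and is my assumption, as is the line format the parser expects; the sample output lines are constructed from what the thread quotes.

```python
# Added example, not from the thread: models search-suffix qualification and
# checks nslookup MX output for owner names that do not match the query.
# Standard library only; runs offline.
#
# Assumptions (mine, not the page's): qualification order follows the common
# resolv.conf rule (a name with at least `ndots` dots is tried as given first,
# then with each suffix; a shorter name tries the suffixes first). The sample
# output lines below are constructed from the output quoted in the thread.
import re

MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+MX preference = (?P<pref>\d+),"
    r"\s*mail exchanger = (?P<mx>\S+)$"
)


def candidate_names(name, search_suffixes, ndots=1):
    """Return the names a stub resolver would try, in order, for `name`.

    A trailing dot marks an absolute FQDN and disables suffix search;
    that is the difference between `gmail.com.` and `gmail.com`.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.strip('.')}." for s in search_suffixes]
    absolute = name + "."
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def check_mx_answers(queried, output_lines, search_suffixes=()):
    """Parse nslookup MX lines and flag owners that differ from `queried`.

    Returns (records, suspects). Each record is (owner, preference, mx).
    Each suspect is (owner, suffix): `suffix` is the configured search
    suffix that explains the mismatch, or None when no configured suffix
    explains it (which is when the resolver path deserves a closer look).
    """
    want = queried.rstrip(".").lower()
    records, suspects = [], []
    for line in output_lines:
        m = MX_LINE.match(line.strip())
        if not m:
            continue  # prompt, "Server:", "Non-authoritative answer:" etc.
        owner = m["owner"].rstrip(".").lower()
        records.append((owner, int(m["pref"]), m["mx"].rstrip(".")))
        if owner == want:
            continue
        explained = None
        for s in search_suffixes:
            if owner == f"{want}.{s.strip('.').lower()}":
                explained = s.strip(".")
        suspects.append((owner, explained))
    return records, suspects


# Constructed from the thread's quoted output: query typed without the dot.
SUFFIXED_OUTPUT = [
    "Non-authoritative answer:",
    "gmail.com.telenet.be MX preference = 0, mail exchanger = smtp.telenet-ops.be",
]

# Constructed from the thread's quoted output: query typed as `gmail.com.`.
CORRECT_OUTPUT = [
    "Non-authoritative answer:",
    "gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com",
    "gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com",
    "gmail.com MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com",
    "gmail.com MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com",
    "gmail.com MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com",
]


if __name__ == "__main__":
    print(candidate_names("gmail.com", ["telenet.be"]))
    print(candidate_names("gmail.com.", ["telenet.be"]))
    print(check_mx_answers("gmail.com", SUFFIXED_OUTPUT, ["telenet.be"]))
    print(check_mx_answers("gmail.com.", CORRECT_OUTPUT, ["telenet.be"]))
```

The useful habit this encodes: before concluding that a resolver is forging records, compare the owner name in the answer with the name you meant to ask for. When the owner is exactly your query plus a configured search suffix, the resolver did what it was told; when it is something else, the query path itself is worth investigating.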
    wimg (Mar 3rd 2012, edited)
    o .... m .... g
    you're right -.-

    I think I'm going to crawl in a corner and bump my head against the wall for the rest of the weekend :/