This page contains Frequently Asked Questions specifically related to DNS, for customers of EmailThatWorks.net. We welcome your questions and comments, posted below.
If you have specific instructions or questions for us about your DNS service, please send us a note privately.
See also the general FAQ for other issues about your email service.
Is DNS important for reliable email service?
Is my existing DNS service reliable?
Should I have EmailThatWorks.net serve DNS for me?
What is an MX record?
Why does some mail not go where my MX record points?
Can I make my MX point to an A record in my own domain?
Email delivery depends on the wide and reliable visibility of your MX record. In order to assure this, your zone should be published on at least two DNS servers, or nameservers, and preferably more -- four is typical. This is so that at least one of them is reachable and working correctly, from the standpoint of someone trying to send you mail.
If all of your nameservers are unreachable from a given point on the Internet (your correspondent's originating mailhost), at a given time (when they hit "send"), your domain will appear not to exist, and mail will likely bounce immediately with:
HOST UNKNOWN
This is what we most want to avoid. This is Email Cardinal Sin #3 [Note 1]. If your nameservers are up, even if your mailhost is temporarily off the air, mail will queue at the origin rather than bounce, and this is much to be preferred. It gives you a while to fix your mailhost(s) before the senders notice.
Your nameservers should be separated widely, in several ways, to avoid so-called common-mode failures that would otherwise affect them all. They should be:
On different hosts. This shouldn't need much explanation. Computers do not run without incident for long periods. Even with no errors and no equipment failures, they need maintenance and upgrades from time to time. DNS requires that every domain have at least two nameservers, so host redundancy is built into the protocol.
In different physical locations. To protect against local physical accidents: fire, flood, tripping over the power strip, meteor hit, etc.
On different IP networks. To protect against common-mode network failures, such as routes being dropped, or border router or LAN switch equipment failures. This is the most commonly violated principle.
In different Autonomous Systems (ASes). Here we get into the core of routing in the Internet. An AS is a group of IP networks run by a single organization, such as an ISP. Where ISPs' networks connect to one another, they exchange routing information about their networks, but they do not describe the exact path a packet will take inside each network. They just advertise the so-called AS Path, the sequence of ASes a route passes through. That gets your packets to the right ISP, and then that ISP's own, more detailed interior routing takes over and delivers the packet to the exact router and host.
If you have four nameservers, in four cities, on widely different IP networks, but all these networks terminate in the same AS (for example, data centers all run by one ISP), then there is still an important, but subtle, common failure mode. That ISP (that AS) can have a widespread failure that makes all of their networks unreachable. If at least one of your nameservers is in another AS entirely, you are protected against even this.
In different countries? Sure, why not? All the world is not the USA. Though of course there is a point of diminishing returns.
[Note 1]. Cardinal Sin number 2 is accepting mail and then dropping it on the floor. Number 1 is delivering it to the wrong user.
Many domains belonging to our customers (except, of course, those for which we provide DNS) fail almost every one of the reliability tests above. They have two nameservers (the minimum), but often on adjacent IP addresses, say x.y.z.1 and x.y.z.2. These are certainly on the same IP network, and therefore in the same AS. They're probably in the same rack, one sitting on top of the other. There are many common failure modes that can make them both temporarily unreachable.
You can use the whois command (or any WHOIS-lookup web site) to look up your domain's nameservers (its NS records) by domain name. The registry's listing should show both their names and their IP addresses.
Here's a very bad example, but very typical:
$ whois example.com
(...)
Domain servers in listed order:
A.EXAMPLE.NET 192.0.34.43
B.EXAMPLE.NET 192.0.34.44
If there are only two of them, and their IP addresses are identical except in the last number (as in the bad example, above), you have a problem.
If they're not as close together as the example, finding out for sure whether they share an IP network takes local knowledge of the routing topology, which you probably can't determine on your own. Ask your DNS provider for details.
Finding the AS path for the IP addresses is easier, but the output takes some expertise to interpret. http://nitrous.digex.net/ has some Looking Glass web pages that will let you look up available routing information for any IP address. (Pick a site and choose a BGP Query.) If in doubt, ask your DNS provider to describe their redundancy in terms of IP networks, physical space, and AS diversity. If they don't even know what you mean, escalate. If they refuse to "disclose" this to you, vote with your feet.
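As an added example, not part of the original FAQ and not EmailThatWorks.net's own tooling, the Python script below applies the checks above to a whois listing shaped like the bad example: it parses the "Domain servers in listed order" block, counts the nameservers, flags the "identical except in the last number" case (same IPv4 /24, so same IP network), and checks AS diversity against a lookup table. The whois text, the prefix-to-AS table, the AS numbers in it, and the "good" server set are all constructed for the example; in practice the AS mapping would come from a Looking Glass BGP query or from your DNS provider, as described above.

```python
import ipaddress
import re

# Constructed sample, in the shape of the whois listing shown above (not real registry data)
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
(...)
Domain servers in listed order:
    A.EXAMPLE.NET 192.0.34.43
    B.EXAMPLE.NET 192.0.34.44
"""

# Constructed, hypothetical prefix-to-AS table standing in for a Looking Glass / BGP query.
# The AS numbers are private-range values and carry no meaning outside this example.
SAMPLE_AS_MAP = {
    "192.0.34.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "192.0.2.0/24": 64503,
}

# Constructed "good" nameserver set: four hosts, four IP networks, four ASes
GOOD_SERVERS = [
    ("ns1.example.net", "192.0.34.43"),
    ("ns2.example.net", "198.51.100.10"),
    ("ns3.example.net", "203.0.113.5"),
    ("ns4.example.net", "192.0.2.77"),
]

# One "NAME IPv4" line of the nameserver block, leading whitespace allowed
NS_LINE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_nameservers(whois_text):
    """Return (name, ip) pairs from the 'Domain servers in listed order:' block."""
    servers, in_list = [], False
    for line in whois_text.splitlines():
        if line.strip().lower().startswith("domain servers in listed order"):
            in_list = True
            continue
        if not in_list:
            continue
        m = NS_LINE.match(line)
        if m:
            servers.append((m.group(1).lower(), m.group(2)))
        elif line.strip():
            break  # first non-matching, non-blank line ends the list
    return servers


def lookup_as(ip, as_map):
    """Longest-prefix match of ip against the AS table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in as_map.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def assess_diversity(servers, as_map):
    """Apply the FAQ's redundancy checks; returns a list of problems (empty means none found)."""
    problems = []
    n = len(servers)
    if n < 2:
        problems.append("fewer than two nameservers; DNS requires at least two")
        return problems
    if n < 4:
        problems.append(f"only {n} nameservers listed; four is typical")
    # "Identical except in the last number" == same IPv4 /24: same IP network, likely same rack
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for _, ip in servers}
    if len(nets) == 1:
        problems.append(f"all nameservers are in {next(iter(nets))}: same IP network, probably the same rack")
    # AS diversity: at least one nameserver should sit in a different AS from the rest
    asns = {lookup_as(ip, as_map) for _, ip in servers}
    if None in asns:
        problems.append("AS unknown for some nameserver IPs; ask the DNS provider")
        asns.discard(None)
    if len(asns) == 1:
        problems.append(f"all nameservers are in AS{next(iter(asns))}: one ISP-wide outage takes them all down")
    return problems


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_WHOIS)
    for name, ip in found:
        print(f"{name:20} {ip:16} AS{lookup_as(ip, SAMPLE_AS_MAP)}")
    for p in assess_diversity(found, SAMPLE_AS_MAP):
        print("PROBLEM:", p)
```

The /24 test is only the rough "same except the last number" heuristic from the text; two addresses in different /24s can still share a rack, a router, or an AS, which is why the AS lookup is a separate check and why the final word belongs to your provider's description of its topology.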
See the other topics, above.
Edited 9 time(s). Last edit at 11/01/2006 02:12PM by jxh.