EdelweissHosting - Support Forum
Thread: DNS problem in Tahiti
cvinh
« on: February 22, 2007, 09:33:37 »

Hello

I regularly have a DNS problem with the domain tahitiwakeboardfamily.com (everything is set up correctly at the registrar with the servers ns1.dns-fc.com and ns2.dns-fc.com). This problem occurs only in Tahiti. I am sure the problem comes from the only ISP in Tahiti, which is very bad.

The problem is that they shift the blame onto edelweiss because of a dismal dnsreport for edelweiss... http://www.dnsreport.com/tools/dnsreport.ch?domain=tahitiwakeboardfamily.com (5 FAIL and 3 WARN). But, as if by chance, every time I send them an email, the problem is fixed within the following 2 hours...

Can you fix the problems reported by dnsreport so that I can press the point again the next time their DNS goes down?

Here is the info:
whois:
###########
  domain: tahitiwakeboardfamily.com
  reg_created: 2006-12-19 19:52:07
  expires: 2007-12-19 19:52:07
  created: 2006-12-19 20:51:37
  changed: 2007-02-02 23:39:14
  ns0: ns1.dns-fc.com
  ns1: ns2.dns-fc.com
###########

nslookup:
###########
> server 202.3.225.10
Serveur par défaut :  ns1.mana.pf
Address:  202.3.225.10
> set type=mx
> tahitiwakeboardfamily.com.
Serveur :  ns1.mana.pf
Address:  202.3.225.10

Réponse ne faisant pas autorité :
tahitiwakeboardfamily.com       MX preference = 10, mail exchanger = domain.not.configured

tahitiwakeboardfamily.com       nameserver = ns1.edelweisshosting.net
tahitiwakeboardfamily.com       nameserver = ns2.edelweisshosting.net
ns1.edelweisshosting.net        internet address = 63.219.151.3
ns2.edelweisshosting.net        internet address = 69.10.137.166
############

and the ISP's reply:
######
Hello,

There is no error in the DNS configuration; it seems that the propagation of the DNS server (which is not MANA) is not happening correctly, which explains the values returned by our DNS.


DNS Report for tahitiwakeboardfamily.com
Generated by www.DNSreport.com at 22:18:45 GMT on 20 Feb 2007.
Category
 Status
 Test Name
 Information
 
Parent
 PASS
 Missing Direct Parent check
 OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
 
INFO
 NS records at parent servers
 Your NS records at the parent servers are:

ns1.dns-fc.com. [75.126.133.212] [TTL=172800] [US]
ns2.dns-fc.com. [75.126.133.212] [TTL=172800] [US]
[These were obtained from c.gtld-servers.net]
 
PASS
 Parent nameservers have your nameservers listed
 OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
 
PASS
 Glue at parent nameservers
 OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
 
PASS
 DNS servers have A records
 OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
 

 

NS
 INFO
 NS records at your nameservers
 Your NS records at your nameservers are:

ns1.edelweisshosting.net.
ns2.edelweisshosting.net.
 
FAIL
 Open DNS servers
 ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 75.126.133.212 reports that it will do recursive lookups. [test] Server 75.126.133.212 reports that it will do recursive lookups. [test] See this page for info on closing open DNS servers.
 
PASS
 Mismatched glue
 OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
 
PASS
 No NS A records at nameservers
 OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
 
PASS
 All nameservers report identical NS records
 OK. The NS records at all your nameservers are identical.
 
PASS
 All nameservers respond
 OK. All of your nameservers listed at the parent nameservers responded.
 
PASS
 Nameserver name validity
 OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
 
FAIL
 Number of nameservers
 ERROR: You have 2 nameservers, but both are on the same IP! This is not a valid setup. You are required to have at least 2 nameservers, per RFC 1035 section 2.2.
 
PASS
 Lame nameservers
 OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
 
FAIL
 Missing (stealth) nameservers
 FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNS Report will not query these servers, so you need to be very careful that they are working properly.

ns1.edelweisshosting.net.
ns2.edelweisshosting.net.
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).
 
FAIL
 Missing nameservers 2
 ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
ns1.dns-fc.com.
ns2.dns-fc.com.
 
PASS
 No CNAMEs for domain
 OK. There are no CNAMEs for tahitiwakeboardfamily.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
 
PASS
 No NSs with CNAMEs
 OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
 
WARN
 Nameservers on separate class C's
 WARNING: All of your nameservers (listed at the parent nameservers) are in the same Class C (technically, /24) address space, which means that they are probably at the same physical location. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
 
PASS
 All NS IPs public
 OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
 
PASS
 TCP Allowed
 OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
 
WARN
 Single Point of Failure
 WARNING: Although you have at least 2 NS records, they may both point to the same server (neither of our two tests is sure; it appears that there are one or more firewall(s) that intercept and alter DNS packets), which would result in a single point of failure. You are required to have at least 2 nameservers per RFC 1035 section 2.2.
 
INFO
 Nameservers versions
 [For security reasons, this test is limited to members]
 
FAIL
 Stealth NS record leakage
 Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [ns1.edelweisshosting.net.]!
Stealth nameservers are leaked [ns2.edelweisshosting.net.]!

This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.
 

 

SOA
 INFO
 SOA record
 Your SOA record [TTL=14400] is:

Primary nameserver: ns1.edelweisshosting.net.
Hostmaster E-mail address: root.tahitiwakeboardfamily.com.
Serial #: 2007012400
Refresh: 14400
Retry: 3600
Expire: 1209600
Default TTL: 86400
 
PASS
 NS agreement on SOA serial #
 OK. All your nameservers agree that your SOA serial number is 2007012400. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS Report only checks the NS records listed at the parent servers (not any stealth servers).
 
WARN
 SOA MNAME Check
 WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: ns1.edelweisshosting.net.. However, that server is not listed at the parent servers as one of your NS records! This is legal, but you should be sure that you know what you are doing.
 
PASS
 SOA RNAME Check
 OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: root@tahitiwakeboardfamily.com. (techie note: we have changed the initial '.' to an '@' for display purposes).
 
PASS
 SOA Serial Number
 OK. Your SOA serial number is: 2007012400. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. So this indicates that your DNS was last updated on 24 Jan 2007 (and was revision #0). This number must be incremented every time you make a DNS change.
 
PASS
 SOA REFRESH value
 OK. Your SOA REFRESH interval is : 14400 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
 
PASS
 SOA RETRY value
 OK. Your SOA RETRY interval is : 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
 
PASS
 SOA EXPIRE value
 OK. Your SOA EXPIRE time: 1209600 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
 
PASS
 SOA MINIMUM TTL value
 OK. Your SOA MINIMUM TTL is: 86400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
 

 

MX
 INFO
 MX Record
 Your 1 MX record is:

10 mail.tahitiwakeboardfamily.com. [TTL=14400] IP=75.126.133.212 [TTL=14400] [US]
 
PASS
 Low port test
 OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
 
PASS
 Invalid characters
 OK. All of your MX records appear to use valid hostnames, without any invalid characters.
 
PASS
 All MX IPs public
 OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
 
PASS
 MX records are not CNAMEs
 OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
 
PASS
 MX A lookups have no CNAMEs
 OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
 
PASS
 MX is host name, not IP
 OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
 
INFO
 Multiple MX records
 NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.
 
PASS
 Differing MX-A records
 OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
 
PASS
 Duplicate MX records
 OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
 
PASS
 Reverse DNS entries for MX records
 OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are:

212.133.126.75.in-addr.arpa edelweisshosting.net. [TTL=66198]
 

 

Mail
 PASS
 Connect to mail servers
 OK: I was able to connect to all of your mailservers.
 
PASS
 Mail server host name in greeting
 OK: All of your mailservers have their host name in the greeting:

mail.tahitiwakeboardfamily.com:
    220 servertu1.edelweisshosting.net ESMTP Exim 4.60 Tue, 20 Feb 2007 22:18:56 +0000
 
PASS
 Acceptance of NULL <> sender
 OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
 
PASS
 Acceptance of postmaster address
 OK: All of your mailservers accept mail to postmaster@tahitiwakeboardfamily.com (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).
 
PASS
 Acceptance of abuse address
 OK: All of your mailservers accept mail to abuse@tahitiwakeboardfamily.com.
 
INFO
 Acceptance of domain literals
 WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mail.tahitiwakeboardfamily.com's postmaster@[75.126.133.212] response:
>>> RCPT TO:<postmaster@[75.126.133.212]>
<<< 501 <postmaster@[75.126.133.212]>: domain literals not allowed
 
PASS
 Open relay test
 OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

mail.tahitiwakeboardfamily.com OK: 550 authentication required
 
PASS
 SPF record
 You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is:
"v=spf1 a mx ip4:195.140.140.127 ?all" [TTL=14400]
 

 

WWW
 INFO
 WWW Record
 Your www.tahitiwakeboardfamily.com A record is:

www.tahitiwakeboardfamily.com. A 75.126.133.212 [TTL=14400] [US]
 
PASS
 All WWW IPs public
 OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
 
PASS
 CNAME Lookup
 OK. Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. There are no CNAMEs for www.tahitiwakeboardfamily.com, which is good.
 
INFO
 Domain A Lookup
 Your tahitiwakeboardfamily.com A record is:

tahitiwakeboardfamily.com. A 75.126.133.212 [TTL=14400]
 

 

 

_________________________
Customer Technical Support
MANA SAS, APNIC Member IAP/ISP of Tahiti and her Islands
Box 40 001 Fare tony –98713 TAHITI- French Polynesia
Phone: (689) 47.99.99 – Fax: (689) 50.88.89

« Last edit: February 22, 2007, 09:37:41 by cvinh »
staff
Tech. EdelweissHosting
Administrator
« Reply #1 on: February 23, 2007, 09:46:30 »

Hello

You can check now; you have something cleaner. There was an error in your DNS configuration file on the server. It has been corrected. Flush your Windows DNS cache and wait a few hours to see.

Please keep us posted.

EdelweissHosting Staff Member
Main site: http://edelweisshosting.com
Your IP: http://edelweisshosting.com/ip.php
cvinh
« Reply #2 on: February 27, 2007, 01:12:25 »

Hello

There is still a FAIL on the "Open DNS Servers" and "Number of nameservers" checks.
Can you take action on this?

Regards
staff
Tech. EdelweissHosting
Administrator
« Reply #3 on: February 27, 2007, 11:43:05 »

Hello

These are not flaws, just technical choices. They cause no problem for DNS propagation or for the speed of your site.

Thank you

EdelweissHosting Staff Member
Main site: http://edelweisshosting.com
Your IP: http://edelweisshosting.com/ip.php
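
Added example, not part of the thread and not code from EdelweissHosting or DNSreport: a Python sketch of the delegation checks the quoted report fails (number of nameservers, same /24, stealth/missing nameservers, open recursion), run offline against constructed DNS replies. The function names, the probe name example.org, the post-fix zone NS list and the address 192.0.2.53 are assumptions made for illustration; the nameserver names and 75.126.133.212 are taken from the report above.

```python
import ipaddress
import struct

def build_probe(qname, txid=0x1234):
    """DNS A query with RD=1 for a name the server is not authoritative for."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def offers_recursion(probe, response):
    """True if the reply to our probe has the RA (recursion available) bit set."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", probe[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this probe")
    return bool(flags & 0x0080)

def audit(parent_ns, zone_ns, probe, responses):
    """parent_ns: {name: ip} at the parent; zone_ns: NS names the zone serves;
    responses: {ip: raw reply to probe}. Returns (status, check) findings."""
    findings = []
    ips = sorted(set(parent_ns.values()))
    if len(parent_ns) >= 2 and len(ips) < 2:
        findings.append(("FAIL", "number of nameservers"))
    if len({ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}) < 2:
        findings.append(("WARN", "nameservers on separate /24s"))
    if set(zone_ns) - set(parent_ns):
        findings.append(("FAIL", "stealth nameservers"))
    if set(parent_ns) - set(zone_ns):
        findings.append(("FAIL", "missing nameservers"))
    if any(offers_recursion(probe, responses[ip]) for ip in ips if ip in responses):
        findings.append(("FAIL", "open DNS servers"))
    return findings

def reply(probe, flags):
    """Constructed reply: the probe's ID and question with a chosen flags word."""
    return probe[:2] + struct.pack("!H", flags) + probe[4:]

PROBE = build_probe("example.org")      # constructed out-of-zone name
IP = "75.126.133.212"                   # nameserver address from the report
DNS_FC = ["ns1.dns-fc.com.", "ns2.dns-fc.com."]
OPEN = reply(PROBE, 0x8180)             # constructed: QR|RD|RA, NOERROR
REFUSED = reply(PROBE, 0x8105)          # constructed: QR|RD, rcode REFUSED

# State shown in the report quoted in the first post.
BEFORE = audit(dict.fromkeys(DNS_FC, IP),
               ["ns1.edelweisshosting.net.", "ns2.edelweisshosting.net."],
               PROBE, {IP: OPEN})
# State described in reply #2; the corrected zone NS list is an assumption.
AFTER = audit(dict.fromkeys(DNS_FC, IP), DNS_FC, PROBE, {IP: OPEN})
# Hypothetical setup: second server on another network, recursion refused.
IP2 = "192.0.2.53"                      # documentation address (RFC 5737)
FIXED = audit(dict(zip(DNS_FC, [IP, IP2])), DNS_FC, PROBE,
              {IP: REFUSED, IP2: REFUSED})
```
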