Recently I have spent some time playing with my previous example (Writing your own DNS server backend) and have discovered that, for my use case, this will not work at all 🙁
Let me just go through the case once again:
- I wanted to be able to rewrite the IPv4 address returned for the mail server FQDN used in the “MX” record
- This way I could send IPv4 emails through my ISP's SMTP relay server and IPv6 emails directly over the Internet using my IPv6 tunnel (HE.net)
I have successfully managed to send IPv6 emails; however, using my DNS rewriting script has been somewhat troublesome, for a number of reasons:
- First, I did not think about the fact that incoming emails also need DNS. My email spam appliance does DNS lookups to verify that MX records have correct PTR records; it also checks TXT records to validate and comply with Sender Policy Framework (SPF) entries, among other things.
- Emails are not always sent from/to a top domain; for example, most newsletters are sent from something like newsletter.domain.com, and my script has no support for that.
- My script was built around the assumption that it would be easy to replace the IP address of the mail server for a particular domain. That is true if the domain's mail servers are in the same domain. For example, gmail.com does not host its MX records on gmail.com; instead they are hosted on google.com, a different domain. Most domain names do not have MX pointers into their own domain; even I do not do that for most of my domains.
The main reason why my script fails for the second and third cases is that a DNS query for MX records is normally a two-step process (at least that is what I've found with dig + PowerDNS + my script):
- a request for the SOA/ANY record of the domain;
- a request for the A/AAAA record of the MX record's FQDN.
In my case I'm only interested in rewriting the A record for a specific mail server (the MX FQDN), and therefore I made the design decision to issue another query for the TLD of a specific FQDN.
Let's say I want to send email to foo.com:
- I do a dig MX foo.com against my PowerDNS server
- PowerDNS returns mx01.foo.com and mx02.foo.com
- dig sends another request for their A/AAAA records
- My script notices that the request is for an A/AAAA record and quickly looks up the MX record(s) for the domain that mx01.foo.com belongs to (foo.com); if any of those records match the FQDN of the A/AAAA query, it does its replacement of the A record.
But as we have now understood, MX records do not always share the top domain of the domain they serve; gmail.com uses google.com hosts, etc.
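To make the failure concrete, here is an added Python simulation (not the original script) of the two-step flow: the naive "top domain" check from the post beside a small tracker that remembers MX targets as MX answers go out, so the A/AAAA follow-up is matched by name rather than by domain. All zone data, host names and addresses are constructed, and the tracker assumes the same backend answers both queries.

```python
# Added example (not from the original post): simulates the MX-then-A/AAAA
# lookup flow and shows why deriving the MX owner from the A query name fails.
# All zone data and addresses below are constructed for the demo.
MX = {
    "foo.com": ["mx01.foo.com", "mx02.foo.com"],
    "gmail.com": ["gmail-smtp-in.l.google.com"],          # MX hosted elsewhere
    "google.com": ["smtp.google.com"],                      # not gmail's MX hosts
    "newsletter.domain.com": ["mx.newsletter.domain.com"],  # subdomain sender
}
ISP_RELAY = "192.0.2.25"  # constructed: the ISP SMTP relay to substitute

def top_domain(fqdn):
    """Naive 'top domain' rule of the original script: keep the last two labels."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def rewrite_naive(qname):
    """Original heuristic: rewrite only if qname is an MX target of its own top domain."""
    return qname in MX.get(top_domain(qname), [])

class MxTracker:
    """Alternative: remember MX targets seen in MX answers, then match A/AAAA qnames.
    Assumes the same backend serves the MX query before the A/AAAA follow-up."""
    def __init__(self):
        self.targets = set()

    def on_mx_query(self, domain):
        targets = MX.get(domain, [])
        self.targets.update(targets)
        return targets

    def rewrite(self, qname):
        return qname in self.targets

def answer_a(qname, rewrite_fn, real_ip):
    """Address handed back for an A query: the ISP relay if rewritten, else the real one."""
    return ISP_RELAY if rewrite_fn(qname) else real_ip

if __name__ == "__main__":
    tracker = MxTracker()
    for domain, host, real in [("foo.com", "mx01.foo.com", "198.51.100.1"),
                               ("gmail.com", "gmail-smtp-in.l.google.com", "198.51.100.2"),
                               ("newsletter.domain.com", "mx.newsletter.domain.com", "198.51.100.3")]:
        tracker.on_mx_query(domain)  # step 1: the MX query goes through the backend
        print(f"{host:30} naive={answer_a(host, rewrite_naive, real):14} "
              f"tracked={answer_a(host, tracker.rewrite, real)}")
```

The naive rule only rewrites mx01.foo.com; the gmail.com and newsletter.domain.com hosts keep their real addresses, which is exactly the failure described above, while the tracker rewrites all three.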
The only way my script could eventually work would be if I returned the additional records (Additional Section) with the first query (ANY), and if my email edge server understands those (this needs some testing).
Please comment if you have another idea on how I could achieve this 🙂