This is part two of a series on mistakes seen in DNS, and it shares many more common problems, often caused by typos, copy-and-paste errors, or misunderstandings about what is allowed in DNS. What software, quality assurance, or auditing lets these through? Part one was about missing or mistakenly added trailing dots. (I have done automated DNS and DNSSEC research for years. As far as we know, we run the most extensive DNS test suite.) This article shares several examples to consider when reviewing your own DNS configurations. (This data is from July 2020.)
A number in brackets included in the MX target hostname, and IP addresses used as MX "hostnames."
mwananchi.co.tz. 120 IN MX 0 [5]mail2.mwananchi.co.tz.
mwananchi.co.tz. 120 IN MX 5 217.29.131.234.
mwananchi.co.tz. 120 IN MX 10 217.29.131.234.
Literal spaces (ASCII 32, shown as \032) together with parentheses, the word "priority" and a number. Presumably copied and pasted from setup instructions?
psydro.com. 300 IN MX 1 aspmx.l.google.com\032\(priority:\0321\).
sample-cube.com. 299 IN MX 1 smtp.secureserver.net\032\(priority:\0320\).
Verification keys belong in TXT records, not MX records. The first one also includes literal quotes from a copy and paste.
araby.games. 3600 IN MX 15 \"ydgave4awwq2x6gvrr67gadew3ujbq3ez3dht6cp34ymxpvp6akq.mx-verification.google.com.\".
beanhunters.com. 3600 IN MX 15 2432ozecefk76ik4ibx42n6bqbixop7yght5q3hswjlxy6xohcfq.mx-verification.google.com.
genistabio.com. 600 IN MX 15 6e7k3mn3er5edbayx7xgj7ztnhm2bvm23t6735sw5e32cslwuawa. mx-verification.GOOGLE.com.
SPF TXT record contents pasted into MX targets, where they are interpreted as hostnames.
siirt.edu.tr. 3600 IN MX 10 v=spf1\032include:_spf.google.com\032~all.
portalcarapicuiba.com.br. 300 IN MX 0 v=spf1\032ip4:54.39.159.133\032ip6:2607:5300:203:4985::\032include:spf.canada.ind.br\032+a\032+mx\032~all.
ndls.ie. 299 IN MX 1 v=spf1\032include:spf.protection.outlook.com\032-all.
filmesonlinehdgratis.com.br. 299 IN MX 14400 \"v=spf1\032include:spf.mx.hostinger.com\032include:relay.mailchannels.net\032~all\".
More literal spaces in MX target hostnames.
scotiabank.com.mx. 457 IN MX 10 smexstsipgdl31.scotiabank.com.mx\032.
healthybrains.org. 28800 IN MX 10 alt4.aspmx.l.google.com\032\032.
getbucks.com. 86400 IN MX 20 mx2.mtaroutes.com\032.
getbucks.com. 86400 IN MX 30 mx3.mtaroutes.com\032.
getbucks.com. 86400 IN MX 40 mx4.mtaroutes.com\032.
This refers to port 110, so perhaps some POP3 notes were pasted into an MX target?
outpostinfo.com. 300 IN MX 0 mail.outpostinfo.com\032\(port:\032110\).
It looks like a period in quotes was entered as an MX target hostname. The first one has a literal space (ASCII 32) too.
getkansasbenefits.gov. 899 IN MX 10 \".\032\".
werk.nl. 21599 IN MX 0 \".\".
More literal quotes in DNS.
mobhey.com. 3599 IN MX 0 mobhey-com.mail.protection.partner.outlook.cn.\".
onifile.com. 300 IN MX 10 \"mx1.weblink.com.br\".
Typo: a comma instead of a period.
speedjob.in. 300 IN MX 10 speedjob,in.
puntajenacional.cl. 299 IN MX 10 aspmx3.googlemail.com,.
academicpositions.com. 299 IN MX 1 aspmx.l.google.com,.
academicpositions.com. 299 IN MX 10 alt3.aspmx.l.google.com,.
academicpositions.com. 299 IN MX 10 alt4.aspmx.l.google.com.
academicpositions.com. 299 IN MX 5 alt1.aspmx.l.google.com,.
academicpositions.com. 299 IN MX 5 alt2.aspmx.l.google.com,.
myabsorb.com. 2825 IN MX 0 myabsorb-com.mail.protection.outlook.com,.
polkschoolsfl.com. 3600 IN SOA ns1,polk-fl.net. hostmaster.dc.polk-fl.net. 60 900 600 86400 3600
samyangpackaging.co.kr. 1799 IN SOA ns.samyang.com. administrator,samyang.com. 7 900 600 86400 3600
A typo or errant single quote appended to the MX target hostname.
fakeyourdrank.com. 300 IN MX 3 mx3.vfemail.net'.
This has a Latin small letter dotless "ı" instead of a Latin "i". (Punycode-encoded, the domain name is xn--googlemal-2pb.com.)
son.tv. 300 IN MX 10 aspmx2.googlemaıl.com.
MX priority included in the MX target hostname, probably a copy and paste mistake. Note the ASCII 32 space (\032).
lupygames.com. 300 IN MX 10 10\032inbound-smtp.eu-west-1.amazonaws.com.
acopian.com. 300 IN MX 30 10\032inbound-smtp.us-east-1.amazonaws.com.
thunderdrive.io. 300 IN MX 10 10\032inbound-smtp.us-east-1.amazonaws.com.
vaccineshoppe.com. 900 IN MX 10 5\032xspz11s657k.sanofi.com
eaguingamp.com. 3600 IN MX 5 100\032mxb.ovh.net.
dentalproductsreport.com. 299 IN MX 0 10\032us-smtp-inbound-1.mimecast.com.
dentalproductsreport.com. 299 IN MX 0 10\032us-smtp-inbound-2.mimecast.com.
A literal space (ASCII 32) inserted into an SOA field.
adek.gov.ae. 900 IN SOA \032s2gz0nm009.adnet.abudhabi.ae. hostmaster.abudhabi.ae. 161 28800 3600 2419200 900
webcom.com. 1799 IN SOA dns3.registeredsite.com. hostmaster.webcom.com\032. 2018072401 16384 2048 1048576 2560
tu.ac.kr. 1799 IN SOA \032ns2.tu.ac.kr. admin.tu.ac.kr. 1578 3600 300 604800 3600
SOA RNAME and serial number entered into the same SOA field (note the ASCII 32 space between them).
cucn.edu.cn. 1799 IN SOA dns1.cucn.edu.cn. hostmaster.net.edu.cn\03220070601. 401 900 600 86400 3600
The SOA RNAME contains multiple spaces (ASCII 32): attempts to enter multiple email addresses or contact names.
wima.ac.id. 1200 IN SOA ns2.wima.ac.id. pusat\032data\032dan\032informasi. 2004086278 900 3600 86400 3600
arlingtonschools.org. 1799 IN SOA dns2.dcbcoes.org. info.csiny.com\032,\032jaime.keener. 2019080901 900 600 86400 3600
tanama.ir. 3600 IN SOA tanama.ir. saeed\032nouri. 40 86400 600 2419200 86400
An attempt to have two SOA MNAMEs (note the ASCII 32 space between them).
e-credit.ad. 180 IN SOA ns1.creditandorra.ad,\032nic.creditandorra.ad. prod.creditandorra.ad. 85 900 600 86400 180
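As an added example (not part of the original article or of the DNS Institute's tool), the following Python script shows how the categories above can be caught mechanically in a zone review. It parses records in the presentation format shown in this article, decodes the RFC 1035 \DDD escapes so that \032 becomes a real space, and flags IP addresses in MX targets, pasted SPF text, commas instead of periods, bracketed numbers, a leading priority number in the target, and any non-LDH character (which is how the dotless "ı" and the quote characters surface). The sample records are constructed from the examples above plus one clean control record; the function names and the problem wording are this example's own.

```python
import ipaddress
import re

# Sample records, constructed from the article's own examples above (plus one
# clean control record). Escapes are RFC 1035 presentation format, so \032 is
# a literal space and \( \) \" are literal punctuation inside a label.
SAMPLE_RECORDS = [
    r"mwananchi.co.tz. 120 IN MX 0 [5]mail2.mwananchi.co.tz.",
    r"mwananchi.co.tz. 120 IN MX 5 217.29.131.234.",
    r"psydro.com. 300 IN MX 1 aspmx.l.google.com\032\(priority:\0321\).",
    r"siirt.edu.tr. 3600 IN MX 10 v=spf1\032include:_spf.google.com\032~all.",
    r"speedjob.in. 300 IN MX 10 speedjob,in.",
    "son.tv. 300 IN MX 10 aspmx2.googlema\u0131l.com.",  # U+0131 dotless i
    r"lupygames.com. 300 IN MX 10 10\032inbound-smtp.eu-west-1.amazonaws.com.",
    r'werk.nl. 21599 IN MX 0 \".\".',
    r"cucn.edu.cn. 1799 IN SOA dns1.cucn.edu.cn. hostmaster.net.edu.cn\03220070601. 401 900 600 86400 3600",
    r"e-credit.ad. 180 IN SOA ns1.creditandorra.ad,\032nic.creditandorra.ad. prod.creditandorra.ad. 85 900 600 86400 180",
    r"example.com. 300 IN MX 10 mail.example.com.",  # clean control record
]

ESCAPE_RE = re.compile(r"\\(\d{3}|.)")        # \DDD or \X
LDH_CHAR_RE = re.compile(r"[A-Za-z0-9.-]")    # letters, digits, hyphen, dot


def unescape(field):
    """Decode RFC 1035 presentation escapes: \\DDD -> chr(DDD), \\X -> X."""
    def repl(m):
        s = m.group(1)
        return chr(int(s)) if len(s) == 3 and s.isdigit() else s
    return ESCAPE_RE.sub(repl, field)


def check_hostname(field):
    """Return a list of problems found in one hostname field (MX exchange, SOA MNAME/RNAME)."""
    problems = []
    name = unescape(field)
    if name != field:
        problems.append("escape sequences present (decodes to %r)" % name)
    bare = name.rstrip(".")
    try:
        ipaddress.ip_address(bare)
        problems.append("IP address used where a hostname is required")
        return problems
    except ValueError:
        pass
    if bare.lower().startswith("v=spf1"):
        problems.append("SPF text pasted into a hostname field")
    if re.match(r"\d+\s", name):
        problems.append("leading number and space (MX priority pasted into the target?)")
    if re.match(r"\[\d+\]", name):
        problems.append("bracketed number prefix")
    if "," in name:
        problems.append("comma instead of period")
    bad = sorted({c for c in name if not LDH_CHAR_RE.fullmatch(c)})
    if bad:
        problems.append("non-LDH characters: " + ", ".join("U+%04X" % ord(c) for c in bad))
    return problems


def check_record(line):
    """Parse one presentation-format record; return (owner, type, [problems])."""
    fields = line.split()
    if len(fields) < 5:
        return (line, "?", ["unparseable record"])
    owner, _ttl, _rclass, rtype = fields[:4]
    rdata = fields[4:]
    problems = []
    if rtype == "MX":
        if len(rdata) != 2 or not rdata[0].isdigit():
            problems.append("MX rdata must be <preference> <exchange>")
        else:
            problems += ["exchange: " + p for p in check_hostname(rdata[1])]
    elif rtype == "SOA":
        if len(rdata) != 7:
            problems.append("SOA rdata must have 7 fields, got %d" % len(rdata))
        else:
            problems += ["MNAME: " + p for p in check_hostname(rdata[0])]
            problems += ["RNAME: " + p for p in check_hostname(rdata[1])]
            names = ("serial", "refresh", "retry", "expire", "minimum")
            for fname, value in zip(names, rdata[2:]):
                if not value.isdigit():
                    problems.append("SOA %s is not numeric: %r" % (fname, value))
    return (owner, rtype, problems)


def audit(lines):
    """Run check_record over every line and keep only the records with problems."""
    return [r for r in (check_record(line) for line in lines) if r[2]]


if __name__ == "__main__":
    for owner, rtype, problems in audit(SAMPLE_RECORDS):
        print("%s %s" % (owner, rtype))
        for p in problems:
            print("    - " + p)
```

Because escapes are decoded before any other check, a record whose target merely looks like a hostname in the raw zone text still gets flagged as soon as a hidden \032 turns into a space or a comma is found in the decoded name. The non-LDH report prints code points, which makes a confusable character such as U+0131 obvious in a review even when it is visually indistinguishable from the Latin "i".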
We found many more examples of the problems above. We also found many other typing and data entry mistakes, such as misspellings (like "shanhai" instead of "shanghai"); a missing period between DNS labels (e.g., "mxbmail" instead of "mxb.mail", or "aspmx4googlemail"); transposed characters (e.g., "squaer" instead of "square"); other missing letters (e.g., the "c" in "com"); added letters; and missing trailing letters (e.g., "co" instead of "com").
We will continue this series of articles with more examples of different DNS mistakes, including insane values, more garbage, and technical issues. What do you use to verify that your DNS is sane? The DNS Institute's checking tool looks at over 90 attributes to make sure they follow IETF/RFC requirements, government mandates, registry suggestions, and best practices. For over a year, we've run it against thousands of domains owned by Fortune 500 companies, the US government, and S&P 100 Global Banks, and have identified hundreds of thousands of anomalies, including critical issues and security vulnerabilities.