DNSmonitor KB - DNS check KB

MX record validation

The check validates that the MX records configured for the zone remain unchanged.

Among other things, the DNS is used to route email. This is controlled by the MX resource records, which assign the host names of the Mail Transfer Agents (MTAs) to which email destined for the domain is routed.

The MX resource records are rarely changed; normally they only change when the mail infrastructure is changed.

By altering MX destinations a hacker can intercept both email data and mailbox credentials. This is one of the techniques used in the Sea Turtle campaign and will be used by its successors. The check stores the MX resource records in the configuration database when the domain is configured for monitoring. If authorised changes have been made to the MX resource records, the domain needs to be reconfigured.

Event severities and messages

WARNING

MX query timed out on all name servers.

The monitoring node experienced timeouts from all authoritative name servers. If this happens from all monitoring nodes, the DNS servers are evidently unable to respond to the queries.

Unexpected response from server: {response code}

The DNS server responded with an error code. The error code will most likely indicate the reason.

ERROR

Query response contained no MX records.

The check expected to receive a query response with an MX resource record set but received none. This is only possible if the MX resource records have been intentionally (or unintentionally) removed from the domain. Verify whether the MX resource record set should remain absent from the zone. If so, the domain needs to be reconfigured to avoid this message; if not, re-enter the MX records.

The result from the MX query didn't match the expected values: {diff list}

As stated in the introduction, the MX resource records are rarely subject to change. The result from the query did not match the expected values stored in the configuration database. The message contains a list of the MX records that differ from the expected values.

MX resource records are changed for the following reasons:

  • When the mail infrastructure is significantly changed or moved.
  • By accident.
  • With intent, quite possibly by an intruder looking to disrupt incoming mail traffic.

UNKNOWN

Unable to perform check due to input data failure.

When this message appears, usually one of the queries leading up to the final query has received an empty or garbled response. Please report this through the normal support channel.

Corrupt or malformed response from nameserver.

The check received a query response with unreadable data fields. Please report this through the normal support channel.

Solutions, tips & tricks

The MX preference represents the order in which a sending MTA should try the receiving MTAs when delivering a mail. In short, this means that the host name with the lowest preference value is the primary MTA or relay host.
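The following is an added illustration of the MX validation logic described on this page and of the preference ordering above; it is not DNSmonitor's own code. It compares the MX record set returned by each authoritative name server against a baseline recorded at configuration time and maps the outcome onto the severities and messages listed above. Name server responses, the baseline and the host names are all constructed for the example (the MxResponse type, validate_mx, normalize and delivery_order are assumptions of this illustration), so it runs offline without sending any DNS queries.

```python
"""Added illustration of an MX record validation check (not DNSmonitor's code).

The check compares the MX RRset served by a zone's authoritative name
servers with the baseline stored when the domain was configured for
monitoring, and reports one of the severities described on this page.
All inputs are constructed in-line so the example runs offline.
"""
from dataclasses import dataclass, field

# Severity labels as used on this page.
OK, WARNING, ERROR, UNKNOWN = "OK", "WARNING", "ERROR", "UNKNOWN"


@dataclass
class MxResponse:
    """Simplified (assumed) result of an MX query against one name server.

    timed_out - no answer arrived before the deadline
    rcode     - DNS response code text (NOERROR, SERVFAIL, REFUSED, ...)
    records   - (preference, exchange host name) pairs from the answer section
    """
    timed_out: bool = False
    rcode: str = "NOERROR"
    records: list = field(default_factory=list)


def normalize(records):
    """Canonical form for comparison: host names are case-insensitive and a
    missing trailing dot must not be reported as a change."""
    return {(int(pref), host.lower().rstrip(".") + ".") for pref, host in records}


def validate_mx(baseline, responses):
    """Evaluate one monitoring node's query round.

    baseline  - MX records recorded when the domain was configured
    responses - one MxResponse per authoritative name server queried
    Returns a dict with severity, message and the diff list (if any).
    """
    expected = normalize(baseline)
    answered = [r for r in responses if not r.timed_out]
    if not answered:
        return {"severity": WARNING, "message": "MX query timed out on all name servers.", "diff": []}

    # Any non-success response code is reported together with the code itself.
    for r in answered:
        if r.rcode != "NOERROR":
            return {"severity": WARNING, "message": f"Unexpected response from server: {r.rcode}", "diff": []}

    # The check expects an MX RRset; an empty answer from every server means the
    # records were removed (or the stored baseline is stale).
    if all(not r.records for r in answered):
        return {"severity": ERROR, "message": "Query response contained no MX records.", "diff": []}

    # Compare every server individually, so a single server handing out a
    # different RRset (or missing one record) is not masked by the others.
    diff = set()
    for r in answered:
        observed = normalize(r.records)
        diff |= {f"+{p} {h}" for p, h in observed - expected}   # present but not expected
        diff |= {f"-{p} {h}" for p, h in expected - observed}   # expected but absent
    if diff:
        diff_list = sorted(diff)
        return {"severity": ERROR,
                "message": f"The result from the MX query didn't match the expected values: {diff_list}",
                "diff": diff_list}
    return {"severity": OK, "message": "MX records match the configured baseline.", "diff": []}


def delivery_order(records):
    """Hosts in the order a sending MTA should try them: lowest preference
    first (equal preferences are ordered by name here for determinism)."""
    return [host for _, host in sorted(normalize(records))]


# Constructed baseline and query responses; no real zone was queried.
BASELINE = [(10, "mx1.example.net."), (20, "MX2.example.net")]
SAMPLE_RESPONSES = {
    "unchanged": [MxResponse(records=[(10, "mx1.example.net."), (20, "mx2.example.net.")]),
                  MxResponse(records=[(10, "MX1.example.net"), (20, "mx2.example.net.")])],
    "changed": [MxResponse(records=[(5, "mx.unexpected-host.example."),
                                    (10, "mx1.example.net."), (20, "mx2.example.net.")])],
    "all_timeouts": [MxResponse(timed_out=True), MxResponse(timed_out=True)],
    "servfail": [MxResponse(rcode="SERVFAIL")],
    "removed": [MxResponse(records=[])],
}

if __name__ == "__main__":
    for name, responses in SAMPLE_RESPONSES.items():
        result = validate_mx(BASELINE, responses)
        print(f"{name:13} {result['severity']:8} {result['message']}")
    print("delivery order:", delivery_order(BASELINE))
```

The per-server comparison is deliberate: taking the union of all answers would hide a single name server that serves an extra or missing MX record, which is exactly the kind of partial change a defender wants flagged as ERROR rather than averaged away.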