mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.

Home Page: https://mailinabox.email/


outlook nameserver no host found

Kirutian opened this issue

I'm having issues when sending to hostnames with Outlook. My email works fine for every other domain, but when I send to someone using Microsoft I get a "no host found" error. My IP is not blocked, as I've checked it with Microsoft. I believe this has something to do with DNS routing. For example:

Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
for name=XXX.mail.eo.outlook.com type=AAAA: Host not found, try
again

OR

Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
for name=microsoft-com.mail.protection.outlook.com type=AAAA: Host not
found, try again

After prolonged tinkering, I have been able to temporarily resolve this issue by adding Cloudflare's nameserver to /etc/resolv.conf.

resolv.conf now contains:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.1
nameserver 1.1.1.1

Though doesn't this file get overwritten? What's a permanent solution? Clearly this is caused by my box using a bad nameserver.

This appears to be postfix related.

I also found this:
https://techcommunity.microsoft.com/t5/microsoft-365-admin-center/host-not-found-mail-protection-outlook-com/m-p/203226

I'm having problems with sending to Microsoft exchange servers.

I can force sending to these Exchange servers by manipulating the resolv.conf file and using the netplan apply or postqueue -f.

I have no idea what's wrong or how to fix this, but I'm confident the error is coming from my box.

You mentioned Cloudflare, do you have your A records proxied on Cloudflare? I've always had issues with that, so you could try turning off the proxy toggle in Cloudflare.

No. My A records are all on my box.

@JoshData Please believe me I very rarely tag the dev. There's a lot riding on me solving this issue.

On the VPS, try to do an nslookup on Microsoft's domain names to see if that resolves, and if you got a temp fix but it does not keep persistent you could make a service with systemd to have it rewrite the resolv.conf file on reboots.

So just to summarize the problem: There seems to be a DNS issue ("Host not found") when postfix tries to resolve certain outlook.com domains, and switching DNS servers fixes it (which supports the diagnosis that this is a DNS issue). The links you posted are various other problems with delivering mail to Microsoft but they aren't DNS issues so I don't think they are of much help here.

I've never heard of DNS-based blocking (although it's possible I guess), so I think the most likely culprit is something going wrong locally.

Similar to @babywhale321's suggestion, I'd be curious about the output of

drill -DT microsoft-com.mail.protection.outlook.com

(You may have to apt install drill first.)

which will give the most complete picture of how your box is resolving the domain name.

Here is the requested output for 'drill -DT microsoft-com.mail.protection.outlook.com'

entdev@box:~$ drill -DT microsoft-com.mail.protection.outlook.com
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 11019 (zsk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAcEtWatIO3exfN3A+WnZl7AVEBA3crRrrwKTfnmcdLt79C3DCOF1JX5zb4s84v0OxwlOVg+TR8VpkuYynMp3PQXLomLxe7j7PlxqEBo1LQaWfqyymCuF7rKebTLB5yZcr8/QUPwk/weLyguX6iVNDjIZOmeMqPkGJtDFp+EUfKgOa8AulKPLtsUL1W+1FT8sqroSxKXVXnhkEZN1O1zBxTG/z9xjwiPcd3//LSPUpEC9+rU2XIuCJq8nwAwJ7W6Rc49RxUT0Svc57HKqHjNuapvG0PCYh3bXCQzb7mb2pNwuerMFTzP5iEzXWZD7izLg9j3wEJ2Ia/WIEts/Tp9GIQM= ;{id = 11019 (zsk), size = 2048b}
[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
;; Signature ok but no chain to a trusted key or ds record
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 4459 (zsk), size = 1280b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[S] Existence denied: outlook.com. DS
;; No ds record for delegation
;; Domain: outlook.com.
;; No DNSKEY record found for outlook.com.
;; No DS for protection.outlook.com.;; No ds record for delegation
;; Domain: protection.outlook.com.
;; No DNSKEY record found for protection.outlook.com.
;; No DS for mail.protection.outlook.com.;; No ds record for delegation
;; Domain: mail.protection.outlook.com.
Error sending query: No (valid) nameservers defined in the resolver

I often get temporary name resolution errors. So I'm on the same page as you I think. I was looking into DNSSEC. It appears Microsoft is still in the process implementing

Oddly enough, I can ping smtp-mail.outlook.com - no DANE or DNSSEC.

Could it be that Microsoft is rejecting my box from even getting an IP? I know they block "namespace mining".

On the VPS, try to do an nslookup on Microsoft's domain names to see if that resolves, and if you got a temp fix but it does not keep persistent you could make a service with systemd to have it rewrite the resolv.conf file on reboots.

entdev@box:~$ nslookup

entworksit-com.mail.protection.outlook.com
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find entworksit-com.mail.protection.outlook.com: SERVFAIL

microsoft-com.mail.protection.outlook.com
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find microsoft-com.mail.protection.outlook.com: SERVFAIL

Added new nameservers to /etc/resolv.conf

This appears to be a more permanent solution. I'm under the understanding that this file will be overwritten. Is that the case?

@Kirutian I found this guide online and I hope it helps with keeping DNS settings permanent.

https://itsfoss.com/resolvconf-permanent-ubuntu/

@babywhale321 Your solution works but it still has to be redone at every MIAB update.
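
As an added example (not part of the original thread and not Mail-in-a-Box code), the Python below parses folded Postfix Diagnostic-Code text like the bounces quoted in this issue and separates retryable "Host not found, try again" resolver failures from definitive "Host not found" answers. The function names, the two-label parent-domain grouping and the third sample record are assumptions made for the example.

```python
import re
from collections import Counter

# Postfix's wording for resolver results: "..., try again" is the retryable
# TRY_AGAIN case (timeout or SERVFAIL from the resolver); plain "Host not found"
# is a definitive answer that the name does not exist.
PATTERN = re.compile(
    r"Name service error for name=(\S+) type=(\w+): "
    r"(Host not found(?:, try again)?)"
)

def parse_failures(text):
    """Return (name, qtype, kind) for each Postfix name service error in text."""
    flat = " ".join(text.split())  # undo line folding in bounce messages
    out = []
    for name, qtype, reason in PATTERN.findall(flat):
        kind = "temporary" if reason.endswith("try again") else "definitive"
        out.append((name.lower(), qtype, kind))
    return out

def summarize(text):
    """Count failures per (parent domain, kind); last two labels only, no PSL."""
    counts = Counter()
    for name, _qtype, kind in parse_failures(text):
        parent = ".".join(name.rstrip(".").split(".")[-2:])
        counts[(parent, kind)] += 1
    return counts

def suspect_local_resolver(text):
    """True when every parsed failure is temporary, i.e. no answer was obtained."""
    kinds = {kind for _name, _qtype, kind in parse_failures(text)}
    return kinds == {"temporary"}

# Constructed sample: the two folded Diagnostic-Code fields quoted in the issue
# plus one made-up definitive failure for contrast.
SAMPLE = """\
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=XXX.mail.eo.outlook.com type=AAAA: Host not found, try
    again
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=microsoft-com.mail.protection.outlook.com type=AAAA: Host not
    found, try again
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=mx.example.invalid type=A: Host not found
"""

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)), suspect_local_resolver(SAMPLE))
```

When every failure is of the temporary kind, as in the two bounces from this issue, the resolver never returned an answer, which matches the SERVFAIL and timeout results from 127.0.0.1 shown in the nslookup output.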