Firewall isn’t blocking. We have pfSense firewalls upstream with HA and all the services and machines resolve everything correctly.
On the mailcow machine, even though we are in 2021, I even disabled firewalld, so it's all up to iptables as recommended.
After disabling firewalld instead of the timeout error I get a new one:
0: php_network_getaddresses: getaddrinfo failed: Name does not resolve
I’m not sure what you meant by “for the other records maybe the DNS are not actually changed globally”
mxtoolbox resolves correctly.
Querying via WAN to the Authoritative name server:
% dig @100.110.10.1 _25._tcp.mx0.domain.io TLSA
; <<>> DiG 9.10.6 <<>> @100.110.10.1 _25._tcp.mx0.domain.io TLSA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11308
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mx0.domain.io. IN TLSA
;; ANSWER SECTION:
_25._tcp.mx0.domain.io. 86400 IN TLSA 3 1 1 24F25E13B468D8F579BC9A594B5603D03E92EA14A9EEB2DF0715129D 140D5E8E
;; AUTHORITY SECTION:
domain.io. 86400 IN NS ns01.domain.io.
domain.io. 86400 IN NS ns13.domain.io.
;; ADDITIONAL SECTION:
ns01.domain.io. 1200 IN A x.x.x.x
ns13.domain.io. 1200 IN A x.x.x.x
;; Query time: 51 msec
;; SERVER: 100.110.10.1#53(100.110.10.1)
;; WHEN: Fri Jan 22 14:16:57 WET 2021
;; MSG SIZE rcvd: 166
Query to Cloudflare 1.1.1.1:
% dig @1.1.1.1 _25._tcp.mx0.domain.io TLSA
; <<>> DiG 9.10.6 <<>> @1.1.1.1 _25._tcp.mx0.domain.io TLSA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_25._tcp.mx0.domain.io. IN TLSA
;; ANSWER SECTION:
_25._tcp.mx0.domain.io. 86400 IN TLSA 3 1 1 24F25E13B468D8F579BC9A594B5603D03E92EA14A9EEB2DF0715129D 140D5E8E
;; Query time: 960 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Jan 22 14:17:17 WET 2021
;; MSG SIZE rcvd: 96
Query to Google:
% dig @8.8.4.4 _25._tcp.mx0.domain.io TLSA
; <<>> DiG 9.10.6 <<>> @8.8.4.4 _25._tcp.mx0.domain.io TLSA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_25._tcp.mx0.domain.io. IN TLSA
;; ANSWER SECTION:
_25._tcp.mx0.domain.io. 21599 IN TLSA 3 1 1 24F25E13B468D8F579BC9A594B5603D03E92EA14A9EEB2DF0715129D 140D5E8E
;; Query time: 83 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Jan 22 14:22:57 WET 2021
;; MSG SIZE rcvd: 96
Query to the router address in /etc/resolv.conf:
% dig @10.0.1.254 _25._tcp.mx0.domain.io TLSA
; <<>> DiG 9.10.6 <<>> @10.49.1.254 _25._tcp.mx0.domain.io TLSA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19565
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_25._tcp.mx0.domain.io. IN TLSA
;; ANSWER SECTION:
_25._tcp.mx0.domain.io. 86395 IN TLSA 3 1 1 24F25E13B468D8F579BC9A594B5603D03E92EA14A9EEB2DF0715129D 140D5E8E
;; Query time: 50 msec
;; SERVER: 10.0.1.254#53(10.0.1.254)
;; WHEN: Fri Jan 22 14:24:03 WET 2021
;; MSG SIZE rcvd: 96
To me it seems that the DNS servers around are working fine and give the correct answers.
Any machine connected to the same subnet resolves and makes queries without issues.
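The record shown in every dig answer above is a "3 1 1" TLSA record (RFC 6698: usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256). The Python below is an added example, not code from the original post or from mailcow: it parses the RDATA exactly as dig prints it (including the space dig inserts into the hex, which breaks a naive copy-paste), validates the three numeric fields and the digest length, and checks the association data against the DER bytes of a certificate or its SPKI. The certificate and SPKI byte strings are constructed placeholders so the example runs offline; for a real MX you would extract them with the openssl commands named in the comments.

```python
"""Parse and verify DANE TLSA records as printed by dig (RFC 6698).

Added example; not part of the original post or of mailcow. The DER blobs
below are constructed stand-ins so this runs offline.
"""
import hashlib
import hmac
import re

# TLSA RDATA as it appears in the dig output quoted in the post (3 1 1, SHA-256
# of the SPKI). dig wraps the hex across a space; that is presentation only.
POST_RECORD = ("3 1 1 24F25E13B468D8F579BC9A594B5603D03E92EA14A9EEB2DF0715129D"
               " 140D5E8E")

VALID_USAGES = {0, 1, 2, 3}        # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
VALID_SELECTORS = {0, 1}           # 0 = full certificate, 1 = SubjectPublicKeyInfo
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # 0 = exact match, 1 = SHA-256, 2 = SHA-512

# Constructed stand-ins for real DER data (NOT a real certificate or key). On a
# real MX you would obtain them with:
#   openssl x509 -in mx.pem -outform DER                                  (selector 0)
#   openssl x509 -in mx.pem -pubkey -noout | openssl pkey -pubin -outform DER  (selector 1)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13" + b"constructed-spki-bytes"


def parse_tlsa(rdata: str):
    """Return (usage, selector, matching_type, data) from TLSA RDATA text.

    Whitespace inside the hex (as in dig's wrapped output) is removed before
    decoding. Field values and digest length are validated so a typo or a
    truncated paste fails loudly instead of silently never matching.
    """
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"expected 'usage selector mtype data', got {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in VALID_USAGES:
        raise ValueError(f"invalid usage {usage}")
    if selector not in VALID_SELECTORS:
        raise ValueError(f"invalid selector {selector}")
    if mtype not in DIGEST_LEN:
        raise ValueError(f"invalid matching type {mtype}")
    data = bytes.fromhex(re.sub(r"\s+", "", parts[3]))
    want = DIGEST_LEN[mtype]
    if want is not None and len(data) != want:
        raise ValueError(f"matching type {mtype} needs {want} bytes, got {len(data)}")
    return usage, selector, mtype, data


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the certificate association data for the given selector/mtype."""
    chosen = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    return hashlib.sha512(chosen).digest()


def record_for(cert_der: bytes, spki_der: bytes, usage: int = 3,
               selector: int = 1, mtype: int = 1) -> str:
    """Produce the TLSA RDATA you would publish for this certificate/key."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex().upper()}"


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the published record matches what the server actually presents."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    return hmac.compare_digest(data, association_data(cert_der, spki_der, selector, mtype))


if __name__ == "__main__":
    usage, selector, mtype, data = parse_tlsa(POST_RECORD)
    print(f"post record: usage={usage} selector={selector} mtype={mtype} len={len(data)}")
    rec = record_for(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("record for constructed key:", rec)
    print("matches own key:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("matches after key change:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER + b"x"))
```

The check is deliberately split in two: what DNS publishes (`parse_tlsa`) and what the server presents (`association_data`). Note that a "3 1 1" record hashes only the public key, so it keeps matching across certificate renewals as long as the key pair is reused; rotating the key without updating DNS is what makes the comparison go false.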