South African technology and IT companies seem to have some of the worst “qualified” DNS (domain name system) technicians in the world. Every day I come across some of the worst DNS configurations you could imagine. I notify the companies of these problems, never get a reply or a thank you, and when I check a few weeks later the problems still exist. These “technicians” are paid whopping salaries to run these DNS servers, yet they seem to have very little understanding of how DNS actually works.

I cannot tell you how many large companies in South Africa, and by large I mean the largest (Top 500 companies), cannot even seem to correctly configure DNS for their outbound mail servers.

It is an RFC requirement that any outbound mail server have a reverse FQDN (reverse-lookup fully qualified domain name). This means that the IP address of the sending mail server must convert back to a readable DNS name. For instance, when a receiving mail server queries the IP address 10.10.10.10, it should receive a reply such as mail.company.com. Furthermore, mail.company.com needs to be actively configured in that company’s DNS zone file, and the domain used must be a valid domain that can be seen globally, i.e. .com, .net, .org, .biz, .info, .us, .mobi, .co.za.

What happens when a mail server does NOT have a proper FQDN? Quite simply, the receiving mail server queries the sending IP address and sees that the IP address either (a) has no reverse FQDN, (b) has a misconfigured FQDN, or (c) has an FQDN that says something other than what the mail server is claiming it is. If these conditions are not met, the receiving mail server will reject the mail, regarding the sending server as a possible source of spam, i.e. fraudulent. Some of the biggest ISPs around the world (Google Mail / Gmail included) will reject incoming mail from mail servers that do not have a properly configured reverse FQDN.

For example, let’s say your mail server’s IP address is 196.100.200.100 and your mail server is configured to announce itself to other mail servers (EHLO) as mail.mycompany.com, yet in your DNS zone file 196.100.200.100 is configured as smtp.mycompany.com. The following is how the conversation between the mail servers will look (in layman’s terms, for the dumbass technicians around South Africa who cannot seem to grasp this simple concept):

Receiving mail server: HELLO who are you 196.100.200.100?
Sending mail server: HELLO, I am mail.mycompany.com
Receiving mail server: OK let me check that you are not lying to me.
Receiving mail server: WHO IS 196.100.200.100
Response to Receiving mail server: 196.100.200.100 is smtp.mycompany.com
Receiving mail server > Sending mail server: SORRY 196.100.200.100 is actually smtp.mycompany.com not mail.mycompany.com
Receiving mail server: Mail rejected / Transaction closed

This is only part of the issue; these are the types of misconfigurations that cross my path in my mail server logs on a daily basis. The next BIG problem is the use of non-valid domain names, i.e. domain names that do not exist globally or cannot be seen globally by others on the Internet. This is by far the biggest problem, and for the most part it occurs due to lazy technicians who suck server names out of their thumbs during the installation of a server and its testing phase, yet never change the name of the server when they place it live onto the Internet.

For instance, a technician will create a mail server with an FQDN of ourserver.local. .local is NOT a legitimate nor valid domain name, and no server on the Internet can resolve .local, yet technicians will configure a live server with such a name and expect their mails to miraculously arrive at their destination. In the past the mails would arrive at their destination, but not anymore: checking the validity of an FQDN is now a requirement to cut down on fraudulent / spam servers, and more and more ISPs are implementing this check and rejecting mail outright if the FQDN says something other than what should be expected.
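The check the receiving server performs in the conversation above, together with the .local problem just described, as an added Python example (this is not code from the original post). The PTR and A records and the list of public TLDs are constructed stand-ins for live DNS lookups; a real receiver would query the resolver and the IANA root zone instead.

```python
from ipaddress import ip_address

# Constructed reverse (PTR) records standing in for live DNS; not real zones.
PTR_RECORDS = {
    "196.100.200.100": "smtp.mycompany.com",  # zone file disagrees with EHLO
    "196.100.200.101": "mail.mycompany.com",  # consistent entry
    "196.100.200.102": "ourserver.local",     # name from the testing phase
}
# Constructed forward (A) records for the same hosts.
A_RECORDS = {
    "smtp.mycompany.com": "196.100.200.100",
    "mail.mycompany.com": "196.100.200.101",
}
# TLDs the post lists as globally visible (.co.za sits under .za).
# A real deployment would consult the IANA root zone, not a hand-written set.
PUBLIC_TLDS = {"com", "net", "org", "biz", "info", "us", "mobi", "za"}


def check_sender(ip: str, ehlo_name: str) -> str:
    """Return 'OK', or the reason a receiving server would reject the sender.

    Mirrors the steps in the post: look up the PTR for the connecting IP,
    refuse names that cannot exist on the public Internet, confirm the PTR
    name resolves back to the IP, then compare it with the EHLO name.
    """
    ip = str(ip_address(ip))  # normalise and validate the address first
    ehlo = ehlo_name.lower().rstrip(".")

    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        return f"no PTR record for {ip}"
    ptr = ptr.lower().rstrip(".")

    tld = ptr.rsplit(".", 1)[-1]
    if tld not in PUBLIC_TLDS:
        return f"PTR {ptr} uses non-public TLD .{tld}"

    if A_RECORDS.get(ptr) != ip:  # forward-confirmed reverse DNS
        return f"PTR {ptr} does not resolve back to {ip}"

    if ptr != ehlo:
        return f"{ip} is actually {ptr}, not {ehlo}"
    return "OK"


if __name__ == "__main__":
    for addr, name in [("196.100.200.100", "mail.mycompany.com"),
                       ("196.100.200.101", "mail.mycompany.com"),
                       ("196.100.200.102", "ourserver.local")]:
        print(f"{addr} EHLO {name}: {check_sender(addr, name)}")
```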

Sadly, many of the companies I have notified of such misconfigurations seem to take it as a joke and seldom pay heed to the warnings, nor do they fix anything, thinking (in all their wisdom) that they can simply conjure domain names and everyone else in the world must fall into place rather than vice versa. It’s no wonder the rest of the world considers us to be a Banana Republic; they simply have to look at the poorly implemented DNS servers all over South Africa and all the clarity they need is right there.

For those South African techies who think they know it all, come on dudes WISE UP and start playing the same game of football that everyone else has agreed to play, stop redesigning the ball, stop changing the rules and perhaps one day you may be able to actually be taken seriously.

For the directors of the large IT, tech and ISP companies in South Africa: have your DNS externally examined by professionals and do NOT take the word of your local (highly paid and qualified) technicians at face value. They will lie to your face to protect their jobs, and in the interim your company looks like the fool.