Using public DNS servers for Messaging Gateway

Article ID: 173856

Products

Messaging Gateway

Issue/Introduction

Symantec Messaging Gateway (SMG) is experiencing mail acceptance or delivery issues and is using a public DNS server.

Examples of public DNS servers include:

  • 8.8.8.8 (provided by Google)
  • 4.2.2.2 (provided by Level 3)
  • 208.67.222.222 or .220 (provided by Cisco/OpenDNS).

The messages log on Messaging Gateway may show errors similar to the following:

2023 Sep  4 19:21:40 (info) named: [16269]  REFUSED unexpected RCODE resolving 'example.com/MX/IN': 8.8.8.8#53
2023 Sep  4 19:41:40 (info) named: [16269]  REFUSED unexpected RCODE resolving 'example.com/A/IN': 8.8.8.8#53
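
To see how often each configured resolver returns such errors, the log lines above can be tallied per upstream server. The following is an added example, not Broadcom code: the function names are hypothetical, the resolver set is taken from this article's examples, and the sample input is constructed.

```python
import re
from collections import Counter

# Public resolvers named as examples in this article; extend for your site.
PUBLIC_RESOLVERS = {"8.8.8.8", "4.2.2.2", "208.67.222.222", "208.67.222.220"}

# Matches the named lines shown above:
#   named: [pid]  RCODE unexpected RCODE resolving 'name/TYPE/CLASS': server#port
LINE_RE = re.compile(
    r"named: \[\d+\]\s+(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def tally_unexpected_rcodes(lines):
    """Count unexpected-RCODE events per (resolver, rcode) pair."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m["server"], m["rcode"])] += 1
    return counts

def public_resolver_findings(lines, public=PUBLIC_RESOLVERS):
    """Return {resolver: {rcode: count}} limited to resolvers in the public set."""
    findings = {}
    for (server, rcode), n in tally_unexpected_rcodes(lines).items():
        if server in public:
            findings.setdefault(server, {})[rcode] = n
    return findings

# Constructed sample: the two lines from this article, plus one made-up line for
# an internal resolver (10.0.0.53) and one unrelated line that must be ignored.
SAMPLE = """\
2023 Sep  4 19:21:40 (info) named: [16269]  REFUSED unexpected RCODE resolving 'example.com/MX/IN': 8.8.8.8#53
2023 Sep  4 19:41:40 (info) named: [16269]  REFUSED unexpected RCODE resolving 'example.com/A/IN': 8.8.8.8#53
2023 Sep  4 19:45:02 (info) named: [16269]  SERVFAIL unexpected RCODE resolving 'example.org/MX/IN': 10.0.0.53#53
2023 Sep  4 19:46:10 (info) named: [16269]  zone example.net/IN: loaded serial 1
"""

if __name__ == "__main__":
    for server, rcodes in public_resolver_findings(SAMPLE.splitlines()).items():
        print(f"public resolver {server}: {rcodes}")
```

Any resolver reported here is a candidate for removal using the procedure in the Resolution section.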

Cause

Issues with public DNS servers

Free public DNS hosts are not recommended. Issues with these hosts include:

  • No guarantee of availability for enterprise service
  • Throttling/timeouts (see Introduction to Google Public DNS from the Google Developer site for an example)
  • Inability to resolve for internal host names
  • Public DNS traffic may not be encrypted or secured, and can provide information to bad actors.

Resolution

Broadcom does not recommend using public, rate-limited DNS servers on production Messaging Gateway systems.

To remove a public DNS server from the SMG configuration:

  1. Log into the SMG Control Center as an administrator
  2. Go to Administration > Configuration > host > DNS / Time
  3. Remove the public DNS server IP from the list of DNS servers
  4. If you have multiple SMG scanners you want to apply the change to, select the Apply to all scanners checkbox
  5. Click "Save"

Note: The list of DNS servers is not an ordered list; the server with the lowest query response time is selected for use. A response stating that service limits have been exceeded still counts as a response for this calculation. As a result, if an external, rate-limited DNS service with a lower query response time has been configured, SMG will use the rate-limited server to the exclusion of other internal servers.