Hi,
we see sporadic DNS resolver errors for A records of *.mail.protection.outlook.com
Only a few per day vs many successful lookups.
Anybody else seeing these?
Kind regards
Ralf
Ralf Zenklusen Dipl. El. Ing. HTL Leiter Internet
BAR Informatik AG Weidenweg 235 3902 Brig-Glis Tel +41 27 922 48 48
www.barinformatik.ch www.rhone.ch r.zenklusen@barinformatik.ch
Hi,
we see sporadic DNS resolver errors for A records of *.mail.protection.outlook.com
Only a few per day vs many successful lookups.
Anybody else seeing these?
Kind regards
Ralf
Ralf Zenklusen Dipl. El. Ing. HTL Leiter Internet
BAR Informatik AG Weidenweg 235 3902 Brig-Glis Tel +41 27 922 48 48
www.barinformatik.ch www.rhone.ch r.zenklusen@barinformatik.ch
Hi Ralf
We see these problems too.
best regards, Felix
Am 22.05.2018 um 11:09 schrieb Ralf Zenklusen, BAR Informatik AG:
Hi,
we see sporadic DNS resolver errors for A records of *.mail.protection.outlook.com
Only a few per day vs many successful lookups.
Anybody else seeing these?
Kind regards
Ralf
*Ralf Zenklusen * Dipl. El. Ing. HTL Leiter Internet
*BAR *Informatik AG Weidenweg 235 3902 Brig-Glis Tel +41 27 922 48 48
www.barinformatik.ch www.rhone.ch r.zenklusen@barinformatik.ch
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
we see sporadic DNS resolver errors for A records of *.mail.protection.outlook.com
Only a few per day vs many successful lookups.
I haven't noticed this, but we found out last week that Microsoft apparently has enabled a new cluster of servers for europe in networks 40.92.7[345].*. All of these currently completely lack PTR data, and the corresponding SOA suggests a last modification date of February 5, 2018:
92.40.in-addr.arpa. 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2018020502 7200 900 2419200 3600
they pop up in logs such as this:
[40.92.75.99] claimed to be EUR04-VI1-obe.outbound.protection.outlook.com
and rejected connections seem to carry only freemail services (hotmail, windowslivemail).
We informed SOA and whois contacts last Wednesday, but haven't heard back from them.
Cheers, Markus
looks like the authoritative nameservers cannot handle EDNS(0) queries (standardized in 1999, rfc2671). While this is not a problem per see, the FORMERR response is not according RFC. For more details see: https://ednscomp.isc.org/ednscomp/17c95198e4#edns
Name resolution therefore relies on retries by the resolver until it figured out how to talk to this authoritative nameserver.
I guess this could be the source of your problem as such retries are error prone or can lead to timeouts.
If you are using BIND you can avoid this retries all together by using:
// avoid using EDNS(0) for the following nameservers server 157.55.234.42 { edns false; }; server 157.56.112.42 { edns false; }; server 23.103.145.81 { edns false; }; server 157.56.112.42 { edns false; };
See BIND ARM manual for more information: https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html#server_state...
Note, EDNS workarounds are going to disappear. See: https://ripe76.ripe.net/presentations/159-edns.pdf
Daniel, SWITCH
On 22.05.18 11:09, Ralf Zenklusen, BAR Informatik AG wrote:
Hi,
we see sporadic DNS resolver errors for A records of *.mail.protection.outlook.com
Only a few per day vs many successful lookups.
Anybody else seeing these?
Kind regards
Ralf
*Ralf Zenklusen * Dipl. El. Ing. HTL Leiter Internet
*BAR *Informatik AG Weidenweg 235 3902 Brig-Glis Tel +41 27 922 48 48
www.barinformatik.ch www.rhone.ch r.zenklusen@barinformatik.ch
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
-
Daniel Stirnimann -
Felix Meier -
Markus Wild -
Ralf Zenklusen, BAR Informatik AG -
rz@bar.ch