> On 23. 9. 2025, at 22:21, Petr Špaček <[email protected]> wrote:
>
> TL;DR their setup is so complicated that resolution from an empty cache is
> hitting limits designed to prevent misuse/stop attackers from exploiting
> resolvers.
It's kind of random whether you hit the limits or not though...

$ delv -i +ns mcr.trafficmanager.net -d99 | grep excee
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns4-09.azure-dns.info/AAAA' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns4-09.azure-dns.info/A' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51)
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns2-04.azure-dns.net/A' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns1-04.azure-dns.com/AAAA' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
$

FTR distributing the DNS among multiple TLDs does not increase resiliency.
In fact, I believe using direct in-domain nameservers is the best option instead of this madness. I have an old blog post on this I might revive and put somewhere again.

Ondrej

--
Ondřej Surý (He/Him)
[email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
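The post shows by hand that whether a cold-cache resolution of mcr.trafficmanager.net trips BIND's max-recursion-queries limit varies from run to run. The script below is an added example, not code from the post or from ISC, that turns that manual `grep exce` into a tally: it parses the `;; exceeded max queries resolving ...` lines delv -d99 prints (the only format assumed is the one visible in the post, where the trailing `maxqueries=` field is sometimes absent), and reports how many runs hit the limit and which nameserver names and TLDs were involved. The `run_delv` helper is an assumption about how one would collect further samples live; the offline demo uses transcripts constructed from three of the runs shown in the post.

```python
"""Tally max-recursion-queries hits across repeated cold-cache delv runs.

Added example; assumes the delv -d99 log line format shown in the post.
"""
import re
import subprocess
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Matches lines such as:
#   ;; exceeded max queries resolving 'ns3-09.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
# The ", maxqueries=N" tail is not printed on every line in the post, so it is optional.
EXCEEDED_RE = re.compile(
    r"exceeded max queries resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)'"
    r" \((?P<limit>[a-z-]+), querycount=(?P<qc>\d+)(?:, maxqueries=(?P<max>\d+))?\)"
)


@dataclass(frozen=True)
class LimitHit:
    name: str            # owner name whose address lookup hit the limit
    rtype: str           # A or AAAA in the post
    limit: str           # which limit fired, e.g. max-recursion-queries
    querycount: int      # queries spent when the limit fired
    maxqueries: Optional[int]  # configured ceiling, when delv printed it


def parse_delv_output(text: str) -> List[LimitHit]:
    """Extract every limit-exceeded record from one delv run's output."""
    hits = []
    for line in text.splitlines():
        m = EXCEEDED_RE.search(line)
        if m:
            hits.append(LimitHit(m["name"], m["rtype"], m["limit"], int(m["qc"]),
                                 int(m["max"]) if m["max"] else None))
    return hits


def summarize(run_outputs: List[str]) -> dict:
    """Aggregate several runs: how often the limit fired and on which names/TLDs."""
    per_run = [parse_delv_output(out) for out in run_outputs]
    all_hits = [h for hits in per_run for h in hits]
    runs_hit = sum(1 for hits in per_run if hits)
    return {
        "runs": len(per_run),
        "runs_hit": runs_hit,
        "hit_rate": runs_hit / len(per_run) if per_run else 0.0,
        "by_name": Counter(h.name for h in all_hits),
        # TLD of the nameserver name: the post notes spreading NS names across
        # TLDs does not stop the limit from firing, and this shows where it did.
        "by_tld": Counter(h.name.rstrip(".").rsplit(".", 1)[-1] for h in all_hits),
        "max_querycount": max((h.querycount for h in all_hits), default=0),
    }


def run_delv(qname: str, timeout: float = 30.0) -> str:
    """Assumption: collect one live sample with delv (needs network; not used offline).

    -i skips DNSSEC validation, +ns traces iterative resolution, -d99 enables the
    debug lines parsed above. Both streams are captured in case delv logs to stderr.
    """
    proc = subprocess.run(["delv", "-i", "+ns", qname, "-d99"],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


# Constructed transcripts, trimmed to the limit lines from three of the runs in the post.
SAMPLE_RUNS = [
    ";; (constructed placeholder: a run with no limit hits)\n",
    ";; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=50)\n"
    ";; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51)\n",
    ";; exceeded max queries resolving 'ns2-04.azure-dns.net/A' (max-recursion-queries, querycount=50)\n"
    ";; exceeded max queries resolving 'ns1-04.azure-dns.com/AAAA' (max-recursion-queries, querycount=51)\n"
    ";; exceeded max queries resolving 'ns3-09.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)\n"
    ";; exceeded max queries resolving 'ns3-09.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)\n"
    ";; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)\n"
    ";; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)\n",
]

if __name__ == "__main__":
    # Offline demo on the constructed transcripts; for live sampling, replace
    # SAMPLE_RUNS with [run_delv("mcr.trafficmanager.net") for _ in range(20)].
    summary = summarize(SAMPLE_RUNS)
    print(f"{summary['runs_hit']}/{summary['runs']} runs hit the limit "
          f"(rate {summary['hit_rate']:.0%}, peak querycount {summary['max_querycount']})")
    for name, n in summary["by_name"].most_common():
        print(f"  {n:2d}  {name}")
    print("  by TLD:", dict(summary["by_tld"]))
```

To reproduce the post's measurement live, feed `run_delv` output from a resolver whose cache has been flushed before each call; the per-name counts make it obvious which glue lookups are consuming the query budget, which is the first thing to check before raising max-recursion-queries on a production resolver.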
