Re: [dns-operations] mail.protection.outlook.com has EDNS issues

2022-07-06 Thread Paul Vixie via dns-operations
Matthew Richardson wrote on 2022-07-06 07:52:

> ...
>
> Alternatively, is this the sort of issue in which DNS-OARC could become
> involved by way of outreach to MS about the problems?  The lack of EDNS0
> will probably become an increasing problem over time.  This DNS setup is
> used for ALL email to Office365 business users, which is not a small
> quantity.


https://github.com/dns-violations/dns-violations

https://ednscomp.isc.org/

--
P Vixie

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] mail.protection.outlook.com has EDNS issues

2022-07-06 Thread Matthew Richardson
Aside from today's outage, the DNS for mail.protection.office.com seems to
have been very poor for a long time.  As an example from 2020, Brian Somers
lamented its state:-

https://lists.dns-oarc.net/pipermail/dns-operations/2020-April/020124.html

The scale of the general problem (after this fault has been fixed) can be
seen at:-

https://www.zonemaster.fr/result/e46bf2d6d1d70989

As MS is a Silver member of DNS-OARC, are there any MS folks on here who
might be involved with the authoritative side of
mail.protection.office.com, or who might be able to get the issue raised
internally at MS?

Alternatively, is this the sort of issue in which DNS-OARC could become
involved by way of outreach to MS about the problems?  The lack of EDNS0
will probably become an increasing problem over time.  This DNS setup is
used for ALL email to Office365 business users, which is not a small
quantity.

--
Best wishes,
Matthew


Re: [dns-operations] ns1-proddns.glbdns.o365filtering.com unreachable?

2022-07-06 Thread Viktor Dukhovni
On Wed, Jul 06, 2022 at 11:42:14AM +0200, Daniel Baumann wrote:

> ns{1,2}-proddns.glbdns.o365filtering.com resolve to the same IP, do
> not support EDNS and don't answer on TCP queries.

Well, FWIW, the same two IPs.

On Wed, Jul 06, 2022 at 11:37:38AM +0200, Stephane Bortzmeyer wrote:

> The authoritative name servers for mail.protection.outlook.com
> apparently don't reply if you use EDNS. And it seems many resolvers
> don't fallback on old-DNS (and rightly so). Seen from the RIPE Atlas
> probes, many resolvers cannot resolve names under
> mail.protection.outlook.com (here, the MX of cybercampus.fr):
> 
> ; <<>> DiG 9.16.1-Ubuntu <<>> @ns1-proddns.glbdns.o365filtering.com. NS mail.protection.outlook.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 64702
> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available

Their lack of support for EDNS, and more critically (for DANE) the fact
that they return NOTIMP instead of NXDOMAIN for TLSA queries, has been
known to me since May 2013, when I began work on RFC7672.

The nameservers are the reason for the recommendation to not issue TLSA
queries for the TLSA records of MX hosts (and assume they don't exist or
are also unsigned) when the address (A or AAAA, whichever exist) records
of those MX hosts are unsigned.

Without that work-around, DANE-enabled MTAs would not be able to send
email to e.g. nist.gov whose MX RRset is signed, but the corresponding
TLSA queries are difficult to distinguish from a downgrade attack if one
does not already know the zone is unsigned (hence the prior A/AAAA
status check):

nist-gov.mail.protection.outlook.com. IN TLSA ? ; ServFail

The load balancers in question have an exceedingly "minimal" DNS
implementation.  For example, when asked for the zone's SOA, they return
it in the authority section (so both NODATA and the actual record).

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52424
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.protection.outlook.com. IN SOA

;; AUTHORITY SECTION:
mail.protection.outlook.com. 3600 IN SOA ns1-proddns.glbdns.o365filtering.com. hostmaster.o365filtering.com. 2013010801 3600 600 86400 3600

;; MSG SIZE  rcvd: 172

They've been working (in this minimal form) for 9+ years, so I do
understand (be it without much sympathy) some reluctance to fix the
various issues, b/c they've been managing to return the requisite A
records, which is however sadly all they've been expected to do.

Ideally, something better will be deployed eventually.

--
Viktor.
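
The address-record pre-check described in the message above, as an added example that is not part of the original post: a simplified model of the RFC 7672 lookup order. The resolver table, the status strings, the policy names and `mx.signed.example` are constructed for illustration.

```python
# Hypothetical resolver view: (name, type) -> (status, dnssec_secure).
# Constructed to match the thread: the MX host sits in an unsigned zone
# and its TLSA query fails instead of returning a clean denial.
DNS = {
    ("nist-gov.mail.protection.outlook.com", "A"): ("NOERROR", False),
    ("_25._tcp.nist-gov.mail.protection.outlook.com", "TLSA"): ("SERVFAIL", False),
    ("mx.signed.example", "A"): ("NOERROR", True),
    ("_25._tcp.mx.signed.example", "TLSA"): ("NOERROR", True),
}

LOOKUP_FAILURES = {"SERVFAIL", "NOTIMP", "TIMEOUT"}

def lookup(name, rtype, log):
    """Record the query in log and return (status, secure) from the table."""
    log.append((name, rtype))
    return DNS.get((name, rtype), ("NXDOMAIN", False))

def mx_host_policy(mx_host, address_precheck=True):
    """Return (policy, queries_sent) for one MX host.

    policy is 'dane', 'no-dane' (fall back to opportunistic TLS),
    'defer' (a failed lookup could be a downgrade attack) or 'no-address'.
    """
    log = []
    status, secure = lookup(mx_host, "A", log)
    if status != "NOERROR":
        return "no-address", log
    if address_precheck and not secure:
        # Unsigned address records: assume TLSA is absent or unsigned too,
        # and never send the TLSA query the broken server cannot answer.
        return "no-dane", log
    t_status, t_secure = lookup("_25._tcp." + mx_host, "TLSA", log)
    if t_status in LOOKUP_FAILURES:
        return "defer", log
    if t_status == "NOERROR" and t_secure:
        return "dane", log
    return "no-dane", log

if __name__ == "__main__":
    host = "nist-gov.mail.protection.outlook.com"
    print(mx_host_policy(host))                          # pre-check: mail flows
    print(mx_host_policy(host, address_precheck=False))  # no pre-check: deferred
    print(mx_host_policy("mx.signed.example"))
```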


Re: [dns-operations] ns1-proddns.glbdns.o365filtering.com unreachable?

2022-07-06 Thread Daniel Baumann
Hi,

> Anyone else with trouble to reach the *.o365filtering.com DNS Servers?

yes.

this started ~mid last week only sporadically (one fail every ~12 to 24h).

since today, we cannot resolve
${tenant}-mail-onmicrosoft-com.mail.protection.outlook.com. anymore (for
which ns1-proddns.glbdns.o365filtering.com and
ns2-proddns.glbdns.o365filtering.com are authoritative).

we tried locations in Switzerland and Germany with the same result.
8.8.8.8 fails the exact same way too.

1.1.1.1 seems to be able to resolve them, so for the time being we're
stub-resolving mail.protection.outlook.com to 1.1.1.1 in order to be
able to send mails out.

also: ns{1,2}-proddns.glbdns.o365filtering.com resolve to the same IP, do
not support EDNS and don't answer on TCP queries.

Regards,
Daniel


Re: [dns-operations] ns1-proddns.glbdns.o365filtering.com unreachable?

2022-07-06 Thread Cas de Reuver
Yes, there seems to be a global outage:

July 6, 2022 11:03 AM
Title: Some users may experience delays when sending or receiving
email messages in Exchange Online
User Impact: Users may experience delays when sending or receiving email
messages in Exchange Online.
More info: Users may see the message status being stuck on 'Pending'
or 'Getting Status'.
Current status: We're analyzing service telemetry information to
determine the next troubleshooting steps.
Scope of impact: Impact is specific to some users who are served
through the affected infrastructure in Europe, Middle East, and
Africa.
Next update by: Wednesday, July 6, 2022, 1:30 PM (11:30 AM UTC)

--
Cas de Reuver
http://reuver.co

On Wed, Jul 6, 2022 at 11:03 AM Thomas Mieslinger wrote:
>
> Anyone else with trouble to reach the *.o365filtering.com DNS Servers?


Re: [dns-operations] ns1-proddns.glbdns.o365filtering.com unreachable?

2022-07-06 Thread Vladimír Čunát via dns-operations
On 06/07/2022 11.01, Thomas Mieslinger wrote:

> Anyone else with trouble to reach the *.o365filtering.com DNS Servers?


I believe that's discussed here:
https://chat.dns-oarc.net/community/pl/m864xf3xrf8adqm8kx6sdku6bo




[dns-operations] mail.protection.outlook.com has EDNS issues

2022-07-06 Thread Stephane Bortzmeyer
The authoritative name servers for mail.protection.outlook.com
apparently don't reply if you use EDNS. And it seems many resolvers
don't fallback on old-DNS (and rightly so). Seen from the RIPE Atlas
probes, many resolvers cannot resolve names under
mail.protection.outlook.com (here, the MX of cybercampus.fr):

% blaeu-resolve --type A -r 500 campuscyber-fr.mail.protection.outlook.com
[104.47.24.36 104.47.25.36] : 298 occurrences 
[ERROR: SERVFAIL] : 138 occurrences 
[] : 2 occurrences 
Test #4162 done at 2022-07-06T09:25:50Z

% dig @ns1-proddns.glbdns.o365filtering.com. NS  mail.protection.outlook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @ns1-proddns.glbdns.o365filtering.com. NS mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 64702
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

;; Query time: 43 msec
;; SERVER: 104.47.16.17#53(104.47.16.17)
;; WHEN: mer. juil. 06 11:22:28 CEST 2022
;; MSG SIZE  rcvd: 12

~ % dig +nodnssec +noedns +bufsize=0 +nocookie @ns1-proddns.glbdns.o365filtering.com. NS  mail.protection.outlook.com

; <<>> DiG 9.16.1-Ubuntu <<>> +nodnssec +noedns +bufsize +nocookie @ns1-proddns.glbdns.o365filtering.com. NS mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52148
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.protection.outlook.com. IN NS

;; ANSWER SECTION:
mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.
mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.

;; Query time: 47 msec
;; SERVER: 104.47.16.17#53(104.47.16.17)
;; WHEN: mer. juil. 06 11:22:50 CEST 2022
;; MSG SIZE  rcvd: 199
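
The EDNS versus plain-DNS comparison shown in the two dig runs above, as an added example that is not part of the original post: it builds the same question with and without an OPT record and classifies a server from the headers of the two replies. The function names, result labels and the 1232-byte buffer size are assumptions; the sample replies are header bytes constructed from the dig output.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(qname, qtype, qid, edns_bufsize=None):
    """Wire-format query; appends an EDNS0 OPT pseudo-RR when edns_bufsize is given."""
    arcount = 0 if edns_bufsize is None else 1
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", qtype, 1)  # root label, QTYPE, QCLASS=IN
    if edns_bufsize is not None:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify(edns_reply, plain_reply):
    """Compare replies to one question sent with and without EDNS (None = timeout)."""
    plain_ok = plain_reply is not None and parse_header(plain_reply)["rcode"] == "NOERROR"
    if edns_reply is None:
        return "edns-dropped" if plain_ok else "unreachable"
    hdr = parse_header(edns_reply)
    if hdr["rcode"] == "FORMERR" and plain_ok:
        # qdcount 0 means the server did not even echo the question back
        return "edns-formerr-no-question" if hdr["qdcount"] == 0 else "edns-formerr"
    if hdr["rcode"] == "NOERROR":
        return "edns-answered"
    return "other:" + hdr["rcode"]

# Constructed headers mirroring the two dig outputs above (header bytes only).
FORMERR_REPLY = struct.pack("!6H", 64702, 0x8101, 0, 0, 0, 0)  # qr rd, FORMERR, 12 bytes
PLAIN_REPLY = struct.pack("!6H", 52148, 0x8500, 1, 2, 0, 0)    # qr aa rd, NOERROR, 2 answers

if __name__ == "__main__":
    q = build_query("mail.protection.outlook.com", 2, 64702, edns_bufsize=1232)
    print(len(q), parse_header(q))
    print(classify(FORMERR_REPLY, PLAIN_REPLY))
```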


[dns-operations] ns1-proddns.glbdns.o365filtering.com unreachable?

2022-07-06 Thread Thomas Mieslinger

Anyone else with trouble to reach the *.o365filtering.com DNS Servers?