On 23. 09. 25 19:45, Florian Lohoff wrote:
> I got reports that some gitlab/runner/docker stuff sporadically failed
> and it turned out it's caused by trafficmanager.net which has been
> reported here in the past already to misbehave.
> So the host in question is mcr.microsoft.com which hosts docker images for
> dotnet which fails sporadically to resolve with bind 9.18.33 on Debian/Bookworm
> as well as Debian/Trixie with 9.20.11-4.
Indeed.
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=51)
TL;DR their setup is so complicated that resolution from an empty cache
is hitting limits designed to prevent misuse/stop attackers from
exploiting resolvers.
We can either:
A. raise limit and get another vulnerability report in a couple of months, or
B. keep current limits and suffer occasional failure.
I can't tell what's worse.
--
Petr Špaček
Internet Systems Consortium
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
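Added illustration of the failure mode discussed above; this is not code from the thread or from BIND. It models a resolver that, before it can ask a zone anything, must learn the addresses of that zone's name servers, and where those server names sit in another zone (no glue in the referral) each costs its own A and AAAA lookup that can cascade further. All names are constructed (site.net., p-org.org., p-net.net., p-com.com.), the budget of 20 is chosen to fit this small tree (the quoted delv output hit the limit at 50), and "querycount" here is the toy's own counter, not BIND's.

```python
class LimitExceeded(Exception): pass  # per-lookup budget (cf. max-recursion-queries) spent
# Constructed delegation tree with hypothetical names: zone -> NS hostnames. site.net.'s
# servers live in p-org, theirs in p-net, theirs in p-com; only p-com's come with glue.
ZONES = {
    ".": ["root.ex."], "ex.": ["root.ex."],
    "net.": ["tld.ex."], "org.": ["tld.ex."], "com.": ["tld.ex."],
    "site.net.": [f"ns{i}.p-org.org." for i in range(1, 5)],
    "p-org.org.": [f"ns{i}.p-net.net." for i in range(1, 5)],
    "p-net.net.": [f"ns{i}.p-com.com." for i in range(1, 5)],
    "p-com.com.": [f"ns{i}.p-com.com." for i in range(1, 5)],
}

def cuts(name):  # zone cuts from the root down, e.g. ['.', 'net.', 'site.net.']
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

class Resolver:
    def __init__(self, limit, known_addrs=()):
        self.limit, self.count = limit, 0
        self.addrs = set(known_addrs)  # NS hostnames whose address is cached
        self.nsets = {"."}             # zones whose NS set is cached (root hints)
    def send(self, qname, qtype, zone):  # one question to a server of `zone`
        self.count += 1                  # every question counts against the budget
        if self.count > self.limit:
            raise LimitExceeded(f"exceeded max queries resolving {qname}/{qtype} "
                                f"(querycount={self.count})")
    def ensure_addrs(self, zone):  # before asking `zone` anything, get its servers' addresses
        for ns in ZONES[zone]:
            if ns in self.addrs:
                continue
            if zone != "." and not ns.endswith("." + zone):  # no glue: look the name up
                for qtype in ("A", "AAAA"):
                    self.resolve(ns, qtype)
            self.addrs.add(ns)  # root hints or glue cover the remaining cases
    def resolve(self, qname, qtype):  # walk from the deepest zone whose NS set is cached
        chain = [z for z in cuts(qname) if z in ZONES]
        start = max(i for i, z in enumerate(chain) if z in self.nsets)
        for i in range(start, len(chain)):
            self.ensure_addrs(chain[i])
            self.send(qname, qtype, chain[i])  # yields a referral, or the final answer
            if i + 1 < len(chain):
                self.nsets.add(chain[i + 1])

def lookup(limit, known_addrs=()):  # resolve site.net./A -> (succeeded, queries sent, message)
    r = Resolver(limit, known_addrs)
    try:
        r.resolve("site.net.", "A")
        return True, r.count, ""
    except LimitExceeded as e:
        return False, r.count, str(e)
```

From an empty cache the lookup needs 29 questions and fails a budget of 20 while resolving one of the provider's own server names, exactly the shape of the delv output; with the provider's NS addresses already cached (`lookup(20, ZONES["p-org.org."] + ZONES["p-net.net."])`) it needs 16 and succeeds, which is why the failure is sporadic rather than constant.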