Re: [mailop] onmicrosoft DNS gone awry

2018-03-08 Thread t...@pelican.org 
On Thursday, 8 March, 2018 16:28, "Ken O'Driscoll via mailop" 
 said:
 

> That looks like a problem with your local resolver. My guess is that you
> are doing some sort of query forwarding or maybe querying the root servers
> in an improper manner.


It looks pretty odd from here too.
 
If you query any of ns{1,2,3,4}.bdm.microsoftonline.com for an A record for 
something.onmicrosoft.com, you get an empty answer, but the AA flag set and an 
SOA record in the Authority section indicating that the server believes it's 
authoritative:
 
tim@fluffkin:~$ dig @ns2.bdm.microsoftonline.com. www.onmicrosoft.com.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns2.bdm.microsoftonline.com. 
www.onmicrosoft.com.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9954
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.onmicrosoft.com.   IN  A

;; AUTHORITY SECTION:
www.onmicrosoft.com.1   IN  SOA ns1.bdm.microsoftonline.com. 
msnhst.microsoft.com. 2007070100 10800 1800 691200 3600

;; Query time: 118 msec
;; SERVER: 2a01:111:f406:3403::41#53(2a01:111:f406:3403::41)
;; WHEN: Thu Mar 08 16:52:38 GMT 2018
;; MSG SIZE  rcvd: 128



Similarly if you ask for another record type for the naked onmicrosoft.com, 
e.g. MX, you get an answer, still with an AA flag but no Authority:

tim@fluffkin:~$ dig mx @ns2.bdm.microsoftonline.com. onmicrosoft.com.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> mx @ns2.bdm.microsoftonline.com. 
onmicrosoft.com.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28820
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;onmicrosoft.com.   IN  MX

;; ANSWER SECTION:
onmicrosoft.com.86400   IN  MX  0 ns1.bdm.microsoftonline.com.
onmicrosoft.com.86400   IN  MX  0 ns3.bdm.microsoftonline.com.

;; ADDITIONAL SECTION:
ns1.bdm.microsoftonline.com. 86400 IN   A   207.46.15.59
ns1.bdm.microsoftonline.com. 86400 IN   2a01:111:f406:1804::59
ns3.bdm.microsoftonline.com. 86400 IN   A   191.232.83.138
ns3.bdm.microsoftonline.com. 86400 IN   2a01:111:f406:b400::22

;; Query time: 117 msec
;; SERVER: 2a01:111:f406:3403::41#53(2a01:111:f406:3403::41)
;; WHEN: Thu Mar 08 16:54:51 GMT 2018
;; MSG SIZE  rcvd: 195


But if you ask for an A record for onmicrosoft.com, you get an empty answer, 
but no AA flag and an Authority section filled with NS records.  The absence of 
AA flag says that the server doesn't think it's authoritative, and you should 
try the servers suggested in the Authority section instead - but those point 
back to exactly the same place, forming a loop:

tim@fluffkin:~$ dig @ns2.bdm.microsoftonline.com. onmicrosoft.com.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns2.bdm.microsoftonline.com. onmicrosoft.com.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43173
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;onmicrosoft.com.   IN  A

;; AUTHORITY SECTION:
onmicrosoft.com.86400   IN  NS  ns2.bdm.microsoftonline.com.
onmicrosoft.com.86400   IN  NS  ns3.bdm.microsoftonline.com.
onmicrosoft.com.86400   IN  NS  ns4.bdm.microsoftonline.com.
onmicrosoft.com.86400   IN  NS  ns1.bdm.microsoftonline.com.

;; ADDITIONAL SECTION:
ns2.bdm.microsoftonline.com. 86400 IN   A   157.56.81.41
ns2.bdm.microsoftonline.com. 86400 IN   2a01:111:f406:3403::41
ns3.bdm.microsoftonline.com. 86400 IN   A   191.232.83.138
ns3.bdm.microsoftonline.com. 86400 IN   2a01:111:f406:b400::22
ns4.bdm.microsoftonline.com. 86400 IN   A   157.55.45.9
ns4.bdm.microsoftonline.com. 86400 IN   2a01:111:f406:8003::22
ns1.bdm.microsoftonline.com. 86400 IN   A   207.46.15.59
ns1.bdm.microsoftonline.com. 86400 IN   2a01:111:f406:1804::59

;; Query time: 117 msec
;; SERVER: 2a01:111:f406:3403::41#53(2a01:111:f406:3403::41)
;; WHEN: Thu Mar 08 17:03:53 GMT 2018
;; MSG SIZE  rcvd: 315


Maybe my DNS-fu is rusty, but that doesn't look correct to me.

Regards,
Tim.



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] onmicrosoft DNS gone awry

2018-03-08 Thread Andrew C Aitchison 

On Thu, 8 Mar 2018, Lyle Giese wrote:

I am unable to get to onmicrosoft.com(hosted exchange), doing a dig 
+trace onmicrosoft.com ends up:


onmicrosoft.com.    86400   IN  NS ns4.bdm.microsoftonline.com.
onmicrosoft.com.    86400   IN  NS ns1.bdm.microsoftonline.com.
onmicrosoft.com.    86400   IN  NS ns2.bdm.microsoftonline.com.
onmicrosoft.com.    86400   IN  NS ns3.bdm.microsoftonline.com.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups

Lyle Giese

LCR Computer Services, Inc.


I'm getting the same from a UK home ISP.___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] onmicrosoft DNS gone awry

2018-03-08 Thread Ken O'Driscoll via mailop 
On Thu, 2018-03-08 at 09:51 -0600, Lyle Giese wrote:
> I am unable to get to onmicrosoft.com(hosted exchange), doing a dig 
> +trace onmicrosoft.com ends up:
[...snip...]
> ;; BAD (HORIZONTAL) REFERRAL
> dig: too many lookups

That looks like a problem with your local resolver. My guess is that you
are doing some sort of query forwarding or maybe querying the root servers
in an improper manner. 

Ken.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop