[swinog] Re: DNS lookup failed from Bluewin client with bluewin DNS

[Gasoo via swinog]

Hello

The network where our resolvers are located was blocked on the DNS 
servers which are authoritative for the domain.
Only one location was affected, so it was working for customers, which 
landed on different locations via anycast.
The operators of the authoritative DNS servers have removed our network 
from the blacklist, thus the problem should be solved.


Kind regards
Stephan

On 18/04/2023 14.38, Rémy Duchet via swinog wrote:

Hello,
We have a complaint from a customer, with unreachable website (stepcom.ch 
hosted on cloudflare).
No DNS answer for domain for multiple DNS server of Bluewin (195.186.4.107 - 
109 and 195.186.1.110 - 111 )
All working fine with an open DNS server. (Quad, Google etc).

Could someone at Bluewin could check that ?

Thanks.
Rémy
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

Re: [swinog] Missing DNS A records for several domains hosted by swisscom.com

[Gasoo]

Hi Tobi

The records were deleted around 10.01.2020.
If you could tell me which domains are still pointing to this records, 
that would be helpful.

I'll contact you offlist as soon as I have more information.

Kind Regards
Stephan

On 07/02/2020 10.45, Tobi wrote:

Hi

hope someone from Swisscom reads here. We're currently seeing that DNS A
records for MX hosts of several domains disappeared. They all using


mtainXX.mailsecurity.swisscom.com

as MX record. But there are no A records for those MX


; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>>
mtain01.mailsecurity.swisscom.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47048
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mtain01.mailsecurity.swisscom.com. IN  A

;; AUTHORITY SECTION:
swisscom.com.   574 IN  SOA dns3.swisscom.com. 
admin\.dns.swisscom.com.
42532 21600 3600 604800 600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Feb 07 10:42:03 CET 2020
;; MSG SIZE  rcvd: 113


; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>>
mtain02.mailsecurity.swisscom.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56271
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mtain02.mailsecurity.swisscom.com. IN  A

;; AUTHORITY SECTION:
swisscom.com.   574 IN  SOA dns3.swisscom.com. 
admin\.dns.swisscom.com.
42532 21600 3600 604800 600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Feb 07 10:42:03 CET 2020
;; MSG SIZE  rcvd: 113


According to our passive DNS data there are at least 63 domains using
one of these hosts as their MX.

--

Cheers

tobi


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog




___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog

Re: [swinog] Mail to CNAME a thing?

[Gasoo]

Hi

I might be wrong but according to RFC 2821 it is ok to use a CNAME if 
the target is resolvable to A or MX.


3.6 Domains

   Only resolvable, fully-qualified, domain names (FQDNs) are permitted
   when domain names are used in SMTP.  In other words, names that can
   be resolved to MX RRs or A RRs (as discussed in section 5) are
   permitted, as are CNAME RRs whose targets can be resolved, in turn,
   to MX or A RRs.  Local nicknames or unqualified names MUST NOT be
   used.


However, the target domain in this case is not working correctly.

Short:
The nameserver konfiguration at the .com level is wrong.
OR
The configuration of the nameservers at the domain level is wrong

See https://zonemaster.net/test/60c7bac42eb6e304


Long:
The Domain resolves to a CNAME:
;; QUESTION SECTION:
;accountprotection.microsoft.com. IN    A

;; ANSWER SECTION:
accountprotection.microsoft.com. 2877 IN CNAME mail.msa.msidentity.com.

;; AUTHORITY SECTION:
msa.msidentity.com.    7200    IN    SOA    usw1.akam.net. 
hostmaster.akamai.com. 1518736843 43200 7200 604800 7200



The domain msa.msidentity.com has the follwoing NS records at the TLD 
servers:

;; QUESTION SECTION:
;msa.msidentity.com.        IN    NS

;; AUTHORITY SECTION:
msidentity.com.        172800    IN    NS    usw1.akam.net.
msidentity.com.        172800    IN    NS    eur2.akam.net.
msidentity.com.        172800    IN    NS    use2.akam.net.
msidentity.com.        172800    IN    NS    ns1-169.akam.net.
msidentity.com.        172800    IN    NS    ns1.p09.dynect.net.
msidentity.com.        172800    IN    NS    ns3.p09.dynect.net.
msidentity.com.        172800    IN    NS    ns2.p09.dynect.net.
msidentity.com.        172800    IN    NS    ns4.p09.dynect.net.


On the *.akam.net servers it has only the *.akam.net servers as NS:
; <<>> DiG 9.11.2 <<>> @usw1.akam.net. msa.msidentity.com. ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44395
;; flags: qr aa; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 12

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;msa.msidentity.com.        IN    NS

;; ANSWER SECTION:
msa.msidentity.com.    172800    IN    NS    use2.akam.net.
msa.msidentity.com.    172800    IN    NS    eur2.akam.net.
msa.msidentity.com.    172800    IN    NS    usc3.akam.net.
msa.msidentity.com.    172800    IN    NS    ns1-169.akam.net.
msa.msidentity.com.    172800    IN    NS    use5.akam.net.
msa.msidentity.com.    172800    IN    NS    usw1.akam.net.
msa.msidentity.com.    172800    IN    NS    ns1-68.akam.net.
msa.msidentity.com.    172800    IN    NS    eur4.akam.net.


On the *.dynect.net servers the zone is different:
; <<>> DiG 9.11.2 <<>> @ns1.p09.dynect.net. msa.msidentity.com. ns +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44314
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;msa.msidentity.com.        IN    NS

;; AUTHORITY SECTION:
msidentity.com.        1800    IN    SOA    ns1.p09.dynect.net. 
aadnetsre.microsoft.com. 23844 3600 600 604800 1800



It seems that not all of those NS have the same zone data.


The *.akam.net servers answer to MX queries:

; <<>> DiG 9.11.2 <<>> @usw1.akam.net. mail.msa.msidentity.com. MX +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4484
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.msa.msidentity.com.    IN    MX

;; ANSWER SECTION:
mail.msa.msidentity.com. 7200    IN    MX    5 mx1.hotmail.com.
mail.msa.msidentity.com. 7200    IN    MX    10 
accountprotection-microsoft-com.mail.protection.outlook.com.

mail.msa.msidentity.com. 7200    IN    MX    5 mx3.hotmail.com.
mail.msa.msidentity.com. 7200    IN    MX    5 mx4.hotmail.com.
mail.msa.msidentity.com. 7200    IN    MX    5 mx2.hotmail.com.

;; Query time: 9 msec
;; SERVER: 23.61.199.66#53(23.61.199.66)
;; WHEN: Mon Feb 19 15:46:49 CET 2018
;; MSG SIZE  rcvd: 212


But the *.dynect.net. servers dont:

; <<>> DiG 9.11.2 <<>> @ns2.p09.dynect.net. mail.msa.msidentity.com. MX 
+norec

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45448
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.msa.msidentity.com.    IN    MX

;; AUTHORITY SECTION:
msidentity.com.        1800    IN    SOA    ns1.p09.dynect.net. 
aadnetsre.microsoft.com. 23844 3600 600 604800 1800


;; Query time: 17 msec
;; SERVER: 204.13.250.9#53(204.13.250.9)
;; WHEN: Mon Feb 19 15:48:00 CET 2018
;; MSG SIZE  rcvd: 126



So depending on which server the query goes to, it