What has recently changed related to Office 365's ".mail.eo.outlook.com" domain?
I removed the following line from my named.conf file and the request is now working.
    query-source address * port 53;
The following was forwarded to me from someone I reached out to...
As you know, DNS queries from DNS servers could come from a source port of 53. A while back, because of some security issues, BIND started allowing the randomization of source ports. However, often DNS servers are configured to use the traditional behavior of using source port 53.
e.g. the query-source address * port 53 directive
This was often done because port randomization behind masqueraded connections or some firewalls ended up using all the size of caching and translation tables.
Both methods worked equally well... until recently.
We have noticed that ATT and Microsoft Live hosted domains are having a problem, in that if the source port of the DNS query is below port 1024, you cannot do a DNS MX record lookup (No servers could be reached).
Needless to say, that can cause email delivery interruptions.
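The fix in the answer above is removing a pinned source port from named.conf. As an added example (not part of the original answer and not BIND's own tooling), this Python sketch scans a configuration for query-source directives that fix the port; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Matches BIND "query-source" / "query-source-v6" statements, e.g.
#   query-source address * port 53;
STMT = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);", re.IGNORECASE)
PORT = re.compile(r"\bport\s+(\*|\d+)", re.IGNORECASE)


def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", "", text)


def audit_query_source(conf_text):
    """Return (statement, port, finding) for every pinned source port."""
    findings = []
    for m in STMT.finditer(strip_comments(conf_text)):
        port = PORT.search(m.group(2))
        if port is None or port.group(1) == "*":
            continue  # no port or wildcard: the resolver randomizes the port
        number = int(port.group(1))
        if number < 1024:
            finding = ("fixed privileged source port: no randomization, and "
                       "queries from ports below 1024 were dropped by the "
                       "servers described on this page")
        else:
            finding = "fixed source port: no randomization"
        findings.append((" ".join(m.group(0).split()), number, finding))
    return findings


# Constructed sample configuration, not taken from the original post.
SAMPLE = """
options {
    directory "/var/named";
    // query-source address * port 5353;   (commented out, ignored)
    query-source address * port 53;
    query-source-v6 address * port *;
};
"""

if __name__ == "__main__":
    for stmt, port, finding in audit_query_source(SAMPLE):
        print(f"{stmt} -> {finding}")
```
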
Tobi
Updated on September 18, 2022
Comments
-
Tobi almost 2 years
DNS resolution worked fine in late March, but now, some resolvers (my resolver on my LAN behind NAT, and my ISP RCN's resolver) have problems with hostnames in this zone, while others (e.g., Google's 8.8.8.8) do not.
These DNS queries are NOT whitewashed. You can query any hostname in the ".mail.eo.outlook.com" zone.
GOOGLE CAN RESOLVE IT . . .
    $ dig anything.mail.eo.outlook.com @8.8.8.8
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26750
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com. IN A
    ;; ANSWER SECTION:
    anything.mail.eo.outlook.com. 10 IN A 213.199.154.87
    anything.mail.eo.outlook.com. 10 IN A 213.199.154.23
    ;; Query time: 45 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Apr 4 12:32:01 2013
    ;; MSG SIZE rcvd: 78
While my resolver, and RCN's cannot:
    $ dig anything.mail.eo.outlook.com @192.168.42.108
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @192.168.42.108
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    $ dig anything.mail.eo.outlook.com @97.107.142.193
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @97.107.142.193
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
The resolvers do function correctly on other zones:
    $ dig +short www.google.com @192.168.42.108
    74.125.131.105
    74.125.131.106
    74.125.131.147
    74.125.131.99
    74.125.131.103
    74.125.131.104
    $ dig +short www.amizon.com @192.168.42.108
    rewrite.amazon.com.
    72.21.210.29
    $ dig +short www.google.com @97.107.142.193
    74.125.228.49
    74.125.228.50
    74.125.228.51
    74.125.228.52
    74.125.228.48
    $ dig +short www.amizon.com @97.107.142.193
    rewrite.amazon.com.
    207.171.166.22
IF I DIG STEP BY STEP . . .
Who is auth for outlook.com? Let's ask 192.35.51.30 (that's f.gtld-servers.net ).
    $ dig ns outlook.com @192.35.51.30
    ; <<>> DiG 9.8.3-P1 <<>> ns outlook.com @192.35.51.30
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11775
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 10
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;outlook.com. IN NS
    ;; AUTHORITY SECTION:
    outlook.com. 172800 IN NS nse1.msft.net.
    outlook.com. 172800 IN NS nse5.msft.net.
    outlook.com. 172800 IN NS nse2.msft.net.
    outlook.com. 172800 IN NS nse3.msft.net.
    outlook.com. 172800 IN NS nse4.msft.net.
    ;; ADDITIONAL SECTION:
    nse1.msft.net. 172800 IN AAAA 2a01:111:2005::1:1
    nse1.msft.net. 172800 IN A 65.55.37.62
    nse5.msft.net. 172800 IN AAAA 2a01:111:200f:1::1:1
    nse5.msft.net. 172800 IN A 65.55.226.140
    nse2.msft.net. 172800 IN AAAA 2a01:111:2006:6::1:1
    nse2.msft.net. 172800 IN A 64.4.59.173
    nse3.msft.net. 172800 IN A 213.199.180.53
    nse3.msft.net. 172800 IN AAAA 2a01:111:2020::1:1
    nse4.msft.net. 172800 IN A 207.46.75.254
    nse4.msft.net. 172800 IN AAAA 2404:f800:2003::1:1
    ;; Query time: 97 msec
    ;; SERVER: 192.35.51.30#53(192.35.51.30)
    ;; WHEN: Thu Apr 4 13:57:45 2013
    ;; MSG SIZE rcvd: 352
Ask one of those nameservers for an answer...
    $ dig soa anything.mail.eo.outlook.com @65.55.37.62
    ; <<>> DiG 9.8.3-P1 <<>> soa anything.mail.eo.outlook.com @65.55.37.62
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19950
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com. IN SOA
    ;; AUTHORITY SECTION:
    mail.eo.outlook.com. 7200 IN NS ns2-prodeodns.glbdns.o365filtering.com.
    mail.eo.outlook.com. 7200 IN NS ns1-prodeodns.glbdns.o365filtering.com.
    ;; Query time: 95 msec
    ;; SERVER: 65.55.37.62#53(65.55.37.62)
    ;; WHEN: Thu Apr 4 14:36:33 2013
    ;; MSG SIZE rcvd: 142
So the zone is delegated, let's look up the IP of the delegated NS...
    $ dig +short ns1-prodeodns.glbdns.o365filtering.com
    65.55.169.42
    207.46.100.42
And then ask them both...
    $ dig anything.mail.eo.outlook.com @65.55.169.42
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @65.55.169.42
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33481
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com. IN A
    ;; ANSWER SECTION:
    anything.mail.eo.outlook.com. 10 IN A 213.199.154.87
    anything.mail.eo.outlook.com. 10 IN A 213.199.154.23
    ;; Query time: 55 msec
    ;; SERVER: 65.55.169.42#53(65.55.169.42)
    ;; WHEN: Thu Apr 4 14:38:21 2013
    ;; MSG SIZE rcvd: 134
    $ dig anything.mail.eo.outlook.com @207.46.100.42
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @207.46.100.42
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36656
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com. IN A
    ;; ANSWER SECTION:
    anything.mail.eo.outlook.com. 10 IN A 213.199.154.87
    anything.mail.eo.outlook.com. 10 IN A 213.199.154.23
    ;; Query time: 91 msec
    ;; SERVER: 207.46.100.42#53(207.46.100.42)
    ;; WHEN: Thu Apr 4 14:38:31 2013
    ;; MSG SIZE rcvd: 134
-
Tobi about 11 years
I just found this mail-archive.com/[email protected]/msg13952.html
-
Tobi about 11 years
THIS is most definitely an answer! It makes perfect sense, I'll see if it fixes my problem too...
-
Mark Ormston about 11 years
I had the same problem with *.mail.protection.outlook.com and this solved it. Thank you isaac!