What has recently changed related to Office 365's ".mail.eo.outlook.com" domain?

I removed the following line from my named.conf file and the request is now working.

query-source address * port 53;

The following was forwarded to me from someone I reached out to...

As you know, DNS queries from DNS servers could come from a source port of 53. A while back, because of some security issues, BIND started allowing the randomization of source ports. However, DNS servers are often configured to use the traditional behavior of using source port 53,

e.g. the query-source address * port 53 directive.

This was often done because, behind masqueraded connections or some firewalls, port randomization ended up using up all the space in caching and translation tables.

Both methods worked equally well... until recently.

We have noticed that AT&T and Microsoft Live hosted domains are having a problem, in that if the source port of the DNS query is below port 1024, you cannot do a DNS MX record lookup (No servers could be reached).

Needless to say, that can cause email delivery interruptions.
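As an added check (not code from the answer, from BIND, or from the commenters), a small Python linter that finds the query-source / query-source-v6 directives pinning the source port, as the answer describes, and rewrites them to port *, BIND's randomizing default; the sample named.conf is constructed. Besides the lookup failures reported above, a fixed source port also gives up the cache-poisoning resistance that source-port randomization was introduced for.

```python
"""Find and fix pinned query source ports in a BIND named.conf (added example)."""
import re

# A query-source / query-source-v6 directive up to its terminating semicolon.
QS_RE = re.compile(r"\bquery-source(?P<v6>-v6)?\b(?P<body>[^;]*);", re.IGNORECASE)
# The optional 'port N' or 'port *' clause inside such a directive.
PORT_RE = re.compile(r"\bport\s+(\*|\d+)", re.IGNORECASE)

# Constructed sample config carrying the directive the answer removed (IPv4 and IPv6 forms).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    /* pinned to 53 for the firewall's sake, which is what the answer removed */
    query-source address * port 53;
    query-source-v6 address * port 53;
    recursion yes;
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def find_fixed_query_source_ports(conf_text):
    """Return (directive, port, severity) for every directive that pins a port.

    Ports below 1024 are 'high': the answer reports such queries get no reply
    from some authoritative servers. Any fixed port is at least 'medium'
    because it disables the source-port randomization BIND uses against
    cache poisoning.
    """
    findings = []
    for m in QS_RE.finditer(strip_comments(conf_text)):
        directive = "query-source-v6" if m.group("v6") else "query-source"
        pm = PORT_RE.search(m.group("body"))
        if pm is None or pm.group(1) == "*":
            continue  # no port clause, or 'port *': BIND randomizes, nothing to flag
        port = int(pm.group(1))
        findings.append((directive, port, "high" if port < 1024 else "medium"))
    return findings


def fix_query_source(conf_text):
    """Rewrite every pinned 'port N' to 'port *' so BIND randomizes again."""
    def repl(m):
        name = m.group(0)[: m.start("body") - m.start()]  # directive name as written
        return name + PORT_RE.sub("port *", m.group("body")) + ";"
    return QS_RE.sub(repl, conf_text)
```

Run it against a real named.conf and reload BIND after applying the rewrite; a resolver that must sit behind a NAT with small translation tables needs the NAT sized for randomized ports rather than a pinned port.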


Author: Tobi

Updated on September 18, 2022

Comments

  • Tobi (almost 2 years ago)

    DNS resolution worked fine in late March, but now some resolvers (my resolver on my LAN behind NAT, and my ISP RCN's resolver) have problems with hostnames in this zone, while others (e.g., Google's 8.8.8.8) do not.

    These DNS queries are NOT whitewashed. You can query any hostname in the ".mail.eo.outlook.com" zone.

    GOOGLE CAN RESOLVE IT . . .

    $ dig anything.mail.eo.outlook.com @8.8.8.8
    
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26750
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com.  IN  A
    
    ;; ANSWER SECTION:
    anything.mail.eo.outlook.com. 10 IN A   213.199.154.87
    anything.mail.eo.outlook.com. 10 IN A   213.199.154.23
    
    ;; Query time: 45 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Apr  4 12:32:01 2013
    ;; MSG SIZE  rcvd: 78
    

    While my resolver, and RCN's cannot:

    $ dig anything.mail.eo.outlook.com @192.168.42.108
    
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @192.168.42.108
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    $ dig anything.mail.eo.outlook.com @97.107.142.193
    
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @97.107.142.193
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    

    The resolvers do function correctly on other zones:

    $ dig +short www.google.com @192.168.42.108
    74.125.131.105
    74.125.131.106
    74.125.131.147
    74.125.131.99
    74.125.131.103
    74.125.131.104
    $ dig +short www.amizon.com @192.168.42.108
    rewrite.amazon.com.
    72.21.210.29
    $ dig +short www.google.com @97.107.142.193
    74.125.228.49
    74.125.228.50
    74.125.228.51
    74.125.228.52
    74.125.228.48
    $ dig +short www.amizon.com @97.107.142.193
    rewrite.amazon.com.
    207.171.166.22
    

    IF I DIG STEP BY STEP . . .

    Who is authoritative for outlook.com? Let's ask 192.35.51.30 (that's f.gtld-servers.net).

    $ dig ns outlook.com @192.35.51.30
    
    ; <<>> DiG 9.8.3-P1 <<>> ns outlook.com @192.35.51.30
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11775
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 10
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;outlook.com.           IN  NS
    
    ;; AUTHORITY SECTION:
    outlook.com.        172800  IN  NS  nse1.msft.net.
    outlook.com.        172800  IN  NS  nse5.msft.net.
    outlook.com.        172800  IN  NS  nse2.msft.net.
    outlook.com.        172800  IN  NS  nse3.msft.net.
    outlook.com.        172800  IN  NS  nse4.msft.net.
    
    ;; ADDITIONAL SECTION:
    nse1.msft.net.      172800  IN  AAAA    2a01:111:2005::1:1
    nse1.msft.net.      172800  IN  A   65.55.37.62
    nse5.msft.net.      172800  IN  AAAA    2a01:111:200f:1::1:1
    nse5.msft.net.      172800  IN  A   65.55.226.140
    nse2.msft.net.      172800  IN  AAAA    2a01:111:2006:6::1:1
    nse2.msft.net.      172800  IN  A   64.4.59.173
    nse3.msft.net.      172800  IN  A   213.199.180.53
    nse3.msft.net.      172800  IN  AAAA    2a01:111:2020::1:1
    nse4.msft.net.      172800  IN  A   207.46.75.254
    nse4.msft.net.      172800  IN  AAAA    2404:f800:2003::1:1
    
    ;; Query time: 97 msec
    ;; SERVER: 192.35.51.30#53(192.35.51.30)
    ;; WHEN: Thu Apr  4 13:57:45 2013
    ;; MSG SIZE  rcvd: 352
    

    Ask one of those nameservers for an answer...

    $ dig soa anything.mail.eo.outlook.com @65.55.37.62
    
    ; <<>> DiG 9.8.3-P1 <<>> soa anything.mail.eo.outlook.com @65.55.37.62
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19950
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com.  IN  SOA
    
    ;; AUTHORITY SECTION:
    mail.eo.outlook.com.    7200    IN  NS  ns2-prodeodns.glbdns.o365filtering.com.
    mail.eo.outlook.com.    7200    IN  NS  ns1-prodeodns.glbdns.o365filtering.com.
    
    ;; Query time: 95 msec
    ;; SERVER: 65.55.37.62#53(65.55.37.62)
    ;; WHEN: Thu Apr  4 14:36:33 2013
    ;; MSG SIZE  rcvd: 142
    

    So the zone is delegated; let's look up the IP of the delegated NS...

    $ dig +short ns1-prodeodns.glbdns.o365filtering.com
    65.55.169.42
    207.46.100.42
    

    And then ask them both...

    $ dig anything.mail.eo.outlook.com @65.55.169.42
    
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @65.55.169.42
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33481
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com.  IN  A
    
    ;; ANSWER SECTION:
    anything.mail.eo.outlook.com. 10 IN A   213.199.154.87
    anything.mail.eo.outlook.com. 10 IN A   213.199.154.23
    
    ;; Query time: 55 msec
    ;; SERVER: 65.55.169.42#53(65.55.169.42)
    ;; WHEN: Thu Apr  4 14:38:21 2013
    ;; MSG SIZE  rcvd: 134
    
    $ dig anything.mail.eo.outlook.com @207.46.100.42
    
    ; <<>> DiG 9.8.3-P1 <<>> anything.mail.eo.outlook.com @207.46.100.42
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36656
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;anything.mail.eo.outlook.com.  IN  A
    
    ;; ANSWER SECTION:
    anything.mail.eo.outlook.com. 10 IN A   213.199.154.87
    anything.mail.eo.outlook.com. 10 IN A   213.199.154.23
    
    ;; Query time: 91 msec
    ;; SERVER: 207.46.100.42#53(207.46.100.42)
    ;; WHEN: Thu Apr  4 14:38:31 2013
    ;; MSG SIZE  rcvd: 134
    
  • Tobi (about 11 years ago)
    THIS is most definitely an answer! It makes perfect sense, I'll see if it fixes my problem too...
  • Mark Ormston (about 11 years ago)
    I had the same problem with *.mail.protection.outlook.com and this solved it. Thank you Isaac!