[dns-operations] is there anyone from microsoft on the list?

Sebastian Castro sebastian at nzrs.net.nz
Wed Mar 17 02:04:18 UTC 2010


Tomas L. Byrnes wrote:
> Or perhaps your firewall or router is blocking TCP DNS, which is,
> unfortunately, a very common misconfiguration, done in the name of
> "security" (when it in fact breaks many forms of security that use DNS).
> 

I confirm ns1.msft.net is refusing TCP DNS and my firewall is allowing
such traffic.

If you try the same query with the +ignore flag you get

dig +norec @ns1.msft.net -x 207.46.197.32 +ignore

; <<>> DiG 9.6.1-P2 <<>> +norec @ns1.msft.net -x 207.46.197.32 +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15216
;; flags: qr aa tc; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;32.197.46.207.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
32.197.46.207.in-addr.arpa. 3600 IN	PTR	400plusdifferences.ca.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	5iantlavalamp.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	academiczone.ch.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	activeviews.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	activeviews.net.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	adatum.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	adatum.net.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	adatum.org.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	adventure-works.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	adventure-works.net.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	adventure-works.org.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	ageofmythology.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	alacris.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	allsorted.co.nz.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	alpineskihouse.com.
32.197.46.207.in-addr.arpa. 3600 IN	PTR	alpineskihouse.net.

;; Query time: 188 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Wed Mar 17 14:58:03 2010
;; MSG SIZE  rcvd: 488


If you try to use EDNS to signal a larger buffer, you get

dig +norec @ns1.msft.net -x 207.46.197.32 +ignore +bufsize=1024

; <<>> DiG 9.6.1-P2 <<>> +norec @ns1.msft.net -x 207.46.197.32 +ignore +bufsize=1024
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 12842
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;32.197.46.207.in-addr.arpa.	IN	PTR

;; Query time: 167 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Wed Mar 17 14:58:23 2010
;; MSG SIZE  rcvd: 55


If you go directly to use TCP

dig +norec @ns1.msft.net -x 207.46.197.32 +tcp

; <<>> DiG 9.6.1-P2 <<>> +norec @ns1.msft.net -x 207.46.197.32 +tcp
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


and I'm sure the TCP DNS traffic is allowed in the firewall, because I
can do

dig any se @a.ns.se +tcp +dnssec

and get a

[Rest of the response deleted]
;; Query time: 701 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Wed Mar 17 15:02:47 2010
;; MSG SIZE  rcvd: 4549


Cheers!

> 
> 
>> -----Original Message-----
>> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Robert Edmonds
>> Sent: Tuesday, March 16, 2010 4:13 PM
>> To: dns-operations at lists.dns-oarc.net
>> Subject: [dns-operations] is there anyone from microsoft on the list?
>>
>> ns[1-5].msft.net are broken; they set the TC bit on certain UDP
>> responses but do not respond to TCP queries.
>>
>>     microsoft.com has address 207.46.197.32
>>     microsoft.com has address 207.46.232.182
>>     microsoft.com mail is handled by 10 mail.messaging.microsoft.com.
>>
>>     46.207.in-addr.arpa.    86400   IN  NS  ns1.msft.net.
>>     46.207.in-addr.arpa.    86400   IN  NS  ns2.msft.net.
>>     46.207.in-addr.arpa.    86400   IN  NS  ns5.msft.net.
>>     46.207.in-addr.arpa.    86400   IN  NS  ns4.msft.net.
>>     46.207.in-addr.arpa.    86400   IN  NS  ns3.msft.net.
>>     ;; Received 142 bytes from 2001:500:31::63#53(x.arin.net) in 105 ms
>>     $ dig +norec @ns1.msft.net -x 207.46.197.32
>>     ;; Truncated, retrying in TCP mode.
>>
>>     ; <<>> DiG 9.7.0 <<>> +norec @ns1.msft.net -x 207.46.197.32
>>     ; (1 server found)
>>     ;; global options: +cmd
>>     ;; connection timed out; no servers could be reached
>>
>> packet capture is attached.
>>
>> --
>> Robert Edmonds
>> edmonds at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations


-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
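Added example (not part of the thread, and not Microsoft's or dig's code): a standard-library Python probe that runs the same three checks Sebastian did by hand, plain UDP for the TC bit, UDP with an EDNS0 OPT RR for the FORMERR, and a TCP query for fallback, and flags a server whose large answers are unreachable. The helper names are mine; the server and query name are the ones from the thread, and the header bytes it is tested against are constructed, not taken from a capture.

```python
import socket
import struct

# Hypothetical helpers; wire formats follow RFC 1035 (DNS) and RFC 6891 (EDNS0).

def build_query(qname, qtype=12, qid=0x1234, edns_bufsize=None):
    """Non-recursive query (RD=0, as with dig +norec); qtype 12 = PTR.
    With edns_bufsize set, append an OPT RR advertising that UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)                 # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=0 (ext-rcode/version/flags), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def classify(resp):
    """Classify a response from its 12-byte header: ('formerr'|'truncated'|'ok', rcode)."""
    _, flags, _, _, _, _ = struct.unpack("!HHHHHH", resp[:12])
    tc, rcode = bool(flags & 0x0200), flags & 0x000F       # TC bit, RCODE (1 = FORMERR)
    if rcode == 1:
        return "formerr", rcode
    return ("truncated" if tc else "ok"), rcode

def udp_exchange(server, query, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)                                 # socket.timeout propagates on no answer
        s.sendto(query, (server, 53))
        return s.recv(4096)

def check_server(server, qname, timeout=3.0):
    """Run the three probes from the thread and report which failure modes are present."""
    f = {}
    f["udp_truncated"] = classify(udp_exchange(server, build_query(qname), timeout))[0] == "truncated"
    edns_q = build_query(qname, edns_bufsize=1024)
    f["edns_formerr"] = classify(udp_exchange(server, edns_q, timeout))[0] == "formerr"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            q = build_query(qname)
            t.sendall(struct.pack("!H", len(q)) + q)          # TCP framing: 2-byte length prefix
            (length,) = struct.unpack("!H", t.recv(2))
            f["tcp_answers"] = classify(t.recv(length))[0] != "formerr"
    except OSError:                                           # refused or timed out, as in the thread
        f["tcp_answers"] = False
    # The broken case: truncated over UDP, no fallback over TCP -> large answers cannot be fetched
    f["large_answers_unreachable"] = f["udp_truncated"] and not f["tcp_answers"]
    return f

if __name__ == "__main__":
    print(check_server("ns1.msft.net", "32.197.46.207.in-addr.arpa"))
```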