[dns-operations] is there anyone from microsoft on the list?
Sebastian Castro
sebastian at nzrs.net.nz
Wed Mar 17 02:04:18 UTC 2010
Tomas L. Byrnes wrote:
> Or perhaps your firewall or router is blocking TCP DNS, which is,
> unfortunately, a very common misconfiguration, done in the name of
> "security" (when it in fact breaks many forms of security that use DNS).
>
I confirm ns1.msft.net is refusing TCP DNS and my firewall is allowing
such traffic.
If you try the same query with the +ignore flag you get
dig +norec @ns1.msft.net -x 207.46.197.32 +ignore
; <<>> DiG 9.6.1-P2 <<>> +norec @ns1.msft.net -x 207.46.197.32 +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15216
;; flags: qr aa tc; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;32.197.46.207.in-addr.arpa. IN PTR
;; ANSWER SECTION:
32.197.46.207.in-addr.arpa. 3600 IN PTR 400plusdifferences.ca.
32.197.46.207.in-addr.arpa. 3600 IN PTR 5iantlavalamp.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR academiczone.ch.
32.197.46.207.in-addr.arpa. 3600 IN PTR activeviews.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR activeviews.net.
32.197.46.207.in-addr.arpa. 3600 IN PTR adatum.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR adatum.net.
32.197.46.207.in-addr.arpa. 3600 IN PTR adatum.org.
32.197.46.207.in-addr.arpa. 3600 IN PTR adventure-works.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR adventure-works.net.
32.197.46.207.in-addr.arpa. 3600 IN PTR adventure-works.org.
32.197.46.207.in-addr.arpa. 3600 IN PTR ageofmythology.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR alacris.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR allsorted.co.nz.
32.197.46.207.in-addr.arpa. 3600 IN PTR alpineskihouse.com.
32.197.46.207.in-addr.arpa. 3600 IN PTR alpineskihouse.net.
;; Query time: 188 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Wed Mar 17 14:58:03 2010
;; MSG SIZE rcvd: 488
If you try to use EDNS to signal a larger buffer, you get
dig +norec @ns1.msft.net -x 207.46.197.32 +ignore +bufsize=1024
; <<>> DiG 9.6.1-P2 <<>> +norec @ns1.msft.net -x 207.46.197.32 +ignore +bufsize=1024
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 12842
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;32.197.46.207.in-addr.arpa. IN PTR
;; Query time: 167 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Wed Mar 17 14:58:23 2010
;; MSG SIZE rcvd: 55
If you go directly to use TCP
dig +norec @ns1.msft.net -x 207.46.197.32 +tcp
; <<>> DiG 9.6.1-P2 <<>> +norec @ns1.msft.net -x 207.46.197.32 +tcp
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
and I'm sure the TCP DNS traffic is allowed in the firewall, because I
can do
dig any se @a.ns.se +tcp +dnssec
and get a
[Rest of the response deleted]
;; Query time: 701 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Wed Mar 17 15:02:47 2010
;; MSG SIZE rcvd: 4549
Cheers!
>
>
>> -----Original Message-----
>> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Robert Edmonds
>> Sent: Tuesday, March 16, 2010 4:13 PM
>> To: dns-operations at lists.dns-oarc.net
>> Subject: [dns-operations] is there anyone from microsoft on the list?
>>
>> ns[1-5].msft.net are broken; they set the TC bit on certain UDP
>> responses but do not respond to TCP queries.
>>
>> microsoft.com has address 207.46.197.32
>> microsoft.com has address 207.46.232.182
>> microsoft.com mail is handled by 10 mail.messaging.microsoft.com.
>>
>> 46.207.in-addr.arpa. 86400 IN NS ns1.msft.net.
>> 46.207.in-addr.arpa. 86400 IN NS ns2.msft.net.
>> 46.207.in-addr.arpa. 86400 IN NS ns5.msft.net.
>> 46.207.in-addr.arpa. 86400 IN NS ns4.msft.net.
>> 46.207.in-addr.arpa. 86400 IN NS ns3.msft.net.
>> ;; Received 142 bytes from 2001:500:31::63#53(x.arin.net) in 105 ms
>> $ dig +norec @ns1.msft.net -x 207.46.197.32
>> ;; Truncated, retrying in TCP mode.
>>
>> ; <<>> DiG 9.7.0 <<>> +norec @ns1.msft.net -x 207.46.197.32
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>>
>> packet capture is attached.
>>
>> --
>> Robert Edmonds
>> edmonds at isc.org
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
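The three-step probe used in the message above (plain UDP query, UDP query with an EDNS(0) OPT record, then the same query over TCP), written out as an added example. This is not code from the original post or from any of its authors; it is a stand-alone Python 3 script using only the standard library, and the function names are my own. The two sample response headers at the bottom are constructed here to mirror the flag and RCODE combinations visible in the dig output (id, flags and section counts only, no answer records), so demo() runs offline; probe() performs the live sequence against a real server and is the only part that touches the network.

```python
"""Reproduce the UDP -> EDNS(0) -> TCP probe from the thread with the stdlib only."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_PTR, TYPE_OPT, CLASS_IN = 12, 41, 1


def reverse_name(ipv4):
    """207.46.197.32 -> 32.197.46.207.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def encode_name(name):
    """Wire-format owner name: length-prefixed labels terminated by the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname, qtype=TYPE_PTR, qid=None, rd=False, edns_bufsize=None):
    """Non-recursive query (dig +norec); edns_bufsize adds an OPT RR like dig +bufsize=N."""
    qid = random.randrange(65536) if qid is None else qid
    flags = 0x0100 if rd else 0x0000
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns_bufsize else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_bufsize:
        # OPT RR (RFC 6891): root owner, TYPE 41, CLASS field carries the UDP payload
        # size, TTL field carries extended RCODE/version/flags (all zero), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header: QR/AA/TC bits, RCODE and the four section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def diagnose(udp_hdr, edns_hdr, tcp_reachable):
    """Turn the three observations into findings; the last one is the breakage in the thread."""
    findings = []
    if udp_hdr["tc"]:
        findings.append("UDP answer truncated (TC=1); resolvers will retry over TCP")
    if edns_hdr is not None and edns_hdr["rcode"] == "FORMERR":
        findings.append("OPT RR rejected with FORMERR; cannot negotiate a larger UDP payload")
    if not tcp_reachable:
        findings.append("no answer on TCP/53")
    if udp_hdr["tc"] and not tcp_reachable:
        findings.append("BROKEN: truncated UDP with no TCP fallback; lookups of this name fail")
    return findings


def udp_exchange(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed TCP/53 mid-message")
        buf += chunk
    return buf


def tcp_exchange(server, query, timeout=3.0):
    """RFC 1035 4.2.2: on TCP every message is prefixed by a two-byte length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server_ip, ipv4):
    """Live version of the thread's sequence: UDP, UDP+EDNS(0), TCP; returns findings."""
    qname = reverse_name(ipv4)
    udp_hdr = parse_header(udp_exchange(server_ip, build_query(qname)))
    edns_hdr = parse_header(udp_exchange(server_ip, build_query(qname, edns_bufsize=1024)))
    try:
        tcp_exchange(server_ip, build_query(qname))
        tcp_ok = True
    except OSError:  # timeout, refused, reset, or closed mid-message
        tcp_ok = False
    return diagnose(udp_hdr, edns_hdr, tcp_ok)


# Constructed sample headers (header bytes only) mirroring the dig output above:
# "flags: qr aa tc ... ANSWER: 16" and "status: FORMERR ... ADDITIONAL: 1".
SAMPLE_TRUNCATED_UDP = struct.pack("!HHHHHH", 15216, 0x8600, 1, 16, 0, 0)
SAMPLE_FORMERR_EDNS = struct.pack("!HHHHHH", 12842, 0x8001, 1, 0, 0, 1)


def demo():
    """Offline run of diagnose() over the constructed samples with TCP unreachable."""
    return diagnose(parse_header(SAMPLE_TRUNCATED_UDP), parse_header(SAMPLE_FORMERR_EDNS), False)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The 55-byte size of the FORMERR reply in the thread matches what build_query() produces for the same name with a 1024-byte OPT record (12-byte header, 28-byte owner name, 4 bytes QTYPE/QCLASS, 11-byte OPT RR), which is consistent with the server echoing the question and OPT sections back unchanged.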