mcr.microsoft.com / trafficmanager.net again

Florian Lohoff f at zz.de
Tue Sep 23 17:45:40 UTC 2025 

I got reports that some gitlab/runner/docker stuff sporadically failed 
and it turned out its caused by trafficmanager.net which has been 
reported here in the past already to misbehave.

So the host in question is mcr.microsoft.com which hosts docker images for
dotnet which fails sporadically to resolve with bind 9.18.33 on Debian/Bookworm
aswell as Debian/Trixie with 9.20.11-4.

;; ANSWER SECTION:
mcr.microsoft.com.	40	IN	CNAME	mcr.trafficmanager.net.
mcr.trafficmanager.net.	40	IN	CNAME	mcr-0001.mcr-msedge.net.
mcr-0001.mcr-msedge.net. 40	IN	A	150.171.69.10
mcr-0001.mcr-msedge.net. 40	IN	A	150.171.70.10

After debugging i found that i can reliably trigger it when flushing
the cache. Previous reports had v4/v6 indifferences. In this case its
v4 only with "dnssec-validation no;"

Once the host successfully resolved it only fails sporadically, i guess
caused by the low ttls and some cache expiry.

root at dnstest-trixie:/tmp# dpkg -l bind9 | grep ^ii
ii  bind9          1:9.20.11-4  amd64        Internet Domain Name Server
root at dnstest-trixie:/tmp# rndc flush; for i in 1 2 3 4 5  6 7 8 9 0; do dig  -t cname mcr.trafficmanager.net @localhost | grep status ; sleep 2; done
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29555
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35650
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51146
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61121
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24384
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65086
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50226
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63898
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28750
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25243
root at dnstest-trixie:/tmp# rndc flush; for i in 1 2 3 4 5  6 7 8 9 0; do dig  -t cname mcr.trafficmanager.net @localhost | grep status ; sleep 2; done
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56049
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48192
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35103
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47369
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8478
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4581
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17626
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58256
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62685
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11774
root at dnstest-trixie:/tmp# rndc flush; for i in 1 2 3 4 5  6 7 8 9 0; do dig  -t cname mcr.trafficmanager.net @localhost | grep status ; sleep 2; done
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24885
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16846
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34394
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25253
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60834
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35364
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10299
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37346
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64553
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30751

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20250923/b5d667f2/attachment.sig>

More information about the dns-operations mailing list