[dns-operations] mcr.microsoft.com / trafficmanager.net again
Petr Špaček
pspacek at isc.org
Tue Sep 23 20:21:07 UTC 2025
On 23. 09. 25 19:45, Florian Lohoff wrote:
>
> I got reports that some gitlab/runner/docker stuff sporadically failed
> and it turned out it's caused by trafficmanager.net which has been
> reported here in the past already to misbehave.
>
> So the host in question is mcr.microsoft.com which hosts docker images for
> dotnet which fails sporadically to resolve with bind 9.18.33 on
> Debian/Bookworm as well as Debian/Trixie with 9.20.11-4.
Indeed.
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA'
(max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A'
(max-recursion-queries, querycount=51)
TL;DR their setup is so complicated that resolution from an empty cache
is hitting limits designed to prevent misuse/stop attackers from
exploiting resolvers.

We can either:
A. raise the limit and get another vulnerability report in a couple of months, or
B. keep the current limits and suffer occasional failure.

I can't tell what's worse.
--
Petr Špaček
Internet Systems Consortium
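
An added example, not part of the original message and not ISC code: a small parser that pulls the "exceeded max queries" messages out of saved delv debug output, in the format quoted above, and reports per name which record types hit the limit and the highest querycount seen. The function names and the sample text are constructed for illustration; the two matching messages are copied from the post, the other lines are made up.

```python
import re
from collections import defaultdict

# Message text as it appears in the delv output quoted in the post. The \s*
# before "(" covers the line wrap between the name and the limit details.
LIMIT_RE = re.compile(
    r"exceeded max queries resolving '(?P<name>[^'/]+)/(?P<rtype>[A-Za-z0-9-]+)'"
    r"\s*\((?P<limit>[a-z-]+), querycount=(?P<count>\d+)\)"
)

# Constructed sample input: the two messages from the post plus filler lines.
SAMPLE = """\
;; constructed filler line that must not match
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA'
(max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A'
(max-recursion-queries, querycount=51)
;; another constructed filler line
"""

def find_limit_hits(text):
    """Return one dict per 'exceeded max queries' message found in text."""
    hits = []
    for m in LIMIT_RE.finditer(text):
        name = m["name"].lower().rstrip(".") or "."   # keep the root as "."
        hits.append({"name": name, "rtype": m["rtype"].upper(),
                     "limit": m["limit"], "querycount": int(m["count"])})
    return hits

def summarize(hits):
    """Group hits by name: affected record types, limits, highest querycount."""
    out = defaultdict(lambda: {"rtypes": set(), "limits": set(), "max_querycount": 0})
    for h in hits:
        entry = out[h["name"]]
        entry["rtypes"].add(h["rtype"])
        entry["limits"].add(h["limit"])
        entry["max_querycount"] = max(entry["max_querycount"], h["querycount"])
    return dict(out)

if __name__ == "__main__":
    for name, info in sorted(summarize(find_limit_hits(SAMPLE)).items()):
        print(f"{name}: types={sorted(info['rtypes'])} "
              f"limits={sorted(info['limits'])} max_querycount={info['max_querycount']}")
```
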