[dns-operations] mcr.microsoft.com / trafficmanager.net again

Peter Hessler phessler at theapt.org
Tue Sep 23 20:48:52 UTC 2025


On 2025 Sep 23 (Tue) at 22:21:07 +0200 (+0200), Petr Špaček wrote:
:On 23. 09. 25 19:45, Florian Lohoff wrote:
:> 
:> I got reports that some gitlab/runner/docker stuff sporadically failed
:> and it turned out it's caused by trafficmanager.net which has been
:> reported here in the past already to misbehave.
:> 
:> So the host in question is mcr.microsoft.com which hosts docker images for
:> dotnet which fails sporadically to resolve with bind 9.18.33 on
:> Debian/Bookworm as well as Debian/Trixie with 9.20.11-4.
:Indeed.
:
:$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
:;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA'
:(max-recursion-queries, querycount=50)
:;; exceeded max queries resolving 'ns3-04.azure-dns.org/A'
:(max-recursion-queries, querycount=51)
:
:TL;DR their setup is so complicated that resolution from an empty cache is
:hitting limits designed to prevent misuse/stop attackers from exploiting
:resolvers.
:
:We can either:
:A. raise limit and get another vulnerability report in a couple of months, or
:B. keep current limits and suffer occasional failure.
:
:I can't tell what's worse.
:
:-- 
:Petr Špaček
:Internet Systems Consortium


IMHO, leave it as is and yell at Microsoft to fix their broken stuff.

They break too much of the internet (web, email, etc) as it is.



-- 
I have yet to see any problem, however complicated, which, when looked
at in the right way, did not become still more complicated.
		-- Poul Anderson
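
The delv output quoted above, turned into a small triage helper: this is an added example, not part of the original message or of BIND, and it assumes only the line format shown in the thread (including the e-mail line wrap and `:`/`>` quote prefixes). The names `SAMPLE`, `unwrap` and `limit_hits` are hypothetical.

```python
import re

# Constructed sample: the two delv messages quoted in the thread, wrapped the
# way the e-mail wrapped them, plus one filler line that must be ignored.
SAMPLE = """\
;; constructed filler line, not real delv output
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA'
(max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A'
(max-recursion-queries, querycount=51)
"""

EVENT = re.compile(
    r"exceeded max queries resolving '(?P<name>[^'/]+)/(?P<rtype>[A-Z0-9]+)'"
    r"\s*\((?P<limit>[a-z-]+),\s*querycount=(?P<count>\d+)\)"
)

def unwrap(text):
    """Re-join messages whose '(limit, querycount=N)' part wrapped to a new line."""
    out = []
    for line in text.splitlines():
        body = line.lstrip(":> \t")  # drop mail quote prefixes, if any
        if body.startswith("(") and out:
            out[-1] += " " + body
        else:
            out.append(line)
    return out

def limit_hits(text):
    """Map (owner name, limit name) -> record types affected and highest querycount."""
    hits = {}
    for line in unwrap(text):
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["name"].lower().rstrip("."), m["limit"])
        entry = hits.setdefault(key, {"rtypes": [], "max_count": 0})
        if m["rtype"] not in entry["rtypes"]:
            entry["rtypes"].append(m["rtype"])
        entry["max_count"] = max(entry["max_count"], int(m["count"]))
    return hits

if __name__ == "__main__":
    for (name, limit), e in limit_hits(SAMPLE).items():
        print(f"{name}: {limit} hit for {'/'.join(e['rtypes'])}, "
              f"querycount up to {e['max_count']}")
```

Grouping by owner name shows which delegation's name servers exhaust the per-resolution query budget, which is the evidence to attach when reporting the zone setup to its operator.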

