[dns-operations] mcr.microsoft.com / trafficmanager.net again
Ondřej Surý
ondrej at sury.org
Tue Sep 23 22:00:32 UTC 2025
> On 23. 9. 2025, at 22:21, Petr Špaček <pspacek at isc.org> wrote:
>
> TL;DR their setup is so complicated that resolution from an empty cache is hitting limits designed to prevent misuse/stop attackers from exploiting resolvers.
It's kind of random whether you hit the limits or not though...
$ delv -i +ns mcr.trafficmanager.net -d99 | grep excee
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns4-09.azure-dns.info/AAAA' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns4-09.azure-dns.info/A' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51)
$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
;; exceeded max queries resolving 'ns2-04.azure-dns.net/A' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'ns1-04.azure-dns.com/AAAA' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-09.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'ns3-04.azure-dns.org/A' (max-recursion-queries, querycount=51, maxqueries=50)
$
FTR distributing the DNS among multiple TLDs does not increase resiliency. In fact, I believe
using direct in-domain nameservers is the best option instead of this madness. I have an old
blog post on this I might revive and put somewhere again.
Ondrej
--
Ondřej Surý (He/Him)
ondrej at sury.org
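To put a number on the difference between the two layouts discussed above, here is an added example that is not part of the thread: a toy model that counts how many queries a resolver sends from an empty cache. The zone and nameserver names are constructed, not the real records of mcr.trafficmanager.net or the Azure DNS zones, and the counting rules are simplifying assumptions rather than BIND's actual resolver algorithm.

```python
def count_queries(delegations, target, rtype="A"):
    """Toy count of queries sent from an empty cache for target/rtype.

    Assumptions (a simplification, not BIND's exact behaviour):
      * each distinct (name, type) is queried once, answers are cached;
      * first contact with a TLD costs one root query, first contact with
        a zone costs one query to its TLD for the referral;
      * glue exists only for nameservers named inside the zone they serve,
        so every out-of-bailiwick nameserver needs its own A and AAAA lookups.
    """
    fetched, tlds_seen, zones_seen = set(), set(), set()

    def zone_of(name):
        return max((z for z in delegations if name.endswith("." + z)), key=len)

    def resolve(name, rtype):
        if (name, rtype) in fetched:
            return 0
        fetched.add((name, rtype))
        zone = zone_of(name)
        tld = zone.rsplit(".", 2)[-2] + "."
        n = 1  # the query to the zone's own servers
        if tld not in tlds_seen:
            tlds_seen.add(tld)
            n += 1  # root referral to the TLD
        if zone not in zones_seen:
            zones_seen.add(zone)
            n += 1  # TLD referral to the zone
        for ns in delegations[zone]:
            if ns.endswith("." + zone):
                continue  # in-bailiwick: glue arrives with the referral
            n += resolve(ns, "A") + resolve(ns, "AAAA")
        return n

    return resolve(target, rtype)

# Constructed "spread" layout: the target zone is delegated to four providers
# in four TLDs, and each provider zone is served by one in-bailiwick server
# plus three servers living in the other providers' zones.
PROVIDERS = ["dns-a.com.", "dns-b.net.", "dns-c.org.", "dns-d.info."]
SPREAD = {"example.net.": [f"ns{i + 1}-04.{z}" for i, z in enumerate(PROVIDERS)]}
for z in PROVIDERS:
    SPREAD[z] = [f"ns{i + 1}-09.{p}" for i, p in enumerate(PROVIDERS)]

# Constructed "in-domain" layout: nameservers named inside the zone, glue in the parent.
IN_DOMAIN = {"example.net.": ["ns1.example.net.", "ns2.example.net."]}

if __name__ == "__main__":
    for label, layout in (("spread", SPREAD), ("in-domain", IN_DOMAIN)):
        print(f"{label:10s} {count_queries(layout, 'mcr.example.net.')} queries from an empty cache")
```

With these assumptions the spread layout needs 26 queries before the first answer, the in-domain layout 3, which is why a per-query limit like max-recursion-queries is only ever in play for the former.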