mcr.microsoft.com / trafficmanager.net again
Florian Lohoff
f at zz.de
Wed Sep 24 09:38:49 UTC 2025
On Tue, Sep 23, 2025 at 10:21:07PM +0200, Petr Špaček wrote:
>On 23. 09. 25 19:45, Florian Lohoff wrote:
>>
>>I got reports that some gitlab/runner/docker stuff sporadically
>>failed and it turned out it's caused by trafficmanager.net which has
>>been reported here in the past already to misbehave.
>>
>>So the host in question is mcr.microsoft.com which hosts docker images for
>>dotnet which fails sporadically to resolve with bind 9.18.33 on
>>Debian/Bookworm as well as Debian/Trixie with 9.20.11-4.
>Indeed.
>
>$ delv -i +ns mcr.trafficmanager.net -d99 | grep exce
>;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA'
>(max-recursion-queries, querycount=50)
>;; exceeded max queries resolving 'ns3-04.azure-dns.org/A'
>(max-recursion-queries, querycount=51)
>
>TL;DR their setup is so complicated that resolution from an empty
>cache is hitting limits designed to prevent misuse/stop attackers from
>exploiting resolvers.
The cache-cold setup can be fixed with max-recursion-queries 100; but
I still see sporadic SERVFAIL although frequency/probability dropped.
Flo
--
Florian Lohoff f at zz.de
Any sufficiently advanced technology is indistinguishable from magic.
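
An added example, not part of either post: a small Python parser for the "exceeded max queries" lines shown in the quoted delv output, which tallies per name and record type how often a limit tripped in a longer debug log. The sample input is constructed from the two messages quoted above (including the mail line wrapping and `>` quoting); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two messages from the thread, wrapped and quoted
# the way they appear in the mail.
SAMPLE = """\
>;; exceeded max queries resolving 'ns3-04.azure-dns.org/AAAA'
>(max-recursion-queries, querycount=50)
>;; exceeded max queries resolving 'ns3-04.azure-dns.org/A'
>(max-recursion-queries, querycount=51)
"""

PATTERN = re.compile(
    r"exceeded max queries resolving '(?P<name>[^'/]+)/(?P<rrtype>[A-Za-z0-9-]+)'"
    r"\s*\((?P<limit>[a-z-]+), querycount=(?P<count>\d+)\)"
)

def unwrap(text):
    """Drop mail quote markers and rejoin wrapped lines: a line that starts
    with '(' is treated as the continuation of the previous line."""
    out = []
    for line in text.splitlines():
        stripped = line.lstrip("> ").strip()
        if stripped.startswith("(") and out:
            out[-1] += " " + stripped
        elif stripped:
            out.append(stripped)
    return out

def summarize(text):
    """Return {(name, rrtype): {"hits", "max_querycount", "limit"}}."""
    summary = defaultdict(lambda: {"hits": 0, "max_querycount": 0, "limit": None})
    for line in unwrap(text):
        m = PATTERN.search(line)
        if not m:
            continue  # unrelated debug output
        entry = summary[(m["name"].lower(), m["rrtype"].upper())]
        entry["hits"] += 1
        entry["max_querycount"] = max(entry["max_querycount"], int(m["count"]))
        entry["limit"] = m["limit"]
    return dict(summary)

if __name__ == "__main__":
    for (name, rrtype), e in sorted(summarize(SAMPLE).items()):
        print(f"{name}/{rrtype}: {e['hits']} hit(s), "
              f"querycount up to {e['max_querycount']} ({e['limit']})")
```

The reported querycount is the counter value at the moment resolution was cut off, so the summary shows which lookups trip the limit rather than how many queries a complete resolution would need.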