<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Symbol";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hiya all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m investigating an issue that is affecting a client of ours, they are seeing a high number of SERVFAILs for queries send to various children zones of .mail.protection.outlook.com. I’ve noticed that when querying for mail.protection.outlook.com,
and any child zones, directly against the authoritative nameservers listed in the nameserver records for that zone, I see a FORMERR response code and a warning that requests the disabling of EDNS when querying.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To provide an example, I query the internet for the nameserver records of mail.protection.outlook.com, I’ve used Cloudflare to ensure that our corporate resolvers had no impact on the result.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI Symbol",sans-serif">❯</span> dig mail.protection.outlook.com NS @1.1.1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">; <<>> DiG 9.17.9 <<>> mail.protection.outlook.com NS @1.1.1.1<o:p></o:p></p>
<p class="MsoNormal">;; global options: +cmd<o:p></o:p></p>
<p class="MsoNormal">;; Got answer:<o:p></o:p></p>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25269<o:p></o:p></p>
<p class="MsoNormal">;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; OPT PSEUDOSECTION:<o:p></o:p></p>
<p class="MsoNormal">; EDNS: version: 0, flags:; udp: 1232<o:p></o:p></p>
<p class="MsoNormal">;; QUESTION SECTION:<o:p></o:p></p>
<p class="MsoNormal">;mail.protection.outlook.com. IN NS<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; ANSWER SECTION:<o:p></o:p></p>
<p class="MsoNormal">mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal">mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; Query time: 56 msec<o:p></o:p></p>
<p class="MsoNormal">;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)<o:p></o:p></p>
<p class="MsoNormal">;; WHEN: Wed Oct 06 11:39:15 BST 2021<o:p></o:p></p>
<p class="MsoNormal">;; MSG SIZE rcvd: 129<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Then querying mail.protection.outlook.com against ns1-proddns.glbdns.o365filtering.com, I expect to see an SOA, but instead I see a FORMERR<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI Symbol",sans-serif">❯</span> dig mail.protection.outlook.com soa @ns1-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">; <<>> DiG 9.17.9 <<>> mail.protection.outlook.com soa @ns1-proddns.glbdns.o365filtering.com.<o:p></o:p></p>
<p class="MsoNormal">;; global options: +cmd<o:p></o:p></p>
<p class="MsoNormal">;; Got answer:<o:p></o:p></p>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 10885<o:p></o:p></p>
<p class="MsoNormal">;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0<o:p></o:p></p>
<p class="MsoNormal">;; WARNING: recursion requested but not available<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">;; Query time: 26 msec<o:p></o:p></p>
<p class="MsoNormal">;; SERVER: 104.47.72.81#53(104.47.72.81) (UDP)<o:p></o:p></p>
<p class="MsoNormal">;; WHEN: Wed Oct 06 11:41:06 BST 2021<o:p></o:p></p>
<p class="MsoNormal">;; MSG SIZE rcvd: 12<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I was wondering if anyone else has noticed this behaviour previously, and could provide any reasoning behind it? Is anyone else seeing failures with queries for mail.protection.outlook.com and any child zones of the aforementioned?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many thanks! <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">--<br>
Martin George<br>
DNS Engineer<br>
Nominet UK<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>