Looks like the authoritative nameservers cannot handle EDNS(0) queries (standardized in 1999, RFC 2671). While this is not a problem per se, the FORMERR response is not according to the RFC. For more details see: https://ednscomp.isc.org/ednscomp/17c95198e4#edns
Name resolution therefore relies on retries by the resolver until it has figured out how to talk to this authoritative nameserver.
I guess this could be the source of your problem, as such retries are error-prone or can lead to timeouts.
If you are using BIND you can avoid these retries altogether by using:
    // avoid using EDNS(0) for the following nameservers
    server 157.55.234.42 { edns false; };
    server 157.56.112.42 { edns false; };
    server 23.103.145.81 { edns false; };
    server 157.56.112.42 { edns false; };
See the BIND ARM manual for more information: https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html#server_state...
Note, EDNS workarounds are going to disappear. See: https://ripe76.ripe.net/presentations/159-edns.pdf
Daniel, SWITCH
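An added example, not part of the original mail and not BIND's own code: a Python sketch of the exchange described above, building a query that carries an EDNS(0) OPT record and classifying the reply by its RCODE and by whether an OPT record came back. The name host.example.invalid and both sample replies are constructed placeholders, not captured traffic.

```python
import struct

OPT, FORMERR = 41, 1  # OPT pseudo-RR type, RCODE 1 (format error)

def build_query(name, edns=True, msg_id=0x1234, bufsize=4096):
    """Non-recursive A query; edns=True appends an EDNS(0) OPT record."""
    hdr = struct.pack("!6H", msg_id, 0, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    msg = hdr + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:  # root owner, TYPE=OPT, CLASS=UDP size, TTL=0 (version 0), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return msg

def skip_name(msg, off):
    """Offset just past a domain name (labels or a compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_reply(msg):
    """Return (rcode, has_opt, verdict) for the reply to an EDNS(0) query."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, off, has_opt = flags & 0xF, 12, False
    try:
        for _ in range(qd):                      # question section
            off = skip_name(msg, off) + 4
        for _ in range(an + ns + ar):            # all resource records
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            has_opt |= rtype == OPT
    except (struct.error, IndexError):
        return rcode, has_opt, "malformed reply"
    if rcode == FORMERR:
        return rcode, has_opt, "FORMERR: resolver has to retry without EDNS"
    return rcode, has_opt, "EDNS answered" if has_opt else "EDNS ignored"

# Constructed sample replies (not captured traffic) for a placeholder name.
QUERY = build_query("host.example.invalid")
QUESTION = QUERY[12:-11]  # strip the 12-byte header and the 11-byte OPT record
REPLY_FORMERR = struct.pack("!6H", 0x1234, 0x8001, 1, 0, 0, 0) + QUESTION
REPLY_EDNS = (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 1) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
              + bytes([192, 0, 2, 1]) + QUERY[-11:])

print(classify_reply(REPLY_FORMERR), classify_reply(REPLY_EDNS))
```

The first verdict is the case that forces the retry mentioned above; logging it per authoritative server address shows which servers a resolver keeps falling back for.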
On 22.05.18 11:09, Ralf Zenklusen, BAR Informatik AG wrote:
Hi,
we see sporadic DNS resolver errors for A records of *.mail.protection.outlook.com
Only a few per day vs many successful lookups.
Anybody else seeing these?
Kind regards
Ralf
Ralf Zenklusen
Dipl. El. Ing. HTL
Head of Internet
BAR Informatik AG
Weidenweg 235
3902 Brig-Glis
Tel +41 27 922 48 48
www.barinformatik.ch www.rhone.ch r.zenklusen@barinformatik.ch