DNS answers are empty after ttl expired.

Hello,

I encountered a strange DNS problem at one of my sites. When I resolve “login.microsoftonline.com”, it works for a few minutes and then I receive an empty DNS response.

After a little research, I found out that the problem is related to the DNS cache and the different TTLs of the recursive resolution of “login.microsoftonline.com”.

login.microsoftonline.com has a TTL of approx. 3,5h and all following resolved entries have a TTL of 5min.

If I resolve login.microsoftonline.com the first time, the DNS server caches all entries.

 1   login.microsoftonline.com                       CNAME  login.mso.msidentity.com.                        11m57s
 2   login.mso.msidentity.com                        CNAME  ak.privatelink.msidentity.com.                   1m8s
 3   ak.privatelink.msidentity.com                   CNAME  www.tm.ak.prd.aadg.trafficmanager.net.           1m8s
 4   www.tm.ak.prd.aadg.trafficmanager.net           A      20.190.154.16                                    1m8s
 5   www.tm.ak.prd.aadg.trafficmanager.net           A      40.126.26.135                                    1m8s
 6   www.tm.ak.prd.aadg.trafficmanager.net           A      20.190.154.136                                   1m8s
 7   www.tm.ak.prd.aadg.trafficmanager.net           A      20.190.154.18                                    1m8s
 8   www.tm.ak.prd.aadg.trafficmanager.net           A      20.190.154.139                                   1m8s
 9   www.tm.ak.prd.aadg.trafficmanager.net           A      20.190.154.137                                   1m8s
10   www.tm.ak.prd.aadg.trafficmanager.net           A      40.126.26.132                                    1m8s
11   www.tm.ak.prd.aadg.trafficmanager.net           A      20.190.154.17                                    1m8s

After the TTL expires, the entries are deleted, except the entry for login.microsoftonline.com.

 1   login.microsoftonline.com             CNAME  login.mso.msidentity.com.                     10m7s

From this point on, login.microsoftonline.com gets an empty response, as long as the TTL of login.microsoftonline.com has not expired.

My current DNS configuration is:

/ip dns
set allow-remote-requests=yes cache-max-ttl=15m cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=768 query-server-timeout=2s query-total-timeout=10s servers=1.1.1.1 use-doh-server="" verify-doh-cert=no

Is this a configuration issue or a bug?
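A toy model of the behaviour described above, added here as an example; it is not code from the post or from RouterOS, and the upstream record table, the Cache class and the resolve() logic are assumptions built from the TTLs shown in the post:

```python
# Constructed upstream view of the chain in the post: a long-lived apex
# CNAME (about 3.5 h) over 5-minute records (one of the eight A records kept).
UPSTREAM = {
    "login.microsoftonline.com": ("CNAME", "login.mso.msidentity.com", 12600),
    "login.mso.msidentity.com": ("CNAME", "ak.privatelink.msidentity.com", 300),
    "ak.privatelink.msidentity.com": ("CNAME", "www.tm.ak.prd.aadg.trafficmanager.net", 300),
    "www.tm.ak.prd.aadg.trafficmanager.net": ("A", "20.190.154.16", 300),
}
MAX_TTL = 900  # mirrors the router's cache-max-ttl=15m

class Cache:
    """Minimal TTL cache: name -> (rtype, data, absolute expiry in seconds)."""
    def __init__(self):
        self.entries = {}
    def get(self, name, now):
        rec = self.entries.get(name)
        if rec is None or rec[2] <= now:
            self.entries.pop(name, None)  # expired entries are dropped
            return None
        return rec
    def put(self, name, rtype, data, ttl, now):
        self.entries[name] = (rtype, data, now + min(ttl, MAX_TTL))

def resolve(cache, name, now, chase_expired):
    """Walk the CNAME chain for `name`; return the A addresses found.
    chase_expired=False models the reported bug: while the queried name is
    still cached, an expired link further down is not re-fetched, so the
    answer comes back empty. chase_expired=True re-queries that link."""
    addrs = []
    served_from_cache = cache.get(name, now) is not None
    for _ in range(8):  # bound the CNAME chain length
        rec = cache.get(name, now)
        if rec is None:
            if served_from_cache and not chase_expired:
                break  # bug: cached apex CNAME, expired target, give up
            rec = UPSTREAM[name]  # constructed upstream lookup: (rtype, data, ttl)
            cache.put(name, *rec, now)
        if rec[0] == "A":
            addrs.append(rec[1])
            break
        name = rec[1]  # follow the CNAME
    return addrs

def reproduce(chase_expired):
    """Query at t=0, then 10 minutes later: 5-min records expired, apex CNAME not."""
    cache = Cache()
    first = resolve(cache, "login.microsoftonline.com", 0, chase_expired)
    later = resolve(cache, "login.microsoftonline.com", 600, chase_expired)
    return first, later
```

reproduce(False) returns an address for the first query and an empty list ten minutes later, which is the symptom in the post; reproduce(True) returns the address both times because the expired link is fetched again while the apex CNAME stays cached.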

What version of ROS do you use?

Currently v7.6beta10, but I used v7.6 stable before. To check if the ROS version is the problem, I updated to a newer beta version.

Newest ROS is 7.7rc3 … way newer than 7.6beta you’re using.

BTW, 7.6beta10 precedes 7.6 stable, any reason for downgrading?

I had already tested this before Christmas, and 7.7rc3 was not yet available then. I’ll install it right now and see if the error still occurs.

There are major DNS problems in the 7.6beta and 7.7rc releases… what you describe is the result of that.
These versions are unusable until they fix those issues, unless you can bypass the MikroTik DNS resolver, e.g. by setting 8.8.8.8 as the DNS in your DHCP network.