Unspecified error DNS query

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Fri Oct 7 16:20:11 UTC 2016


There's nothing particularly unusual about the "retrying in TCP mode" message - as Mark explained, that happens whenever the packet size is big and EDNS0 is not being used.

I looked up this name from an internal Windows 7 box through a BIND-based forwarder (in North America), and it resolves fine:

Non-authoritative answer:
Name:    live-namnorth.office365.com
Addresses:  40.97.169.162
          132.245.46.34
          132.245.22.146
          132.245.37.130
          40.96.7.114
          132.245.250.130
          132.245.71.178
          132.245.75.18
          132.245.59.114
          40.97.144.50
Aliases:  outlook.live.com
          edge-live.outlook.office.com
          outlook-live-com.a-0010.a-msedge.net
          ipv4.outlook.com
          outlook.live.com.glbdns2.microsoft.com


C:\Windows\System32>

Like your response, there are 5 CNAMEs and 10 A records.

So, I would say either something is wrong with your client build, or there's a middlebox somewhere that's messing with the packets, possibly because it doesn't know how the TCP flavor of DNS works. Time to take a packet capture and see what's really going on.

- Kevin


From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Daniel Dawalibi
Sent: Friday, October 07, 2016 8:01 AM
To: bind-users at lists.isc.org
Subject: Unspecified error DNS query

Hello


We are getting "Unspecified error" when querying our DNS server (Query: outlook.live.com) from a PC communicating with our DNS.
We tried to perform the same query from the DNS itself (local host) and we found that the dig output is showing the following message: "Truncated, retrying in TCP mode".
We also observed that the message size of the requested query "outlook.live.com" increased recently from MSG SIZE 221 to 770.
Can you please help with why we are getting this error (client side) and why the TCP mode is shown in the dig output, since other queries do not show TCP mode in their output?

[root at DNS1 dan]# dig outlook.live.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> outlook.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45725
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 7, ADDITIONAL: 11

;; QUESTION SECTION:
;outlook.live.com.              IN      A

;; ANSWER SECTION:
outlook.live.com.       881     IN      CNAME   edge-live.outlook.office.com.
edge-live.outlook.office.com. 280 IN    CNAME   outlook-live-com.a-0010.a-msedge.net.
outlook-live-com.a-0010.a-msedge.net. 160 IN CNAME ipv4.outlook.com.
ipv4.outlook.com.       126     IN      CNAME   outlook.live.com.glbdns2.microsoft.com.
outlook.live.com.glbdns2.microsoft.com. 280 IN CNAME live-emeaeast3.office365.com.
live-emeaeast3.office365.com. 294 IN    A       40.101.44.178
live-emeaeast3.office365.com. 294 IN    A       134.170.68.82
live-emeaeast3.office365.com. 294 IN    A       40.101.28.178
live-emeaeast3.office365.com. 294 IN    A       40.101.1.82
live-emeaeast3.office365.com. 294 IN    A       132.245.79.242
live-emeaeast3.office365.com. 294 IN    A       40.96.21.34
live-emeaeast3.office365.com. 294 IN    A       40.101.9.2
live-emeaeast3.office365.com. 294 IN    A       40.101.60.2
live-emeaeast3.office365.com. 294 IN    A       40.96.21.50
live-emeaeast3.office365.com. 294 IN    A       132.245.194.242

;; AUTHORITY SECTION:
office365.com.          170080  IN      NS      ns2.msft.net.
office365.com.          170080  IN      NS      ns1a.o365filtering.com.
office365.com.          170080  IN      NS      ns3.msft.net.
office365.com.          170080  IN      NS      ns1.msft.net.
office365.com.          170080  IN      NS      ns4a.o365filtering.com.
office365.com.          170080  IN      NS      ns4.msft.net.
office365.com.          170080  IN      NS      ns2a.o365filtering.com.

;; ADDITIONAL SECTION:
ns1.msft.net.           289     IN      A       208.84.0.53
ns2.msft.net.           170080  IN      A       208.84.2.53
ns3.msft.net.           289     IN      A       193.221.113.53
ns4.msft.net.           170080  IN      A       208.76.45.53
ns1a.o365filtering.com. 311     IN      A       157.56.110.11
ns2a.o365filtering.com. 311     IN      A       157.56.116.52
ns4a.o365filtering.com. 311     IN      A       157.55.133.11
ns1.msft.net.           289     IN      AAAA    2620:0:30::53
ns2.msft.net.           170080  IN      AAAA    2620:0:32::53
ns3.msft.net.           289     IN      AAAA    2620:0:34::53
ns4.msft.net.           170080  IN      AAAA    2620:0:37::53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct  7 07:57:41 2016
;; MSG SIZE  rcvd: 770


Regards
Daniel
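
The truncation behaviour discussed in this thread, as an added example that is not part of either message: a small Python sketch that reads the raw DNS bytes you would pull from a packet capture, reports the UDP payload size the client advertised (512 bytes unless an EDNS0 OPT record is present), checks the TC bit in a response header, and says whether a fallback to TCP is expected for the 221-byte and 770-byte answers mentioned above. All function names and the sample header are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 limit for DNS over UDP without EDNS0
TYPE_OPT = 41            # EDNS0 OPT pseudo-record (RFC 6891)
# Constructed sample: response header with QR, TC, RD and RA set (flags 0x8380).
TRUNCATED_HEADER = struct.pack("!HHHHHH", 45725, 0x8380, 1, 0, 0, 0)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, edns_size=None):
    """Build an A/IN query; append an OPT record when edns_size is given."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns_size:
        # root name, TYPE=OPT, CLASS carries the UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a name (a compression pointer ends it)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def advertised_udp_size(query):
    """UDP payload size the client accepts: 512 unless an OPT record says more."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_UDP_LIMIT)  # values below 512 mean 512
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def is_truncated(message):
    """True when the TC bit (0x0200) is set in the header flags."""
    return bool(struct.unpack("!H", message[2:4])[0] & 0x0200)

def expect_tcp_retry(query, full_answer_size):
    """Would the full answer overflow what the client accepts over UDP?"""
    return full_answer_size > advertised_udp_size(query)
```

In a capture, a TC response followed by no TCP SYN to port 53 from the client, or by a SYN that never completes, points at the client or a middlebox rather than at the resolver.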