Hi!
I first posted this quetion at https://answers.microsoft.com/en-us/outlook_com/forum/outlk_web-outtop_com-outsub_account/dns-problems-on-m365-email-dns-servers/355c66a9-f0b4-44cf-8154-c8f30893d1b9 but was then suggested to post this here, instead. So here goes.
I am having some troubles with sending emails to several Microsoft 365 customers. Let's see if anyone here can verify the issue and perhaps help.
Tl;dr: two DNS servers serving O365 are not responding to queries.
Let me use our local city and their MX setup as an example. This problem The domain of the city is tampere.fi and as they are in Microsoft 365 service, their MX has been set to tampere-fi.mail.protection.outlook.com and this is the server my MTA would like to connect to for SMTP session. My DNS resolvers are querying the DNS tree to find IP address for the MX. Let's now trace the whole DNS chain:
*.root-servers.net --> *.gtld-servers.net (for .com) --> nse21.o365filtering.com. (for .outlook.com) --> ns1-gtm.glbdns.o365filtering.com. (for protection.outlook.com) --> ns1-proddns.glbdns.o365filtering.com. (for mail.protection.outlook.com).
Or directly looking for SOA of mail.protection.outlook.com which is again ns1-proddns.glbdns.o365filtering.com.
Let's stop here for now. DNS resolver needs the IP address of ns1-proddns.glbdns.o365filtering.com to query it. On every query I get a different set of two addresses. Nothing special there. At the time of writing this I got addresses:
104.47.15.17 104.47.16.17
104.47.34.17 104.47.34.49 104.47.72.81 The final step to find MX IP address would be to query any of these for A record of tampere-fi.mail.protection.outlook.com. But here comes the problem:
Out of these the first two DNS servers, 104.47.15.17 and 104.47.16.17, are neither responding to DNS queries. The rest three are working just fine, but the two bad guys, completely silent to any requests on udp/53.
Microsoft DNS servers have very short TTL which means that basically on every sent email a new query for ns1-proddns.glbdns.o365filtering.com is also made. Occassionally the response has both non-working addresses in the response and this causes MX lookup ultimately to fail.
I reported this as an issue to Microsoft through M365 portal, but it was quickly closed as "No issue found". Regular support ticket to M365 customer service doesn't seem any more promising as they are asking e.g. how many users are affected and how our local Active Directory has been set up. I fail to see how any of those and other questions they made are of any relevance in this case.
Any thoughts?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 75%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 43%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)