Encrypted Emails hang severely when using internal DNS!

Chau Le 96 Reputation points
2021-03-02T23:36:44.243+00:00

Going to try to keep this short and sweet. We use Office 365 and encrypted email. When we want to send encrypted email we put ABC-Secure in the subject. 3 weeks ago, opening encrypted emails (to and from users in Office 365) became extremely slow and makes Outlook unresponsive. Not happening for everyone. Did so much troubleshooting, but here is the main highlight.

When we change the client machine's DNS server to use a public DNS server like 8.8.8.8, opening encrypted messages is lightning fast.
With internal DNS, it is very slow. Here is the DNS flow before you ask:

Client -> AD DNS -> Blue Cat DNS -> Internet

The message we see when it hangs is "contacting RMS server for templates" or similar.

We have already done this: Client -> AD DNS -> Internet (still slow). The only scenario in which opening the encrypted emails is fast is when the client is configured with a public DNS server directly.

Packet captures show a lot of communication with different RMS SRV records ... never a time when we saw an actual failure in DNS, just hangs to the point where we have to kill Outlook.

Any suggestions?

Azure Information Protection

1 answer

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-03-09T09:23:00.007+00:00

    @Chau Le Apologies for the delay on this.

    The local DNS might have been going through some bandwidth issue, which will cause the mail server to take more time to find the correct SMTP server address for the receiving end.
    Public DNS servers are normally faster, as they are backed by a huge infrastructure setup and load balance requests better than local DNS servers.

    Normally, when an RMS-protected mail is received, the client will try to fetch the RMS SRV records in DNS to find the RMS servers. The lookup frequency in the case of Google public DNS is also better due to their edge nodes, which local DNS/infra will lack.

    If you want to investigate more, you can open a support case with us to dig further.

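The question describes captures with many SRV lookups, no outright DNS failure, and long hangs. As an added example (not part of the original thread), this script pairs each DNS query with its response by transaction ID and reports retransmitted, slow and unanswered lookups per resolver. The column layout, addresses and record names are constructed assumptions, not values from the thread.

```python
from collections import defaultdict

# Constructed sample: tab-separated DNS rows as exported from a capture.
# Assumed columns: time_s, src, dst, txid, is_response, qname, qtype, rcode
SAMPLE = """\
0.000\t10.0.0.5\t10.0.0.2\t0x1a01\t0\t_svc._tcp.example.com\t33\t-
0.012\t10.0.0.2\t10.0.0.5\t0x1a01\t1\t_svc._tcp.example.com\t33\t0
0.500\t10.0.0.5\t10.0.0.2\t0x1a02\t0\t_svc._tcp.corp.example.com\t33\t-
1.500\t10.0.0.5\t10.0.0.2\t0x1a02\t0\t_svc._tcp.corp.example.com\t33\t-
3.500\t10.0.0.5\t10.0.0.2\t0x1a02\t0\t_svc._tcp.corp.example.com\t33\t-
4.100\t10.0.0.2\t10.0.0.5\t0x1a02\t1\t_svc._tcp.corp.example.com\t33\t0
5.000\t10.0.0.5\t10.0.0.2\t0x1a03\t0\t_svc._tcp.eu.example.com\t33\t-
"""

def analyze(text, slow_s=1.0):
    """Pair queries with responses; return (per-resolver stats, slow lookups)."""
    pending = {}  # (client, resolver, txid, qname, qtype) -> [first_sent, sends]
    stats = defaultdict(lambda: {"answered": 0, "retransmits": 0,
                                 "unanswered": 0, "max_latency": 0.0})
    slow = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, txid, is_resp, qname, qtype, rcode = line.split("\t")
        t = float(t)
        if is_resp in ("0", "False"):          # query: client -> resolver
            key = (src, dst, txid, qname.lower(), qtype)
            if key in pending:                 # same question re-sent: a retry
                pending[key][1] += 1
                stats[dst]["retransmits"] += 1
            else:
                pending[key] = [t, 1]
        else:                                  # response: resolver -> client
            key = (dst, src, txid, qname.lower(), qtype)
            if key not in pending:
                continue                       # query fell outside the capture
            first, sends = pending.pop(key)
            latency = round(t - first, 3)      # measured from the FIRST send
            s = stats[src]
            s["answered"] += 1
            s["max_latency"] = max(s["max_latency"], latency)
            if latency >= slow_s:
                slow.append((qname, src, latency, sends, rcode))
    for (_, resolver, *_rest) in pending:      # never answered in the capture
        stats[resolver]["unanswered"] += 1
    return dict(stats), slow

if __name__ == "__main__":
    per_resolver, slow_lookups = analyze(SAMPLE)
    print(per_resolver)
    print(slow_lookups)
```

In the constructed sample the slow lookup still ends with rcode 0, so it never shows up as a DNS error; only the retries and the latency measured from the first send reveal it.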