DNS CNAME disparity for MS Sharepoint service

Greetings all.

I am experiencing a DNS issue whereby I find that when I resolve a specific CNAME record against an external DNS resolver (1.1.1.1 in this case) I get a certain number of records returned. The original record queried is a CNAME that resolves to multiple other CNAMEs and then eventually to two A records.

When I do the exact same query to my internal Infoblox DNS server I get all the same CNAME records but with an additional two CNAME records added. I would not normally worry but I'm finding that users inside my network (using my DNS server) are having issues connecting to this MS Sharepoint service but if they use the external resolver (1.1.1.1) everything works fine.

If I query the CNAME against the external resolver one CNAME at a time I get all the same records. It's only when doing a single query that the external resolver has two fewer CNAMEs.

So I get that the external resolver may be returning fewer results to save traffic via query optimisation/consolidation etc. but I don't understand why the two extra CNAMEs from my internal DNS are breaking things so badly.

Here are the various outputs slightly redacted:

dig @1.1.1.1 aaabbbccc.sharepoint.com +short
6710-ipv4v6e.clump.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6e.farm.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6w.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net.
dual-spo-0005.spo-msedge.net.
13.107.a.b
13.107.b.c

$ dig @internal_DNS aaabbbccc.sharepoint.com +short
6710-ipv4v6e.clump.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6e.farm.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6w.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6e.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net.
dual-spo-0005.spo-msedge.net.
13.107.a.b
13.107.b.c

Both my internal and the external DNS servers are not authoritative for this particular domain.

My Infoblox is set to return "minimal results". I'm running Trinzic appliances of various models in a grid running NIOS 9.0. Packet captures between the two DNS servers and my test client confirm that the queries are replied to as reported by dig. I've tried clearing all my DNS caches but it always learns the same CNAMEs again.

Any and all advice is appreciated.

Kind regards
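
An added example, not part of the original post: one way to pinpoint where the two CNAME chains above diverge and rejoin, using the two `dig +short` outputs exactly as posted (redactions included). It assumes each line is the CNAME target of the line above it; the function names are hypothetical.

```python
# Added example: find where two resolvers' CNAME chains diverge and rejoin.
# Assumption: in `dig +short` output each line is the target of the line above.
QNAME = "aaabbbccc.sharepoint.com."
EXTERNAL = """\
6710-ipv4v6e.clump.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6e.farm.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6w.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net.
dual-spo-0005.spo-msedge.net.
13.107.a.b
13.107.b.c
"""
INTERNAL = """\
6710-ipv4v6e.clump.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6e.farm.dprodmgd104.aa-rt.sharepoint.com.
190434-ipv4v6w.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6e.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6g.farm.dprodmgd104.sharepointonline.com.akadns.net.
190434-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net.
dual-spo-0005.spo-msedge.net.
13.107.a.b
13.107.b.c
"""

def split_short(qname, text):
    """Return (chain, addresses); the chain is qname followed by each CNAME target."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    names = [l.lower() for l in lines if l.endswith(".")]  # targets carry a trailing dot
    addrs = sorted(l for l in lines if not l.endswith("."))  # A rdata does not
    return [qname.lower()] + names, addrs

def divergence(chain_a, chain_b):
    """First owner whose CNAME target differs, the rejoin name, extras per side."""
    a, b = dict(zip(chain_a, chain_a[1:])), dict(zip(chain_b, chain_b[1:]))
    for owner in chain_a:
        if owner in b and a.get(owner) != b[owner]:
            break
    else:
        return None  # every shared owner points at the same target
    rejoin = next((n for n in chain_a[chain_a.index(owner) + 1:] if n in chain_b), None)
    return {"owner": owner, "rejoin": rejoin,
            "only_a": [n for n in chain_a if n not in chain_b],
            "only_b": [n for n in chain_b if n not in chain_a]}

if __name__ == "__main__":
    ext, ext_addrs = split_short(QNAME, EXTERNAL)
    intl, int_addrs = split_short(QNAME, INTERNAL)
    print(divergence(ext, intl))
    print("same addresses:", ext_addrs == int_addrs)
```

The `owner` in the result is the name to query next on each resolver without `+short`, so the full answer section shows the record, its TTL and which side returns a different target for it.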

 

 
