Nslookup returns "Query refused" for all microsoft.com lookups

All Windows nslookups and Pi Hole lookups are getting “Query refused” replies from 1.1.1.1, 1.1.1.2, 1.1.1.3 for familiar sites like hotels.com and microsoft.com and all variations of those URLs.

Example:

nslookup www.microsoft.com. 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one can’t find www.microsoft.com.: Query refused

Nslookups and Pi Hole lookups using any other DNS provider are working fine/returning the correct results.

nslookup www.microsoft.com. 8.8.8.8
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name:    e13678.dscb.akamaiedge.net
Addresses:  2600:1408:9000:785::356e
          2600:1408:9000:794::356e
          23.210.1.184
Aliases:  www.microsoft.com
          www.microsoft.com-c-3.edgekey.net
          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

What is wrong with CloudFront’s DNS resolvers?

NOTE: while I was researching and typing this message, hotels.com began to resolve correctly via CloudFront's DNS servers, but ALL microsoft.com are still failing.

I can’t seem to reproduce this on either 1.1.1.1, 1.1.1.2, or 1.1.1.3.

Can you show us the output of https://1.1.1.1/help?

It sounds like you’re getting this from a number of computers, which makes me suspect it’s your ISP or country.

https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJBVEwiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

This reproduces for me on 1.1.1.1 and 1.0.0.1.

teams.microsoft.com gives:

Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one can’t find teams.microsoft.com: Non-existent domain

It’s important to note that the same query does work fine with OpenDNS and DNS.WATCH.

Thanks!

https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJBVEwiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

Looks like we’re both on the ATL datacenter, so perhaps that is why we see it while others do not?

Hi,

Thanks for the report.

We detected a random prefix attack on the microsoft.com domain, and our automatic attack mitigation started refusing queries for random prefixes. We have temporarily disabled automatic attack mitigation for microsoft.com and will improve our detection of valid names while still blocking random prefix attacks.

Can you check again?

Thanks

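The kind of mitigation described in the reply above, sketched as an added example that is not part of the thread and not Cloudflare's code or algorithm: a per-zone guard that flags a zone when most upstream answers are NXDOMAIN for many distinct names, then refuses names it has not seen resolve before. The class name, thresholds, and all query names in the sample traffic are assumptions constructed for illustration; note how a valid but previously unseen name is refused, which is why detection of valid names matters.

```python
from collections import defaultdict

def zone_of(qname, zones):
    """Longest configured zone that contains qname, or None."""
    name = qname.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

class RandomPrefixGuard:
    """Hypothetical per-zone mitigation; thresholds are illustrative assumptions."""
    def __init__(self, zones, min_unique_nx=5, nx_ratio=0.8):
        self.zones, self.min_unique_nx, self.nx_ratio = zones, min_unique_nx, nx_ratio
        self.nx_names = defaultdict(set)    # zone -> distinct names answered NXDOMAIN
        self.known_good = defaultdict(set)  # zone -> names that have resolved before
        self.total = defaultdict(int)       # zone -> upstream answers observed

    def observe(self, qname, rcode):
        """Record the upstream rcode seen for one query."""
        zone = zone_of(qname, self.zones)
        if zone is None:
            return
        name = qname.rstrip(".").lower()
        self.total[zone] += 1
        if rcode == "NXDOMAIN":
            self.nx_names[zone].add(name)
        elif rcode == "NOERROR":
            self.known_good[zone].add(name)

    def under_attack(self, zone):
        nx = len(self.nx_names[zone])
        return nx >= self.min_unique_nx and nx / self.total[zone] >= self.nx_ratio

    def decide(self, qname):
        """'RESOLVE' normally; during an attack, 'REFUSED' unless the name is known good."""
        zone = zone_of(qname, self.zones)
        if zone is None or not self.under_attack(zone):
            return "RESOLVE"
        name = qname.rstrip(".").lower()
        return "RESOLVE" if name in self.known_good[zone] else "REFUSED"

def demo():
    guard = RandomPrefixGuard(zones={"microsoft.com", "example.org"})
    # Constructed traffic: one valid lookup, then eight random-prefix names.
    guard.observe("www.microsoft.com.", "NOERROR")
    for prefix in ("k3v9q", "zz81x", "p0fwa", "m2l7c", "t6ybn", "h4d0s", "r9ue3", "c1gj5"):
        guard.observe(f"{prefix}.microsoft.com.", "NXDOMAIN")
    guard.observe("www.example.org.", "NOERROR")
    return {n: guard.decide(n) for n in ("www.microsoft.com.", "teams.microsoft.com.",
                                         "q8w1z.microsoft.com.", "www.example.org.")}

if __name__ == "__main__":
    print(demo())
```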

Hi,

I’m now receiving proper responses from 1.1.1.1 and 1.1.1.3 (and all variations of Cloudflare DNS).

Examples:

nslookup www.microsoft.com. 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    e13678.dscb.akamaiedge.net
Addresses:  2600:1402:b800:989::356e
          2600:1402:b800:98d::356e
          2600:1402:b800:980::356e
          2600:1402:b800:987::356e
          2600:1402:b800:98c::356e
          23.54.201.219
Aliases:  www.microsoft.com
          www.microsoft.com-c-3.edgekey.net
          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

and

> nslookup www.microsoft.com. 1.1.1.3
> Server:  UnKnown
> Address:  1.1.1.3
> 
> Non-authoritative answer:
> Name:    e13678.dscb.akamaiedge.net
> Addresses:  2600:1402:f000:1098::356e
>           2600:1402:f000:109b::356e
>           2600:1402:f000:1086::356e
>           23.54.201.219
> Aliases:  www.microsoft.com
>           www.microsoft.com-c-3.edgekey.net
>           www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

I can also confirm that the issue is now resolved. Thanks for looking into this and sharing the status/cause with us!