
4 Replies

  • What DNS servers are the 20 clients using? Are they all the same?

    Microsoft geo-load-balances their services, so perhaps it is a DNS issue. Are you located in the same country/region? What happens when you resolve office.outlook.com?

  • Current client DNS is the same. We are in N. America, and it resolves to mel-efz.ms-acdc.office.com [40.100.151.21].

    The DNS SHOULD be AD level. 

  • Same issue, and it was for users resolving mail for O365. Not all users, but some were being routed to Melbourne, AUS from North America.

    I did note that the outbound request to the destination AUS IP was alternating from normal O365 ops to one that looked like a high-availability URL.

    DNS was the initial suspect, but I noticed the same internal resolvers looking for O365 would occasionally target the 40.100.x.y IP space in AUS vs the normal MS ranges in the US, 52.x.y.z. ONLY clients resolving all, or even a few, 40.100.x.y addresses were having issues.

    Microsoft's response to fix was to advise setting external resolvers to a different public resolver.

    I believe some (unknown if all) systems were originally pointed at Google 8.8.8.8 when the issue occurred.

    Original concern was ZuoRAT MitM DNS redirects, but we confirmed at least half of the users were behind a corp-controlled firewall (DNS backhauled and inspected, so no tampering), so we ruled that out.

    Requested that Microsoft NOT send traffic to foreign countries for regular mailbox access, but there is no direct control over that, that I am aware of.

    Interesting to note the Australian Government passed the horrendous anti-encryption act; curious if there is any tie-in there... data goes to AUS, Five Eyes, no encryption, no-warrant pulling of data...

    Compromised?

    https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-kn...

  • Resolution was to whitelist AUS and IRE, but that's not very secure. We rebuilt some profiles and made miscellaneous fixes, but nothing concrete. The issues have slowed down, but I am unsure whether we should block AUS and IRE again.

    Will be keeping an eye on this one. 

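One way to do the resolver comparison the first and third replies talk about (resolve the O365 hostname against several public resolvers and see which answers land in the 40.100.x.y space), as an added example that is not part of the original thread or any Microsoft tooling. It uses only the Python standard library and sends raw DNS queries over UDP so that each resolver is asked directly rather than through the OS stub resolver. Treating 40.100.0.0/16 as the "suspect" range and 52.0.0.0/8 as the "expected" range is an assumption taken purely from the thread's wording; the hostname outlook.office.com and the resolvers other than 8.8.8.8 are also assumptions. The bytes returned by constructed_response() are a made-up answer for offline testing, not a captured packet.

```python
"""Ask several resolvers for an Office 365 hostname and flag answers in the
40.100.0.0/16 range the thread associates with the Melbourne front end.
Added example for this thread; not code from the original posts."""
from __future__ import annotations

import ipaddress
import random
import socket
import struct
import sys

# Assumption from the thread's wording: 40.100.x.y was seen going to AUS,
# 52.x.y.z was the usual US range. 52/8 is broad (lots of Azure), so treat
# "expected" as a coarse hint, not an allowlist.
SUSPECT_RANGES = [ipaddress.ip_network("40.100.0.0/16")]
EXPECTED_RANGES = [ipaddress.ip_network("52.0.0.0/8")]


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: one A question, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int) -> list[str]:
    """Return IPv4 addresses from the answer section; CNAMEs are skipped."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def classify(addr: str) -> str:
    """Label an answer as suspect / expected / other against the ranges above."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in SUSPECT_RANGES):
        return "suspect"
    if any(ip in n for n in EXPECTED_RANGES):
        return "expected"
    return "other"


def resolve_via(resolver: str, name: str, timeout: float = 3.0) -> list[str]:
    """Query one resolver over UDP port 53, bypassing the OS stub resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        msg, _ = s.recvfrom(4096)
    return parse_a_records(msg, txid)


def compare_resolvers(name: str, resolvers: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each resolver to its (address, label) answers, or an error entry."""
    report = {}
    for r in resolvers:
        try:
            report[r] = [(a, classify(a)) for a in resolve_via(r, name)]
        except (OSError, ValueError) as exc:
            report[r] = [("error", str(exc))]
    return report


def constructed_response(txid: int = 0x1234) -> bytes:
    """CONSTRUCTED sample reply (not a captured packet): outlook.office.com
    CNAME mel-efz.ms-acdc.office.com, which then has A 40.100.151.21."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = build_query("outlook.office.com", txid)[12:]
    target = b"\x07mel-efz\x07ms-acdc\x06office\x03com\x00"
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, len(target)) + target
    target_off = 12 + len(question) + 12  # where `target` starts in the message
    a_rec = b"\xc0" + bytes([target_off]) + struct.pack("!HHIH", 1, 1, 60, 4) \
        + socket.inet_aton("40.100.151.21")
    return header + question + cname + a_rec


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "outlook.office.com"  # assumed name
    # 8.8.8.8 is the resolver the thread mentions; the others are assumed alternates.
    for resolver, answers in compare_resolvers(host, ["8.8.8.8", "1.1.1.1", "9.9.9.9"]).items():
        print(resolver, answers)
```

Run it from each site and from a client that is misbehaving, and compare the labels per resolver; a resolver that keeps handing back "suspect" answers is the one the thread correlated with problems. This is a check, not a fix: a 40.100.x.y answer is a geo-routing observation, and on its own it says nothing about tampering, which is exactly why the third reply ruled out the MitM theory by looking at where the DNS traffic actually went.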
