A customer recently asked me which networks or IP addresses Microsoft makes DNS requests from. This may seem like an unusual question, but they were deploying geo load balancers for AD FS, and wanted to know where they should expect to see DNS traffic originating from.
Microsoft doesn’t (currently) publish a list of these networks / IP addresses, which makes sense, as DNS resolvers are normally entirely public or entirely private. However, this customer has a security requirement to restrict access wherever possible, so I duly investigated.
I created an Ubuntu virtual machine (using DigitalOcean), made sure port 53 was open, started a tcpdump and then made Microsoft connect. To do this, I created a subdomain of my domain, delegated DNS for it to my ‘DNS server’, and told Exchange Online this was a migration endpoint, thus prompting a DNS query from Microsoft.
The requests came pouring in…
In total, Microsoft made 233 DNS requests against my pretend DNS server, from 21 different IP addresses. I imagine the volume was because my DNS server wasn’t really a DNS server, and you can see this in the traffic patterns; the same servers made multiple requests because they didn’t get a response on their first attempt.
I looked at a few of the addresses the requests came from and found that they were registered to Microsoft (as one might expect), they didn’t have reverse DNS entries, and, as far as I could see, none were listed on the Office 365 URLs and IP address ranges page.
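To turn a capture like the one described above into the per-source numbers and the "is this address in a published range?" check, here is an added example script of the kind I would use; it is not code from the original post and it runs over a constructed sample of `tcpdump -n udp port 53` output (RFC 5737 documentation addresses, a made-up `mig.corp.example.com` query name and a made-up `EXPECTED_CIDRS` allowlist standing in for whatever ranges you choose to compare against). It counts queries per source address, spots retries (the same transaction ID, type and name sent again by the same source, which is what you see when the listener never answers) and lists any source that falls outside the ranges you expected.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n udp port 53` output; not a real capture.
# Sources use RFC 5737 documentation ranges. The last line is the listener's
# own reply and must not be counted as an inbound query.
SAMPLE_CAPTURE = """\
10:15:01.101 IP 203.0.113.10.40123 > 198.51.100.5.53: 41722+ A? mig.corp.example.com. (38)
10:15:01.102 IP 203.0.113.10.40123 > 198.51.100.5.53: 41722+ AAAA? mig.corp.example.com. (38)
10:15:03.110 IP 203.0.113.10.40123 > 198.51.100.5.53: 41722+ A? mig.corp.example.com. (38)
10:15:03.412 IP 203.0.113.77.51200 > 198.51.100.5.53: 9001+ A? mig.corp.example.com. (38)
10:15:05.415 IP 203.0.113.77.51200 > 198.51.100.5.53: 9001+ A? mig.corp.example.com. (38)
10:15:06.002 IP 192.0.2.8.33333 > 198.51.100.5.53: 5555+ A? mig.corp.example.com. (38)
10:15:06.900 IP 198.51.100.5.53 > 203.0.113.10.40123: 41722 NXDomain 0/0/0 (38)
"""

# Constructed allowlist standing in for the published ranges you compare against.
EXPECTED_CIDRS = ["203.0.113.0/25"]

# Matches inbound queries only: destination port 53 and a "<id>+ <TYPE>? <name>" body.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+?\s+(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse_queries(capture_text):
    """Return one dict per inbound DNS query line (replies are ignored)."""
    queries = []
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append(m.groupdict())
    return queries


def summarise_by_source(queries):
    """Count queries per source IP, and how many of them were retries.

    A retry is the same (source, transaction id, type, name) seen again,
    which is the pattern an unanswered listener produces.
    """
    per_source = Counter(q["src"] for q in queries)
    seen = set()
    retries = Counter()
    for q in queries:
        key = (q["src"], q["txid"], q["qtype"], q["qname"])
        if key in seen:
            retries[q["src"]] += 1
        seen.add(key)
    return per_source, retries


def unexpected_sources(per_source, expected_cidrs):
    """Source IPs that fall outside every CIDR in expected_cidrs, sorted."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    return sorted(
        ip for ip in per_source
        if not any(ipaddress.ip_address(ip) in n for n in nets)
    )


def report(capture_text, expected_cidrs):
    """Build a small text report; returns the report lines."""
    queries = parse_queries(capture_text)
    per_source, retries = summarise_by_source(queries)
    lines = [f"{len(queries)} queries from {len(per_source)} source addresses"]
    for ip, n in per_source.most_common():
        lines.append(f"  {ip:<16} {n:>4} queries  ({retries[ip]} retries)")
    for ip in unexpected_sources(per_source, expected_cidrs):
        lines.append(f"  not in expected ranges: {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE, EXPECTED_CIDRS)))
```

Feed it real output with `tcpdump -n -l udp port 53 | tee capture.txt` and point `report()` at the file contents; the retry count per source is the quickest way to tell genuine query volume apart from a resolver hammering a listener that never answers.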
Personally, I don’t have a problem with this, and the customer in question is happy to open up port 53 to the world and lock down access to the endpoint itself rather than the DNS servers, but I think it’s still interesting to see some of the inner workings of the Microsoft cloud and the scale at which Microsoft does something as mundane as a DNS query.