IP Aliases not resolving properly

lifeboy · Jun 1, 2021, 10:39 AM

We need to allow email traffic to outlook.office365.com on port 993, which is pretty standard. However, in classic Microsoft style, they seem to be breaking the rules of DNS. Running 'dig' from various DNS servers, gives different answers:

# dig +short outlook.ms-acdc.office.com A
jnb-efz.ms-acdc.office.com.
52.98.20.146
52.98.20.178
52.98.20.130

however

# dig +short @8.8.8.8 outlook.ms-acdc.office.com A
LHR-efz.ms-acdc.office.com.
52.97.211.194
52.97.211.130
52.97.146.162
52.97.146.210

And a different answer from the tables in pfSense

Outlook_mail_servers Table
IP Address	
52.98.16.210	
52.98.16.226	
52.98.16.242	
2603:1006:1::2	
2603:1006:1:1::2	
2603:1006:1:b::2

I have cleared the table contents, but it populated with new different ip addresses again.

What is happening and how do I coerce aliases into working they way I expect it to work?

viragomann · Jun 1, 2021, 10:41 AM

@lifeboy
I created this alias for outlook.office365.com:

Got it from an MS page in the Web and works without issues.

JeGr · Jun 1, 2021, 10:45 AM

@lifeboy IMHO that's nothing to do with "MS style breaking rules" but simply with Anycast/Geolocated DNS resolvers that actually try to serve you IPs that are more geo-located near you and thus better suited then others. That's happening all over the place with Google, Youtube and nearly every other big company that uses a CDN in between.

You can't resolve such DNS fqdn with normal means of an Alias in pfSense as it can vary every few minutes depending on what DNS server is responding to you and what its answers are to you. So just creating an alias will change IPs every 15m.

Edit: @viragomann got in between ;) Yeah what virago says. Just have a look at MS Knowledgebase, they have a list of Names and IPs of all their services and which IP blocks they are using for what. You can simply use that hardcoded like @viragomann in an alias or put the JSON/text list from Microsoft in a tool like pfblockerNG and let it update it automatically.

Cheers

Edit: Here's the worldwide endpoints list -> https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
That's the list in JSON format: https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

lifeboy · Jun 1, 2021, 10:44 AM

@viragomann, thanks.

Thanks a pretty serious list of addresses, but then I suppose that's what happens when you have to serve as much mail at they do!

lifeboy · Jun 1, 2021, 10:47 AM

@jegr, I get it, yes, it's the CDN... (should have known that, clearly having a blonde moment there :-) )

JeGr · Jun 1, 2021, 10:49 AM

@lifeboy said in IP Aliases not resolving properly:

@jegr, I get it, yes, it's the CDN... (should have known that, clearly having a blonde moment there :-) )

As we all sometimes do :) No problem there. ;)

lifeboy · Jun 1, 2021, 4:15 PM

@viragomann, please share how you added these as an alias. When I add them they get expanded and it's more the 5000 items...

johnpoz · Jun 1, 2021, 4:26 PM

@lifeboy The link provided by @JeGr should have all the possible netblocks used for different aspects of outlook.com and office365.com

Which ones you specific need will depend on exactly what your doing.

If you use the network alias they will not expand.
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#network-aliases

lifeboy · Jun 1, 2021, 4:37 PM

"If you use the network alias they will not expand."

@johnpoz, thanks, that's what I was looking for.

viragomann · Jun 1, 2021, 4:51 PM

@lifeboy
I used alias type IP networks, @johnpoz already solved the mystery.