Things have changed. Best recommend now is CloudFlare’s. General:
1.1.1.1 1.0.0.1
CloudFlare’s, filtered for malware:
1.1.1.2 1.0.0.2
And CloudFlare’s, filtered for malware and “adult content”:
1.1.1.3 1.0.0.3
And one more provider, almost as good in this writer’s experience, Level 3. Unfiltered.
209.244.0.3 209.244.0.4
No other recommends at this writing.
Microsoft is heavily using something called GeoIP, to optimize Internet data routing for its services, including Skype, Office 365, and all of the others.
All of the code below is within ‘nslookup’, running in CMD on Windows.
The way this works, basically, is different IP sets are reported by DNS lookups, depending on the upstream DNS server being polled. So if, like many right now, you were using Google’s DNS (8.8.8.8 and 8.8.4.4) on your LAN, and did nslookup on the recommended test hostname, outlook.office365.com, you would see this:
> outlook.office365.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: outlook-namsouth2.office365.com
Addresses: 2603:1036:0:26::2
2603:1036:102:90::2
2603:1036:404:a4::2
2603:1036:102:107::2
2603:1036:102:b8::2
2603:1036:404:11b::2
2603:1036:404:3f::2
2603:1036:3:12e::2
2603:1036:102:3e::2
2603:1036:404:11c::2
40.97.170.162
40.97.30.130
40.97.170.178
40.97.142.18
40.97.41.98
40.97.162.130
40.97.154.66
40.97.166.178
40.97.117.242
40.97.119.178
Aliases: outlook.office365.com
outlook.ha.office365.com
outlook.office365.com.g.office365.com
>
But on the other hand, if you were using OpenDNS (208.67.220.220/222.222), you would see this:
> outlook.office365.com
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: outlook-namsouth4.office365.com
Addresses: 2603:1036:d01:2::2
2603:1036:101:2::2
2a01:111:f400:31ab::2
2603:1036:902:a3::2
2603:1036:906:4d::2
2603:1036:405:2::2
2603:1036:405:15::2
2603:1036:404:67::2
2603:1036:100::2
40.97.142.18
40.97.41.98
40.97.162.130
40.97.154.66
40.97.166.178
40.97.117.242
40.97.119.178
40.97.170.162
40.97.30.130
40.97.170.178
Aliases: outlook.office365.com
outlook.ha.office365.com
outlook.office365.com.g.office365.com
>
The most important thing to observe in the above, is that the IP set is different. And if you try pings from your test PC to each of the above IPs, you will notice major differences. In recent testing, most of Google’s results ping much slower (higher, in milliseconds) than OpenDNS’s. But we found OpenDNS’s pings noticeably slower than our current known best of breed, Level3 (209.244.0.3/4):
> outlook.office365.com
Server: resolver1.level3.net
Address: 209.244.0.3
Non-authoritative answer:
Name: outlook-namsouth.office365.com
Addresses: 2603:1036:404:16::2
2603:1036:404:b6::2
2603:1036:102:16::2
2603:1036:405:29::2
2603:1036:906:4f::2
2603:1036:d00::2
2603:1036:102:8f::2
2603:1036:405:4a::2
2603:1036:4:4c::2
40.97.133.130
40.97.132.194
40.97.125.114
40.97.132.226
40.97.126.50
40.97.31.50
40.97.164.146
40.97.136.194
40.97.166.34
Aliases: outlook.office365.com
outlook.ha.office365.com
outlook.office365.com.g.office365.com
>
We have also noticed that the lists of IPs do not correspond to names, i.e., outlook-namsouth3 does not return the same IP list each time. So there is a lot of highly complex geographically-centered IP routing by DNS, going on, by Microsoft, and Level3 seems to cooperate best.
The upshot is, if you see any Microsoft cloud-based services being slow, hesitating, freezing up, or losing connection regularly, switch your LAN’s DNS forwarders to Level 3, and you may well knock the problem out most easily. CloudFlare’s DNS works as well if not better.
This error often occurs when a longstanding Windows Server network is given a much newer domain controller. The WINS records embedded in DNS, don’t work anymore; when you try to delete them or change them, you get the error message in the title of this article.
The best thing to do, is PowerShell:
Remove-DNSServerResourceRecord -ZoneName dns_zone.local -Force -RRtype "WINS" -Name "@"
Try that (substituting dns_zone.local for your LAN DNS zone!), then right-click on the zone name, choose “All Tasks” and then “Reload”, then press F5 for refresh. The error-causing situation will go away, you can then reconfigure easily. If there are other zones, you’ll want to repeat for all of them. If there is a WINS record in a reverse lookup zone, the RRtype is WINSR instead of WINS, the result being something akin to this:
Remove-DNSServerResourceRecord -ZoneName 1.168.192.in-addr.arpa -Force -RRtype "WINSR" -Name "@"
Sometimes the actions above only take effect, and show up in the servers, if you reload and refresh (often both) the zones.
The following TXT record:
v=DMARC1; p=reject; pct=100; adkim=s; aspf=s
at least theoretically, should harden SPF and, if present, DKIM. “=s” means “strict”. According to DMARC documentation, DMARC can be used without DKIM, and experiences with a first setup of the above without DKIM are playing out well so far.
Some info is here:
A great place for general DNS lookup info:
The best WHOIS:
And one for info about IP addresses:
Awhile ago it came to light that the following needed to be added to SPF records for email-enabled domains using Constant Contact:
include:ccsend.com include:constantcontact.com include:confirmedcc.com
Things have gotten a lot better. The following now covers all of the above:
ip4:208.75.120.0/22
As of this writing, the current authoritative list, from here:
https://www.iana.org/domains/root/servers
is:
| a.root-servers.net | 198.41.0.4 | 2001:503:ba3e::2:30 | VeriSign, Inc. |
| b.root-servers.net | 192.228.79.201 | 2001:500:84::b | University of Southern California (ISI) |
| c.root-servers.net | 192.33.4.12 | 2001:500:2::c | Cogent Communications |
| d.root-servers.net | 199.7.91.13 | 2001:500:2d::d | University of Maryland |
| e.root-servers.net | 192.203.230.10 | 2001:500:a8::e | NASA (Ames Research Center) |
| f.root-servers.net | 192.5.5.241 | 2001:500:2f::f | Internet Systems Consortium, Inc. |
| g.root-servers.net | 192.112.36.4 | 2001:500:12::d0d | US Department of Defense (NIC) |
| h.root-servers.net | 198.97.190.53 | 2001:500:1::53 | US Army (Research Lab) |
| i.root-servers.net | 192.36.148.17 | 2001:7fe::53 | Netnod |
| j.root-servers.net | 192.58.128.30 | 2001:503:c27::2:30 | VeriSign, Inc. |
| k.root-servers.net | 193.0.14.129 | 2001:7fd::1 | RIPE NCC |
| l.root-servers.net | 199.7.83.42 | 2001:500:9f::42 | ICANN |
| m.root-servers.net | 202.12.27.33 | 2001:dc3::35 | WIDE Project |
Increasingly, nslookup is not installed by default in major Linux distros. On Arch-based and Debian-based distros, it’s in package dnsutils,