Outage in Whalebone
Central Europe Region: Occasional incorrect resolution of some domains
Resolved MinorIncident Report
## Incident Summary
Since **Friday, December 19th**, we have observed occasional incorrect resolution of a limited set of domains coming from **Microsoft Azure authoritative servers**. This incident occurs under the following conditions:
- **On-prem resolvers** located in **Central Europe** (CZ, SK, PL)
- Domains served by **Microsoft Azure authoritative servers** located in Central Europe
- Domains returning an **incorrect CNAME response**
## Affected domains
Selected domains served by Microsoft Azure authoritative servers; we have observed the following set so far:
> packeta.com, cz.linked.com, www.identita.gov.cz, nis.identita.gov.cz, ares.gov.cz, planeo.cz, login.eset.com, skoda-auto.sk, skoda-auto.cz
## Mitigation steps
#### Immediate Mitigation
Clear the resolver cache:
- Navigate to **Admin Portal → Resolvers → Three dots → Clear resolver cache**
#### Mid-Term Mitigation
Set the default maximum TTL to 3600 seconds (1 hour):
- Navigate to **Admin Portal → Configuration → DNS Resolution**
- Select the configuration associated with your resolvers
- Open **Advanced DNS configuration** and apply:
`cache.max_ttl(3600)`
-- For more details, see the [Knot Resolver documentation](https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#cache.max_ttl)
-- You may set the maximum TTL to lower values; however:
--- This may increase response latency for clients (fewer cached domains)
--- This may increase CPU load (higher frequency of contacting upstream servers)
--- Please monitor resolver performance closely if setting a lower TTL
#### Upcoming Fix
We are also preparing a **hotfix** for the resolvers to prevent this situation in the future. We will inform you once it is released.
## Analysis & Root cause
During the investigation, we identified the following root cause.
Microsoft Azure authoritative servers located in Central Europe (to which your on-prem resolver may or may not be routed) are sending a **non-standard (broken) response** to CNAME queries:
- **NOERROR** — the query is understood and handled correctly
- **NODATA** — no DNS record is associated with the domain (likely a bug on Microsoft authoritative servers)
- **Missing SOA** (Start of Authority) record
- **EDNS** (Extended DNS) is set
Because the SOA record is missing from the response, a default TTL value of **32768 seconds** (approximately 9 hours) is applied. As a result, incorrect records are cached for this duration until correct records are resolved.
***
As part of the mitigation process, your assistance in contacting **Microsoft Azure Support** with the [details of the issue](https://mailman.nic.cz/hyperkitty/list/knot-resolver-users@lists.nic.cz/thread/FI5P5I53N3YINR4D654QEAEXXFGVX7L7/) would be greatly appreciated.
Please accept our apologies for any inconvenience caused.
Since **Friday, December 19th**, we have observed occasional incorrect resolution of a limited set of domains coming from **Microsoft Azure authoritative servers**. This incident occurs under the following conditions:
- **On-prem resolvers** located in **Central Europe** (CZ, SK, PL)
- Domains served by **Microsoft Azure authoritative servers** located in Central Europe
- Domains returning an **incorrect CNAME response**
## Affected domains
Selected domains served by Microsoft Azure authoritative servers; we have observed the following set so far:
> packeta.com, cz.linked.com, www.identita.gov.cz, nis.identita.gov.cz, ares.gov.cz, planeo.cz, login.eset.com, skoda-auto.sk, skoda-auto.cz
## Mitigation steps
#### Immediate Mitigation
Clear the resolver cache:
- Navigate to **Admin Portal → Resolvers → Three dots → Clear resolver cache**
#### Mid-Term Mitigation
Set the default maximum TTL to 3600 seconds (1 hour):
- Navigate to **Admin Portal → Configuration → DNS Resolution**
- Select the configuration associated with your resolvers
- Open **Advanced DNS configuration** and apply:
`cache.max_ttl(3600)`
-- For more details, see the [Knot Resolver documentation](https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#cache.max_ttl)
-- You may set the maximum TTL to lower values; however:
--- This may increase response latency for clients (fewer cached domains)
--- This may increase CPU load (higher frequency of contacting upstream servers)
--- Please monitor resolver performance closely if setting a lower TTL
#### Upcoming Fix
We are also preparing a **hotfix** for the resolvers to prevent this situation in the future. We will inform you once it is released.
## Analysis & Root cause
During the investigation, we identified the following root cause.
Microsoft Azure authoritative servers located in Central Europe (to which your on-prem resolver may or may not be routed) are sending a **non-standard (broken) response** to CNAME queries:
- **NOERROR** — the query is understood and handled correctly
- **NODATA** — no DNS record is associated with the domain (likely a bug on Microsoft authoritative servers)
- **Missing SOA** (Start of Authority) record
- **EDNS** (Extended DNS) is set
Because the SOA record is missing from the response, a default TTL value of **32768 seconds** (approximately 9 hours) is applied. As a result, incorrect records are cached for this duration until correct records are resolved.
***
As part of the mitigation process, your assistance in contacting **Microsoft Azure Support** with the [details of the issue](https://mailman.nic.cz/hyperkitty/list/knot-resolver-users@lists.nic.cz/thread/FI5P5I53N3YINR4D654QEAEXXFGVX7L7/) would be greatly appreciated.
Please accept our apologies for any inconvenience caused.
Components affected
Whalebone Main region Whalebone On-Prem resolvers Whalebone EU-01 Whalebone On-Prem resolversNeed to monitor Whalebone outages?
- Monitor all your external dependencies in one place
- Get instant alerts when outages are detected
- Be the first to know if service is down
- Show real-time status on private or public status page
- Keep your team informed
Latest Updates ( sorted recent to last )
about 2 months ago - at 12/22/2025 03:44PM
## Incident Summary
Since **Friday, December 19th**, we have observed occasional incorrect resolution of a limited set of domains coming from **Microsoft Azure authoritative servers**. This incident occurs under the following conditions:
- **On-prem resolvers** located in **Central Europe** (CZ, SK, PL)
- Domains served by **Microsoft Azure authoritative servers** located in Central Europe
- Domains returning an **incorrect CNAME response**
## Affected domains
Selected domains served by Microsoft Azure authoritative servers; we have observed the following set so far:
> packeta.com, cz.linked.com, www.identita.gov.cz, nis.identita.gov.cz, ares.gov.cz, planeo.cz, login.eset.com, skoda-auto.sk, skoda-auto.cz
## Mitigation steps
#### Immediate Mitigation
Clear the resolver cache:
- Navigate to **Admin Portal → Resolvers → Three dots → Clear resolver cache**
#### Mid-Term Mitigation
Set the default maximum TTL to 3600 seconds (1 hour):
- Navigate to **Admin Portal → Configuration → DNS Resolution**
- Select the configuration associated with your resolvers
- Open **Advanced DNS configuration** and apply:
`cache.max_ttl(3600)`
-- For more details, see the [Knot Resolver documentation](https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#cache.max_ttl)
-- You may set the maximum TTL to lower values; however:
--- This may increase response latency for clients (fewer cached domains)
--- This may increase CPU load (higher frequency of contacting upstream servers)
--- Please monitor resolver performance closely if setting a lower TTL
#### Upcoming Fix
We are also preparing a **hotfix** for the resolvers to prevent this situation in the future. We will inform you once it is released.
## Analysis & Root cause
During the investigation, we identified the following root cause.
Microsoft Azure authoritative servers located in Central Europe (to which your on-prem resolver may or may not be routed) are sending a **non-standard (broken) response** to CNAME queries:
- **NOERROR** — the query is understood and handled correctly
- **NODATA** — no DNS record is associated with the domain (likely a bug on Microsoft authoritative servers)
- **Missing SOA** (Start of Authority) record
- **EDNS** (Extended DNS) is set
Because the SOA record is missing from the response, a default TTL value of **32768 seconds** (approximately 9 hours) is applied. As a result, incorrect records are cached for this duration until correct records are resolved.
***
As part of the mitigation process, your assistance in contacting **Microsoft Azure Support** with the [details of the issue](https://mailman.nic.cz/hyperkitty/list/knot-resolver-users@lists.nic.cz/thread/FI5P5I53N3YINR4D654QEAEXXFGVX7L7/) would be greatly appreciated.
Please accept our apologies for any inconvenience caused.
Latest Whalebone outages
Regulatory domains not being blocked in selected regions - 23 days ago
Degraded Management API performance (timeouts) - about 1 month ago
Degraded dashboard data freshness - about 1 month ago
Resolvers page loads slowly / fails to load - about 1 month ago
Management API outage - about 1 month ago
The Status Page Aggregator with Early Outage Detection
With IsDown, you can monitor all your critical services' official status pages from one centralized dashboard and receive instant alerts the moment an outage is detected. Say goodbye to constantly checking multiple sites for updates and stay ahead of outages with IsDown.
Start free trialNo credit card required · Cancel anytime · 5850 services available
Integrations with
