I can add a rule to our firewall to allow access to http://www.msftconnecttest.com. It will look up that hostname and use the resulting IP addresses for the security policy. It repeats this process every 20 minutes unless the TTL is shorter, in which case it will re-look up the DNS entry when the TTL expires.
If I look up the DNS entry manually for http://www.msftconnecttest.com, I get this:
www.msftconnecttest.com is an alias for ncsi-geo.trafficmanager.net.
ncsi-geo.trafficmanager.net is an alias for www.msftncsi.com.edgesuite.net.
www.msftncsi.com.edgesuite.net is an alias for a1961.g2.akamai.net.
a1961.g2.akamai.net has address 104.86.182.51
a1961.g2.akamai.net has address 104.86.182.58
If I immediately look that up again I get this:
www.msftconnecttest.com is an alias for ncsi-geo.trafficmanager.net.
ncsi-geo.trafficmanager.net is an alias for www.msftncsi.com.edgesuite.net.
www.msftncsi.com.edgesuite.net is an alias for a1961.g2.akamai.net.
a1961.g2.akamai.net has address 104.86.182.43
a1961.g2.akamai.net has address 104.86.182.82
If my firewall gets the results from the first set and my clients get the result from the second set, they will be blocked from reaching the msftconnect.com page. If I were running some esoteric firewall I could imagine you wouldn't care, but I don't think I'm the only one running a Juniper firewall.
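
An added example, not part of the original post: it parses the two `host` outputs quoted above and lists the addresses a client could be handed that a policy built from the first lookup would not allow. The function names are hypothetical, and the model assumes the firewall permits only the addresses from its own most recent lookup, as the post describes.

```python
import ipaddress
import re

# The two lookups quoted in the post, taken moments apart.
FIRST = """\
www.msftconnecttest.com is an alias for ncsi-geo.trafficmanager.net.
ncsi-geo.trafficmanager.net is an alias for www.msftncsi.com.edgesuite.net.
www.msftncsi.com.edgesuite.net is an alias for a1961.g2.akamai.net.
a1961.g2.akamai.net has address 104.86.182.51
a1961.g2.akamai.net has address 104.86.182.58
"""
SECOND = """\
www.msftconnecttest.com is an alias for ncsi-geo.trafficmanager.net.
ncsi-geo.trafficmanager.net is an alias for www.msftncsi.com.edgesuite.net.
www.msftncsi.com.edgesuite.net is an alias for a1961.g2.akamai.net.
a1961.g2.akamai.net has address 104.86.182.43
a1961.g2.akamai.net has address 104.86.182.82
"""

ALIAS = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
ADDR = re.compile(r"^(\S+) has address (\S+)$")

def parse_host_output(text):
    """Return (cname_chain, set_of_addresses) from `host`-style output."""
    chain, addrs = [], set()
    for line in text.splitlines():
        line = line.strip()
        if m := ALIAS.match(line):
            if not chain:
                chain.append(m.group(1))   # the name originally queried
            chain.append(m.group(2))       # next hop, trailing dot dropped
        elif m := ADDR.match(line):
            addrs.add(ipaddress.ip_address(m.group(2)))
    return chain, addrs

def uncovered(policy_addrs, client_addrs):
    """Addresses a client may connect to that the policy does not allow."""
    return sorted(client_addrs - policy_addrs)

def simulate(policy_lookup, client_lookups):
    """For each client lookup, list the destinations the policy would drop."""
    _, allowed = parse_host_output(policy_lookup)
    return [uncovered(allowed, parse_host_output(c)[1]) for c in client_lookups]

if __name__ == "__main__":
    chain, _ = parse_host_output(FIRST)
    print(" -> ".join(chain))
    for i, missed in enumerate(simulate(FIRST, [FIRST, SECOND]), 1):
        print(f"client lookup {i}: blocked {[str(a) for a in missed] or 'none'}")
```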