Wandering Thoughts archives


How not to maintain your DNS (part 22)

Much like the previous installment, this example of bad DNS setup is sufficiently complicated that it's best illustrated in text instead of trying to show DNS output.

We start with the domain zshine.com. At the moment its WHOIS registration says that it has the DNS servers ns1.gofreeserve.com and ns2.gofreeserve.com. If you query the nameservers for .com, they will agree with this and give you an IP for each nameserver, and respectively.

According to WHOIS, gofreeserve.com's registered nameservers are (ns1 ns2 ns11 ns12).lampnetworks.com, and the .com nameservers agree with this. All of these nameservers report themselves as authoritative for gofreeserve.com. None of them know about either ns1.gofreeserve.com or ns2.gofreeserve.com; in fact they authoritatively claim that neither exists.

As the capstone, neither nor respond to DNS requests, so even if you accept the glue records from the .com nameservers you can't actually resolve anything about zshine.com. Nor do the lampnetworks.com nameservers have any information about zshine.com.

The results of this are somewhat interesting. Obviously, zshine.com essentially doesn't exist in DNS; you can't look up an A or MX record for it. Working out why can be a little bit tricky, though. With at least some resolving DNS servers, all you get is a timeout when you query for even just zshine.com's NS records. In order to hunt things down I had to go digging in WHOIS data and then look at gofreeserve.com's own DNS data.

As far as I can guess, this is a version of glue record hell. Gofreeserve does appear to offer DNS handling as one of their services, and at some point clearly it was done through those ns1 and ns2 DNS names. However, things have changed since and not all domains that used them have had their WHOIS data updated. In fact, perhaps some domains have been dropped entirely by Gofreeserve but haven't changed anything. Without glue records in the DNS, we'd probably get a failure to resolve the listed nameservers. With glue records, well, clearly some of the time we get a timeout trying to query them.
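The cross-check described above (parent delegation and glue versus what the nameserver names' own zone says, then a direct probe of each address) can be written down as a small classifier. This is an added example, not code from the original post: `check_delegation`, `auth_lookup` and `probe` are hypothetical names, the observations are constructed to mirror the post, and the IP addresses are RFC 5737 documentation placeholders because the page does not give the real ones.

```python
TIMEOUT, NXDOMAIN, AUTH = "timeout", "nxdomain", "authoritative"

def check_delegation(zone, delegation, auth_lookup, probe):
    """Compare the parent's delegation for `zone` with reality.

    delegation:  {ns_name: glue_ip or None} as handed out by the parent zone
    auth_lookup: ns_name -> IP, or NXDOMAIN, per the NS name's own zone
    probe:       (ip, zone) -> AUTH, "lame" or TIMEOUT for a direct query
    """
    findings, working = [], 0
    for ns, glue in sorted(delegation.items()):
        owner_says = auth_lookup(ns)
        if glue and owner_says == NXDOMAIN:
            findings.append((ns, "orphan glue: owning zone says name does not exist"))
        elif glue and owner_says != glue:
            findings.append((ns, f"glue {glue} disagrees with owning zone ({owner_says})"))
        # Resolvers use glue when present; otherwise they must resolve the name.
        addr = glue or (None if owner_says == NXDOMAIN else owner_says)
        if addr is None:
            findings.append((ns, "nameserver name cannot be resolved"))
            continue
        reply = probe(addr, zone)
        if reply == AUTH:
            working += 1
        elif reply == TIMEOUT:
            findings.append((ns, f"{addr} does not answer DNS queries"))
        else:
            findings.append((ns, f"{addr} answers but is not authoritative (lame)"))
    verdict = "unresolvable" if working == 0 else "degraded" if findings else "ok"
    return findings, verdict

# Constructed observations mirroring the post; IPs are RFC 5737 placeholders.
WITH_GLUE = {"ns1.gofreeserve.com": "192.0.2.1", "ns2.gofreeserve.com": "192.0.2.2"}
NO_GLUE = {name: None for name in WITH_GLUE}   # the "without glue" counterfactual
owner = lambda ns: NXDOMAIN        # gofreeserve.com's servers deny ns1/ns2 exist
dead = lambda ip, zone: TIMEOUT    # the glue addresses never answer

def demo():
    return (check_delegation("zshine.com", WITH_GLUE, owner, dead),
            check_delegation("zshine.com", NO_GLUE, owner, dead))

if __name__ == "__main__":
    for findings, verdict in demo():
        print(verdict)
        for ns, problem in findings:
            print(f"  {ns}: {problem}")
```

With glue, each nameserver yields two findings (orphan glue plus an unanswered query, the timeout case); without glue, the only finding is that the nameserver name cannot be resolved, which is the fast failure the paragraph above contrasts it with.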

(Some casual Internet searches suggest that there are any number of domains still using ns[12].gofreeserve.com as their DNS servers. I won't speculate why the people behind these domains don't seem to have noticed that they don't work any more, although this case may have a relatively sensible reason, namely that this is probably a secondary domain name for a firm with their primary domain name in .cn.)

PS: Since the occasion for me noticing this issue with zshine.com is something claiming to be it trying to send email to my spamtraps, I'm not too upset about its DNS issues.

sysadmin/HowNotToDoDNSXXII written at 00:34:15
