How not to set up your DNS (part 11)
Presented in the traditional illustrated form:
; dig +short ns hinet.net.tw. reg.hinet.net.tw. www.hinet.net.tw. hinet.net.tw.
This looks good, except for the fact that they all have the same IP address, 184.108.40.206. You would think that a large Taiwanese ISP would be able to afford more than one DNS server, but perhaps they're too busy beefing up their network infrastructure to cope with the amount of spam their customers send. (At the moment Hinet is #4 on Spamhaus.org's list of the 10 worst spam service ISPs, with 53 listings.)
But it gets worse.
; dig +short a ms4.hinet.net.tw @220.127.116.11 18.104.22.168
(Okay, perhaps they only have one IP for all their servers.)
; dig mx ms4.hinet.net.tw @22.214.171.124
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18296
The correct way for a DNS server to answer a query that it doesn't
have any data for is with a response that contains no data.
SERVFAIL causes other people to retry, instead of just going
away. In this case it caused us to not accept email from an alleged
'email@example.com', because every attempt to look up the
record for ms4.hinet.net.tw looked like a temporary failure to us.