How not to maintain your DNS (part 22)

June 26, 2016

Much as with the previous installment, this example of bad DNS setup is sufficiently complicated that it's best illustrated in text instead of trying to show DNS output.

We start with the domain At the moment its WHOIS registration says that it has the DNS servers and If you query the nameservers for .com, they will agree with this and give you an IP for each nameserver, and respectively.

According to WHOIS,'s registered nameservers are (ns1 ns2 ns11 ns12), and the .com nameservers agree with this. All of these nameservers report themselves as authoritative for None of them know about either or; in fact they authoritatively claim that neither exist.

As the capstone, neither nor respond to DNS requests, so even if you accept the glue records from the .com nameservers you can't actually resolve anything about Nor do the nameservers have any information about

The results of this are somewhat interesting. Obviously, essentially doesn't exist in DNS; you can't look up an A or MX record for it. Working out why can be a little bit tricky, though. With at least some resolving DNS servers, all you get is a timeout when you query for even just's NS records. In order to hunt things down I had to go digging in WHOIS data and then looking at's own DNS data.

As far as I can guess, this is a version of glue record hell. Gofreeserve does appear to offer DNS handling as one of their services, and at some point clearly it was done through those ns1 and ns2 DNS names. However, things have changed since and not all domains that used them have had their WHOIS data updated. In fact, perhaps some domains have been dropped entirely by Gofreeserve but haven't changed anything. Without glue records in the DNS, we'd probably get a failure to resolve the listed nameservers. With glue records, well, clearly some of the time we get a timeout trying to query them.

(Some casual Internet searches suggest that there are any number of domains still using ns[12] as their DNS servers. I won't speculate why the people behind these domains don't seem to have noticed that they don't work any more, although this case may have a relatively sensible reason, namely that this is probably a secondary domain name for a firm with their primary domain name in .cn.)
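The difference between the two failure modes above (a timeout when glue is followed, a quick failure when the nameserver's name is looked up normally) can be shown with a small offline model. This is an added example, not part of the original post; every domain name and address in it is a constructed placeholder, and only two of the provider's nameservers are modelled.

```python
# Constructed model: placeholder names (.example) and documentation addresses,
# none of them taken from the post.
TIMEOUT = "timeout"

# What the parent (.com-like) zone hands out: NS names per domain, plus glue.
PARENT_NS = {
    "victim.example": ["ns1.oldhost.example", "ns2.oldhost.example"],
    "oldhost.example": ["ns1.newdns.example", "ns2.newdns.example"],
    "newdns.example": ["ns1.newdns.example", "ns2.newdns.example"],
}
GLUE = {
    "ns1.oldhost.example": "192.0.2.1", "ns2.oldhost.example": "192.0.2.2",
    "ns1.newdns.example": "198.51.100.1", "ns2.newdns.example": "198.51.100.2",
}
# Servers that actually answer, and the names that exist in each zone they serve.
ZONES = {
    "oldhost.example": {"oldhost.example", "www.oldhost.example"},
    "newdns.example": {"newdns.example", "ns1.newdns.example", "ns2.newdns.example"},
}
LIVE = {"198.51.100.1": ZONES, "198.51.100.2": ZONES}

def ask(ip, zone, name):
    """One query to one server: timeout, REFUSED, NXDOMAIN or NOERROR."""
    if ip not in LIVE:
        return TIMEOUT            # nothing listens on the glue address any more
    if zone not in LIVE[ip]:
        return "REFUSED"          # server is up but not authoritative for the zone
    return "NOERROR" if name in LIVE[ip][zone] else "NXDOMAIN"

def lookup_ns_name(ns_name):
    """Resolve the nameserver's own name at its zone's servers, ignoring glue."""
    zone = ns_name.split(".", 1)[1]
    for server in PARENT_NS.get(zone, []):
        answer = ask(GLUE[server], zone, ns_name)
        if answer != TIMEOUT:
            return answer
    return TIMEOUT

def audit(domain):
    """Per listed nameserver: (result via glue, result without glue, verdict)."""
    findings = {}
    for ns in PARENT_NS[domain]:
        via_glue = ask(GLUE[ns], domain, domain)
        by_name = lookup_ns_name(ns)
        if via_glue == "NOERROR":
            verdict = "ok"
        elif via_glue == TIMEOUT and by_name == "NXDOMAIN":
            verdict = "orphaned glue"  # parent serves an address its own zone denies
        else:
            verdict = "lame delegation"
        findings[ns] = (via_glue, by_name, verdict)
    return findings
```

Running `audit("victim.example")` reports both listed nameservers as orphaned glue, while `audit("oldhost.example")` reports the provider's current delegation as healthy.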

PS: Since the occasion for me noticing this issue with is something claiming to be it trying to send email to my spamtraps, I'm not too upset about its DNS issues.

Written on 26 June 2016.
Last modified: Sun Jun 26 00:34:15 2016