
Example of some DNS research



Stolen from the spamcop newsgroup;

Fernando wrote:

> Cannot resolve http://www.promovendas.org

I don't know if you have any interest in researching some of these issues, but I think they are educational; and one of the main reasons I started messing around with the hobby or sport of spamfighting was for its educational value.

First, there's the issue of 'watching' SC try to resolve that. If you put the naked url into the parser, you can see SC sit there and work on something for quite a number of seconds. That tells you something about what is going on in the background.

Then, if you want, you can resolve it yourself, and depending upon what kind of tool you are using, you get certain information.

For example, my simple tool tells me that it doesn't have a 'straight' A address, but instead it has a CNAME which has an A address.

05/14/05 15:34:14 dns www.promovendas.org

Mail for www.promovendas.org is handled by smtp.promovendas.org


Canonical name: promovendas.org

Aliases: www.promovendas.org


But then, things start getting much more informative when you use the better tools at DNS stuff. The two I like for this kinda stuff are the dns timing and the dns report -- because they show me all kinds of pieces and parts to the information.

<me> Here's the dns timing:


<me> I don't want to paste in everything that is available there, and the tables are a little trouble too

<EDIT by wazoo - screen shots at http://forum.spamcop.net/forums/index.php?showtopic=4176 >

Time to look up www.promovendas.org A record

<me> <skip the answers from the root servers down to the table of results>

Looking up at ns4.pontonews.net.... [Had to look up A record for ns4.pontonews.net; assume +200ms]...Reports 2 A record(s). 445ms.

Looking up at ns3.pontonews.net.... [Had to look up A record for ns3.pontonews.net; assume +200ms]...Reports 2 A record(s). 6060ms.

Average of all 2 nameservers: 3252ms (plus 297ms overhead).

Score: F

Took off 3 points for ".org" TLD (extra lookups may be required to find the parent servers).

Took off 8 points for having no glue at a parent server [adds 2 extra packets to lookup].

Took off 6 points for having no glue for ns4.pontonews.net [adds 2 extra packets to lookup].

Took off 2 points since ns4.pontonews.net allows recursive lookups (if lots of people are using the server, it can slow down).

Took off 6 points for having no glue for ns3.pontonews.net [adds 2 extra packets to lookup].

Took off 2 points since ns3.pontonews.net allows recursive lookups (if lots of people are using the server, it can slow down).

Took off 3 points for having a CNAME (www.promovendas.org is really promovendas.org., which could potentially cause extra lookups).

Took off 25 points for >700ms average response time.

<me> That timing is a 'reflection' or a different point of view of the kind of information you can get at the dnsreport which is similarly affected by the problems with the nameservice


DNS Report for promovendas.org

<me> Which is especially 'good' [ie interesting/bad] in the nameserver section

FAIL Missing (stealth) nameservers FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNS Report will not query these servers, so you need to be very careful that they are working properly. -- ns2.dialserver.com.br. -- ns1.dialserver.com.br. -- This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).

<me> And there's some more about problems with the stealths

FAIL Stealth NS record leakage Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [ns1.dialserver.com.br.]!

Stealth nameservers are leaked [ns2.dialserver.com.br.]!

This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.

<me> So, you can see that the nameservice for that url is a mess. Whether or not it intentionally blocks spamcop or if it is just too overall pokey can't be determined from our observations.


Mike Easter

kibitzer, not SC admin

R.A.D. says in a following post (edited/snipped a bit)

I suspect the "slow/broken" DNS is primarily intended to defeat SC and possibly other spamtools; either "reporting" or blocking by lookups on message body URLs.

That doesn't stop anyone with *other* tools (SSW; DNSSTUFF; et al) from finding the real stuff. They are hoping that the "average Joe" SpamCop user will take it as "just sh** that happens" and move on.


There's a balance point on slow DNS-- most folks won't wait 30 seconds for a page to "look like it's loading" and move on. They will think that the link is dead.

How many people *really* watch the lower "status" bar of their browser to see the steps in retrieving a webpage??
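The "stealth nameserver" finding in the quoted DNS Report comes down to comparing the NS set the parent zone hands out with the NS set the domain's own servers return. The following is an added example, not part of the original posts or of any tool they mention: the record text is constructed to mirror the nameserver names in the report, and the TTL values are invented for illustration.

```python
# Added example: compare a parent referral with the authoritative NS answer.
# Both record sets are CONSTRUCTED sample data (names from the report above,
# TTLs invented); nothing here performs a live DNS query.
PARENT_REFERRAL = """\
promovendas.org.  86400  IN  NS  ns3.pontonews.net.
promovendas.org.  86400  IN  NS  ns4.pontonews.net.
"""
AUTHORITATIVE_ANSWER = """\
promovendas.org.  3600  IN  NS  ns3.pontonews.net.
promovendas.org.  3600  IN  NS  NS4.pontonews.net.   ; case must not matter
promovendas.org.  3600  IN  NS  ns1.dialserver.com.br.
promovendas.org.  3600  IN  NS  ns2.dialserver.com.br.
"""


def _fqdn(name):
    """Normalise a DNS name: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_ns(text, zone):
    """Return {nameserver: ttl} for the IN NS records owned by `zone`."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected record format: {raw!r}")
        owner, ttl, rclass, rtype, target = fields
        if (rclass.upper(), rtype.upper()) != ("IN", "NS"):
            continue
        if _fqdn(owner) == _fqdn(zone):
            records[_fqdn(target)] = int(ttl)
    return records


def compare_delegation(parent_text, child_text, zone):
    """Report stealth NS, NS missing at the child, and TTL discrepancies."""
    parent = parse_ns(parent_text, zone)
    child = parse_ns(child_text, zone)
    shared = parent.keys() & child.keys()
    return {
        "stealth": sorted(child.keys() - parent.keys()),
        "missing_at_child": sorted(parent.keys() - child.keys()),
        "ttl_mismatch": sorted(n for n in shared if parent[n] != child[n]),
    }


if __name__ == "__main__":
    result = compare_delegation(PARENT_REFERRAL, AUTHORITATIVE_ANSWER,
                                "promovendas.org")
    for finding, names in result.items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```
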
