On Thu, 2003-10-09 at 09:11, Vinny Abello wrote:
> They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers... Another question is why is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information is invalid listed on their whois server. They might have a credit card transaction although that too could always be a stolen credit card number.
>
> Any other ideas or different angles/experiences?
Looks like there was a slight misinterpretation of the DNS records. The 2hr TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ), which means it would take up to 2 hours to switch DNS servers (probably longer, due to red tape). However, the DNS servers aren't what's being rotated. It's the data that they are giving that's rotating, hence the 2-minute TTL. ALL of the nsX.uzc12.biz servers' record changes will be seen w/in 2 minutes, not just one of them.

Also, after doing some preliminary digging, it would seem that the GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact, 7200 seems high compared to some other ones I found.

--Gar
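The distinction drawn in the reply above (a stable NS delegation with a 7200-second TTL versus record data that rotates under a 120-second TTL), as an added example that is not part of either message. It groups dig-style answer lines from repeated polls into RRsets and reports which ones actually change; `example.biz`, the 192.0.2.x addresses, the poll times and the 300-second threshold are constructed assumptions, not data from the thread.

```python
from collections import defaultdict

# Constructed polls: (seconds since first poll, dig-style answer line).
# example.biz and the 192.0.2.0/24 addresses are placeholders, not thread data.
SAMPLES = [
    (0,   "example.biz.     7200 IN NS ns1.example.biz."),
    (0,   "example.biz.     7200 IN NS ns2.example.biz."),
    (0,   "www.example.biz. 120  IN A  192.0.2.10"),
    (0,   "www.example.biz. 120  IN A  192.0.2.11"),
    (150, "example.biz.     7200 IN NS ns1.example.biz."),
    (150, "example.biz.     7200 IN NS ns2.example.biz."),
    (150, "www.example.biz. 120  IN A  192.0.2.12"),
    (150, "www.example.biz. 120  IN A  192.0.2.13"),
    (300, "example.biz.     7200 IN NS ns2.example.biz."),
    (300, "example.biz.     7200 IN NS ns1.example.biz."),
    (300, "www.example.biz. 120  IN A  192.0.2.14"),
    (300, "www.example.biz. 120  IN A  192.0.2.10"),
]

def parse(line):
    """Split 'name ttl class type rdata' into normalized fields."""
    name, ttl, _cls, rtype, rdata = line.split(None, 4)
    return name.lower(), rtype.upper(), int(ttl), rdata.strip().lower()

def summarize(samples):
    """Per RRset: published TTL, number of polls, and how often the set changed."""
    polls = defaultdict(lambda: defaultdict(set))  # (name, type) -> time -> rdata
    ttls = defaultdict(int)
    for when, line in samples:
        name, rtype, ttl, rdata = parse(line)
        polls[(name, rtype)][when].add(rdata)
        # Keep the highest TTL seen; cached answers count down from it.
        ttls[(name, rtype)] = max(ttls[(name, rtype)], ttl)
    report = {}
    for key, by_time in polls.items():
        sets = [frozenset(by_time[t]) for t in sorted(by_time)]
        changes = sum(1 for a, b in zip(sets, sets[1:]) if a != b)
        report[key] = {"ttl": ttls[key], "polls": len(sets), "changes": changes,
                       "distinct_rdata": len(set().union(*sets))}
    return report

def rotating(report, max_ttl=300):
    """RRsets whose data changed between polls under a short TTL (assumed cutoff)."""
    return sorted(k for k, v in report.items()
                  if v["changes"] > 0 and v["ttl"] <= max_ttl)

if __name__ == "__main__":
    for key, row in sorted(summarize(SAMPLES).items()):
        print(key, row)
```

Comparing whole RRsets per poll, rather than individual lines, keeps a reordered but identical NS answer from being counted as a change.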