Hi gang,
I am looking into a dns problem. My resolvers are attempting to resolve various hosts under "axonplatform.net", but its nameservers aren't responding, resulting in many many many repeated queries that end up going nowhere. I dug around a bit and the nameservers for the domain are "ns1.suspended-for.spam-and-abuse.com." and so forth. The domain registrar is godaddy and it doesn't make a whole lot of sense for them to point the nameservers for any domain at non-functioning hosts, and these have been dead for at least a few days now that I know about.
Can anyone enlighten me as to what the deal might be here?
Thank you.
rslv1:~# dig -t ns axonplatform.net.

; <<>> DiG 9.2.4 <<>> -t ns axonplatform.net.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42266
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;axonplatform.net. IN NS

;; ANSWER SECTION:
axonplatform.net. 114343 IN NS ns1.suspended-for.spam-and-abuse.com.
axonplatform.net. 114343 IN NS ns2.suspended-for.spam-and-abuse.com.

;; Query time: 0 msec
;; SERVER: 65.127.32.36#53(65.127.32.36)
;; WHEN: Sun Nov 16 18:12:00 2008
;; MSG SIZE rcvd: 102
Name has been suspended for "supposed" abuse by the godaddy abuse team.
I believe the only recourse is to email abuse@godaddy.com (cc president@godaddy.com) asking what they want to release the domain to you. I believe the usual charge is like $75 or so.
--Rohan
On Sun, 16 Nov 2008 10:10:20 -0800 mike <mike-nanog@tiedyenetworks.com> wrote:
> Hi gang,
> I am looking into a dns problem. My resolvers are attempting to resolve various hosts under "axonplatform.net", but its nameservers aren't responding, resulting in many many many repeated queries that end up going nowhere. I dug around a bit and the nameservers for the domain are "ns1.suspended-for.spam-and-abuse.com." and so forth. The domain registrar is godaddy and it doesn't make a whole lot of sense for them to point the nameservers for any domain at non-functioning hosts, and these have been dead for at least a few days now that I know about.
> Can anyone enlighten me as to what the deal might be here?
> Thank you.
> rslv1:~# dig -t ns axonplatform.net.
>
> ; <<>> DiG 9.2.4 <<>> -t ns axonplatform.net.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42266
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;axonplatform.net. IN NS
>
> ;; ANSWER SECTION:
> axonplatform.net. 114343 IN NS ns1.suspended-for.spam-and-abuse.com.
> axonplatform.net. 114343 IN NS ns2.suspended-for.spam-and-abuse.com.
>
> ;; Query time: 0 msec
> ;; SERVER: 65.127.32.36#53(65.127.32.36)
> ;; WHEN: Sun Nov 16 18:12:00 2008
> ;; MSG SIZE rcvd: 102
I don't think he wants the domain. The problem is Godaddy listing NS records for some domains (for any reason) to only DNS servers that were all down or didn't exist. The entry of only lame DNS servers is an inconclusive situation and doesn't let a message be permanently rejected as spam; it's indistinguishable from a temporary failure of all that domain's DNS servers.
It also causes (hopefully non-fatal) problems for hosts looking up the contacting host's ip, like wasteful repeated queries.
This is not good behavior on the registrar's part; Godaddy would almost be better serving the internet community by ignoring spam and doing nothing, or forwarding reports to ISPs rather than introducing lame DNS zones.
Registrars aren't really in a place to be able to stop spam; the spammer can simply use any domain or have their reverse zone changed accordingly, if they have custom reverse.
But for a registrar to do their best.. by pulling domains where they have proof the owner has performed or authorized spam, they should pull the domain from the TLD zone entirely and let the response be NXDOMAIN.
A NXDOMAIN response allows the mail server to definitively reject the message and move on.
--
-J
On Sun, Nov 16, 2008 at 12:19 PM, Rohan Sheth <rohan@rs3net.net> wrote:
> Name has been suspended for "supposed" abuse by the godaddy abuse team.
> I believe the only recourse is to email abuse@godaddy.com (cc president@godaddy.com) asking what they want to release the domain to you. I believe the usual charge is like $75 or so.
> --Rohan
Chances are if the domain has been sandboxed, it was because it was involved in some kind of phishing scheme, not spam. This is the typical way of mitigating fast flux botnets. So I don't agree with the assessment that this is bad behavior on the part of GoDaddy - to the contrary, they are acting quite responsibly.
AF
James Hess wrote:
> I don't think he wants the domain. The problem is Godaddy listing NS records for some domains (for any reason) to only DNS servers that were all down or didn't exist. The entry of only lame DNS servers is an inconclusive situation and doesn't let a message be permanently rejected as spam; it's indistinguishable from a temporary failure of all that domain's DNS servers.
> It also causes (hopefully non-fatal) problems for hosts looking up the contacting host's ip, like wasteful repeated queries.
> This is not good behavior on the registrar's part; Godaddy would almost be better serving the internet community by ignoring spam and doing nothing, or forwarding reports to ISPs rather than introducing lame DNS zones.
> Registrars aren't really in a place to be able to stop spam; the spammer can simply use any domain or have their reverse zone changed accordingly, if they have custom reverse.
> But for a registrar to do their best.. by pulling domains where they have proof the owner has performed or authorized spam, they should pull the domain from the TLD zone entirely and let the response be NXDOMAIN.
> A NXDOMAIN response allows the mail server to definitively reject the message and move on.
> --
> -J
> On Sun, Nov 16, 2008 at 12:19 PM, Rohan Sheth <rohan@rs3net.net> wrote:
> > Name has been suspended for "supposed" abuse by the godaddy abuse team.
> > I believe the only recourse is to email abuse@godaddy.com (cc president@godaddy.com) asking what they want to release the domain to you. I believe the usual charge is like $75 or so.
> > --Rohan
--
Andrew Fried
andrew.fried@gmail.com
It's also not effective in various situations. The bad behavior is not disabling abused domains, it's the method used to do it (by giving no answer instead of actively giving a negative answer). When a http client asks recursive resolver A for an A RR, and no response is received, the client will then go to recursive resolver B and make the very same query again, and possibly on to recursive resolver C. One of the secondary/tertiary recursive resolvers may hand the client a cached response that had been obtained before the registrar took any action. If instead recursive resolver A returned a NXDOMAIN, that would be the end of it, no new queries, the answer has returned name does not exist. The impact of the additional queries can be significant as well.
--
-J
On Sun, Nov 16, 2008 at 4:38 PM, Andrew Fried <andrew.fried@gmail.com> wrote:
> Chances are if the domain has been sandboxed, it was because it was involved in some kind of phishing scheme, not spam. This is the typical way of mitigating fast flux botnets. So I don't agree with the assessment that this is bad behavior on the part of GoDaddy - to the contrary, they are acting quite responsibly.
> AF
On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia@gmail.com> wrote:
> One of the secondary/tertiary recursive resolvers may hand the client a cached response that had been obtained before the registrar took any action.
Yes, and that'd make a good case for the good old ops practice of dialing down the TTL for a while before any NS change is made.
--srs
or how about using an NS that returns ICMP errors instead of NXDOMAIN, perhaps using anycast for reducing network load?
Would that stop the timeout errors? server is still lame, you just know faster?
On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia@gmail.com> wrote:
> > One of the secondary/tertiary recursive resolvers may hand the client a cached response that had been obtained before the registrar took any action.
> Yes, and that'd make a good case for the good old ops practice of dialing down the TTL for a while before any NS change is made.
> --srs
-- Jeremy Jackson Coplanar Networks (519)489-4903 http://www.coplanar.net jerj@coplanar.net
In message <1226880169.6912.321.camel@ragnarok>, Jeremy Jackson writes:
> or how about using an NS that returns ICMP errors instead of NXDOMAIN, perhaps using anycast for reducing network load?
ICMP is not particularly useful unless the nameserver uses connected sockets. Now that randomised ports are used this well may be true but there are still lots of nameservers that don't see the ICMP message even if it makes it past the firewalls.
> Would that stop the timeout errors? server is still lame, you just know faster?
> On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> > On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia@gmail.com> wrote:
> > > One of the secondary/tertiary recursive resolvers may hand the client a cached response that had been obtained before the registrar took any action.
> > Yes, and that'd make a good case for the good old ops practice of dialing down the TTL for a while before any NS change is made.
> > --srs
> -- Jeremy Jackson Coplanar Networks (519)489-4903 http://www.coplanar.net jerj@coplanar.net
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
Why not just return NXDOMAIN if you are going to all of that trouble and be guaranteed that it'll work for standards-compliant caching resolvers? I don't see what would be available to gain by adding this extra complexity, and there's certainly a (much) lesser guarantee, or so I would tend to believe, that things will stop asking if they get an ICMP unreach as opposed to an NXDOMAIN.
- S
-----Original Message-----
From: Jeremy Jackson [mailto:jerj@coplanar.net]
Sent: Sunday, November 16, 2008 7:03 PM
To: Suresh Ramasubramanian
Cc: nanog@nanog.org
Subject: Re: godaddy spam / abuse suspensions?
or how about using an NS that returns ICMP errors instead of NXDOMAIN, perhaps using anycast for reducing network load?
Would that stop the timeout errors? server is still lame, you just know faster?
On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia@gmail.com> wrote:
> > One of the secondary/tertiary recursive resolvers may hand the client a cached response that had been obtained before the registrar took any action.
> Yes, and that'd make a good case for the good old ops practice of dialing down the TTL for a while before any NS change is made.
> --srs
-- Jeremy Jackson Coplanar Networks (519)489-4903 http://www.coplanar.net jerj@coplanar.net
On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia@gmail.com> wrote:
> > One of the secondary/tertiary recursive resolvers may hand the client a cached response that had been obtained before the registrar took any action.
> Yes, and that'd make a good case for the good old ops practice of dialing down the TTL for a while before any NS change is made.
That would work only if Godaddy was considering suspending it for greater than TTL time before actually suspending them...it takes the same time to dial-down TTL (old TTL time) then change it, as it does to just change it outright.
-- Jeremy Jackson Coplanar Networks (519)489-4903 http://www.coplanar.net jerj@coplanar.net
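Added example (not part of any message in the thread): a small Python model of the failover James Hess describes earlier, where a stub resolver moves from recursive resolver A to B to C when it gets no answer but stops at the first NXDOMAIN. The resolver model, the names Recursive, stub_lookup and simulate, the query name, the address and the TTL values are all constructed assumptions, and real resolvers retry more than this model does.

```python
from dataclasses import dataclass, field

TIMEOUT, NXDOMAIN = "TIMEOUT", "NXDOMAIN"
NEG_TTL = 900          # constructed negative-cache TTL, seconds

@dataclass
class Recursive:
    """Toy recursive resolver: a cache in front of the authoritative side."""
    name: str
    cache: dict = field(default_factory=dict)    # qname -> (answer, expires_at)
    upstream: int = 0                            # queries sent upstream

    def resolve(self, qname, now, authoritative):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:                 # unexpired entry, stale or not
            return hit[0]
        self.upstream += 1
        answer = authoritative(qname)
        if answer == NXDOMAIN:                   # negative answers are cacheable
            self.cache[qname] = (NXDOMAIN, now + NEG_TTL)
        return answer                            # a timeout leaves nothing to cache

def lame(qname):       # delegation points at servers that never answer
    return TIMEOUT

def removed(qname):    # name pulled from the parent zone
    return NXDOMAIN

def stub_lookup(qname, resolvers, now, authoritative):
    """Ask each configured resolver in turn; only 'no answer' moves on."""
    asked = []
    for r in resolvers:
        asked.append(r.name)
        answer = r.resolve(qname, now, authoritative)
        if answer != TIMEOUT:
            return answer, asked
    return TIMEOUT, asked

def simulate(authoritative, lookups=5, qname="www.suspended.example."):
    """Three resolvers; C still holds an address cached before the takedown."""
    a, b = Recursive("A"), Recursive("B")
    c = Recursive("C", cache={qname: ("192.0.2.10", 3600)})   # constructed data
    results = [stub_lookup(qname, [a, b, c], now, authoritative)
               for now in range(0, lookups * 60, 60)]          # one lookup a minute
    return results, a.upstream + b.upstream + c.upstream

if __name__ == "__main__":
    for label, auth in (("lame delegation", lame), ("NXDOMAIN", removed)):
        results, upstream = simulate(auth)
        print(label, results[0], "upstream queries:", upstream)
```

With five lookups a minute apart, the lame delegation costs ten upstream queries and the client still ends up with the stale address held by C. With NXDOMAIN the search stops at A after a single upstream query, and the negative answer is served from cache afterwards.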
participants (8)
- Andrew Fried
- James Hess
- Jeremy Jackson
- Mark Andrews
- mike
- Rohan Sheth
- Skywing
- Suresh Ramasubramanian