DNS records look-up
How the DNS look-up system operates

While working on the Hijacked Domain T616: virginphoto.com it came to my attention that it had no NS records, yet it was resolving a fully legit A record.

drill -t ns virginphoto.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44286
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; virginphoto.com.     IN      NS

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec

drill -t a virginphoto.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 39115
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; virginphoto.com.     IN      A

;; ANSWER SECTION:
virginphoto.com.        21598   IN      A       47.74.9.12

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec

The reason is that a DNS server is actually set up to resolve in the following order (by @funilrys):

Well @Spirillen, the world of DNS is not always as described in the RFCs ... And I coded this part:

If NS could not be found it tries A, if not found it tries AAAA, if not found it tries CNAME, if not found it tries DNAME

Because of misconfigured DNS server (even if I start to think that they did that on purpose .... maybe because of Py-Funceble which was only looking for NS 😂 ) ...

And yeah there were some cases in the past ... Those special cases forced me to code some of those extra steps as a safety!

As demonstrated in the above example, I did actually notice the A records and not the NS while testing the Restricted Repository for active records and which no longer is interesting to keep. Even if you actually might have known this (by being in the business too long) and have forgotten this, this is useful information to learn or re-learn 😃

Have fun finding bandits to block

Written by Spirillen on Apr 24 2020, 3:43 PM.
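
The lookup order quoted above (NS, then A, AAAA, CNAME, DNAME), sketched as an added example; this is not PyFunceble's code and not code from this post. The resolver callable, the function names and every sample record except the virginphoto.com A answer shown in the drill output are assumptions constructed for illustration, so the block runs offline.

```python
from typing import Callable, List, Optional, Tuple

# Record types in the order given in the quoted explanation.
FALLBACK_ORDER = ("NS", "A", "AAAA", "CNAME", "DNAME")

# Hypothetical resolver interface: (fqdn, rtype) -> (rcode, answers).
Resolver = Callable[[str, str], Tuple[str, List[str]]]

# Constructed sample data. Only the first entry mirrors the drill output above.
SAMPLE_ANSWERS = {
    ("virginphoto.com.", "A"): ["47.74.9.12"],
    ("delegated.example.", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("alias.example.", "CNAME"): ["target.example.net."],
}
SAMPLE_NAMES = {name for name, _ in SAMPLE_ANSWERS}


def sample_resolver(fqdn: str, rtype: str) -> Tuple[str, List[str]]:
    """Offline stand-in for a recursive resolver, backed by SAMPLE_ANSWERS."""
    if fqdn not in SAMPLE_NAMES:
        return "NXDOMAIN", []
    # A known name with no data for this type is NOERROR with an empty answer.
    return "NOERROR", list(SAMPLE_ANSWERS.get((fqdn, rtype), []))


def first_record(name: str, resolve: Resolver, order=FALLBACK_ORDER):
    """Walk the fallback order; return (rtype, answers, trail).

    trail lists every (rtype, rcode) queried, so a domain that answers
    A but not NS is visible as such instead of being reported inactive.
    """
    fqdn = name.rstrip(".").lower() + "."
    trail = []
    for rtype in order:
        rcode, answers = resolve(fqdn, rtype)
        trail.append((rtype, rcode))
        if rcode == "NOERROR" and answers:
            return rtype, answers, trail
        # Empty answer or error rcode: keep going, because a misconfigured
        # server may still answer for a later type.
    return None, [], trail


def is_active(name: str, resolve: Resolver) -> bool:
    """A name counts as active if any type in the order returns data."""
    return first_record(name, resolve)[0] is not None


if __name__ == "__main__":
    for domain in ("virginphoto.com", "delegated.example", "missing.example"):
        print(domain, first_record(domain, sample_resolver))
```

Swapping `sample_resolver` for a function that wraps a real DNS library keeps the same fallback logic against live data.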

Event Timeline

The reason for this is that the NS servers hosting this domain are set up to only respond with A records, and it holds no NS records in the domain zone

drill -T virginphoto.com
-- CUT --
com.    172800  IN      NS      d.gtld-servers.net.
virginphoto.com.        172800  IN      NS      dns5.expirenotification.com.
virginphoto.com.        172800  IN      NS      dns6.expirenotification.com.
virginphoto.com.        3600    IN      A       47.245.9.22
.       3600    IN      NS      dns6.expirenotification.com.
.       3600    IN      NS      dns5.expirenotification.com.