While working on the Hijacked Domain T616: virginphoto.com, it came to my attention that it had no NS records, yet it was resolving a fully legit A record.
drill -t ns virginphoto.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44286
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; virginphoto.com.	IN	NS

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec

drill -t a virginphoto.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 39115
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; virginphoto.com.	IN	A

;; ANSWER SECTION:
virginphoto.com.	21598	IN	A	18.104.22.168

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
The reason is that a DNS server is actually set up to resolve in the following order (by @funilrys):
Well @Spirillen, the world of DNS is not always as described in the RFCs ... And I coded this part:
If NS could not be found, it tries A; if not found, it tries AAAA; if not found, it tries CNAME; if not found, it tries DNAME.
Because of misconfigured DNS servers (even if I start to think that they did that on purpose ... maybe because of PyFunceble, which was only looking for NS 😂) ...
And yeah, there were some cases in the past ... Those special cases forced me to code some of those extra steps as a safety!
As demonstrated in the above example, I did actually notice the A records and not the NS while testing the Restricted Repository for active records and for which ones are no longer interesting to keep. Even if you might have known this (by being in the business too long) and have forgotten it, this is useful information to learn or re-learn 😃
Have fun finding bandits to block
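The fallback order quoted above (NS, then A, AAAA, CNAME, DNAME) is easy to get subtly wrong, because an empty answer (NOERROR with ANSWER: 0, exactly what the first drill output shows) and NXDOMAIN must be treated differently: the first means "name exists, no record of that type, try the next type", the second means "name does not exist, stop". The script below is an added example written for this page, not PyFunceble's own code. It runs the lookup chain against constructed zone data that mirrors the virginphoto.com case (apex A record, no NS), so it works offline; the optional `dnspython_query` adapter is an assumption that dnspython 2.x is installed and is the only path that touches the network.

```python
"""Fallback record lookup in the order the thread describes: NS, A, AAAA, CNAME, DNAME.

Added example for this page; constructed zone data, not a real zone dump.
"""
from typing import Callable, Dict, List, Optional, Tuple

LOOKUP_ORDER: Tuple[str, ...] = ("NS", "A", "AAAA", "CNAME", "DNAME")


class NoAnswer(Exception):
    """rcode NOERROR, ANSWER: 0 -> the name exists but has no record of this type."""


class NXDomain(Exception):
    """rcode NXDOMAIN -> the name does not exist at all; asking for other types is pointless."""


# A query function takes (domain, rdtype) and returns the record data as strings,
# raising NoAnswer / NXDomain for the two empty outcomes.
QueryFn = Callable[[str, str], List[str]]


def find_active_record(domain: str, query: QueryFn,
                       order: Tuple[str, ...] = LOOKUP_ORDER) -> Optional[Tuple[str, List[str]]]:
    """Walk the lookup order and return (rdtype, records) for the first type that answers.

    NoAnswer moves on to the next type; NXDomain aborts immediately; any other
    exception (timeout, SERVFAIL) propagates so the caller can retry or log it.
    """
    for rdtype in order:
        try:
            records = query(domain, rdtype)
        except NoAnswer:
            continue
        except NXDomain:
            return None
        if records:
            return rdtype, records
    return None


# --- constructed zone data (offline stand-in for a resolver) -----------------
FAKE_ZONES: Dict[str, Dict[str, List[str]]] = {
    # Mirrors the drill output on this page: an apex A record and no NS at all.
    "virginphoto.com.": {"A": ["18.104.22.168"]},
    # A normally delegated zone; NS is found first and wins.
    "example.org.": {"NS": ["ns1.example.org.", "ns2.example.org."], "A": ["192.0.2.10"]},
    # A host that only has a CNAME; NS, A and AAAA all come back empty first.
    "www.example.org.": {"CNAME": ["example.org."]},
}

QUERY_LOG: List[Tuple[str, str]] = []  # every (domain, rdtype) the fake resolver saw


def fake_query(domain: str, rdtype: str) -> List[str]:
    """Offline query function over FAKE_ZONES, raising like a real resolver would."""
    name = domain if domain.endswith(".") else domain + "."
    QUERY_LOG.append((name, rdtype))
    zone = FAKE_ZONES.get(name)
    if zone is None:
        raise NXDomain(name)
    if rdtype not in zone:
        raise NoAnswer(f"{name} {rdtype}")
    return list(zone[rdtype])


def dnspython_query(domain: str, rdtype: str) -> List[str]:
    """Network-backed query function. Assumption: dnspython >= 2.0 is installed."""
    import dns.resolver  # imported lazily so the offline parts never need it
    try:
        answer = dns.resolver.resolve(domain, rdtype)
    except dns.resolver.NoAnswer as exc:
        raise NoAnswer(f"{domain} {rdtype}") from exc
    except dns.resolver.NXDOMAIN as exc:
        raise NXDomain(domain) from exc
    # NoNameservers / Timeout deliberately propagate: they are resolver failures,
    # not statements about the zone.
    return [rdata.to_text() for rdata in answer]


if __name__ == "__main__":
    for name in ("virginphoto.com", "example.org", "www.example.org", "nonexistent.example"):
        QUERY_LOG.clear()
        print(name, "->", find_active_record(name, fake_query), "queries:", QUERY_LOG)
```

Swap `fake_query` for `dnspython_query` to run the same chain against a live resolver. The query log is what makes the NXDOMAIN short-circuit visible: a non-existent name costs one query, while virginphoto.com costs two (NS empty, A answered), which is why a tool checking only NS would have marked it inactive.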
The reason for this is that the NS servers hosting this domain are set up to only respond with A records, and the domain zone holds no NS records.
drill -T virginphoto.com
-- CUT --
com.	172800	IN	NS	d.gtld-servers.net.
virginphoto.com.	172800	IN	NS	dns5.expirenotification.com.
virginphoto.com.	172800	IN	NS	dns6.expirenotification.com.
virginphoto.com.	3600	IN	A	22.214.171.124
.	3600	IN	NS	dns6.expirenotification.com.
.	3600	IN	NS	dns5.expirenotification.com.