DNS oddity

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Sat May 3 19:04:46 UTC 2008


I check www.infonec.ca for deals every once in a while.  This week it 
hasn't been working reliably for me.  Sometimes I get a web page that lets 
me buy domains from Network Solutions or renew the infonec.ca domain.

I decided to track this down today.  The status might have been
different during the week.

- dig www.infonec.ca gives me:

    ;; ANSWER SECTION:
    www.infonec.ca.         3548    IN      CNAME   www.infonec.com.
    www.infonec.com.        7134    IN      A       209.62.72.173

    ;; AUTHORITY SECTION:
    infonec.com.            55267   IN      NS      ns2.pendingrenewaldeletion.com.
    infonec.com.            55267   IN      NS      ns1.pendingrenewaldeletion.com.

(This data comes from the look.ca name servers.  If you walk the tree,
the results are different and correct.)

pendingrenewaldeletion.com. is a Network Solutions nameserver.

209.62.72.173 is a Network Solutions web server that offers domains
(as described above).

It seems odd to me that an Answer Section would include information
about a domain name for which you didn't query (infonec.com).  I would
have thought that it belonged in the Additional Section.

The TTL for the main answers is an hour or two -- reasonable.  The
TTLs for the authority section are questionable considering the
authorities are wrong: over 15 hours.

infonec.ca seems to be properly registered.  It expires on 2018/02/19
so it is unlikely to have been recently renewed (any renewal would be
for an integral number of years).  The registrar is "Can Reg (Infinet
Communications Group)" (not network solutions).  Its name servers are
dns0[12].tor.axxent.ca.

dig @dns02.tor.pathcom.com. www.infonec.ca +tcp:
    ;; ANSWER SECTION:
    www.infonec.ca.		3600	IN	CNAME	www.infonec.com.
    www.infonec.com.	3600	IN	A	207.188.71.50

    ;; AUTHORITY SECTION:
    infonec.com.		3600	IN	NS	dns01.tor.axxent.ca.
    infonec.com.		3600	IN	NS	dns02.tor.axxent.ca.

The CNAME says use www.infonec.com.  Just like the one I get from
look.  But the rest is different.

infonec.com seems to be properly registered.  It expires on
25-apr-2017.  The last update date is 02-may-2008 so maybe they let it
expire and renewed it (with Network Solutions) yesterday.

dig @ns1.pendingrenewaldeletion.com. www.infonec.ca +tcp:
    ;; ANSWER SECTION:
    www.infonec.ca.		7200	IN	A	209.62.72.173

There was no Authority section.  I wonder what that means.

Apparently Network Solutions is still hijacking this AFTER they have
their money.

How is it that Network Solutions can take over a domain like this?  If
the domain had not expired, surely they would not have hijacked it.
If it had expired, how can they legitimately take it over like this?
If it is renewed, how can they ethically have a name server continue
to hijack it?

The offer to "renew this domain" is bogus since the web page was
"www.infonec.ca" and not "infonec.com" and the page says on it
"infonec.ca", a still-registered domain.

Maybe look.ca's DNS is caching improperly.  I really don't
know/remember all the DNS rules.


dig @ns1.pendingrenewaldeletion.com. madeupname73993.ca +tcp:
[long pause]
    ;; ANSWER SECTION:
    madeupname73993.ca.	7200	IN	A	209.62.72.173
(No authority section.)

Hmmm.  I guess that they hijack all names and give the same answer.
That should make for a very fast lookup since no lookup is required.
So why the long pause?  Perhaps to grab the name I queried about?

I guess that the resolver should ignore all answers where the authority
section says *.pendingrenewaldeletion.com.  Or perhaps where there is no
authority section.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
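
Added example, not part of the original message: a small Python check that automates the comparison made by hand above, using the dig output quoted in the message. It assumes the second dig answer (`REFERENCE`) is the one to trust; the names `parse`, `rdata` and `findings` are made up for this illustration.

```python
import re

# dig output copied from the message above (columns collapsed to single spaces).
CACHED = """\
;; ANSWER SECTION:
www.infonec.ca. 3548 IN CNAME www.infonec.com.
www.infonec.com. 7134 IN A 209.62.72.173
;; AUTHORITY SECTION:
infonec.com. 55267 IN NS ns2.pendingrenewaldeletion.com.
infonec.com. 55267 IN NS ns1.pendingrenewaldeletion.com.
"""
REFERENCE = """\
;; ANSWER SECTION:
www.infonec.ca. 3600 IN CNAME www.infonec.com.
www.infonec.com. 3600 IN A 207.188.71.50
;; AUTHORITY SECTION:
infonec.com. 3600 IN NS dns01.tor.axxent.ca.
infonec.com. 3600 IN NS dns02.tor.axxent.ca.
"""
PROBE = """\
;; ANSWER SECTION:
madeupname73993.ca. 7200 IN A 209.62.72.173
"""
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse(text):
    """Return {section: [(name, ttl, type, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"^;; (\w+) SECTION:$", line)
        if head:
            current = sections.setdefault(head[1], [])
        elif current is not None and (m := RR.match(line)):
            current.append((m[1].lower(), int(m[2]), m[3], m[4].lower()))
    return sections

def rdata(sections, section, rtype):
    return {r[3] for r in sections.get(section, []) if r[2] == rtype}

def findings(cached, reference, probe):
    """Compare a cached answer with a reference answer and a made-up-name probe."""
    c, a, p = parse(cached), parse(reference), parse(probe)
    checks = [
        (rdata(c, "ANSWER", "A") != rdata(a, "ANSWER", "A"), "A record differs from reference"),
        (rdata(c, "AUTHORITY", "NS") != rdata(a, "AUTHORITY", "NS"), "NS set differs from reference"),
        (bool(rdata(c, "ANSWER", "A") & rdata(p, "ANSWER", "A")), "address equals catch-all answer for made-up name"),
        ("AUTHORITY" not in p, "probe answer has no authority section"),
    ]
    return [msg for hit, msg in checks if hit]
```

Calling `findings(CACHED, REFERENCE, PROBE)` reports all four conditions for the look.ca answer; passing `REFERENCE` as the first argument leaves only the note about the probe's missing authority section.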




