Paul Vixie vixie at
Sun Apr 13 18:35:20 UTC 2008

Jon.Kibler at ("Jon R. Kibler") writes:

> Anyone have any info on either of these domains?
> I have seen several recent web sites that had an iframe
> that pointed to and "interesting" / hidden
> links to
> Haven't found much of use in a quick search of Google,
> except for a few claims of fraud against them. I suspect
> that they are somehow related to affiliate programs?
> TIA for anything you may be able to tell me!

the nameservers who answered questions about in the last ~150
days were:

the A RR is stable, no flux at all.  the nameservers are stable, also no flux.

1198886670 an IN A 1800,
1197752951 ns IN NS 1800, \
        1800, \
        1800, \
        1800, \
        1800, \
        1800, \
        1800, \
        1800, \
        1800, \
        1800, \

note that there are no actual "" nameservers,
so i suspect that somebody somewhere forgot a trailing "." or had the wrong
$ORIGIN or something.  this is in the zone, or at least, it's in all answers
from the zone's servers, it's consistent enough that i expect it's in-zone
rather than some kind of dns load balancing error.

most traffic seen under is A RR responses, here are the top 10
out of ~4600 or so:

it's pretty damning stuff.  the nameservers who produce these are, in order
by frequency (downward):

(no overlap with the nameservers shown earlier.)  the A RR's
given by these * answers are always one of these three:

        900, 900,
        900, 900,
        900, 900,

that is, two A RRs in an RRset, TTL 900.  the first two are overwhelmingly
more frequent than the third one.  looks like some kind of load balancing.

there's a similar but less frequent pattern, *, whose A RRs
are always one of these two sets:

	900, 900,
	900, 900,

the MX RRs for are always

	900,10, 900,20,

except one recent sighting of the following:

	900,10, 900,10,

there are also A RRs for 3LDs hop, www, ssl, and zzz, plus a 2LD A RR.

i hope this helps.  it's all courtesy of ISC SIE and our generous sensors,
of whom i would welcome more.  if you run a recursive nameserver for some
population, and are willing to share your upstream server-to-server traffic
with ISC for use in security research and operations, plz send me e-mail.
Paul Vixie
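
The missing trailing "." / wrong $ORIGIN mistake suspected in the message above, as an added example that is not part of the original post: a small zone-file check that flags NS targets which look like absolute names but were written as relative ones. The zone text and all names (example.com, example.net, 192.0.2.10) are constructed; the `TLD_HINT` list and the requirement that records carry an explicit `IN` class are simplifying assumptions.

```python
import re

# Assumed short list of TLDs hinting that an absolute name was intended.
TLD_HINT = ("com", "net", "org", "info", "biz")
# Assumes records carry an explicit class, e.g. "@ 1800 IN NS target".
NS_RE = re.compile(r"\sIN\s+NS\s+(\S+)", re.IGNORECASE)

def expand(name, origin):
    """RFC 1035 master-file rule: a name without a trailing dot is
    relative, so the current $ORIGIN is appended to it."""
    origin = origin.rstrip(".").lower() + "."
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def suspicious_ns_targets(zone_text, default_origin):
    """Return (as_written, as_served) pairs for NS targets that look like
    an FQDN written without its trailing dot."""
    origin = default_origin
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1]                   # later names use the new origin
            continue
        match = NS_RE.search(" " + line)
        if not match or match.group(1).endswith("."):
            continue                             # not NS, or already absolute
        target = match.group(1)
        labels = target.lower().split(".")
        if len(labels) >= 2 and labels[-1] in TLD_HINT:
            findings.append((target, expand(target, origin)))
    return findings

# Constructed sample zone, not data from the post.
ZONE = """\
$ORIGIN example.com.
@    1800 IN NS ns1.example.net.   ; correct: absolute name
@    1800 IN NS ns2.example.net    ; trailing dot forgotten
@    1800 IN NS ns3                ; relative on purpose
www  1800 IN A  192.0.2.10
"""

if __name__ == "__main__":
    for written, served in suspicious_ns_targets(ZONE, "example.com."):
        print(f"{written!r} is served as {served!r}")
```
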
