  1. #1
    -Shay-

    Nameservers - how is this possible?

    Situation - Suppose I have my domain at GoDaddy and nameservers set to point to ns1.xxxxx.co.uk & ns2.xxxxx.co.uk - and have had such settings for well over a year. How is it that when doing a global check (whatsmydns.net), the nameservers appear as something different to what is selected at GoDaddy?

  2. #2
    universal4

    Interesting, and I would like to see examples of this (PM me an example if you feel comfortable).

    Have you checked if the result that shows a different dns server is the same ip?

    Looking at the site you mentioned, I do not see where they actually state what servers they are querying, and it could be they are returning responses from dns servers that do not return accurate responses to start with.

    I have seen examples of public recursive dns servers (especially those that use anycast) provide inaccurate results a portion of the time, and your example might be one of those times. The case I had was using a specific .co.uk and the lookup would fail a portion of the time using a very well known public recursive dns provider, and the error stopped when I switched away from that dns server. I do not know if that server was requesting its lookup from the wrong authoritative server or not, but maybe so.

    Based partially on the ambiguous way they state what they are doing, my guess is that the dns site you mentioned is querying public recursive dns servers (such as those run by ISPs) with the lookup, and that lookup should then query the root servers to get the authoritative name server name and then query the authoritative name server for the correct answer.

    If any of those recursive dns servers do not do a lookup to authoritative servers, then they might be providing an answer from their server's dns cache, which in theory should be correct also, but maybe the cache has been poisoned.

    The most important part of the equation is that the 13 root servers (hundreds of worldwide servers that answer to 13 root server names) have the correct dns server answer that points at the correct authoritative dns server (in your case the correct GoDaddy answer).

    Any time there is a situation where some ISPs point at the wrong dns server for any domain, it could be that anyone using those dns servers cannot reach the desired domain, or it might end up just forcing another lookup to root, which could in theory slow down the lookup slightly, depending on why the lookup was incorrect.

    I have seen some cases of dns poisoning attacks where attackers overload dns servers and try to poison the server's cache with incorrect answers to dns queries, but most of the larger ISPs are aware of this and take steps to keep their caches poison free and clean.

    In the last year or two there has been a fairly severe increase in the number of dns attacks around the world; many are amplification type attacks. Whether the ultimate goal is to take down dns, compromise the server itself or deflect traffic to other servers as in "man in the middle compromises", the fact that UDP dns packets are amplified for responses can be quite devastating to the ISP.

    I would be interested to find out which servers provide the incorrect answers when you run those queries, but I am guessing it is not a flaw in the dns server provider you are using but possibly in the query itself, unless the dns server providing the wrong answer is under attack during the query or has had the cache poisoned.

    Another scenario is the possibility that the answer provided is a correct answer. It could be that a different host name is provided leading to the same ip address for the authoritative name server, in which case the site would still be reached correctly and only the person performing this type of lookup and comparing it to the root servers would see that the host name of the authoritative server is reported differently. (In this scenario, as long as it gets to the correct ip of the name server it is fine.)

    I have tried to respond in such a way as to make it easier to understand for those who may or may not fully understand how dns queries work, so I apologize if a few of my statements are slightly off in the way they are formed.

    There are quite a number of queries that anyone can perform directly from your machine to check to make sure dns is correct using nslookup from the command prompt, and there are a number of tools available on the net that can help determine if dns is set up correctly. Not all ISPs and dns providers do everything the same, and most do NOT form the serial numbers in the SOA record correctly, and often you will find that TTL (time to live) figures vary from ISP to ISP, and some treat the alias to host name differently, but as long as the majority of the records are correctly formed, most site owners should be fine.

    Rick
    Universal4

  3. The Following User Says Thank You to universal4 For This Useful Post:

    -Shay- (21 February 2016)
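
The check suggested in the reply above (does a differently named nameserver still lead to the same IP?) can be automated once NS answers have been collected from several recursive resolvers, for example with nslookup. This is an added example, not part of the original posts; the resolver labels, host names and addresses are constructed sample data, and the function names are illustrative.

```python
from ipaddress import ip_address


def _normalise(answer):
    """Lower-case names, drop the trailing root dot, parse addresses."""
    return {host.strip().lower().rstrip("."): {ip_address(ip) for ip in ips}
            for host, ips in answer.items()}


def classify(expected, observed):
    """Compare one resolver's NS answer with the delegation set at the registrar.

    Both arguments map nameserver host name -> set of IP address strings.
    """
    exp, obs = _normalise(expected), _normalise(observed)
    if not obs:
        return "no-answer"
    exp_ips = set().union(*exp.values())
    verdict = "match"
    for host, ips in obs.items():
        # No address, or an address outside the delegation: stale or
        # poisoned cache, or a changed delegation. Needs investigation.
        if not ips or not ips <= exp_ips:
            return "mismatch"
        if host not in exp:
            # Different host name, same server address (benign case).
            verdict = "same-ip-different-name"
    return verdict


def audit(delegation, answers):
    """Return {resolver label: verdict} for every collected answer."""
    return {name: classify(delegation, obs) for name, obs in answers.items()}


# Constructed sample data: documentation address ranges and made-up names.
DELEGATION = {"ns1.example.co.uk.": {"192.0.2.10"},
              "ns2.example.co.uk.": {"192.0.2.11", "2001:db8::11"}}
RESOLVER_ANSWERS = {
    "resolver-a": {"NS1.example.co.uk": {"192.0.2.10"},
                   "ns2.example.co.uk": {"2001:DB8:0:0:0:0:0:11"}},
    "resolver-b": {"dns1.hosting.example.": {"192.0.2.10"},
                   "dns2.hosting.example.": {"192.0.2.11"}},
    "resolver-c": {"ns1.parked.example.": {"203.0.113.5"}},
    "resolver-d": {},
}

if __name__ == "__main__":
    for resolver, verdict in audit(DELEGATION, RESOLVER_ANSWERS).items():
        print(f"{resolver:12} {verdict}")
```

Only the "mismatch" verdict points at the stale-cache or poisoned-cache cases discussed in the reply; "same-ip-different-name" is the scenario where the site is still reached correctly.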
