[dns-operations] Strange goings on with two domains

Bill Owens owens at nysernet.org
Thu Oct 18 21:19:28 UTC 2012 

This is a case that I don't recall seeing before, and let me start by saying that I have only a tenuous relationship with these domain names; they're for an online store and magazine having to do with small boat building, and I've ordered a couple of things and read a bunch of articles but that's it, they aren't my domains or my websites.

The symptom is simple: neither domain, duckworksbbs.com and duckworksmagazine.com, will resolve, because the com servers have bogus NS records for them:

[cookiemonster:~] owens% dig duckworksmagazine.com @a.gtld-servers.net ns

; <<>> DiG 9.8.3-P2 <<>> duckworksmagazine.com @a.gtld-servers.net ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26991
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;duckworksmagazine.com.     IN  NS

;; AUTHORITY SECTION:
duckworksmagazine.com.  172800  IN  NS  doesnotexistwebterminator2.crystaltech.com.hu.
duckworksmagazine.com.  172800  IN  NS  doesnotexistwebterminator1.crystaltech.com.hu.

;; Query time: 18 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Thu Oct 18 17:09:28 2012
;; MSG SIZE  rcvd: 139

Not only do those hostnames not exist (as one would expect), that domain isn't registered in hu. 

Here's the odd part. These changes have taken place without the permission of the domain owner, who I've contacted by email (he has a Gmail account, thankfully!) They seem to have happened a few hours ago; he told me that he has "been watching the sites go up and down all day." I confirmed that the web servers themselves are fine; this seems to be strictly a DNS issue. And WHOIS still shows the correct servers for both domains:

Leinweber, Chuck
   Duckworks
   608 Gammenthaler
   Harper, TX 78631
   US

   Domain Name: DUCKWORKSMAGAZINE.COM

   ------------------------------------------------------------------------
   Promote your business to millions of viewers for only $1 a month
   Learn how you can get an Enhanced Business Listing here for your domain name.
   Learn more at http://www.NetworkSolutions.com/
   ------------------------------------------------------------------------

   Administrative Contact, Technical Contact:
      Leinweber, Chuck      chuck at duckworksmagazine.com
      Duckworks
      608 Gammenthaler
      Harper, TX 78631
      US
      830-864-4562 fax: 830-864-4197


   Record expires on 18-Nov-2019.
   Record created on 18-Nov-1999.
   Database last updated on 18-Oct-2012 16:42:26 EDT.

   Domain servers in listed order:

   WEBTERMINATOR1.CRYSTALTECH.COM
   WEBTERMINATOR2.CRYSTALTECH.COM

So the question is, how did someone manage to change the servers in the com zone, without changing the WHOIS records, and without permission from the admin/technical contact? 

Bill.

More information about the dns-operations mailing list