
Hostile Nameserver Takeover? HELP!


Chris Buckley

Jul 24, 2003, 5:07:09 PM
I'm having this most annoying problem lately, and believe it may be someone
hostile to my interests trying to block my nameservers. Hoping someone
could point me in the right direction.

To simplify the problem, I will deal with two separate domains in my
examples.

I have the server:
buckleytech.com (69.61.4.99)
which uses the nameservers ns7.nethostco.com and ns8.nethostco.com

This site always works, my mail goes through, etc. I am also running two
nameservers on the same machine (at different IP addresses). These are
ns1.buckleytech.com (69.61.4.99) and ns2.buckleytech.com (69.61.5.6)

Everything was running just fine, and then one night the mailflow just
halted, and I couldn't even ping the nameservers anymore. An nslookup
provided the following info:
ns1.buckleytech.com is 216.67.251.107, ns2.buckleytech.com is 216.67.251.108
and buckleytech.com is 69.61.4.99. The buckleytech.com website worked just
fine, but all of the client domains: for example chris-buckley.com -> Lookup
Failed, wouldn't work. The 216 addresses belong to hostdime, who refuses to
help because I'm not a customer. My current host states that as long as I'm
querying the nameserver at 69.61.4.99, chris-buckley.com resolves correctly,
so it's not their problem.

I re-registered the nameserver zones, and everything was fine again in 48
hours. I get up the next morning, and I'm back to the same old problem.
Someone had overwritten my ns1.buckleytech.com and ns2.buckleytech.com
records, and all of the client domains were checking hostdime servers, where
there were no client domains registered.

Is there something I can do to resolve this? Everybody is telling me that
it's not their problem, or I'm not their customer. It's as if hostdime is
operating a 'hostile' nameserver takeover somewhere. I imagine that there
has to be a way to prevent this, or yahoo's would be pointing all the
requests for popular websites over to their own sites to steal the traffic.

Dave Platt

Jul 24, 2003, 5:45:57 PM
In article <1UXTa.118216$Io.10...@newsread2.prod.itd.earthlink.net>,
Chris Buckley <cwbu...@earthlink.net> wrote:

>I'm having this most annoying problem lately, and believe it may be someone
>hostile to my interests trying to block my nameservers. Hoping someone
>could point me in the right direction.
>
>To simplify the problem, I will deal with two separate domains in my
>examples.
>
>I have the server:
>buckleytech.com (69.61.4.99)
>which uses the nameservers ns7.nethostco.com and ns8.nethostco.com

And, it looks to me from here as if something is rotten w/r/t
netcohost.com.

netcohost.com has some very-suspicious-looking domain registration
information. The whois database insists it's registered through
enom.com (a registrar who seems to have a poor reputation w/r/t
spamming by their customers). All of the domain registration
information at whois.enom.com is "NA", except for a line which says
that the domain is registered through GoDaddy. The domain
registration info at enom.com lists no nameservers.

A "dig netcohost.com ns" indicates that the domain is receiving all of
its nameservice through a batch of servers at "name-services.com".
However, querying those nameservers to try to get a truly
authoritative set of NS record entries for this domain seems to fail.

>Is there something I can do to resolve this? Everybody is telling me that
>it's not their problem, or I'm not their customer. It's as if hostdime is
>operating a 'hostile' nameserver takeover somewhere. I imagine that there
>has to be a way to prevent this, or yahoo's would be pointing all the
>requests for popular websites over to their own sites to steal the traffic.

It looks to me as if there's something going on (a dispute, an attack,
a takeover, or just mondo technical problems) affecting netcohost.com,
and you are perhaps a "collateral damage" victim of this.

I suggest that you change your domain's registration info, so that the
root servers consider _only_ your own two nameservers to be
authoritative for it. Eliminate the "netcohost.com" servers from your
nameserver set entirely.

If you decide you do need additional off-site nameservers, you'd
probably want to consider looking elsewhere.

--
Dave Platt <dpl...@radagast.org> AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
I do _not_ wish to receive unsolicited commercial email, and I will
boycott any company which has the gall to send me such ads!

Barry Margolin

Jul 24, 2003, 7:26:33 PM
In article <vi0kslf...@corp.supernews.com>,

Dave Platt <dpl...@radagast.org> wrote:
>In article <1UXTa.118216$Io.10...@newsread2.prod.itd.earthlink.net>,
>Chris Buckley <cwbu...@earthlink.net> wrote:
>
>>I'm having this most annoying problem lately, and believe it may be someone
>>hostile to my interests trying to block my nameservers. Hoping someone
>>could point me in the right direction.
>>
>>To simplify the problem, I will deal with two separate domains in my
>>examples.
>>
>>I have the server:
>>buckleytech.com (69.61.4.99)
>>which uses the nameservers ns7.nethostco.com and ns8.nethostco.com
>
>And, it looks to me from here as if something is rotten w/r/t
>netcohost.com.

It's nethostco.com, not netcohost.com, and its DNS looks fine to me (but
you were right about all the N/A's in its WHOIS entry).

The problem with ns1.buckleytech.com and ns2.buckleytech.com is that the
216.67.251.xxx addresses are coming from glue records on the .COM servers.
Someone has registered these hostnames as servers with those addresses, and
the glue records are shadowing the records from the authoritative servers.

Chris, are you sure these aren't just old addresses for your nameservers
when they were at a different location (the 216.67.251 addresses belong to
Pegasus Web Technologies -- did they ever host your servers)? If so, you
simply forgot to update the Host registrations when they moved. You need
to contact your domain registrar and correct them.

--
Barry Margolin, barry.m...@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
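Barry's diagnosis above (registry glue on the .COM servers shadowing the zone's own A records) can be checked mechanically. The following is an added example, not code posted by anyone in this thread: it parses dig-style output and reports every nameserver host whose glue address differs from the authoritative answer. The two responses below are constructed sample data using the addresses from the thread; in practice you would capture the output of `dig` against a .COM server and against your own nameserver.

```python
import re

# Constructed sample: what a .COM server might return for the delegation
# (glue lives in the ADDITIONAL section). Addresses are from the thread.
GTLD_RESPONSE = """\
;; AUTHORITY SECTION:
buckleytech.com.   172800  IN  NS  ns1.buckleytech.com.
buckleytech.com.   172800  IN  NS  ns2.buckleytech.com.

;; ADDITIONAL SECTION:
ns1.buckleytech.com.  172800  IN  A  216.67.251.107
ns2.buckleytech.com.  172800  IN  A  216.67.251.108
"""

# Constructed sample: what the zone's own authoritative server answers.
AUTH_RESPONSE = """\
;; ANSWER SECTION:
ns1.buckleytech.com.  3600  IN  A  69.61.4.99
ns2.buckleytech.com.  3600  IN  A  69.61.5.6
"""

# Matches one A record line in dig output: "name. TTL IN A addr"
RR_LINE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_a_records(dig_text):
    """Return {hostname: set(IPv4 strings)} for every A record in dig-style output."""
    records = {}
    for line in dig_text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            records.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return records


def glue_mismatches(gtld_text, auth_text):
    """Compare registry glue (TLD additional section) with the zone's own answers.

    Returns {host: (glue_ips, authoritative_ips)} for hosts whose glue differs.
    Resolvers following the delegation trust the glue first, so a stale or
    foreign glue record silently shadows the correct authoritative address.
    """
    glue = parse_a_records(gtld_text)
    auth = parse_a_records(auth_text)
    return {host: (sorted(ips), sorted(auth.get(host, ())))
            for host, ips in glue.items() if ips != auth.get(host, set())}


if __name__ == "__main__":
    for host, (g, a) in glue_mismatches(GTLD_RESPONSE, AUTH_RESPONSE).items():
        print(f"{host}: glue {g} != authoritative {a}; fix the host record at the registrar")
```

A non-empty result is the signature of exactly the situation in this thread: the registrar-held host records, not the zone file, are what need correcting.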

Chris Buckley

Jul 29, 2003, 8:16:23 PM
Well, I've contacted my registrar 3 times, each time they said "this should
fix it" and 48 hours later, same problem exists.

I'm using aplus.net (names4ever.com) as my registrar currently. Can anybody
refer me to another registrar I can transfer this to that would know what
they are doing?

"Barry Margolin" <barry.m...@level3.com> wrote in message
news:JWZTa.383$0z4...@news.level3.com...

Jonathan de Boyne Pollard

Jul 29, 2003, 11:30:59 PM
CB> Someone had overwritten my ns1.buckleytech.com and
CB> ns2.buckleytech.com records, [...]

That is most likely to be ENOM, your other registrar.

By the looks of things, you have conflicting "HOST" records by the same name
registered via two separate registrars, and the person attempting the hostile
takeover of your domains is you yourself.
