On Thu, 2003-10-09 at 09:11, Vinny Abello wrote:
>
> They're using extremely low TTL's on most of their records. Typically 2
> minutes to accomplish this. The thing is I would imagine at least ONE of
> those NS servers cannot change within a 2 hour window whereas the others
> can change every 2 minutes. If you identify the server that only changes
> every 2 hours and track what it's replaced with every 2 hours, you're
> likely to find a rotating list of master servers... Another question is why
> is NeuLevel (the registrar for .biz) allowing TTL's on the NS records to be
> 2 hours and submitting those to the GTLD servers. Maybe it's just me, but
> that's the first time I've seen a registrar set such a low TTL on an NS
> record. If NeuLevel is any good they would likely have some sort of
> information to identify the owner of the domain, even if the information is
> invalid listed on their whois server. They might have a credit card
> transaction although that too could always be a stolen credit card number.
>
> Any other ideas or different angles/experiences?
>
Looks like there was a slight misinterpretation of the DNS records. The 2hr TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ), which means it would take up to 2 hours to switch DNS servers (probably longer, due to red tape). However, the DNS servers aren't what's being rotated. It's the data that they are giving that's rotating, hence the 2 minute TTL. ALL of the nsX.uzc12.biz servers' record changes will be seen w/in 2 minutes, not just one of them.

Also, after doing some preliminary digging, it would seem that the GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact, 7200 seems high compared to some other ones I found.

--Gar
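
The distinction drawn in the reply above (a stable NS delegation with a 2-hour TTL versus zone data that rotates on a 2-minute TTL) can be checked from repeated polls. This is an added example, not part of the original thread: the poll data is constructed, `host.uzc12.biz.` is a hypothetical name, the addresses are documentation ranges, and the 300-second threshold and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: three polls of the authoritative servers, minutes apart,
# in dig answer form. "host.uzc12.biz." is hypothetical; IPs are doc ranges.
POLLS = [
    "uzc12.biz. 7200 IN NS ns1.uzc12.biz.\n"
    "uzc12.biz. 7200 IN NS ns2.uzc12.biz.\n"
    "host.uzc12.biz. 120 IN A 192.0.2.10\n"
    "host.uzc12.biz. 120 IN A 192.0.2.20\n",
    "uzc12.biz. 7200 IN NS ns1.uzc12.biz.\n"
    "uzc12.biz. 7200 IN NS ns2.uzc12.biz.\n"
    "host.uzc12.biz. 120 IN A 198.51.100.7\n"
    "host.uzc12.biz. 120 IN A 192.0.2.20\n",
    "uzc12.biz. 7200 IN NS ns2.uzc12.biz.\n"
    "uzc12.biz. 7200 IN NS ns1.uzc12.biz.\n"
    "host.uzc12.biz. 120 IN A 203.0.113.44\n"
    "host.uzc12.biz. 120 IN A 198.51.100.99\n",
]

def parse_answers(text):
    """Yield (owner, ttl, rtype, rdata) from 'name ttl IN type rdata' lines."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[1].isdigit() and fields[2].upper() == "IN":
            yield fields[0].lower(), int(fields[1]), fields[3].upper(), fields[4].lower()

def summarize(polls):
    """Per (owner, type): lowest TTL seen and how often the RRset changed."""
    stats = defaultdict(lambda: {"min_ttl": None, "changes": 0, "last": None})
    for text in polls:
        rrsets = defaultdict(set)
        for owner, ttl, rtype, rdata in parse_answers(text):
            rrsets[(owner, rtype)].add(rdata)  # set: answer order is ignored
            s = stats[(owner, rtype)]
            s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for key, values in rrsets.items():
            s = stats[key]
            if s["last"] is not None and values != s["last"]:
                s["changes"] += 1
            s["last"] = frozenset(values)
    return stats

def rotating(polls, max_ttl=300):
    """RRsets whose data changed between polls while carrying a short TTL."""
    return sorted(k for k, s in summarize(polls).items()
                  if s["changes"] > 0 and s["min_ttl"] <= max_ttl)

if __name__ == "__main__":
    print(rotating(POLLS))
```

Poll the authoritative servers directly when collecting real input, since a caching resolver reports a TTL that is already counting down.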