[Dshield] Odd Hostname -> Address Behaviour

Brian Dessent brian at dessent.net
Wed Oct 19 10:44:56 GMT 2005


jayjwa wrote:

> It seems host ftp.pspt.fi no longer exists (an old entry in a manpage). Note
> what address it is showing as, 64.158.56.36
> 
> * About to connect() to ftp.pspt.fi port 21
> *   Trying 64.158.56.36... No route to host
> * couldn't connect to host
> * Closing connection #0

Whatever recursive resolver your system is using is adding the
64.158.56.36 address instead of returning NXDOMAIN.

$ host ftp.pspt.fi
Host ftp.pspt.fi not found: 3(NXDOMAIN)

or <http://www.dnsstuff.com/tools/lookup.ch?name=ftp.pspt.fi&type=A>

> host some.nonexistant.host
> some.nonexistant.host has address 64.158.56.36
> Host some.nonexistant.host not found: 3(NXDOMAIN)
> Host some.nonexistant.host not found: 3(NXDOMAIN)

$ host some.nonexistant.host
Host some.nonexistant.host not found: 3(NXDOMAIN)

> wanted to visit anyway. I don't like this behavior at all: if a host doesn't
> exist, it doesn't exist. Tell me that, but being sent to a "search" site (in
> the case above) is something I don't care for.

A properly setup resolver will in fact return NXDOMAIN as it should. 
The resolver that you are using seems to be broken.  If it's your ISP's,
then it appears that they are trying to make some extra money by
redirecting traffic to that wildcard site.  Or perhaps they're doing it
as a "service" to the clueless morons that type random words into the
address bar of their browser.  In any case, what you are seeing appears
to be local behavior.

Brian


More information about the list mailing list