At 16:52 22-08-2011, Adam Katz wrote:
> You can't do whois en-masse (I'd love that, but ...), so this means an
> NS host lookup. To determine if they are authoritative, that's another
> lookup (which I don't believe is necessary). A blocklist would also be
> another lookup (if using a BL, it could check the authoritativeness),
> but I don't think that's completely necessary either.

You don't need to use Whois. You already have the data:
;; ANSWER SECTION:
apache.org.    1800   IN  A   140.211.11.131

;; AUTHORITY SECTION:
apache.org.    86398  IN  NS  ns2.no-ip.com.
apache.org.    86398  IN  NS  ns1.eu.bitnames.com.
apache.org.    86398  IN  NS  ns2.surfnet.nl.
apache.org.    86398  IN  NS  ns1.us.bitnames.com.

It's been a while since I tested this. If I recall correctly, it was
prone to false positives. You might be able to do some scoring
instead of blacklisting.
Regards,
-sm
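
Added example, not part of the original message: a Python version of the approach described above, reading the NS hosts out of the authority section of a response already in hand and turning matches into a capped score rather than a block. The listed-nameserver table, its point values, the cap and the function names are assumptions made for illustration.

```python
import re

# The response quoted in the message above, embedded so this runs offline.
SAMPLE = """\
;; ANSWER SECTION:
apache.org. 1800 IN A 140.211.11.131
;; AUTHORITY SECTION:
apache.org. 86398 IN NS ns2.no-ip.com.
apache.org. 86398 IN NS ns1.eu.bitnames.com.
apache.org. 86398 IN NS ns2.surfnet.nl.
apache.org. 86398 IN NS ns1.us.bitnames.com.
"""

# Hypothetical table: nameserver domain -> points (constructed, not real data).
LISTED_NS = {"listed-ns.example": 1.5}

def parse_sections(text):
    """Map section name -> [(owner, ttl, rtype, rdata)] from dig-style text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r";+\s*(\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line and not line.startswith(";") and current is not None:
            f = line.split(None, 4)
            if len(f) == 5 and f[1].isdigit() and f[2] == "IN":
                current.append((f[0].lower(), int(f[1]), f[3], f[4]))
    return sections

def ns_hosts(sections, domain):
    """NS targets for `domain` from the authority section: no extra lookup."""
    owner = domain.lower().rstrip(".") + "."
    return sorted({rdata.lower().rstrip(".")
                   for o, _, rtype, rdata in sections.get("AUTHORITY", [])
                   if rtype == "NS" and o == owner})

def ns_score(hosts, listed=LISTED_NS, cap=3.0):
    """Sum points for hosts at or under a listed domain, capped so a match
    nudges the total score instead of deciding the verdict on its own."""
    total = 0.0
    for host in hosts:
        for suffix, points in listed.items():
            if host == suffix or host.endswith("." + suffix):
                total += points
    return min(total, cap)

if __name__ == "__main__":
    hosts = ns_hosts(parse_sections(SAMPLE), "apache.org")
    print(hosts, ns_score(hosts))
```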