On 4/10/2012 6:29 PM, RW wrote:
> On Tue, 10 Apr 2012 17:58:51 -0400
> Rob McEwen wrote:
>> Meanwhile, the snowshoe spammer's DNS server happens to be messed up,
>> overloaded, and returns answers within about 4 seconds.
> But unless I'm misunderstanding, the NS lookups would be done on the
> TLD's nameservers, rather than the spammer's DNS server.

The sneakiest of spammy domains are the ones NOT seen before, and thus NOT in anyone's cache. Therefore, ... /I WAS THINKING THAT.../ the lookup on the domain's NS server would OFTEN have to propagate back to the authoritative DNS server for that domain... that being the spammer's DNS server... at the time the message is evaluated.

But you're right... maybe to get the DNS server assignment for that domain, it only has to go to the TLD's nameserver, grabbing information propagated to the TLD from the registrar for that domain. Good point!

(still much slower than DNSBL lookups to an rbldnsd server... but probably not any slower than DNSBL lookups to a remote 3rd party DNS blacklist)

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032