Why do Network Solutions DNS servers answer an incorrect IP for google.com etc.

domain-name-system

Network Solutions DNS servers (ns1 – ns99.worldnic.com) answer the IP 141.8.225.31 for any A query to which they do not hold the answer. E.g.:

C:\>dig @ns11.worldnic.com www.google.com
www.google.com.         3600    IN      A       141.8.225.31

For the corresponding NS query, they claim to give an authoritative answer that their server holds the SOA for that TLD.

C:\>dig @ns11.worldnic.com www.google.com NS
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
com.                    3600    IN      SOA     ns11.worldnic.com. dns.worldnic.com. 2016010801 3600 600 1209600 3600

The same results occur for any name for which they are not authoritative, e.g. previous customers like metacase.com, or non-existent names like xyxyxyxyxy.net. All return the same IP, which is for a spammy advertising site in Switzerland.

This seems incorrect. Although normally ISP DNS servers will not query Network Solutions for these names, when a domain is transferred away from their name servers many ISP DNS servers ("child sticky") continue to ask the previous name server as long as it claims to answer. Thus a domain transfer (or change of authoritative name server) results in a loss of connectivity for that host, even if the host's actual IP remains unchanged and was correct in both losing and gaining authoritative name server.

Full dig output for the above queries:

C:\>dig @ns11.worldnic.com www.google.com

; <<>> DiG 9.11.3 <<>> @ns11.worldnic.com www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44870
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         3600    IN      A       141.8.225.31

;; Query time: 154 msec
;; SERVER: 207.204.40.106#53(207.204.40.106)
;; WHEN: Mon Apr 09 13:22:19 FLE Summer Time 2018
;; MSG SIZE  rcvd: 59


C:\>dig @ns11.worldnic.com www.google.com NS

; <<>> DiG 9.11.3 <<>> @ns11.worldnic.com www.google.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50950
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;www.google.com.                        IN      NS

;; AUTHORITY SECTION:
com.                    3600    IN      SOA     ns11.worldnic.com. dns.worldnic.com. 2016010801 3600 600 1209600 3600

;; Query time: 151 msec
;; SERVER: 207.204.40.106#53(207.204.40.106)
;; WHEN: Mon Apr 09 13:22:32 FLE Summer Time 2018
;; MSG SIZE  rcvd: 97

Best Answer

It is not incorrect per se.

Everyone is free to install a nameserver on its network that is configured the way it likes. It does not matter as this server will not get queried until it appears in some parent zone as authoritative for some domain name.

Registrars typically have nameservers configured as "wildcards" in the sense they will reply exactly the same thing whatever you ask (typically giving an IP address pointing to a website showing a placeholder) so what they can be used for example for parked domain names, before their customers set "real" nameservers.

Doing so enables them to not have to configure the nameserver with some list of domain names beforehand, they just reply the same thing.

Now you claim that "ISP" still query them when they shouldn't but you not give specific examples. To note: a domain name transfer from one registrar to another does not change the nameservers of the domain name (it depends on the TLD but this is the major case); the new registrar, after the transfer completes, can of course change nameservers.

Other recursive nameservers will continue to query the old nameservers for some time, this is normal and per design of the DNS. It is controlled by the TTL (Time To Live) in the zone, rarely greater than 48 hours.

I am not understanding this at all:

Thus a domain transfer (or change of authoritative name server) results in a loss of connectivity for that host, even if the host's actual IP remains unchanged and was correct in both losing and gaining authoritative name server.

If the nameservers change but the zone content is the same on both ones, then the resolution will not change. If the nameservers do not change, and they do not per the registrar transfer just by itself, then the resolution do not change either. If the nameservers do change, after some delay, the old ones will not get queried anymore at all so the zone content at the new nameservers will dictate how the resolution happens.

Related Solutions

CNAME to another domain fails on some office networks, why

Looking at your log, it doesn't seem to be a problem with the Volusion nameservers, it's more likely to be a problems with the caching resolvers used by the misbehaving private office networks.

The first resolution intent is by appending what I suppose is their own domain name, so when you look up find.aspenfasteners.com the resolvers first asks for find.aspenfasteners.com.fastenerwholesale.com. Then the resolver asks for the actual domain without appending anything. It asks for the IP associated with the domain by specifying the resource record type A. The Volusion name server correctly sets the return code to NXDOMAIN (=non-existing domain), because it has no A record for the domain you asked for. However, it does return the CNAME resource record in the aswer section, so it is now the job of the resolver to look up the hostname specified in the CNAME resource record.

I would look for problems on the resolver side.

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

Best Answer

Related Solutions

CNAME to another domain fails on some office networks, why

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Related Topic