Odd question on DNS/domain name stuff...

Joseph Sinclair plug-discussion at stcaz.net
Mon Jul 13 20:27:09 MST 2009


<<SNIP>
> ; <<>> DiG 9.4.3-P1 <<>> www.alchemistsrroom.us
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5651
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.alchemistsrroom.us.		IN	A
> 
> ;; AUTHORITY SECTION:
> us.			900	IN	SOA	a.gtld.biz. hostmaster.neustar.biz. 2003659686 900 900 604800 86400
> 
> ;; Query time: 147 msec
> ;; SERVER: 204.13.248.75#53(204.13.248.75)
> ;; WHEN: Mon Jul 13 18:48:38 2009
> ;; MSG SIZE  rcvd: 105
> 
> I do get a SOA section for neustar.biz - which would be probably where
> this traffic is originating.  But its A record is not resolving for
> some reason, probably never entered in the domain.
> 
---
<<SNIP>
Neustar is a Root DNS provider (one of the largest actually).  They're simply answering the query, negatively in this case.
If you check the flags, there is no answer for that domain, so it probably does not exist (at least officially, see below).

I've seen this kind of thing before with groups that want to fly under the radar a bit more than most.
They have their own DNS server(s) and add a few otherwise non-existent domains to their resolver. People "in the know" use those DNS
servers (usually in slot 2 or 3) so they can resolve to the site, but anyone else trying to find the site will fail, unless particularly motivated.

You cannot get the referrer site IP from website logs, since it doesn't actually participate in the connection.
You can get the IP for the client, but that's unlikely to provide much insight.

If you hunt hard enough you might, eventually, be able to track down where these are coming from, but that also is unlikely to
provide much value.  I would really recommend you avoid putting too much effort into tracking this down.

I'd recommend your friend simply tack the referrer into the session any time it's not from his/her domain, and then ensure that value
is logged with any purchase request.  At least then there is some level of record for any sales that might show a pattern if such were needed...

Hopefully that helps.

==Joseph++
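The following is an added example, not code from the original post or from anyone in the thread. It is a small Python module that does two things discussed above: it reads a `dig` reply like the one quoted at the top and flags it as a negative answer (status NXDOMAIN, no ANSWER records, an SOA in the AUTHORITY section), so a list of referrer hosts can be checked against a public resolver; and it implements the suggestion of keeping an off-site Referer host in the session and writing it into the purchase log. The shop domain `example.com`, the session represented as a dict, the log line format, and the two sample `dig` replies are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the negative reply quoted in the thread, as dig prints it
# (the SOA record is a single line in real output; the mail client wrapped it).
NXDOMAIN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5651
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.alchemistsrroom.us.\t\tIN\tA

;; AUTHORITY SECTION:
us.\t\t\t900\tIN\tSOA\ta.gtld.biz. hostmaster.neustar.biz. 2003659686 900 900 604800 86400

;; Query time: 147 msec
"""

# Constructed sample of a positive reply for contrast (RFC 5737 documentation address).
NOERROR_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t192.0.2.10
"""


def classify_dig_output(text):
    """Return (status, answer_count, negative_zone) parsed from dig's text output.

    negative_zone is the owner name of the SOA in the AUTHORITY section, i.e.
    the zone that vouched for the name's absence ("us." above), or None.
    """
    m = re.search(r"status:\s*([A-Z]+)", text)
    status = m.group(1) if m else "UNKNOWN"
    m = re.search(r"ANSWER:\s*(\d+)", text)
    answers = int(m.group(1)) if m else 0
    zone = None
    in_authority = False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_authority = True
            continue
        if in_authority:
            if not line.strip() or line.startswith(";"):
                break                      # end of the section
            fields = line.split()
            if "SOA" in fields:
                zone = fields[0]
                break
    return status, answers, zone


def is_negative_answer(text):
    """True when the resolver said the name does not exist, backed by an SOA."""
    status, answers, zone = classify_dig_output(text)
    return status == "NXDOMAIN" and answers == 0 and zone is not None


OWN_DOMAIN = "example.com"   # assumption: the shop's own domain


def referrer_host(referer):
    """Lower-case hostname from a Referer header value, or None if unusable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname   # .hostname lower-cases
    except ValueError:                              # e.g. bad IPv6 brackets
        return None
    return host or None


def is_own_domain(host, own=OWN_DOMAIN):
    """Exact match or a subdomain.  A bare endswith(own) would also accept
    'example.com.evil.net', which is why the leading dot is required."""
    return host == own or host.endswith("." + own)


def record_offsite_referrer(session, referer):
    """Store the referrer host in the session (a dict here) whenever it is not
    the shop's own domain, and return what the session now holds."""
    host = referrer_host(referer)
    if host and not is_own_domain(host):
        session["offsite_referrer"] = host
    return session.get("offsite_referrer")


def purchase_log_line(session, order_id, amount):
    """Log line for a purchase carrying the off-site referrer.  Control
    characters are stripped so a crafted Referer cannot forge extra lines."""
    ref = session.get("offsite_referrer") or "-"
    ref = re.sub(r"[\x00-\x1f\x7f]", "", ref)
    return f"purchase order={order_id} amount={amount} offsite_referrer={ref}"


if __name__ == "__main__":
    print(classify_dig_output(NXDOMAIN_REPLY))
    s = {}
    record_offsite_referrer(s, "https://www.alchemistsrroom.us/page")
    print(purchase_log_line(s, "A1", "9.99"))
```

To use the first half, run `dig +noall +comments +answer +authority HOST @RESOLVER` for each logged referrer host and feed the output to `is_negative_answer()`; a host that is NXDOMAIN from a public resolver but returns an A record from another server is the private-resolver setup described above. The log sanitisation in the second half matters because the Referer header is attacker-controlled input that ends up in a file an operator will later read and grep.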


More information about the PLUG-discuss mailing list