On 4/10/2012 6:29 PM, RW wrote:
> On Tue, 10 Apr 2012 17:58:51 -0400
> Rob McEwen wrote:
>> Meanwhile, the snowshoe spammer's DNS server happens to be messed up,
>> overloaded, and returns answers within about 4 seconds.
> But unless I'm misunderstanding, the NS lookups would be done on the
> TLD's nameservers, rather than the spammer's DNS server.
The sneakiest of spammy domains are the ones NOT seen before, and thus
NOT in anyone's cache. Therefore, ... /I WAS THINKING THAT/ ... the lookup
on the domain's NS server would OFTEN have to propagate back to the
authoritative DNS server for that domain.... that being the spammer's
DNS server... at the time the message is evaluated.
But you're right... maybe to get the DNS server assignment for that
domain, it only has to go to the TLD's nameserver, grabbing information
propagated to the TLD from the registrar for that domain. Good point!
(still much slower than DNSBL lookups to an rbldnsd server... but
probably not any slower than DNSBL lookups to a remote 3rd party DNS