Friday, January 21, 2011

nslookup finds server name from ip, but whois claims the name has expired?

I noticed I was getting UDP traffic on random ports from an unknown IP address that was definitely not on my domain today. When I looked up the IP using nslookup, it returned a name. But when I did a whois on the name, whois complained that the name had expired and didn't give me back any information. So I tried the IP on whois, and whois couldn't find it at all.

How is this possible?

  • It is possible that the domain has expired very recently and the DNS servers are just returning the name they have cached. If this is the case, the behaviour shouldn't continue for long; 48hrs is usually the max.

  • Keep in mind that UDP traffic is not stateful, so these packets could be forged.

    From Zoredache
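One way to turn the first point into a routine check, added here as an example and not part of the original answer: a PTR record is published by whoever controls the reverse zone for the address block, so the name nslookup returns is only a claim until the name resolves forward to the same address (a "forward-confirmed" reverse lookup). The script below classifies each source IP as confirmed, mismatched, carrying a PTR whose domain no longer resolves (the situation in the question), or having no PTR at all. The log format, the `192.0.2.0/24` addresses and the PTR/A data are constructed for the example; `system_reverse` and `system_forward` use the local resolver for real lookups.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Resolver signatures: reverse maps an IP to its PTR name (None if absent),
# forward maps a name to its A records (empty list if the name does not resolve).
ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the host's resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror is a subclass of OSError
        return None


def system_forward(name: str) -> List[str]:
    """A-record lookup through the host's resolver; [] when the name fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # socket.gaierror is a subclass of OSError
        return []


def classify_source(ip: str, reverse: ReverseFn = system_reverse,
                    forward: ForwardFn = system_forward) -> str:
    """Forward-confirmed reverse DNS: only 'confirmed' means the PTR name
    resolves back to the address that carried it."""
    name = reverse(ip)
    if name is None:
        return "no-ptr"
    addrs = forward(name)
    if not addrs:
        # The case from the question: the reverse zone still hands out a
        # name whose domain has lapsed, so the name no longer resolves.
        return "ptr-unresolvable"
    return "confirmed" if ip in addrs else "mismatch"


# Constructed sample data (documentation range 192.0.2.0/24, .test TLD).
CONSTRUCTED_PTR = {
    "192.0.2.10": "host.lapsed-example.test",  # domain lapsed: no forward record
    "192.0.2.20": "mail.example.test",         # forward record agrees with PTR
    "192.0.2.40": "other.example.test",        # PTR names a host that lives elsewhere
}
CONSTRUCTED_A = {
    "mail.example.test": ["192.0.2.20"],
    "other.example.test": ["192.0.2.99"],
}


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(name: str) -> List[str]:
    return list(CONSTRUCTED_A.get(name, []))


# Constructed firewall-style log lines: "UDP <src>:<sport> -> <dst>:<dport>".
CONSTRUCTED_LOG = [
    "UDP 192.0.2.10:51234 -> 10.0.0.5:3478",
    "UDP 192.0.2.20:5353 -> 10.0.0.5:5353",
    "UDP 192.0.2.30:40001 -> 10.0.0.5:16000",
    "UDP 192.0.2.40:60000 -> 10.0.0.5:19302",
    "UDP 192.0.2.10:51235 -> 10.0.0.5:3479",  # repeat source, looked up once
]
LOG_RE = re.compile(r"^UDP (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ")


def triage(lines: Iterable[str], reverse: ReverseFn = system_reverse,
           forward: ForwardFn = system_forward) -> Dict[str, str]:
    """Classify every distinct UDP source address seen in the log lines."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not UDP flow records
        ip = m.group(1)
        if ip not in verdicts:
            verdicts[ip] = classify_source(ip, reverse, forward)
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(CONSTRUCTED_LOG, constructed_reverse,
                              constructed_forward).items():
        print(f"{ip:15} {verdict}")
```

Against the constructed data, `192.0.2.10` comes back as `ptr-unresolvable`, which is exactly the nslookup-says-one-thing, whois-says-expired pattern from the question. Keep the second point of the answer in mind when reading any of these verdicts: if the UDP source address was forged, the PTR you looked up belongs to whoever owns the spoofed address, not to the sender.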

