Why Am I Seeing Different DNS Records for the Same Domain?

Asked By TechExplorer42 On

I recently came across a URL that leads to a suspicious "you're infected" page, and while investigating it, I ran into an odd situation with the DNS results. I noticed that different tools were reporting different DNS records every few seconds. This got me really curious, especially since I could even see variations in the SOA record, despite its TTL being set to 300 seconds. How is it possible for something like the SOA to change that frequently? Is this normal, perhaps due to load balancing, or is there something more unusual going on? Just to clarify, the site in question is forknershorthand.com, which seems to be tied to malware, so please proceed with caution.

4 Answers

Answered By SecurityGuru22 On

It's possible you're looking at fast-flux DNS, a technique often used by malicious sites to switch between many small web servers quickly. This could explain why the DNS records change so rapidly. It complicates efforts to take the hosting down, as the domain constantly shifts its records.

Answered By ServerSleuth99 On

There’s a chance that the domain is hosted on various servers, leading to discrepancies in the information returned. The WHOIS records for forknershorthand.com show updates happening frequently, which suggests it might be changing hands or settings often.

Answered By DataDynamo23 On

When using tools like nslookup, you’re querying the DNS resolver about its current cache. The TTL indicates how long records are supposed to stay in the cache, but if these resolvers aren't holding onto records or if they have unique rules, you might see different answers depending on when you query them. So it’s not necessarily your imagination; it’s the behavior of DNS resolvers.

Answered By CuriousCoder89 On

This could be a case of load balancing. If the domain has multiple A records or CNAME records, your queries might return different IP addresses each time. For instance, if there are two A records for the same domain (e.g., www.domain.com pointing to 10.10.10.10 and 10.10.10.11), you'll get one IP roughly half the time. This technique is known as DNS round robin load balancing, which can create the changing results you're seeing.
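As an added example (not code from any of the answers above), the following Python script separates the two explanations offered by SecurityGuru22 and CuriousCoder89: it replays a series of lookup snapshots and labels the pattern as round-robin (the same address set every time, only the order rotates) or fast-flux-like (the address set keeps changing across several unrelated networks with a short TTL). The sample snapshots are constructed from documentation and private ranges, and the thresholds are illustrative assumptions, not published criteria.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Snapshot:
    """One lookup: seconds since the first query, A records in returned order, TTL."""
    t: int
    a_records: tuple
    ttl: int

def distinct_prefixes(ips, bits=16):
    """Number of distinct IPv4 /bits prefixes among the addresses (IPv4 only)."""
    return len({int(IPv4Address(ip)) >> (32 - bits) for ip in ips})

def classify(snapshots, min_flux_ips=6, max_flux_ttl=600, min_networks=3):
    """Label a lookup series; the thresholds are assumptions chosen for illustration."""
    sets = [frozenset(s.a_records) for s in snapshots]
    all_ips = set().union(*sets)
    membership_changes = sum(a != b for a, b in zip(sets, sets[1:]))
    order_changes = sum(a.a_records != b.a_records
                        for a, b in zip(snapshots, snapshots[1:]))
    if membership_changes == 0:
        # Same address set every time: nothing moved, only the order rotates.
        return "round-robin" if order_changes else "stable"
    if (len(all_ips) >= min_flux_ips
            and min(s.ttl for s in snapshots) <= max_flux_ttl
            and distinct_prefixes(all_ips) >= min_networks):
        # Many addresses spread over unrelated networks with short TTLs: the fast-flux signature.
        return "fast-flux-like"
    return "changing"

# Constructed samples (documentation/private ranges), not real lookups.
ROUND_ROBIN = [
    Snapshot(0, ("10.10.10.10", "10.10.10.11"), 3600),
    Snapshot(5, ("10.10.10.11", "10.10.10.10"), 3600),
    Snapshot(10, ("10.10.10.10", "10.10.10.11"), 3600),
]
FAST_FLUX = [
    Snapshot(0, ("192.0.2.10", "198.51.100.7", "203.0.113.4"), 300),
    Snapshot(5, ("198.51.100.7", "203.0.113.4", "192.0.2.55"), 300),
    Snapshot(10, ("203.0.113.99", "192.0.2.55", "198.51.100.31"), 300),
    Snapshot(15, ("192.0.2.10", "203.0.113.99", "198.51.100.31"), 300),
]

if __name__ == "__main__":
    print("round-robin sample:", classify(ROUND_ROBIN))  # round-robin
    print("fast-flux sample:", classify(FAST_FLUX))      # fast-flux-like
```

Feed it snapshots collected against the same resolver a few seconds apart; differing answers from different resolvers are the caching effect DataDynamo23 describes and need a single-resolver series to be meaningful.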
