My domain is resolving incorrectly to the IP 91.195.240.117 instead of 216.194.170.145; this only happens in my network. I've already deleted the cache and flushed the DNS but it doesn't seem to have helped.

The domain is tacticz.net ...

nslookup tacticz.net
Servidor:  nsa.tigo.com.gt
Address:  190.106.193.240

Respuesta no autoritativa:
Nombre:  tacticz.net
Address:  91.195.240.117
  • Give us the domain, please, so we can take a look. – ceejayoz Jun 26 '18 at 15:29
  • Just edited the question, sorry! The domain is tacticz.net – Daniel Watson Jun 26 '18 at 15:31
  • Also output from "nslookup tacticz.net" as it resolves fine for me – Phil Jun 26 '18 at 15:34
  • Resolved fine: A tacticz.net 216.194.170.145 – Sunny J Jun 26 '18 at 15:41
  • In some places it resolves fine, in others it doesn't; that's the issue I am having :( – Daniel Watson Jun 26 '18 at 15:45
  • *What* places? How long ago did you put the DNS records in place? https://www.whatsmydns.net/#A/tacticz.net looks all good. – ceejayoz Jun 26 '18 at 15:47
  • Note that 91.195.240.117 has been reported as a Zeus botnet command and control server. I don't know if this is true or not (been looking for definitive information on it but haven't found much). But if your testing machine has been compromised there's a possibility that the malware is serving up this address to applications, to try and spy on your network traffic. – HiredMind Apr 02 '19 at 17:29

1 Answer

The authoritative nameservers for tacticz.net are:

ns1.inmotionhosting.com.
ns2.inmotionhosting.com.

Let us query them for their authoritative reply on what the IP is:

$ for f in 1 2; do dig @ns${f}.inmotionhosting.com. tacticz.net. A +short +nodnssec ; done
216.194.170.145
216.194.170.145

So they agree. If you see any other result it is either a stale cache or a bad configuration of your recursive nameserver.

Let us try some popular open recursive nameservers:

$ for i in 1 8 9; do dig @$i.$i.$i.$i tacticz.net. A +short +nodnssec ; done
216.194.170.145
216.194.170.145
216.194.170.145

They do all agree too.

This is also what https://www.whatsmydns.net/#A/tacticz.net returns.

Now, let us have a look at the SOA for further insight:

$ dig SOA tacticz.net |grep serial
                2018062601 ; serial

Ah ah... this uses the popular YYYYMMDD format that hints at a change happening in this zone today, the 26th. So I guess you changed your IP address then.

So you just changed the content of the zone and you need now to wait. Current TTLs (we will assume the previous ones are the same) are:

$ dig @ns1.inmotionhosting.com. tacticz.net. A | grep 216.194.170.145
tacticz.net.        900 IN A 216.194.170.145

In theory, 15 minutes (900 seconds) after your changes, all caches should have picked up the new IP addresses. But:

  • some caches may apply another minimum TTL if they consider 900 to be too low (this is kind of against the standard but it happens); also previous TTLs may have been higher
  • if there were no IP at all previously (not this case, but anyway), and some kind of negative caching, the TTL value (as present in the SOA) to be taken into account would be 86400 seconds, that is 1 day. (This point may still be relevant as whois shows a creation on June 21, hence very close to now, and what could have happened in some cases of late renewal is the domain being put on clientHold by the registrar and hence not resolving anymore, creating NXDOMAIN that will be cached by recursive nameservers for the time of the negative TTL value, that is one day.)

In summary: just wait a little, at least a day, before starting to think you have a problem. Because until then it is just normal DNS caching behaviour.

After that, if your local DNS recursive nameserver still replies with an incorrect value, you will need to contact its system administrator to enquire about possible misconfigurations there. And in the meantime just use another recursive nameserver.

Patrick Mevzek
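
The reasoning in the answer above, as an added example that is not part of the original answer: it compares each recursive resolver's A record with the authoritative one and decides whether a mismatch is still explainable by caching (the 900-second TTL, then the 86400-second negative TTL) or is old enough to raise with the resolver's administrator. The function names, the resolver labels and the cached TTL values in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. SAMPLE is constructed: the name,
# IPs and the 900 s TTL are the ones quoted on this page; the resolver labels
# and the cached TTLs (612, 3100) are hypothetical.
# Live input has the same layout, for example:
#   dig @ns1.inmotionhosting.com. tacticz.net. A +noall +answer | sed 's/^/authoritative /'
SAMPLE='authoritative tacticz.net. 900 IN A 216.194.170.145
resolver-a tacticz.net. 612 IN A 216.194.170.145
resolver-b tacticz.net. 3100 IN A 91.195.240.117'

# serial_date SERIAL: print YYYY-MM-DD when SERIAL follows the YYYYMMDDnn
# convention; return non-zero otherwise (the serial is then a plain counter).
serial_date() {
    case "$1" in
        [12][0-9][0-9][0-9][01][0-9][0-3][0-9][0-9][0-9])
            echo "$1" | sed 's/^\(....\)\(..\)\(..\)..$/\1-\2-\3/' ;;
        *) return 1 ;;
    esac
}

# verdict AUTH_IP SEEN_IP AGE POS_TTL NEG_TTL
# AGE is the number of seconds since the zone was changed.
verdict() {
    if [ "$2" = "$1" ]; then echo match
    elif [ "$3" -le "$4" ]; then echo cached-within-ttl        # normal caching
    elif [ "$3" -le "$5" ]; then echo cached-maybe-longer-ttl  # raised minimum TTL, older TTL or negative cache
    else echo investigate-resolver                             # past every TTL on the page
    fi
}

# report AGE NEG_TTL: read labelled answer lines on stdin. The line labelled
# "authoritative" must come first; it supplies the reference IP and TTL.
report() {
    age=$1 neg=$2 auth= ttl=
    while read -r label _name rttl _class type ip; do
        [ "$type" = A ] || continue
        if [ "$label" = authoritative ]; then auth=$ip ttl=$rttl; continue; fi
        echo "$label $ip $(verdict "$auth" "$ip" "$age" "$ttl" "$neg")"
    done
}

# One hour after the change, with the SOA negative TTL of 86400 seconds.
printf '%s\n' "$SAMPLE" | report 3600 86400
```
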