Temporary resolving to bodis.com. (domain parking)

[neosys]

Hi Team,

On the 29/05/2024, I had deleted ~25 TXT records (old certbot recs) and updated the slave server IP list. (zone transfers)

After ~15mins three of our A records temporarily (1hr) resolved to bodis.com. (domain parking site)

nextcloud.hosts.neosys.com
monitor.hosts.neosys.com
ptcy.hosts.neosys.com

*our other domains were unaffected as far as I could tell.

I read somewhere that DNS providers use parking sites temporarily if there's some config problem. Is this the case for zoneedit?

Similar posts refer to domains going to voodoo.com.
https://forum.zoneedit.com/threads/why-redirecting-to-domain-parking-web-page.5671/#post-8046
https://forum.zoneedit.com/threads/...-a-voodoo-com-ip-for-my-domain.632/#post-1708

Thanks,
Greg

 

[sandy]

It turns out that there are hundreds, if not thousands of lame delegations to Zoneedit nameservers (domains that have their nameservers set to us, who have no account here or deleted it, etc)

To handle the barrage of queries we get for these domains, and since we have no control over the delegations of these external domains, we've wildcarded the most popular TLDs to just send that traffic to Bodis - where it is shamelessly monetized, because "fix your delegation"

IT HAS NO IMPACT on actual, live customer domains.

They see this because of the way they are querying the nameserver directly, with recursion, and the nameserver looks internally and says "the target of this CNAME is not here, so I'm giving it the wildcard response"

In an actual lookup, this will never happen because an actual resolver, when it gets back a CNAME, restarts the query from their side with the CNAME target - and will hit a completely different set of nameservers. Not ours.

The short answer is to redo their dig without recursion

dig +norecurse @ns1.zoneedit.com, because otherwise they are asking our nameservers for a response on a domain that they are no authoritative for

regards