godaddy spam / abuse suspensions?

Hi gang,

I am looking into a dns problem. My resolvers are attempting to resolve various hosts under "axonplatform.net", but its nameservers aren't responding, resulting in many many many repeated queries that end up going nowhere. I dug around a bit and the nameservers for the domain are "ns1.suspended-for.spam-and-abuse.com." and so forth. The domain registrar is godaddy and it doesn't make a whole lot of sense for them to point the nameservers for any domain at non-functioning hosts, and these have been dead for at least a few days now that I know about.

Can anyone enlighten me as to what the deal might be here?

Thank you.

rslv1:~# dig -t ns axonplatform.net.

; <<>> DiG 9.2.4 <<>> -t ns axonplatform.net.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42266
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;axonplatform.net. IN NS

;; ANSWER SECTION:
axonplatform.net. 114343 IN NS ns1.suspended-for.spam-and-abuse.com.
axonplatform.net. 114343 IN NS ns2.suspended-for.spam-and-abuse.com.

;; Query time: 0 msec
;; SERVER: 65.127.32.36#53(65.127.32.36)
;; WHEN: Sun Nov 16 18:12:00 2008
;; MSG SIZE rcvd: 102

Name has been suspended for "supposed" abuse by the godaddy abuse team.

I believe the only recourse is to email abuse@godaddy.com (cc
president@godaddy.com) asking what they want to release the domain to
you. I believe the usual charge is like $75 or so.

--Rohan

I don't think he wants the domain. The problem is Godaddy listing NS
records for some domains (for any reason) to only DNS servers that
were all down or didn't exist. The entry of only lame DNS servers is
an inconclusive situation and doesn't let a message be permanently
rejected as spam; it's indistinguishable from a temporary failure of
all that domain's DNS servers.

It also causes (hopefully non-fatal) problems for hosts looking up the
contacting host's IP, like wasteful repeated queries.

This is not good behavior on the registrar's part; Godaddy would
almost be better serving the internet community by ignoring spam and
doing nothing, or forwarding reports to ISPs rather than introducing
lame DNS zones.

Registrars aren't really in a place to be able to stop spam; the
spammer can simply use any domain or have their reverse zone changed
accordingly, if they have custom reverse.

But for a registrar to do their best, by pulling domains where they
have proof the owner has performed or authorized spam, they should
pull the domain from the TLD zone entirely and let the response be
NXDOMAIN.

An NXDOMAIN response allows the mail server to definitively reject the
message and move on.

Chances are if the domain has been sandboxed, it was because it was
involved in some kind of phishing scheme, not spam. This is the
typical way of mitigating fast flux botnets. So I don't agree with the
assessment that this is bad behavior on the part of GoDaddy - to the
contrary, they are acting quite responsibly.

AF

James Hess wrote:

It's also not effective in various situations.
The bad behavior is not disabling abused domains, it's the method used to do it
(by giving no answer instead of actively giving a negative answer).

When an HTTP client asks recursive resolver A for an A RR, and no
response is received, the client will then go to recursive resolver B
and make the very same query again, and possibly on to recursive
resolver C.

One of the secondary/tertiary recursive resolvers may hand the client
a cached response that had been obtained before the registrar took any
action. If instead recursive resolver A returned an NXDOMAIN, that
would be the end of it: no new queries, the answer has been returned,
name does not exist.

The impact of the additional queries can be significant as well.

Yes, and that'd make a good case for the good old ops practice of
dialing down the TTL for a while before any NS change is made.

--srs
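The resolver fallback James Hess describes in the quoted post above, as an added example that is not part of this thread: a toy Python model of a stub client trying recursive resolvers A, B and C in turn, comparing a lame delegation (nameservers that never answer) with a domain pulled from the TLD zone (NXDOMAIN). The stale cached record on resolver C and the address 192.0.2.10 are constructed assumptions, not data from the thread.

```python
# Added example (not from the thread): a toy model of a stub client that
# falls back across recursive resolvers A, B, C when a query times out.
# Resolver C is assumed to hold a stale answer cached before the suspension;
# the address 192.0.2.10 is constructed documentation-range data.
from dataclasses import dataclass, field

LAME = "lame"          # NS records point at servers that never answer
NXDOMAIN = "nxdomain"  # domain pulled from the TLD zone entirely
QNAME = "www.axonplatform.net."


@dataclass
class Resolver:
    name: str
    cache: dict = field(default_factory=dict)  # qname -> answer string
    queries: int = 0                           # queries this resolver received

    def resolve(self, qname, upstream):
        """Return an answer, 'NXDOMAIN', or None when the lookup times out."""
        self.queries += 1
        if qname in self.cache:      # cached data (stale or negative) is served as-is
            return self.cache[qname]
        if upstream == NXDOMAIN:
            self.cache[qname] = "NXDOMAIN"  # negative answers are cacheable (RFC 2308)
            return "NXDOMAIN"
        return None                  # lame delegation: nothing ever comes back


def client_lookup(qname, resolvers, upstream):
    """Stub-resolver behaviour: on timeout, repeat the same query at the next resolver."""
    for r in resolvers:
        answer = r.resolve(qname, upstream)
        if answer is not None:       # any real answer, positive or negative, ends the search
            return answer
    return "TIMEOUT"


def simulate(upstream, lookups=3):
    """Run several lookups; return (final answer, total queries the resolvers saw)."""
    resolvers = [Resolver("A"), Resolver("B"), Resolver("C", cache={QNAME: "192.0.2.10"})]
    answer = "TIMEOUT"
    for _ in range(lookups):
        answer = client_lookup(QNAME, resolvers, upstream)
    return answer, sum(r.queries for r in resolvers)


if __name__ == "__main__":
    print("lame delegation:", simulate(LAME))       # ('192.0.2.10', 9): stale data, 3x queries
    print("NXDOMAIN removal:", simulate(NXDOMAIN))  # ('NXDOMAIN', 3): definitive, cached
```

With the lame delegation every lookup walks all three resolvers and still ends on the stale pre-suspension address, which is the failure mode the thread is arguing about; with NXDOMAIN the first resolver answers and caches the negative result.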

Or how about using an NS that returns ICMP errors instead of NXDOMAIN,
perhaps using anycast for reducing network load?

Would that stop the timeout errors? The server is still lame, you just
know faster?

Why not just return NXDOMAIN if you are going to all of that trouble and be guaranteed that it'll work for standards-compliant caching resolvers? I don't see what would be available to gain by adding this extra complexity, and there's certainly a (much) lesser guarantee, or so I would tend to believe, that things will stop asking if they get an ICMP unreach as opposed to an NXDOMAIN.

- S

That would work only if Godaddy was considering suspending it for
greater than TTL time before actually suspending them...it takes the
same time to dial-down TTL (old TTL time) then change it, as it does to
just change it outright.