On 7/1/19 3:13 PM, Grant Taylor wrote:
On 7/1/19 6:44 AM, micah anderson wrote:
This sounds like Fast Flux

How is this fast flux?

I thought fast flux was rapidly updating A records on the DNS server
(for a given qname) or updating NS records with the registrar for a
single given domain.

It sounds to me like Sean was talking about wanting to identify which of
many domains had a common registrar. This doesn't sound like fast
flux—as I understand it—to me.

Having such a list would be very helpful for dealing with fast flux.

How is what the OP's talking about related to fast flux?

I think fast flux came up in reference to a speculation I'd made
regarding why the spammers were using their own nameservers rather than
Namecheap's. I don't think it's particularly off-base to refer to rapid
registration of new domains as fast flux. In fact, I'm pretty sure
support for this, and slowness in taking down domains (though they do
often take them down eventually at least), are why Namecheap is so popular.

As I mentioned, filtering using fresh.fmb.la catches about 1/3 of the
domains. Fortunately, since they're actually using their own servers and
not a botnet, blocking their netblock catches the rest, though it's not
my preference since it will cause collateral damage (even though
registering with dnswl.org is an easy way around that), it's manual, and
it only helps my 3 users. Incentivizing Namecheap to move faster on
these would benefit a lot more people.