Hi Snouto,
It sounds like you're running into DNS round-robin aslo known as a fast-flux service network. This allows a single domain name to have thousands of IP addresses assigned to it. Generally the TTL of the RR is set to be very short and so a look up would return a new IP address nearly every time. This is legitimately used for load-balancing web-servers.
This technique has been adopted by bot herders to maintain their botnets and make it next to impossible to take them down. The storm/cme-11 botnet uses this and other techniques to stay up.
http://www.honeynet.org/papers/ff/fast-flux.htmlI'm not sure if the domain you are researching is a malicious one or not but here is a little script I wrote a while back to run continuous lookups of an domain name and show the geographic location of the IP. You will need to install the required perl modules for it to work.
#!/usr/bin/perl -w
#################################################
# Script to track fastflux dns network.
# Shows a very approximate geographical distibution
# Usage: perl lookup.pl -exec
#################################################
use strict;
use warnings;
use IO::Socket;
use Geo::IP;
my ($target, @ipaddr, $nullip, $lastip, $reverse, $geoip, $country, $hostname);
# List all domain names to be tracked here.
my @domains = qw(example1.com example2.com example3.com);
my $file = "data.txt";
my $j = 1;
if (! $ARGV[0] or $ARGV[0] ne "-exec") {
print "Usage: perl $0 -exec\n";
print "You need to explicitly tell the script to run with \'-exec\'\n";
exit;
}
print "Check of all domains is now running...Use CTRL-C to Quit.\n";
# Really bad way to make sure the initial check for dublicate IPs doesn't return an error.
$nullip = "0.0.0.0";
push(@ipaddr, $nullip); # Store in array.
while () {
foreach $hostname (@domains) { # Cycle through each domain.
open (FH, ">>$file") || die "error opening or creating file:$!\n";
$target = inet_ntoa(inet_aton($hostname) || 0.0.0.0);
$lastip = pop(@ipaddr); # Store in array.
# Perform reverse lookup. This is to see what the IP actually resolves to.
$reverse = gethostbyaddr(inet_aton($target), AF_INET) || "Unknown";
if ($target eq 0.0.0.0) {
print "No IP!!!";
}
elsif ($target eq $lastip) {
print "No change to A record.\nCurrent record is : $lastip\n\n";
push(@ipaddr, $target);
}
elsif($target ne $lastip) {
push(@ipaddr, $target);
$geoip = Geo::IP->new(GEOIP_STANDARD);
$country = $geoip->country_name_by_addr($target) || "Unknown"; # if country is undefined then print "Unkonwn!"
open (FH, ">>$file") || die "error opening or creating file:$!\n";
print FH "($hostname)$country | $target => $reverse\n";
close (FH);
}
sleep (2); # wait 2 sec. Change lookup frequency here.
}
}
exit;
cheers,
dean
Other : LZMA Decompression Help
Forensics : The Julie Amero Case: A Dangerous Farce
