
Phishing Botnet Taken Down and 800,000 Domains Seized


engine

6:28 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month Best Post Of The Month



According to Interpol, this raid on the phishing botnet included shutting down 221 servers, and was the "largest-ever use of sinkholing to combat botnet infrastructures..."
"The operation involves arrests and searches in five countries," representatives of the FBI and US Department of Justice said in a joint statement issued today. "More than 50 Avalanche servers worldwide were taken offline." Phishing Botnet Taken Down and 800,000 Domains Seized [arstechnica.com]

lucy24

8:17 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is it just me, or ... is there handsome poetic justice in the fact that at least one agency involved in the takedown was one of those that were specifically spoofed in the ransomware?
Individual nodes within the botnet are registered and then quickly de-registered as the host associated with a Domain Name Service A address record for a single DNS name. The destination addresses for a DNS record often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses.

How can you do this without the knowing collusion of a name server? Wouldn't--or shouldn't--someone notice if you're changing your record every 5 minutes?

lammert

10:01 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



No-one notices if they were running their own name servers. And with 221 servers they had the backbone to do it.

The figures are amazing. They burned 800,000 throw-away domains in seven years. That is 0.24% of all the domain names currently registered over all TLDs. source: [name.com...]

ChanandlerBong

8:14 pm on Dec 3, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



Does anyone think there should be a few more checks about domains that are sold? I got a junk mail the other day from a domain that was something like xygz-npts-xygz-xygz.net

And while on this subject, Gmail also needs to be far more proactive about accounts like qqqqqqqqq2315zzzzzzzzzz@gmail.com

In both these cases, you can get the weirdest email addresses or domains if you want, but there should be some level of manual checking once an "oddness" flag gets tripped.

jmccormac

7:52 am on Dec 4, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



800k domains in seven years is not a lot. Most people think of TLDs as being quite monolithic. They are not. Just in .COM alone in the past month approximately 3.15 million domains were deleted and just over 2.68 million new domains were added to the zone. .NET and .ORG have hundreds of thousands of new and deleted domains each month.

Regards...jmcc

lucy24

10:25 pm on Dec 4, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



No-one notices if they were running their own name servers. And with 221 servers they had the backbone to do it.

But, but, but-- don't nameservers have to be accredited by somebody? If I tell my browser to find example.spam, it doesn't poll every IP in existence “Do you know where I can find these guys?” It's got a finite list of places to ask.

lammert

10:59 pm on Dec 4, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



DNS traffic is cached heavily just to prevent the root servers from collapsing. The main record for a domain, which indicates where the primary name servers for that domain can be found, is often assigned a time to live of one to several days. So only once every day does one of the intermediate caches have to ask a root server where the authoritative domain information is stored. But after that it is the spammer's own DNS server which serves up the records directly to the intermediate caches. And that is such fragmented traffic that probably no cache will notice any abnormalities.

I am running such a configuration with a root TTL time of 86400 seconds and record TTL times of 300 seconds. Not for spamming of course :) but for quick automatic failover if one of my servers fails. Google does the same with 300 seconds, Yahoo has a TTL time of 760 seconds and Bing is also in the 700 seconds range.

And then I am not even talking about the NTP pool which distributes network time to millions of devices. The 3650 active IP addresses in the pool are added to and removed from the pool in a round-robin fashion to create some rudimentary form of load balancing, where DNS servers do the switching with TTL times of 150 seconds.

There is so much continuously switching DNS traffic on the internet that such a "small" spam operation is very difficult to notice.
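The point made in the posts above, that a low TTL on its own is normal (failover setups, Google, the NTP pool all use TTLs in the hundreds of seconds) and that only the combination of a low TTL with an A record that hops across many unrelated addresses is suspicious, can be turned into a simple passive-DNS check. The script below is an added example written for this thread, not code from the article, Interpol or any of the posters. Its log line format, the names under .invalid, the RFC 5737 documentation addresses and the thresholds are all constructed assumptions; a real deployment would feed it resolver query logs or passive DNS data instead.

```python
"""Flag fast-flux style A records from passive DNS observations.

Added example for this thread (not from the article or any poster).
Assumed input: one observation per line, "<iso-timestamp> <name> A <ip> ttl=<seconds>".
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample data. "flux.example.invalid" cycles through addresses in
# three unrelated /24 ranges every five minutes at a 300 s TTL. "www.example.invalid"
# also uses a 300 s TTL (the failover pattern lammert describes) but only ever
# alternates between two hosts in one range, so it must not be flagged.
SAMPLE_LOG = """\
2016-12-02T18:00:00Z flux.example.invalid A 203.0.113.10 ttl=300
2016-12-02T18:05:00Z flux.example.invalid A 203.0.113.55 ttl=300
2016-12-02T18:10:00Z flux.example.invalid A 198.51.100.7 ttl=300
2016-12-02T18:15:00Z flux.example.invalid A 198.51.100.200 ttl=300
2016-12-02T18:20:00Z flux.example.invalid A 192.0.2.33 ttl=300
2016-12-02T18:25:00Z flux.example.invalid A 192.0.2.120 ttl=300
2016-12-02T18:00:00Z www.example.invalid A 192.0.2.1 ttl=300
2016-12-02T18:05:00Z www.example.invalid A 192.0.2.1 ttl=300
2016-12-02T18:10:00Z www.example.invalid A 192.0.2.2 ttl=300
2016-12-02T18:15:00Z www.example.invalid A 192.0.2.1 ttl=300
"""


def parse_line(line):
    """Parse one observation line into (timestamp, name, ip, ttl)."""
    ts, name, rtype, ip, ttl_field = line.split()
    if rtype != "A":
        raise ValueError(f"only A records are handled: {line!r}")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ttl = int(ttl_field.split("=", 1)[1])
    return when, name, ip, ttl


def score_names(log_text, max_ttl=300, min_distinct_ips=5, min_prefixes=3):
    """Summarise each name's A-record behaviour and flag fast-flux candidates.

    A name is flagged only when all three hold: the TTL is short (<= max_ttl),
    the record has pointed at many distinct addresses, and those addresses are
    spread over several /24 prefixes. Thresholds are assumed values for the demo.
    """
    by_name = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            when, name, ip, ttl = parse_line(raw)
            by_name[name].append((when, ip, ttl))

    report = {}
    for name, obs in by_name.items():
        obs.sort()  # chronological order
        ips = {ip for _, ip, _ in obs}
        # Collapse addresses to /24 prefixes: a failover pair inside one range
        # looks very different from nodes scattered across unrelated networks.
        prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
        min_ttl = min(ttl for _, _, ttl in obs)
        span_minutes = (obs[-1][0] - obs[0][0]).total_seconds() / 60
        flagged = (
            min_ttl <= max_ttl
            and len(ips) >= min_distinct_ips
            and len(prefixes) >= min_prefixes
        )
        report[name] = {
            "observations": len(obs),
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "span_minutes": span_minutes,
            "flagged": flagged,
        }
    return report


if __name__ == "__main__":
    for name, stats in score_names(SAMPLE_LOG).items():
        verdict = "FAST-FLUX CANDIDATE" if stats["flagged"] else "normal"
        print(f"{name}: {verdict} {stats}")
```

The prefix check is what keeps the legitimate low-TTL names out of the alert list; in practice you would replace the /24 grouping with ASN or netblock ownership lookups and tune the thresholds against your own resolver's baseline, since a site behind a large CDN can also show many addresses at a short TTL.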