NXDOMAIN Hijacking: Dnsmasq to the rescue!

I’ve been playing a lot with OpenWrt lately (an embedded Linux distribution targeted at routers), which uses Dnsmasq to provide DNS forwarding and DHCP. After reading about Dnsmasq in detail (should you want to do the same, “Alternative DNS Servers” has an entire chapter on it), I discovered a really interesting option: bogus-nxdomain.

To illustrate how it works, we are going to configure Dnsmasq to use OpenDNS resolvers, which perform NXDOMAIN hijacking by default.

Let’s add this directive to dnsmasq.conf, specifying where to look for resolvers:


We then create the resolv.conf.dnsmasq file, and add the hosts we want Dnsmasq to forward queries to:


Now, let’s attempt to resolve a nonexistent domain:

dig domain.nxdomain +short

Sure enough, instead of getting an NXDOMAIN response, we are redirected to an IP address belonging to OpenDNS.

We can verify that this is indeed the case by performing a reverse lookup:

dig -x +short

We now add the bogus-nxdomain directive to dnsmasq.conf:


And finally, after restarting Dnsmasq, querying a nonexistent domain returns NXDOMAIN as it should:

dig domain.nxdomain +noall +answer +comments

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> domain.nxdomain +noall +answer +comments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
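
The check-and-configure steps above as an added shell example, not part of the original post: it turns the addresses a resolver returns for names that should not exist into bogus-nxdomain lines, and reads the status from dig's header to confirm the fix. The sample addresses are constructed (documentation range), and `NXPROBE_RESOLVER` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: `dig +short` output for a made-up name as a hijacking
# resolver might return it (192.0.2.0/24 is a documentation range).
SAMPLE_SHORT='search.example.net.
192.0.2.10
192.0.2.11
192.0.2.10'

# Read `dig +short` output on stdin and print one bogus-nxdomain= line per
# distinct IPv4 address. CNAME targets and other non-address lines are dropped.
bogus_lines() {
    grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | sed 's/^/bogus-nxdomain=/'
}

# Read full dig output on stdin and print the response code from the header
# line, e.g. NXDOMAIN or NOERROR.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Query $1 (resolver address) for $2 random names under .nxdomain, the made-up
# TLD the post queries. Needs dig and network access.
probe() {
    i=0
    while [ "$i" -lt "${2:-3}" ]; do
        label=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
        dig @"$1" "$label.nxdomain" A +short
        i=$((i + 1))
    done
}

# NXPROBE_RESOLVER is a hypothetical variable name used only by this example.
if [ -n "${NXPROBE_RESOLVER:-}" ]; then
    probe "$NXPROBE_RESOLVER" 3 | bogus_lines
else
    printf '%s\n' "$SAMPLE_SHORT" | bogus_lines
fi
```

Several probes are used because a hijacking resolver may answer from more than one address. Review the generated list before adding it to dnsmasq.conf, since bogus-nxdomain turns any reply containing a listed address into NXDOMAIN.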