NXDOMAIN Hijacking: Dnsmasq to the rescue!

Frederic Cambus February 06, 2014 [DNS]

I've been playing a lot with OpenWrt lately (an embedded Linux distribution targeted at routers), which uses Dnsmasq to provide DNS forwarding and DHCP. After reading about Dnsmasq in detail (should you want to do the same, "Alternative DNS Servers" has an entire chapter on it), I discovered a really interesting option: bogus-nxdomain.

To illustrate how it works, we are going to configure Dnsmasq to use OpenDNS resolvers, which perform NXDOMAIN hijacking by default.

Let's add this directive to dnsmasq.conf, specifying where to look for resolvers:

resolv-file=/etc/resolv.conf.dnsmasq

We then create the resolv.conf.dnsmasq file and add the resolvers we want Dnsmasq to forward queries to:

nameserver 208.67.220.220
nameserver 208.67.222.222

Now, let's attempt to resolve a non-existent domain:

dig domain.nxdomain +short
67.215.65.132

Sure enough, instead of getting an NXDOMAIN response, we are redirected to an IP address belonging to OpenDNS.

We can verify that it's indeed the case by performing a reverse lookup:

dig -x 67.215.65.132 +short
hit-nxdomain.opendns.com.

We now add the bogus-nxdomain directive to dnsmasq.conf:

bogus-nxdomain=67.215.65.132

And finally, after restarting Dnsmasq, querying a non-existent domain returns NXDOMAIN as it should:

dig domain.nxdomain +noall +answer +comments

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> domain.nxdomain +noall +answer +comments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
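To make the two halves of the post concrete, here is an added example (my own code, not part of the original post or of Dnsmasq) that models what bogus-nxdomain does to an upstream reply, and that automates the check done above with dig: resolve a handful of random labels that cannot exist and see whether one IP answers for all of them. The upstream resolver is injected as a function so the script runs offline; fake_opendns_lookup, fake_honest_lookup and the addresses they return are constructed stand-ins, and the parser also accepts the ip/prefix form that later Dnsmasq releases support.

```python
"""
Added example: a model of Dnsmasq's bogus-nxdomain filtering plus an
offline NXDOMAIN-hijacking check. Resolver functions and sample data
are constructed for this example; only 67.215.65.132 comes from the post.
"""
import ipaddress
import secrets
from typing import Callable, Iterable, List, Optional, Set

# The address the post observed OpenDNS returning instead of NXDOMAIN.
OPENDNS_HIJACK_IP = "67.215.65.132"

# An upstream lookup maps a name to its A records; [] stands for NXDOMAIN.
Lookup = Callable[[str], List[str]]

# Constructed sample zone shared by both fake resolvers.
_KNOWN = {"example.com": ["93.184.216.34"]}


def fake_opendns_lookup(name: str) -> List[str]:
    """Constructed stand-in for a hijacking resolver: unknown names get a
    landing-page address rather than an empty (NXDOMAIN) answer."""
    return _KNOWN.get(name, [OPENDNS_HIJACK_IP])


def fake_honest_lookup(name: str) -> List[str]:
    """Constructed stand-in for a resolver that returns NXDOMAIN honestly."""
    return _KNOWN.get(name, [])


def parse_bogus_nxdomain(conf_lines: Iterable[str]) -> Set[ipaddress.IPv4Network]:
    """Collect bogus-nxdomain=<ip>[/prefix] entries from dnsmasq.conf lines,
    ignoring comments and unrelated directives."""
    nets = set()
    for line in conf_lines:
        line = line.split("#", 1)[0].strip()
        if line.startswith("bogus-nxdomain="):
            value = line.split("=", 1)[1].strip()
            # A bare address becomes a /32 network; strict=False keeps host bits.
            nets.add(ipaddress.ip_network(value, strict=False))
    return nets


def filter_answer(answers: List[str], bogus_nets) -> Optional[List[str]]:
    """Model of bogus-nxdomain: if any A record in the upstream reply falls in
    a listed address or network, the whole reply becomes NXDOMAIN (None)."""
    for ip in answers:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in bogus_nets):
            return None
    return list(answers)


def detect_hijack(lookup: Lookup, samples: int = 5) -> Optional[str]:
    """Resolve random labels under the RFC 2606 reserved .invalid TLD, which
    can never exist. If every one resolves to the same single address, that
    address is the resolver's NXDOMAIN landing page; return it, else None."""
    seen: Set[str] = set()
    for _ in range(samples):
        name = f"{secrets.token_hex(8)}.invalid"
        answers = lookup(name)
        if not answers:
            return None  # one honest NXDOMAIN is enough to clear the resolver
        seen.update(answers)
    return next(iter(seen)) if len(seen) == 1 else None


if __name__ == "__main__":
    # Constructed dnsmasq.conf fragment mirroring the directive from the post.
    conf = ["resolv-file=/etc/resolv.conf.dnsmasq",
            f"bogus-nxdomain={OPENDNS_HIJACK_IP}"]
    nets = parse_bogus_nxdomain(conf)
    print("hijack IP seen via fake OpenDNS:", detect_hijack(fake_opendns_lookup))
    print("hijack IP seen via honest resolver:", detect_hijack(fake_honest_lookup))
    print("filtered reply:", filter_answer([OPENDNS_HIJACK_IP], nets))
    print("legitimate reply:", filter_answer(["93.184.216.34"], nets))
```

Pointing detect_hijack at a real upstream resolver only requires swapping the injected function for one that performs actual A lookups; the value it returns is exactly what you would put into the bogus-nxdomain directive, and the filter shows why listing that one address is enough to restore proper NXDOMAIN answers without affecting legitimate replies.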