NXDOMAIN Hijacking: Dnsmasq to the rescue!
Frederic Cambus February 06, 2014 [DNS]
I've been playing a lot with OpenWrt lately (an embedded Linux distribution targeted at routers), which uses Dnsmasq to provide DNS forwarding and DHCP. After reading about Dnsmasq in detail (should you want to do the same, "Alternative DNS Servers" has an entire chapter on it), I discovered a really interesting option: bogus-nxdomain.
To illustrate how it works, we are going to configure Dnsmasq to use OpenDNS resolvers, which perform NXDOMAIN hijacking by default.
Let's add this directive to dnsmasq.conf, specifying where to look for resolvers:
We then create the resolv.conf.dnsmasq file, and add the hosts we want Dnsmasq to forward queries to:
nameserver 188.8.131.52
nameserver 184.108.40.206
Now, let's attempt to resolve a nonexistent domain:
dig domain.nxdomain +short
220.127.116.11
Sure enough, instead of getting an NXDOMAIN response, we are redirected to an IP address belonging to OpenDNS.
We can verify that it's indeed the case by performing a reverse lookup:
dig -x 18.104.22.168 +short
hit-nxdomain.opendns.com.
We now add the bogus-nxdomain directive to dnsmasq.conf:
And finally, after restarting Dnsmasq, querying a nonexistent domain returns NXDOMAIN as it should:
dig domain.nxdomain +noall +answer +comments

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> domain.nxdomain +noall +answer +comments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
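What bogus-nxdomain does to a reply can be modelled on the DNS wire format. The following is an added example, not part of the original post and not Dnsmasq's own code: it parses a reply, and if any A record carries a listed address it returns an NXDOMAIN reply instead. The address 192.0.2.1 stands in for the hijack address, the sample replies are constructed, all function names are hypothetical, and dropping every record section is a simplification of this example.

```python
import ipaddress
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off

def a_records(msg):
    """Return (end of question section, IPv4 addresses found in the answer section)."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    q_end, addrs = off, []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    return q_end, addrs

def apply_bogus_nxdomain(msg, bogus):
    """Turn a reply containing a listed address into an empty NXDOMAIN reply."""
    q_end, addrs = a_records(msg)
    if not any(a in bogus for a in addrs):
        return msg                     # genuine answers pass through untouched
    ident, flags, qd = struct.unpack("!3H", msg[:6])
    flags = (flags & 0xFFF0) | 3       # RCODE 3 = NXDOMAIN
    return struct.pack("!6H", ident, flags, qd, 0, 0, 0) + msg[12:q_end]

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def build_reply(qname, addr):
    """Constructed sample: NOERROR reply (flags qr rd ra) with one A record."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(addr).packed
    return struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + name + struct.pack("!HH", 1, 1) + rr

BOGUS = {ipaddress.IPv4Address("192.0.2.1")}              # constructed hijack address
HIJACKED = build_reply("domain.nxdomain", "192.0.2.1")    # constructed hijacked reply
GENUINE = build_reply("example.org", "198.51.100.7")      # constructed genuine reply
```

Only replies whose answer section contains a listed address are rewritten, so a hijack address missing from the list still passes through as a normal answer.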