I've been playing a lot with OpenWrt lately (an embedded Linux distribution targeted at routers), which uses Dnsmasq to provide DNS forwarding and DHCP. After reading about Dnsmasq in detail (should you want to do the same, "Alternative DNS Servers" has an entire chapter on it), I discovered a really interesting option: bogus-nxdomain.
To illustrate how it works, we are going to configure Dnsmasq to use OpenDNS resolvers, which perform NXDOMAIN hijacking by default.
Let's add this directive to dnsmasq.conf, specifying where to look for resolvers:
We then create the resolv.conf.dnsmasq file, and add the hosts we want Dnsmasq to forward queries to:
nameserver 18.104.22.168 nameserver 22.214.171.124
Now, let's attempt to resolve a non existant domain:
dig domain.nxdomain +short 126.96.36.199
Sure enough, instead of getting a NXDOMAIN response, we are redirected to an IP address belonging to OpenDNS.
We can verifiy that it's indeed the case by performing a reverse lookup:
dig -x 188.8.131.52 +short hit-nxdomain.opendns.com.
We now add the bogus-nxdomain directive to dnsmasq.conf:
And finally, after restarting Dnsmasq, querying a non existant domain returns NXDOMAIN as it should:
dig domain.nxdomain +noall +answer +comments ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> domain.nxdomain +noall +answer +comments ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53036 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0