NXDOMAIN Hijacking: Dnsmasq to the rescue!

Frederic Cambus February 06, 2014 [DNS]

I've been playing a lot with OpenWrt lately (an embedded Linux distribution targeted at routers), which uses Dnsmasq to provide DNS forwarding and DHCP. After reading about Dnsmasq in detail (should you want to do the same, "Alternative DNS Servers" has an entire chapter on it), I discovered a really interesting option: bogus-nxdomain.

To illustrate how it works, we are going to configure Dnsmasq to use OpenDNS resolvers, which perform NXDOMAIN hijacking by default.

Let's add this directive to dnsmasq.conf, specifying where to look for resolvers:


We then create the resolv.conf.dnsmasq file, and add the hosts we want Dnsmasq to forward queries to:


Now, let's attempt to resolve a non-existent domain:

dig domain.nxdomain +short

Sure enough, instead of getting an NXDOMAIN response, we are redirected to an IP address belonging to OpenDNS.

We can verify that this is indeed the case by performing a reverse lookup of that address:

dig -x +short

We now add the bogus-nxdomain directive to dnsmasq.conf:


And finally, after restarting Dnsmasq, querying a non-existent domain returns NXDOMAIN as it should:

dig domain.nxdomain +noall +answer +comments

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> domain.nxdomain +noall +answer +comments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
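The following is an added example, not code from the original post: it automates the check the dig commands above perform by hand. It sends an A query for a random label under a TLD that does not exist, classifies the raw reply, and returns any addresses a hijacking resolver hands back, which are exactly the values that belong in a bogus-nxdomain directive. It assumes Python 3 and a resolver reachable on UDP port 53; the two sample replies at the end are constructed, not captured.

```python
import secrets, socket, struct

def build_query(name, qid):
    # Minimal recursive (RD=1) A/IN query with a caller-chosen transaction id, no EDNS
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(data, off):  # offset just past a (possibly compressed) name starting at off
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)   # a pointer is two bytes, the root label one

def parse_answer_ips(resp):  # A-record addresses from the answer section of a raw reply
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off, ips = 12, []
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def classify_response(resp, expected_id):
    # For a name that cannot exist, NOERROR plus A records means the resolver synthesised
    # an answer (NXDOMAIN hijacking); those addresses are the bogus-nxdomain candidates
    qid, flags = struct.unpack("!HH", resp[:4])
    if qid != expected_id or not (flags & 0x8000):   # wrong transaction, or not a response
        return "other", []
    rcode = flags & 0x000F
    ips = parse_answer_ips(resp) if rcode == 0 else []
    verdict = {0: "hijacked" if ips else "noerror", 3: "nxdomain"}.get(rcode, "other")
    return verdict, ips

def check_resolver(server, timeout=3.0):  # live check against one resolver (hypothetical helper)
    name, qid = f"{secrets.token_hex(8)}.nxdomain", secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        resp, _ = sock.recvfrom(512)
    return classify_response(resp, qid)

# Constructed samples (not real captures): a hijacked reply answering domain.nxdomain with
# 192.0.2.1 (TEST-NET-1, a placeholder for the resolver's landing address) and an honest NXDOMAIN
_Q = b"\x06domain\x08nxdomain\x00" + struct.pack("!HH", 1, 1)
SAMPLE_HIJACKED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton("192.0.2.1"))
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
```

Running check_resolver("127.0.0.1") before and after adding bogus-nxdomain and restarting Dnsmasq should move the verdict from "hijacked" to "nxdomain".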