NXDOMAIN Hijacking – A huge problem caused solely for profit

7 01 2014

One of the contemporary issues being discussed in my area of IT is the use of DNS for things it was not designed to do. Paul Vixie (2009) wrote an article entitled "What DNS is not", which summed up the key issues in the use of DNS to serve ads through NXDOMAIN responses (pg. 44).

NXDOMAIN, also known as RCODE=3 (Mockapetris, 1987, pg. 27), was designed to signal negative answers to DNS queries. Modern-day DNS resolvers at times use these results in a way that was not intended. Instead of the typical “error page” that a web browser would usually report, OpenDNS name servers would return a NOERROR response and point the result to an advertising server (Vixie, 2009, pg. 44).

Let’s look at an example. Using a domain that I know does not exist, I can do a query against the caching servers from Google at the IP address of and the ones at OpenDNS at These are shown below.

> typeitwrong.com




** server can’t find typeitwrong.com: NXDOMAIN

> server

Default server:


> typeitwrong.com




Non-authoritative answer:

Name: typeitwrong.com


While the caching servers at Google report the domain correctly as an NXDOMAIN, the nameservers at OpenDNS give the NOERROR response and send a non-authoritative answer to the IP address of Performing a DNS query on that IP address we see that OpenDNS has routed the NOERROR response to one of their own servers.





Non-authoritative answer: name = hit-nxdomain.opendns.com.


Authoritative answers can be found from:


Now, this happens on any DNS lookup that should report an NXDOMAIN when querying the OpenDNS servers. I guess the next question is: why is this such a big deal? Well, for Internet browsing traffic it really is not that bad, but for other programs that count on the correct information from a TCP/IP stream, the wrong information can be cached locally, causing grave errors in scripting.

This is just one of the many abuses that DNS is subjected to instead of being used as it was originally designed.

Mockapetris, P. (1987, November). Domain names – Implementation and specification. Retrieved January 7, 2014, from tools.ietf.org/html/rfc1035

Vixie, P. (2009). What DNS is not. Communications of the ACM, 52(12), 43-47. doi:10.1145/1610252.1610269



