Good morning,
I am currently analysing the DNS resolvers (local and public ones) in terms of protection and performance (in particular their speed).
I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients?
From a network engineering perspective, any resolver that responds to an authoritative NXDOMAIN by generating an address for a courtesy page -is- the malicious actor. Doubly so if they lie about the DNSSEC status in the response.
Never mind; I misunderstood your question. The domain name exists but the resolver has blocked it. How should the resolver alter its response: NXDOMAIN or the IP address of a courtesy web page explaining the block?
Resolvers are capable of rewriting a response to anything they want. In the case of filtering out known bad networks, you can find examples of both rewriting to a courtesy web page and NXDOMAIN. There is a scheme known as Response Policy Zone [1] that hasn't been standardized (yet?) but is available in some recursive DNS software, such as BIND, which lets you do either.
As for which large operators respond in different ways, I’m afraid I can’t help you there. I’m not aware of any surveys done of how individual large operators implement their end user protection services.
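As an added illustration, not part of this thread, here is a BIND RPZ configuration that applies both of the policies the reply mentions side by side: an NXDOMAIN answer for one blocked name and a courtesy-page rewrite for another, plus a NODATA rule and a passthru exemption. The zone name `rpz.example`, the `.example` hostnames and the courtesy address 192.0.2.10 are constructed for the example; `break-dnssec no` is BIND's default and is spelled out only to show where the DNSSEC behaviour is controlled.

```text
# --- named.conf fragment (constructed example) ---
options {
    response-policy {
        zone "rpz.example";
    } break-dnssec no;   # default: a client that set DO and gets a signed,
                         # validated answer is not handed a rewritten one,
                         # so the resolver never claims it validated a forgery
};

zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { localhost; };   # the policy zone itself is not for clients
};

; --- rpz.example.db (constructed example zone) ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.

; Policy 1: answer NXDOMAIN for the name and everything below it.
; In RPZ, "CNAME ." is the NXDOMAIN action.
malware.example        CNAME .
*.malware.example      CNAME .

; Policy 2: rewrite to a courtesy ("walled garden") page.
; Local data on the trigger name replaces the real answer.
phish.example          A     192.0.2.10
*.phish.example        A     192.0.2.10

; Policy 3: NODATA (name exists, no records of the requested type).
; In RPZ, "CNAME *." is the NODATA action.
tracker.example        CNAME *.

; Exempt one host that the wildcard above would otherwise catch.
allowed.phish.example  CNAME rpz-passthru.
```

Each owner name in the zone is the queried name relative to the zone origin, so `phish.example` in `rpz.example.db` matches queries for `phish.example`; the `.example` names and 192.0.2.10 should be replaced with the operator's own feed data and landing-page address.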