When a recursive BIND name server receives a query for a name that does not exist (e.g. if I look up nop.mens.de), it answers with the NXDOMAIN response code:
That is good. It is good for humans because they realize they have mistyped a name or the domain has gone away, and it is good for programs for similar reasons: a program that submits data automatically should fail when the host name does not resolve, rather than send that data to whatever server somebody else has decided to answer for it.
If I configure my BIND server with the new NXDOMAIN redirection (or worse: if your ISP configures the DNS servers you use with the new NXDOMAIN redirection!), the query is satisfied:
This works by letting the BIND administrator configure a special zone of type redirect. The BIND ARM says:
Provides a source of answers when the normal resolution returns NXDOMAIN. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur.
Such a zone catches the NXDOMAIN responses BIND would otherwise return to the client and replaces them with a NOERROR reply containing the record from the redirect zone that matches the query.
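To see what that substitution looks like on the wire, and to check a resolver for it, here is an added example (my own code, not something from the original post or from BIND). It builds a query for a name that should not exist, parses the reply and classifies it as an honest NXDOMAIN or a substituted A record. The two replies it classifies are constructed inline so that it runs offline; only probe() talks to a real resolver. The address 192.0.2.1 in the constructed redirected reply is a placeholder.

```python
"""Spot NXDOMAIN redirection from DNS wire-format replies (added example)."""
import random
import socket
import struct

NOERROR = 0
NXDOMAIN = 3
TYPE_A = 1
TYPE_OPT = 41


def _encode_name(name):
    labels = name.rstrip('.').split('.')
    return b''.join(struct.pack('B', len(lb)) + lb.encode('ascii') for lb in labels) + b'\x00'


def build_query(name, dnssec_ok=False):
    """Return (id, wire) for a recursive A query. With dnssec_ok=True an EDNS0
    OPT record with DO=1 is appended: the BIND ARM says a redirect zone does not
    substitute a signed NXDOMAIN when DO=1, so a DO=1 probe may answer differently."""
    qid = random.randrange(65536)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack('>HHHHHH', qid, 0x0100, 1, 0, 0, arcount)   # RD=1
    wire = header + _encode_name(name) + struct.pack('>HH', TYPE_A, 1)
    if dnssec_ok:
        # OPT RR: root owner, TYPE 41, UDP size 4096, ext-rcode 0, version 0,
        # flags with the DO bit (0x8000), empty rdata
        wire += b'\x00' + struct.pack('>HHBBHH', TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return qid, wire


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack('>H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels) + '.', end if end is not None else off


def parse_response(msg):
    """Decode header, question and answer section; return rcode and A records."""
    qid, flags, qd, an, _ns, _ar = struct.unpack('>HHHHHH', msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('>HHIH', msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {'id': qid, 'rcode': flags & 0x000F, 'qname': qname, 'a': addresses}


def classify(reply, expected_id=None):
    """'honest' for NXDOMAIN, 'redirected' for NOERROR plus A records,
    'inconclusive' otherwise (SERVFAIL, empty NOERROR, or a mismatched ID)."""
    p = parse_response(reply)
    if expected_id is not None and p['id'] != expected_id:
        return 'inconclusive'
    if p['rcode'] == NXDOMAIN:
        return 'honest'
    if p['rcode'] == NOERROR and p['a']:
        return 'redirected'
    return 'inconclusive'


def build_response(query, rcode, addresses=()):
    """Constructed reply for offline testing: echo the question, set QR/RD/RA and
    rcode, add one A record per address with owner 0xC00C (pointer to the question
    name), which is the shape a real resolver's answer takes."""
    qid = struct.unpack('>H', query[:2])[0]
    _name, qend = _read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack('>HHHHHH', qid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b''.join(b'\xc0\x0c' + struct.pack('>HHIH', TYPE_A, 1, 60, 4) + socket.inet_aton(a)
                       for a in addresses)
    return header + question + answers


def demo():
    """Offline walk-through: the same query answered honestly and with substitution."""
    qid, query = build_query('nop.mens.de')
    honest = build_response(query, NXDOMAIN)
    redirected = build_response(query, NOERROR, ['192.0.2.1'])   # placeholder address
    return classify(honest, qid), classify(redirected, qid)


def probe(server, name, dnssec_ok=False, timeout=3.0):
    """Live check against a resolver (needs network; not run by demo())."""
    qid, query = build_query(name, dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify(reply, qid)


if __name__ == '__main__':
    print(demo())   # ('honest', 'redirected')
```

To test a resolver you actually use, call probe() with its address and a name you know does not exist, once plainly and once with dnssec_ok=True; a resolver that says 'redirected' for the first and 'honest' for the second is doing exactly the substitution the ARM describes.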
Consider the definition of the root zone (.) in the following:
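Such a configuration looks like this (an added illustration, not the post's own listing; ns.example.com and the address 192.0.2.1 are placeholders):

```text
# named.conf (added example)
zone "." {
    type redirect;                 # consulted only where resolution would give NXDOMAIN
    file "redirect.db";
    allow-query { localnets; };    # restricts which clients receive substituted answers
};

; redirect.db, the zone file named above (placeholder names and address)
$TTL 300
@               IN SOA  ns.example.com. hostmaster.example.com. 1 3600 900 604800 300
@               IN NS   ns.example.com.
*.example.com.  IN A    192.0.2.1
```

Changing the owner of the last record from *.example.com. to a bare * makes every NXDOMAIN the resolver would return come back as that address, which is the ISP scenario above.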
The wildcard record in the last line does the work: it catches any NXDOMAIN for a name under example.com and replaces it with an answer of type A containing the configured address. It goes without saying that your ISP can just as well put a bare * into the zone file …
Say No to NXDOMAIN redirection.