BIND version 9.9.0a2 was released a few hours ago, and the first change noted in the release notes mentions NXDOMAIN redirection. I groaned. I recall Site Finder, and ICANN was not amused either.
When a recursive BIND name server receives a query which cannot be satisfied (e.g. I search for nop.mens.de) it will answer with an NXDOMAIN:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56608
That is good. It is good for humans because they realize they’ve mistyped a name or the domain has gone away, and it is good for programs for similar reasons, particularly because, for automatic submission of data, I don’t want that data to be sent to the wrong server.
If I configure my BIND server with the new NXDOMAIN redirection (or worse: if your ISP configures the DNS servers you use with the new NXDOMAIN redirection!), the query is satisfied:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50387
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
nop.mens.de. 60 IN A 2.1.1.1
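The difference between the two dig headers above is the whole test: ask a resolver for a name that cannot exist and see whether it returns NXDOMAIN or a substituted NOERROR answer. The script below is an added example written for this post, not code from the post or from BIND. It parses dig output into status, flags and answer records and classifies the result; the two sample outputs are constructed to match the headers quoted above (the question and authority sections are my additions), and the helper that builds the dig command line with a random throw-away label is also mine. Because the ARM says substitution is skipped when DO=1 and the NXDOMAIN is signed, running the probe both with and without +dnssec shows whether a resolver's redirection is conditional on that.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample outputs shaped like the two dig headers quoted in the
# post. Only the header lines come from the post; the remaining sections are
# filled in here to make the samples complete.
HONEST = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56608
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nop.mens.de.\t\t\tIN\tA

;; AUTHORITY SECTION:
mens.de.\t\t3600\tIN\tSOA\tns.mens.de. hostmaster.mens.de. 1 28800 14400 3600000 86400
"""

REDIRECTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50387
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nop.mens.de.\t\t\tIN\tA

;; ANSWER SECTION:
nop.mens.de.\t\t60\tIN\tA\t2.1.1.1
"""


@dataclass
class DigResult:
    status: str          # RCODE as dig prints it: NOERROR, NXDOMAIN, SERVFAIL, ...
    flags: set           # header flags such as qr, aa, rd, ra, ad
    answers: list        # tuples (owner, ttl, class, type, rdata) from the ANSWER section


def parse_dig(text: str) -> DigResult:
    """Extract status, header flags and ANSWER records from dig's text output."""
    status, flags, answers, section = None, set(), [], None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                status = m.group(1)
            continue
        m = re.match(r";; flags: ([\w ]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]   # ";; ANSWER SECTION:" -> "ANSWER"
            continue
        if not line.strip() or line.startswith(";"):
            continue                              # comments and the question line
        if section == "ANSWER":
            parts = line.split(None, 4)           # owner ttl class type rdata
            if len(parts) == 5:
                answers.append(tuple(parts))
    if status is None:
        raise ValueError("no dig header found in output")
    return DigResult(status, flags, answers)


def classify(result: DigResult, probe_name: str) -> str:
    """Classify the reply to a probe for a name that is known not to exist.

    'honest'     : the resolver said NXDOMAIN, as it should.
    'redirected' : NOERROR with an A record for the probe name, i.e. the
                   NXDOMAIN was replaced, as the redirect zone in the post does.
    'inconclusive': anything else (SERVFAIL, timeouts, unrelated records).
    """
    if result.status == "NXDOMAIN":
        return "honest"
    name = probe_name.rstrip(".")
    substituted = [r for r in result.answers
                   if r[3] == "A" and r[0].rstrip(".") == name]
    if result.status == "NOERROR" and substituted:
        return "redirected"
    return "inconclusive"


def make_probe_name(zone: str) -> str:
    """A random label under a zone you control cannot exist, so NXDOMAIN is the only honest answer."""
    return f"{secrets.token_hex(6)}.{zone.rstrip('.')}."


def build_dig_command(probe_name: str, server: str, dnssec: bool) -> list:
    """Command line for the live probe (hypothetical helper; run once with and once without +dnssec)."""
    cmd = ["dig", f"@{server}", probe_name, "A"]
    if dnssec:
        cmd.append("+dnssec")                     # sets DO=1, the case the ARM exempts
    return cmd


if __name__ == "__main__":
    for label, sample in (("honest sample", HONEST), ("redirected sample", REDIRECTED)):
        print(label, "->", classify(parse_dig(sample), "nop.mens.de"))
    print(" ".join(build_dig_command(make_probe_name("example.com"), "127.0.0.1", True)))
```

To test a real resolver, run the printed dig command against it and feed the output to parse_dig; a resolver that answers "redirected" without +dnssec and "honest" with it is substituting only where DNSSEC cannot catch it.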
The way this works is a BIND administrator can configure a special zone of type redirect. The BIND ARM says:
Provides a source of answers when the normal resolution returns NXDOMAIN. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur.
This zone catches the NXDOMAIN responses BIND would normally return to the client and replaces them with a NOERROR reply carrying a record from the redirect zone.
Consider the definition of the root zone (.) in the following named.conf snippet:
zone "." IN {
type redirect;
file "root.redir";
};
The file root.redir contains:
@ IN SOA localhost. root.localhost. (
        1 ; Serial
        28800 ; Refresh
        14400 ; Retry
        3600000 ; Expire
        86400 ) ; Minimum
        IN NS localhost. ; leading whitespace: owner @ is inherited from the SOA record
localhost. IN A 127.0.0.1
nop.mens.de. IN A 2.1.1.1
*.example.com. IN A 127.0.0.4
The wildcard on the last line works. It will catch any NXDOMAIN for the example.com zone and replace it with an answer of type A containing the specified address. It goes without saying that your ISP can also put just an * into the zone definition …
This very unfortunate addition to the BIND code makes it even easier for BIND to lie. And it breaks DNSSEC.
Say No to NXDOMAIN redirection.