Anyways, at some point I switched off of that onto OpenNIC (who are actually kind of weird, but once you get past the paper hats they're nice... although they're vulnerable to US-CERT-VU#800113...) because I found that when I would ask for a non-existent name (such as http://xyonss.net) I would get a valid A response back (you use AAAA? really? aren't you special), and if it was HTTP, it would redirect to something like http://guide.opendns.com/?url=xyonss.net. This annoyed me greatly, so I switched off because I couldn't find anything talking about HIT-NXDOMAIN.opendns.com and how to make it stop happening. It also upsets a lot of things; when I was looking for it again today I ran across complaints of things requesting hit-nxdomain.opendns.com:8080, :443, :441 and lots of other things that were upsetting people. It turns out that quite a lot of software understands NXDOMAIN (no such domain) DNS responses, but not "it doesn't exist, talk to my server". All it knows is "yep, got an IP, nope, thing didn't work" and your firewall starts complaining that you're trying to do SMB/CIFS (yes, I am aware they are the same page on Wikipedia, and I am aware that page says maybe they shouldn't be) to somewhere outside of your local network.
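A quick way to tell whether the resolver you are sitting behind rewrites NXDOMAIN into an A record, as an added example that is not from the original post: resolve a handful of random names that cannot exist and see whether anything comes back. The `resolve` callable is injected so the classification logic can be exercised offline with a fake resolver; `system_resolve` uses the OS resolver for a live check.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

def random_name(tld: str = "net") -> str:
    """Build a name nobody has registered; a conforming resolver must say NXDOMAIN."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return f"nxdomain-probe-{label}.{tld}"

def system_resolve(name: str) -> Optional[str]:
    """Ask the system resolver for an A record; None means NXDOMAIN or lookup failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None

def classify(resolve: Callable[[str], Optional[str]], names: List[str]) -> Dict:
    """Resolve each probe name through `resolve`.

    Any answer at all for a random non-existent name means the resolver is
    substituting its own address for NXDOMAIN. The distinct addresses handed
    back are reported as 'sinkholes': a redirecting resolver usually points
    every typo at the same one or two hosts.
    """
    answers = {n: resolve(n) for n in names}
    hits = {n: a for n, a in answers.items() if a is not None}
    return {
        "hijacked": len(hits) > 0,
        "hits": hits,
        "sinkholes": sorted(set(hits.values())),
    }

if __name__ == "__main__":
    probes = [random_name() for _ in range(3)]
    verdict = classify(system_resolve, probes)
    if verdict["hijacked"]:
        print("resolver rewrites NXDOMAIN; answers came from:", verdict["sinkholes"])
    else:
        print("resolver returned NXDOMAIN for all probes (conforming)")
```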
So, anyways. It looks like you can create an account on OpenDNS and go through the following steps to have them behave like they SHOULD (to be a conforming DNS server per the xyon rules of conformance).
- Go to the network management page
- Create a new network (for me it was already populated with my current public IP, so I just said Home, create)
- Click the settings icon for that network
- In the navpane go to Advanced Settings
- Turn off everything
That's a little unfair, as I actually turned on "Block internal IP addresses", because, well, why not? And when it stops working for me and I find I should have done the work today to set up Dynamic DNS updating for it I'll wish I had done that, too.
But all I want my DNS server to do is tell me the right answer, where right means answer the question I asked, not the question you think I may have meant to ask.
Just think, had they not done that, I'd actually have been free from this vulnerability a lot earlier.