Xyon (xyon) wrote,
Xyon
xyon

guide.opendns.com redirect on unknown hostname

A while back I had been using OpenDNS for faster responses, and possibly one of Comcast or Verizon had been doing something wonky with DNS (or maybe they got poisoned, see US-CERT VU#800113 (and if you use OpenBSD, tekman now has the steps for How to mitigate CERT VU#800113 on OpenBSD)).

Anyways, at some point I switched off of that onto OpenNIC (who are actually kind of weird, but once you get past the paper hats they're nice... although they're vulnerable to US-CERT-VU#800113...) because I found that when I would ask for a non-existent name (such as http://xyonss.net) I would get a valid A response back (you use AAAA? really? aren't you special), and if it was HTTP, it would redirect to something like http://guide.opendns.com/?url=xyonss.net. This annoyed me greatly, so I switched off because I couldn't find anything talking about HIT-NXDOMAIN.opendns.com and how to make it stop happening. It also upsets a lot of things; when I was looking for it again today I ran across complaints of things requesting hit-nxdomain.opendns.com:8080, :443, :441 and lots of other things that were upsetting people. It turns out that quite a lot of software is understanding of NXDOMAIN (no such domain) DNS responses , but not "it doesn't exist, talk to my server". All it knows is "yep, got an IP, nope, thing didn't work" and your firewall starts complaining that you're trying to do SMB/CIFS (yes, I am aware they are the same page on Wikipedia, and I am aware that page says maybe they shouldn't be) to somewhere outside of your local network.

So, anyways. It looks like you can create an account on OpenDNS and go through the following steps to have them behave like they SHOULD (to be a conforming DNS server per the xyon rules of conformance).

  1. Go to the network management page

  2. Create a new network (for me it was already populated with my current public IP so I just said Home, create

  3. Click the settings icon for that network

  4. In the navpane go to Advanced Settings

  5. Turn off everything



That's a little unfair, as I actually turned on "Block internal IP addresses", because, well, why not? And when it stops working for me and I find I should have done the work today to set up Dynamic DNS updating for it I'll wish I had done that, too.

But all I want my DNS server to do is tell me the right answer, where right means answer the question I asked, not the question you think I may have meant to ask.

Just think, had they not done that, I'd actually have been free from this vulnerability a lot earlier.
Subscribe
  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 3 comments