NXDOMAIN, DNS redirect, ISP blocking, in dnscrypt possible? #1725
Hi, I found in my DNS [nx_log] queries quite a few entries, and some PTR records from my configured dnscrypt servers, and some TXT from websites such as duckduckgo, like so: _esni.external-content.duckduckgo.com TXT. I've read a little bit about the subject - NXDOMAIN - and how ISPs can leverage it to redirect to ads or even block access to certain websites. My question is: as far as I can tell, my queries can't be hijacked, since that's by design and the main purpose of using dnscrypt, but it may be possible to redirect it or block it, if it returns null (NXDOMAIN), if, for instance, there is an intermediate router intercepting all my internet traffic. So nameservers where there isn't ESNI enabled can be manipulated in my view, am I wrong? I also utilize an IPS, could this be the culprit? But as far as I can tell, I haven't found anything relevant in the logs. If the culprit is my ISP or a supposedly intermediate router, how can I work around this issue? Thanks
Replies: 1 comment 1 reply
NXDOMAIN means that the name doesn't exist. Buggy apps and websites call nonexistent names all the time.

Looks like you enabled the ESNI experiment. This requires an extra query every time you try to visit a new domain (such as the _esni.external-content.duckduckgo.com name you mentioned). This experiment is run by Mozilla and Cloudflare; unless you are trying to visit a Cloudflare customer, getting an NXDOMAIN response is expected.
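An added example, not part of the original discussion or of dnscrypt-proxy itself: a small triage script that sorts nx_log entries into the `_esni` TXT probes and PTR lookups mentioned above, leaving only the remaining names for manual review. It assumes the tab-separated nx_log layout `[timestamp]<TAB>client<TAB>name<TAB>type`; the sample lines and the `classify`/`triage` helper names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed tab-separated nx_log layout.
SAMPLE_NX_LOG = """\
[2021-05-01 10:00:01]\t127.0.0.1\t_esni.external-content.duckduckgo.com\tTXT
[2021-05-01 10:00:02]\t127.0.0.1\t_esni.example.org\tTXT
[2021-05-01 10:00:05]\t127.0.0.1\t10.2.0.192.in-addr.arpa\tPTR
[2021-05-01 10:00:09]\t127.0.0.1\twpad.lan\tA
[2021-05-01 10:00:12]\t127.0.0.1\tWWW.Example.ORG.\tA
[2021-05-01 10:00:15]\t127.0.0.1\twww.example.org\tA
garbage line without tabs
"""

LINE_RE = re.compile(r"^\[([^\]]+)\]\t(\S+)\t(\S+)\t(\S+)$")


def normalize(name):
    """DNS names are case-insensitive; drop the trailing root dot as well."""
    return name.rstrip(".").lower()


def classify(name, qtype):
    """Bucket one NXDOMAIN entry by the kind of query that produced it."""
    name = normalize(name)
    if qtype == "TXT" and name.startswith("_esni."):
        return "esni-probe"      # ESNI key lookup made before visiting a site
    if qtype == "PTR" and name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "reverse-lookup"  # address-to-name query with no PTR record
    return "other"               # left for manual review


def triage(log_text):
    """Return (counts per bucket, 'other' names with hit counts, skipped lines)."""
    counts, review, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1         # malformed or unexpected line, not guessed at
            continue
        _ts, _client, name, qtype = m.groups()
        kind = classify(name, qtype)
        counts[kind] += 1
        if kind == "other":
            review[(normalize(name), qtype)] += 1
    return counts, review, skipped


if __name__ == "__main__":
    counts, review, skipped = triage(SAMPLE_NX_LOG)
    print(dict(counts), "skipped:", skipped)
    for (name, qtype), hits in review.most_common():
        print(f"review: {name} {qtype} x{hits}")
```

Names that land in the review list and that you know should resolve are the ones worth querying again through a second resolver before drawing conclusions.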