1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

OpenDNS domain hijacking

Discussion in 'Tomato Firmware' started by PBandJ, Jun 21, 2013.

  1. PBandJ

    PBandJ Addicted to LI Member

    This isn't new, and probably also relevant for other (nasty) DNS providers.
    When they encounter a DNS they can't resolve - they redirect the request to some IP that ends up serving an advertisement or something similar, instead of returning a NXDOMAIN (non-existent domain) response to that DNS resolution request.

    This gets very annoying if you use the address bar in your browser (Firefox, in my case) as a search bar as well: if you search for two words or more, the browser knows for sure it's a search and performs the requested action. However, when you search for a single word, it tries first to resolve it as a DNS query and only when that fails (NXDOMAIN response) it performs the search. When you use OpenDNS you can't use the address bar for single-word searches.

    Now I can :)
    0. Goto Advanced -> DHCP/DNS
    1. Make sure Intercept DNS port is checked.
    2. In Custom configuration add the following:
    # Counter OpenDNS NXDOMAIN hijacking
    This is the IP returned from OpenDNS instead of the NXDOMAIN response. This tells dnsmasq to treat this response as if NXDOMAIN was returned.
    philess likes this.
  2. jerrm

    jerrm Network Guru Member

    NX Domain Redirection can be disabled in the OpenDNS Dashboard.
  3. PetervdM

    PetervdM Network Guru Member

    for enterprise customers only.
    ps. my bogus nx-domain ip = . maybe others too.
  4. gfunkdave

    gfunkdave LI Guru Member

    I have gotten both .132 and .131.
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    Nope. I have a personal account and have redirection disabled.

    You have to create an account, run some form of IP update widget (like DDNS in Tomato, which supports OpenDNS), and disable the setting.
  6. PBandJ

    PBandJ Addicted to LI Member

    I tried that, and it didn't work. Maybe I didn't wait long enough for the settings change to propagate their system, or something? Anyway - I (as well as others) are eating the cake and keeping it whole.
  7. philess

    philess Networkin' Nut Member

    Thanks for posting this hint PBandJ!

    I can turn off the NXDOMAIN redirection in the dashboard, and it works.
    But it is required to use the Webcontent filtering. So if someone wants
    to use the OpenDNS filtering, but without the redirection, your solution
    is perfect. Thanks.
  8. jerrm

    jerrm Network Guru Member


    Content filtering works fine for us with NX redir disabled - under several accounts.
  9. philess

    philess Networkin' Nut Member

    As soon as i remove the checkmark from the "NXDOMAIN redirection" option, a red text
    pops up below, saying that this option is required for webcontent filtering to work.
    Using a free, private account.
  10. jerrm

    jerrm Network Guru Member

    Not sure about a free accounts, but see why they would want to maintain the ability to serve ads up on the free accounts.
    philess likes this.
  11. Monk E. Boy

    Monk E. Boy Network Guru Member

    Yeah I don't care about web content filtering at home on my free account. The point stands though that you can disable redirection on free accounts.

    All I want is a DNS server without my ISP's god-awful domain redirects which cannot be switched off or worked around without avoiding their DNS servers completely. &*(@#$&(
    philess likes this.
  12. PBandJ

    PBandJ Addicted to LI Member

    Sorry to bump this thread.
    I just came across a better, more robust, way to work around this issue.
    Instead of using bogus-nxdomain=..., I use the option domain-needed, which does the following:

Share This Page