Automatically block upstream DNS hijacking / typosquatting with dnsmasq's bogus-nxdomain



Basically I’d like to see this become automated: Detect typosquatting redirect from ISP’s DNS and send out a proper NXDOMAIN

I use my ISP’s DNS servers for my upstream DNS, because they offer better performance, geolocation, etc.

However, they serve up bogus responses with the IP of an advertising server for any domain that should be a NXDOMAIN.

DNSmasq has a way to block this, by adding bogus-nxdomain=<ip> to the config file, and then when it sees responses with the given IP, it will automatically correct those to be a NXDOMAIN response.

I’d like to pi-hole to be able to automatically block this type of DNS hijacking by doing a query for <random string>.invalid and adding bogus-nxdomain entries for any IP addresses that are returned. (RFC 2606 reserves the .invalid TLD for domain names that are guaranteed to be invalid).

Randomizing the query should prevent it from showing up in any aggregate statistics. If ISP’s ever do “wise up” and start returning NXDOMAIN for .invalid while still hijacking potentially valid domain names, we could switch to something else.

It’s also worth mentioning that this could cause trouble if the pi-hole was behind a captive portal, but I don’t think that’s a very likely scenario. Perhaps the feature should be disabled by default.

Detect typosquatting redirect from ISP's DNS and send out a proper NXDOMAIN