About NXDOMAIN Redirection

When a DNS member with recursion enabled receives a recursive query for data for which it is not authoritative, it locates the data through queries to other servers. If the query is for a non-existent domain name, the DNS member receives an NXDOMAIN response from the authoritative name server, which the member then forwards to the DNS client. An NXDOMAIN response contains a "Name Error" RCODE, signifying that the domain name referenced in the query does not exist. (For information, you can refer to RFC 1035, Domain Names — Implementation and Specification.)
You can install a Query Redirection license on a recursive DNS member to control its response to queries for A records of non-existent domain names and other domain names that you specify. After the license is installed, Grid Manager displays the NXDOMAIN Rulesets tab where you can create rules that specify how a DNS member responds to queries for A/AAAA records for certain domain names and non-existent domain names. Each rule contains a domain name specification, and the action of the DNS member when the domain name in the query matches that in the rule. After you create the rules, you then enable the NXDOMAIN redirection feature and list the IP addresses that are included in the synthesized responses.
Recursive DNS members can redirect responses to queries for A/AAAA records only. DNS members resolve queries for all other records as they normally would.
In addition, you can enable DNS members to log queries that match rules with an action of "Redirect" or "Modify". You can view the logs in the Syslog viewer. The logs include the queried domain name, source IP address, the pattern of the matched rule, and the name of the corresponding ruleset.
When DNSSEC is enabled on the Infoblox DNS server, it does not redirect DNS clients that request DNSSEC data for a non-existent domain name. Instead, it returns an authenticated negative response in the form of an NSEC or NSEC3 RR. (For information about DNSSEC, see Configuring DNSSEC.) If DNSSEC is not enabled, the appliance ignores the request for DNSSEC data and redirects the clients.
To apply the configured NXDOMAIN rules regardless of whether a DNS query requests DNSSEC data, configure the appliance accordingly. For more information about how to configure this, see Applying Policies and Rules to DNS Queries that Request DNSSEC Data.
You can enable NXDOMAIN redirection at the Grid, member, and DNS view levels. Only recursive DNS servers can redirect DNS clients. Non-recursive DNS members do not redirect DNS clients. For information on enabling recursion on a DNS member, see Enabling Recursive Queries.

Note that if both NXDOMAIN redirection and the blacklisting feature are enabled, the DNS member applies the blacklist rulesets before the NXDOMAIN rulesets. For information about blacklisting domain names, see Blacklists.

About NXDOMAIN Rulesets

An NXDOMAIN ruleset is a list of rules that a DNS member uses to determine its response to recursive queries for A records it does not have. Each rule consists of a domain name specification or pattern, and an associated action.
Domain names can contain any printable character. You can use certain metacharacters to create domain name patterns that are used to match the domain names in DNS queries. Pattern matching is case-insensitive. Patterns support the following metacharacters:

  • Use the caret character (^) to indicate the beginning of a pattern. For example, ^foo matches foo.com but not barfoo.com. The caret character has a special meaning only if it is specified at the beginning of a pattern.

  • Use the dollar sign character ($) to indicate the end of a pattern. The dollar sign character has a special meaning only if it is specified at the end of the pattern. For example, .com$ matches corpxyz.com but not corpxyz.com.net.
    When the pattern contains a $ at the end, NIOS automatically adds a period (.) before the $. For example, if you enter .com$, NIOS saves it as .com.$. The period indicates that the pattern specifies a complete domain name that ends with the root label.

  • Use the asterisk character (*) as a wildcard that can match zero or more characters in one or more labels of a domain name. For example, xf*oy matches xfooy.com, but not xfoobary.
    A pattern that contains a single asterisk (*) (or an equivalent expression, such as ^*$) matches any domain name.

  • Use the backslash character (\) with one of the metacharacters ($, ^, * and \) to remove their special meaning. If \ is followed by any other character, that character is taken as an ordinary character, as if \ is not present. For example, foo\\\.bar matches foo\.bar, and \* matches a literal asterisk in a domain name.

No other characters have any special meaning. Note in particular that the period character (".") only matches a period used as a separator in a domain name.
The action specifies how the DNS member responds when a domain name in a query matches a pattern. The action can be one of the following: Pass, Modify or Redirect.

  • Pass: The DNS member resolves the query and forwards the response to the DNS client, even if it is an NXDOMAIN response.

  • Modify: The DNS member resolves the query and forwards the response to the DNS client, only if it is not an NXDOMAIN response. But if the member receives an NXDOMAIN response, it sends the client a synthesized response that includes predefined IP addresses.

  • Redirect: The DNS member does not resolve the query. Instead, it sends the client a synthesized response that includes predefined IP addresses.

You can configure multiple rulesets. The DNS member applies the rulesets and their rules in the order in which they're specified in the configuration. If multiple rulesets contain rules with duplicate patterns, the DNS member applies the first rule it encounters and ignores the other rules.

Examples

The following example illustrates how the appliance applies NXDOMAIN rulesets.

Ruleset 1:

  Pattern           Action
  a1.corpxyz.com    PASS
  *.corpxyz.com     REDIRECT

  • If the DNS member receives a query for a1.corpxyz.com, it resolves the query and forwards the response, even if it is an NXDOMAIN response, to the client. Note that if the order of the rules were switched, the DNS client would be redirected immediately, because the domain name a1.corpxyz.com matches the *.corpxyz.com pattern.

  • If the DNS member receives a query for b1.corpxyz.com, the member immediately redirects the DNS client to the specified IP address because the domain name in the query matches the second rule.

  • If the DNS member receives a query for b1.corp200.com, it resolves the query because the domain name does not match any rule. If the DNS member receives an A record from an authoritative server, the member forwards the response to the client. However, if the member receives an NXDOMAIN response, it redirects the DNS client to the specified IP address.

In the following example, the rules redirect queries for dotted domain names that do not end in ".com". As shown in the example, an explicit PASS rule is required at the end.

Ruleset 2:

  Pattern    Action
  *.com      PASS
  .*.$       MODIFY
  *          PASS

  • If the DNS member receives a query for corpxyz.com which matches the pattern "*.com", the member resolves the query and forwards the response, even if it is an NXDOMAIN response, to the client.

  • If the DNS member receives a query for corpxyz.org, which matches the pattern ".*.$", the member resolves the query. If the member receives an NXDOMAIN response, it redirects the client to the specified IP address. If the member receives a non-NXDOMAIN response, it forwards the response to the client.

  • If the DNS member receives a query for corp200, the member resolves the query and forwards the response to the client.

NXDOMAIN Redirection Guidelines

The following summarizes how a DNS member responds to a query for an A record when the NXDOMAIN feature is enabled:

  • If there are no rulesets configured, the DNS member queries other name servers.

    • If the DNS member receives a non-NXDOMAIN response from an authoritative server, it forwards the response to the DNS client.

    • If the DNS member receives an NXDOMAIN response from an authoritative server, it redirects the DNS client.

  • If rulesets are configured, the DNS member tries to match the domain name in the query with a domain name in the rules.

    • If the DNS member finds a match, it performs the action specified in the rule.

      • If the action is "Redirect", the DNS member redirects the DNS client.

      • If the action is "Pass", the DNS member queries other name servers and forwards the response to the DNS client.

      • If the action is "Modify", the DNS member queries other name servers. If it receives a non-NXDOMAIN response, it forwards the response to the DNS client; if it receives an NXDOMAIN response, it redirects the DNS client.

    • If the DNS member does not find a match, the DNS member queries other name servers.

      • If the DNS member receives a non-NXDOMAIN response, it forwards the response to the DNS client.

      • If the DNS member receives an NXDOMAIN response from an authoritative server, it redirects the DNS client.
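The pattern metacharacters, the first-match-wins ordering across rulesets and the Pass/Modify/Redirect outcomes summarized above, including both rulesets from the Examples section, modelled as an added Python example (not Infoblox code): the names compile_pattern, matches and decide are hypothetical, the authoritative server's answer is supplied as a constructed RCODE string rather than obtained by real resolution, and it is assumed that NIOS does not add a second period when a pattern already ends in ".$".

```python
import re

# Added example, not Infoblox code; function names are hypothetical.

def compile_pattern(pattern: str):
    """^ anchors only at the start, $ only at the end, * spans zero or more
    characters across labels, \\x is a literal x, anything else is literal and
    matching is case-insensitive. A trailing $ gets the root-label period put
    before it (.com$ is stored as .com.$); assumed: none added after .$"""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:            # \x -> literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "^" and i == 0:
            out.append("^")
        elif c == "$" and i == n - 1:
            out.append("$" if out and out[-1] == r"\." else r"\.$")
        elif c == "*":
            out.append(".*")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)

def matches(pattern: str, qname: str) -> bool:
    """Unanchored search over the FQDN form (with the trailing root label)."""
    fqdn = qname if qname.endswith(".") else qname + "."
    return compile_pattern(pattern).search(fqdn) is not None

def decide(rulesets, qname, upstream_rcode):
    """rulesets: ordered [(name, [(pattern, action), ...])]; upstream_rcode is
    what the authoritative server would answer ("NOERROR" or "NXDOMAIN").
    Returns (response, matched_pattern, ruleset_name); response is "FORWARD"
    (real answer relayed) or "SYNTHESIZED" (redirect addresses returned)."""
    for name, rules in rulesets:
        for pattern, action in rules:          # first match wins, in order
            if not matches(pattern, qname):
                continue
            if action == "REDIRECT":           # never resolved upstream
                return "SYNTHESIZED", pattern, name
            if action == "MODIFY" and upstream_rcode == "NXDOMAIN":
                return "SYNTHESIZED", pattern, name
            return "FORWARD", pattern, name    # PASS, or MODIFY with an answer
    if upstream_rcode == "NXDOMAIN":           # no match, or no rulesets
        return "SYNTHESIZED", None, None
    return "FORWARD", None, None
```

Dropping the final "*" PASS rule from Ruleset 2 shows why the page calls it required: corp200 then falls through to the no-match branch and an NXDOMAIN answer is synthesized instead of forwarded.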

Note that if an A record with a dotted hostname is added to an authoritative zone through a dynamic DNS update, and that A record should actually belong in an existing delegation, the appliance may not redirect a query for that A record according to the Blacklist and NXDOMAIN guidelines.

Configuring NXDOMAIN Redirection

To enable NXDOMAIN redirection and configure its properties:

  1. Configure NXDOMAIN rulesets. You can create NXDOMAIN rulesets through Grid Manager, as described in Creating Rulesets below. You can also specify the rulesets in a CSV file and import the file to the Grid, as described in Importing and Exporting Data using CSV Import.

  2. Enable this feature and specify the redirection IP addresses, as described in Enabling NXDOMAIN Redirection below.

Creating Rulesets

To create a ruleset:

  1. From the Data Management tab -> DNS tab -> NXDOMAIN Rulesets tab, click the Add icon.

  2. In the NXDOMAIN Ruleset wizard, complete the following and click Next:

    • Name: Enter a name for the ruleset.

    • Comment: You can enter additional information.

    • Disable: You can disable this ruleset for use later on. The appliance ignores disabled rulesets.

  3. Click the Add icon to add a rule to the ruleset table.

    • In the Pattern column, enter a domain name or pattern, using the guidelines specified in About NXDOMAIN Rulesets.

    • In the Action column, select PASS, REDIRECT or MODIFY.

    • In the Order column, NIOS automatically displays the number of the entry in the list.
      The appliance applies the rules in the order they are listed. You can order the list as follows:

      • Use the up and down arrows to move rules up or down on the list.

      • Use the go-to-top or go-to-bottom arrow to move a rule to the top or bottom of the list.

      • Change the Order number of a rule to move it to the desired location.

      • Delete a rule by selecting it and clicking the Delete icon.

  4. Save the configuration and click Restart if it appears at the top of the screen.

Managing NXDOMAIN Rulesets

To view NXDOMAIN rulesets, navigate to the Data Management tab -> DNS tab -> NXDOMAIN Rulesets tab. The panel lists the configured rulesets and their associated comments. You can also display the Disabled column which indicates which rulesets are disabled. From this panel, you can do the following:

  • Add more rulesets, as described in the preceding section, Creating Rulesets.

  • Edit a ruleset, by clicking its checkbox and clicking the Edit icon. You can set the following in the NXDOMAIN Ruleset editor:

    • In the General Basic tab, you can change entries in any of the fields.

    • In the Rules tab, you can do the following:

      • Add a rule by clicking the add icon and specifying the pattern and action.

      • Change the pattern or action of a rule, by clicking in the appropriate row.

      • Delete a rule by clicking its checkbox and clicking the Delete icon.

      • Move rules up and down, by using the arrows.

    • In the Permissions tab, you can set admin permissions for the ruleset. For information about admin permissions, see Managing Administrators.

  • Delete a ruleset, by clicking its checkbox and clicking the Delete icon.

Enabling NXDOMAIN Redirection

Only DNS members with recursion enabled can support NXDOMAIN redirection.
You can enable this feature at the Grid level, and override it for a member or DNS view with recursion enabled. You must specify at least one IP address as the redirection destination. You can specify different redirection IP addresses and rulesets for each Grid member or DNS view, and you can also define members that do not provide redirection. This is useful when you want to define a set of "opt out" servers for DNS clients that do not want to be redirected.
You can also enable the DNS member to log queries that match rules with an action of "Redirect" or "Modify". The logs include the queried domain name, source IP address, the pattern of the matched rule, and the name of the corresponding ruleset. The DNS member does not log queries that matched rules with an action of "Pass".
To enable NXDOMAIN redirection:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member checkbox -> Edit icon.
    DNS View: From the Data Management tab, select the DNS tab and click the Zones tab -> dns_view checkbox -> Edit icon.
    Standalone DNS: From the Data Management tab, select the DNS tab, expand the Toolbar and click System DNS Properties.
    To override an inherited property, click Override next to it and complete the appropriate fields.

  2. If the Grid DNS Properties or Member DNS Properties editor is in basic mode, click Toggle Advanced Mode.

  3. Click NXDOMAIN and complete the following:

    • Enable NXDOMAIN redirection (recursive members only): Select this option to enable recursive DNS members to synthesize their responses to DNS queries for A records.

    • Rulesets: Click the Add icon to add an NXDOMAIN ruleset. Use the up and down arrows to move rulesets up and down in the list. The appliance applies them in the order they are listed.

    • Redirect to IPv4 addresses: Click the Add icon and enter the IPv4 addresses that the DNS server includes in its synthesized response for A type queries.

    • Redirect to IPv6 addresses: Click the Add icon and enter the IPv6 addresses that the DNS server includes in its synthesized response for AAAA type queries.

      Note that you can add up to 12 IP addresses in total, in any combination of IPv4 and IPv6, for NXDOMAIN redirection.

    • TTL: Specify how long the DNS client caches the A record with the redirected IP address.

    • Log redirected queries: Select this checkbox to log the redirected queries to syslog.

  4. Save the configuration and click Restart if it appears at the top of the screen.