[SURBL-Announce] ISP nameserver NXDOMAIN modifications may cause false positives

Jeff Chan jeffc at surbl.org
Sun Feb 3 10:25:30 CET 2008

Some ISPs including Verizon and Charter have apparently started
modifying DNS NXDOMAIN responses in such a way that may cause false
positives on SURBLs and other lists for systems using their
nameservers.  They may be doing this in order to drive search traffic
for web sites that appear to not exist as indicated by an NXDOMAIN
response to a DNS query.  However, SURBLs and other lists use a
response of NXDOMAIN to indicate that a queried object is not on the
list.  If the last octet of the modified response happens to
correspond to the bitmasked positions of blacklists (which seems
likely given that 6 of 8 possible bits are currently used), then false
positives may result.

Verizon and Charter have opt-out nameservers, but Charter's opt-out
nameservers reportedly do not correctly return an NXDOMAIN result.  One
solution is to not use their nameservers.  These issues won't affect
systems running their own nameservers, or using other nameservers.
These issues may affect other ISPs if they are also modifying NXDOMAIN

The situation is somewhat like OpenDNS before they changed their
behavior to not modify NXDOMAIN responses to list queries.


Jeff C.
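
The false-positive mechanism described in the message above, as an added example that is not part of the original post or SURBL's own code. It assumes that genuine list answers fall inside 127.0.0.0/8, uses a constructed six-bit mask (the post gives only the count, not the positions), and uses the documentation address 192.0.2.68 as a stand-in for an ISP's substituted answer.

```python
import ipaddress

# Assumption: six of the eight last-octet bits are in use (the post says
# 6 of 8); the bit positions chosen here are constructed for illustration.
USED_BITS = 0b01111110
# Assumption: genuine list answers are always inside 127.0.0.0/8.
LIST_NET = ipaddress.ip_network("127.0.0.0/8")


def naive_listed(answer):
    """Client that trusts any A record and only masks its last octet.

    `answer` is the returned IPv4 address as a string, or None for NXDOMAIN.
    Returns the list bits the client would believe are set (0 = not listed).
    """
    if answer is None:
        return 0
    return int(ipaddress.ip_address(answer)) & 0xFF & USED_BITS


def checked_listed(answer):
    """Return (bits, rewritten).

    An answer outside LIST_NET cannot be a genuine list result, so it is
    treated as a rewritten NXDOMAIN: not listed, and flagged for the operator.
    """
    if answer is None:
        return 0, False
    addr = ipaddress.ip_address(answer)
    if addr not in LIST_NET:
        return 0, True
    return int(addr) & 0xFF & USED_BITS, False


def false_positive_rate(used_bits=USED_BITS):
    """Fraction of the 256 possible last octets a naive client reads as listed."""
    return sum(1 for octet in range(256) if octet & used_bits) / 256


if __name__ == "__main__":
    # Constructed answers: NXDOMAIN, a genuine listing, a substituted address.
    for answer in (None, "127.0.0.4", "192.0.2.68"):
        print(answer, naive_listed(answer), checked_listed(answer))
    print("naive false-positive rate:", false_positive_rate())
```

With six bits in use, only four last-octet values leave every used bit clear, which is why a substituted address is read as listed in nearly every case.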
