by Mr. DNS on May 14, 2010 · 9 comments

in whatis

What is NXDOMAIN? How does nxdomain affects my browsing? Explains the relationship between NXDOMAIN and DNS Hijacking.

A DNS server is used to translate a domain name into an IP address or vise versa. For example, when you type dnsknowledge.com in your web browser, an authoritative dns server translate a domain name such as dnsknowledge.com into an IP address such as However, if you try dnsknowledgefoobarexamplefackdomain.com, you will get an error indicating non existing domain name.

Non-existent Internet Domain Names Definition

NXDOMAIN is nothing but non-existent Internet or Intranet domain name. If domain name is unable to resolved using the DNS, a condition called the NXDOMAIN occurred. In this example, try to find out an ip address for the domain called abcquq12examfooltest.com using the nslookup or host command line option:
nslookup abcquq12examfooltest.com
host abcquq12examfooltest.com
Sample outputs:

Host abcquq12examfooltest.com not found: 3(NXDOMAIN)

Since domain name is the invalid domain, you got a NXDOMAIN response i.e an error message indicating that domain is either not registered or invalid.

DNS Hijacking And NXDOMAIN

A few ISPs such as Optimum Online, Comcast, Time Warner, Cox Communications, RCN, Rogers, Charter Communications, Verizon, Virgin Media, Frontier Communications, Bell Sympatico, Airtel, and many others started the bad practice of DNS hijacking on non-existent domain name for making money by displaying the internet advertisements. These ISP and/or advertiser may collect your personal data too. These ISPs DNS server sends a fake IP address for all the NXDOMAIN responses. In most cases your browser will connect to a fake IP address server which will display page with advertising, instead of a proper error message to you. In some cases it is possible to obtain sensitive information too.

When you search for a Web site (domain) that doesn’t exist, these ISPs will hijack your session (also called as Error Redirection service), and it will show suggestions for sites that are similar to what you entered with tons of advertisements. In most circumstances DNS Error Redirection cause problems for customers running various specialty programs (such as game servers) or services (such as corporate vpn client and servers).

Example: DNS Hijacking On Non-existent Domain Name (NXDOMAIN)

The domain name foobar.dnsknowledge.com or a web site http://foobar.dnsknowledge.com doesn’t exist. If you run query for such address most ISPs will hijack your session and display advertisements. A typical dns query will look like as follows using the nslookup command on MS-Windows or host command on Mac OS X/Unix/Linux computer:
nslookup foobar.dnsknowledge.com
host foobar.dnsknowledge.com
Sample outputs:

foobar.dnsknowledge.com has address

As a result of this hijacking you will see the following page:

My ISP Has Hijacked Nxdomain Page

Fig.01: My ISP Has Hijacked Nxdomain Page (click to enlarge)

Example: Non-existent Domain Name (NXDOMAIN) Response

In this example, I’m using our corporate resolving DNS name servers i.e. I’m not using ISP’s dns server. This ensures that my DNS session can not be hijacked. A typical dns query will look like as follows using the nslookup command on MS-Windows or host command on Mac OS X/Unix/Linux computer:

nslookup foobar.dnsknowledge.com
host foobar.dnsknowledge.com
Sample outputs:

Host foobar.dnsknowledge.com not found: 3(NXDOMAIN)

No ip address returned and I got clean error message. This suggest that the domain foobar.dnsknowledge.com doesn’t exists. I’ve disabled hijacking of NXDOMAIN responses using my own resolving caching dns server:

Fig.02: No DNS hijacking / DNS Redirection Example

Fig.02: No DNS hijacking / DNS Redirection Example (click to enlarge)


  1. NXDOMAIN error message means that a domain does not exist.
  2. Some ISPs started DNS hijacking or DNS redirection for NXDOMAIN error messages.
  3. It is the practice of redirecting the resolution of Domain Name System (DNS) names to other DNS servers or web servers.
  4. Commonly used for displaying advertisements or collecting statistics.
  5. This practice violates the RFC standard for DNS (NXDOMAIN) responses.
  6. Phishing : Cross-site scripting attacks can occurred due to malicious hijacking.
  7. Censorship : DNS service providers to block access to selected domains.

{ 9 comments… read them below or add one }

AMDphreak April 4, 2011 at 12:36 pm

thanks for contributing.


Raven August 19, 2011 at 5:10 pm

Thank you for putting an understandable explanation here. I really appreciate it!


nottinhill October 19, 2011 at 4:47 am

Could you please explain the DNS Hijacking part a bit better? Also there are some grammer error which makes it harder to understand. Thanks!


police February 14, 2012 at 7:18 pm

@nottinhill: it’s GRAMMAR



admin March 13, 2012 at 3:57 pm

nottinhill / police:

Thanks for the heads up. The article has been updated.


Dude August 18, 2013 at 9:40 pm

great article


Boodah June 13, 2014 at 7:06 pm

Somebody knows how to prevent NXDOMAIN to be hijacked by our ISP’s?


Brian I. December 3, 2014 at 11:37 pm

You can switch your DNS settings and use a third-party provider. They are usually faster and may have more features (such as filtering & phishing protection). Two examples are Google’s Public DNS and OpenDNS. Both are free. Note that OpenDNS has recently switched from hijacking NXDOMAIN and stopped redirecting NXDOMAIN errors and Google has never been doing it. However, OpenDNS is not entirely RFC compliant, as they explain below:
“However, we still intercept phishing and malware attacks, which technically violate the RFCs. But we think the RFCs will change overtime to accommodate and endorse this kind of optional, opt-in, interception of malicious and harmful traffic…”


zezinho February 5, 2015 at 7:34 am

Boodah : yes. To prevent, you must configure manually another DNS server instead of your ISP’s one. Some very known examples are Google’s and, it is valid until Google starts hijacking too ;-)


Leave a Comment

Previous post:

Next post: