What Is NXDOMAIN Hijacking and How to Stop It
Understand what NXDOMAIN hijacking is, why ISPs do it, and how to use a clean DNS resolver to avoid it.
What is NXDOMAIN?
Every DNS query gets a response code. When you look up a domain that does not exist — one that was never registered, or has expired — the DNS server should return NXDOMAIN (response code 3, also called RCODE 3). This is the DNS protocol's way of saying "this domain does not exist."
Your browser, your mail server, and most network software depend on this answer. It tells them to stop trying and report the error back to the user or calling application.
What is NXDOMAIN hijacking?
Some ISPs and DNS providers intercept NXDOMAIN responses before they reach you. Instead of returning the honest "does not exist" answer, they substitute their own IP address. Your browser then loads a page controlled by the ISP — typically a search page filled with ads.
This practice goes by several names: NXDOMAIN hijacking, NXDOMAIN redirection, DNS hijacking, or DNS redirect. The mechanics are the same regardless of the label. The resolver lies about the state of the domain.
Why do ISPs do this?
Money, mostly. When a user mistypes a URL, the ISP redirects them to a search page plastered with pay-per-click ads. The ISP earns revenue on every click.
Some ISPs frame it as a feature — a "helpful" search page that suggests what you might have meant. Others use it for branding, showing their own portal instead of the browser's default error page.
Regardless of intent, the result is the same: the DNS resolver returns false information.
What problems does NXDOMAIN hijacking cause?
It is not just an annoyance. NXDOMAIN hijacking breaks real infrastructure:
- DNSBL and spam filtering — DNS-based blocklists work by checking whether a domain or IP appears in a list. If NXDOMAIN is hijacked, every lookup returns an address, and the blocklist becomes useless.
- SPF and email authentication — SPF records rely on DNS lookups. A hijacked NXDOMAIN for a non-existent sending domain can cause SPF checks to produce incorrect results.
- Security and monitoring tools — Intrusion detection systems, malware scanners, and other security software use NXDOMAIN as a signal. Hijacking removes that signal.
- DNSSEC validation — DNSSEC uses NSEC and NSEC3 records to cryptographically prove a domain does not exist. Hijacking the response breaks this chain of trust.
- Privacy — Every mistyped or non-existent domain query gets routed to the ISP's server, leaking your failed lookups to a third party.
How to detect NXDOMAIN hijacking
The simplest test is to query a domain that absolutely cannot exist. Open a terminal and run:
dig thisdoesnotexist12345.example.com @your-dns-server
Replace your-dns-server with the IP of the DNS resolver you want to test. If the response contains an A record pointing to an IP address, that server is hijacking NXDOMAIN. A clean resolver will return status: NXDOMAIN with no answer section.
You can also use nslookup on Windows:
nslookup thisdoesnotexist12345.example.com your-dns-server
If you get a resolved address instead of a "Non-existent domain" error, the server is hijacking.
We test for this automatically. Our status page flags servers that return forged answers for non-existent domains as NX_HIJACK. Check our DNS server status page to see which resolvers hijack and which do not.
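As an added example that is not part of the original article, the following Python script does the same check as the dig and nslookup commands above (and answers the FAQ question on testing your current provider): it builds a raw DNS query for a name that cannot exist, sends it to a resolver on UDP port 53, and classifies the reply as clean (RCODE 3, no answer) or hijacked (an A record returned). The random label and the constructed sample responses used for offline checks are assumptions of the example, not from the article.

```python
import random, socket, struct, sys

def build_query(name, txid=0x1234):
    # Minimal DNS header: id, flags RD=1, QDCOUNT=1, then QNAME / QTYPE=A / QCLASS=IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Step over a label sequence; a 0xC0 compression pointer is 2 bytes and ends the name
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(resp):
    # 'clean': RCODE 3 with no answers; 'hijacked': any A record in the answer; else 'other'
    flags, qd, an = struct.unpack(">HHH", resp[2:8])
    rcode, off, a_records = flags & 0xF, 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    if a_records:
        return "hijacked"
    return "clean" if rcode == 3 else "other"

def probe(server, timeout=3.0):
    # Random label (an assumption of this example) avoids a cached answer for the fixed name
    name = "thisdoesnotexist%d.example.com" % random.randrange(10**9)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(resp)

# Constructed sample responses (not captured from any real resolver), used for offline checks.
_Q = build_query("thisdoesnotexist12345.example.com")[12:]
SAMPLE_CLEAN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q      # QR RD RA, RCODE=3
SAMPLE_HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q  # RCODE=0 + forged A
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("198.51.100.7"))

if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"))
```

Run it with the resolver IP as the first argument; it prints clean, hijacked, or other (for example NOERROR with no A record).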
How to stop NXDOMAIN hijacking
The most effective fix is to switch to a DNS provider that respects the protocol and returns honest NXDOMAIN answers. Several well-known public resolvers commit to this:
- Cloudflare — 1.1.1.1 and 1.0.0.1
- Google Public DNS — 8.8.8.8 and 8.8.4.4
- Quad9 — 9.9.9.9 and 149.112.112.112
Changing your DNS server takes a couple of minutes on most operating systems. You can set it on individual devices or at the router level to cover your entire network.
Browse our full directory of public DNS servers to find a reliable resolver tested from multiple locations.
DNS over HTTPS and DNS over TLS
Even after switching to a clean resolver, your ISP can still intercept plain-text DNS queries at the network level and redirect them. Encrypted DNS prevents this.
DNS over HTTPS (DoH) wraps DNS queries inside HTTPS traffic on port 443. DNS over TLS (DoT) encrypts DNS queries over a dedicated TLS connection on port 853. Both prevent your ISP from seeing or tampering with your DNS traffic.
If you cannot change the DNS server at the router level — for example, on a managed corporate network or a restricted ISP-provided router — encrypted DNS on individual devices is often the best path forward.
For a detailed comparison of the two protocols, see our DoH vs DoT guide.
Recommended DNS servers
We maintain a live-tested directory of thousands of public DNS servers worldwide. Every server is probed regularly for reliability, response time, and honest NXDOMAIN behaviour.
Browse the full directory to find servers that work well from your location and do not tamper with DNS responses.
Frequently asked questions
Is NXDOMAIN hijacking the same as DNS hijacking?
NXDOMAIN hijacking is one form of DNS hijacking. DNS hijacking is a broader term that also covers redirecting existing domains. NXDOMAIN hijacking specifically targets non-existent domains.
Can NXDOMAIN hijacking affect my email?
Yes. Mail servers rely on NXDOMAIN to reject messages from non-existent domains. If your DNS resolver hijacks NXDOMAIN, spam filtering tools like DNSBLs and SPF checks can return false results, letting spam through or bouncing legitimate mail.
Does DNSSEC prevent NXDOMAIN hijacking?
DNSSEC can prove that a domain does not exist by using authenticated denial-of-existence records (NSEC/NSEC3). However, if your resolver itself is the one hijacking, DNSSEC validation never happens. You need a resolver that both supports DNSSEC and does not hijack.
How do I know if my current DNS provider hijacks NXDOMAIN?
Query a domain that definitely does not exist, such as thisdoesnotexist12345.example.com. If you get an IP address back instead of an NXDOMAIN error, your provider is hijacking. Our status page flags servers that do this.
Will using a VPN stop NXDOMAIN hijacking?
Only if the VPN also provides its own DNS resolver that does not hijack. Many VPNs route your DNS queries through their own servers, which bypasses your ISP resolver. Check whether your VPN provider commits to returning honest NXDOMAIN responses.