I am not saying this is a rare occurrence. In fact, if I were to bet, I would bet that a large portion of major ISPs engage in this particular practice in some form or another. This was, however, the first time I had seen it in action so far.
Let's start with a little definition. NXDOMAIN, as defined by RFC2308, is another name for the "Name Error" code mentioned in RFC1035. This code is defined as signifying "...that the domain name referenced in the query does not exist." So, to put this into an example, if I try to browse to "faxebool.con", when an authoritative name server receives the quest, it will flag the query with the NXDOMAIN code to signify that the domain does not exist. This flag can be handled in a number of ways, but if you want to see how Verizon handles them versus, say, OpenDNS...
As you can see, Verizon is happy to return an IP address for a domain that OpenDNS is convinced doesn't exist.
And if we look at a packet capture for these requests?
Again, Verizon's response admitting that the domain doesn't exist, but happily returning an IP anyway.
So, which of these requests can we believe? Well, both Verion and OpenDNS respond with the 0x3 code (the "Name Error" code), but the difference is that Verizon still returns an IP, whereas OpenDNS does not. The natural thing to ask now is... what on earth lives at IP 126.96.36.199? The WHOIS tool over at DomainTools supplies the following information:
IP Location United Kingdom United Kingdom Belfast Barefruit Ltd.
ASN United Kingdom AS45028 BAREFRUIT-AS Barefruit Ltd Autonomous System (registered Apr 23, 2008)
Resolve Host unallocated.barefruit.co.uk
Whois Server whois.ripe.net
IP Address 188.8.131.52
Reverse IP 12 websites use this address.
I did some research, and here is how Barefruit describes their business model (pulled from the Barefruit opt-out page):
"Using Barefruit for DNS and HTTP error resolution improves the user experience for the vast majority of Internet users by suggesting relevant alternatives as opposed to serving unintelligible error messages."
If you want some more information on Barefruit and their practices, check out this Wikipedia page.
If you want to see an example of the page I got when I tried browsing to "faxenool.com" while having my primary DNS server set as 184.108.40.206, take a look here.
I do not want to get into the habit of discussing opinions on this blog if at all possible, but I would at least like to show you how I found out about this practice:
The anti-virus alert that was constantly appearing on a client's machine that led me to this issue.
I sussed this issue out once I knew that the internal Lync domain mentioned in the query did not, in fact, exist, and certainly if it did exist would not be located in the UK.
Again, I am not going to state whether or not this practice should be frowned upon, but I will state that it is certainly something that a lot of people are not aware even takes place.
Oh, and in case you were courious, you can always opt out of this service by changing your DNS addresses from 220.127.116.11 & 18.104.22.168 to 22.214.171.124 & 126.96.36.199, at least in the case of Verizon. Or you could, you know, just use a DNS server not provided by your ISP.
Stay safe out there.