Local Lookups Hijacked

Oliver Wine 

dig xxxxxxxxxxxxxxx
; <<>> DiG 9.10.6 <<>> xxxxxxxxxxxxxxx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34716
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;xxxxxxxxxxxxxxx.        IN    A
;; ANSWER SECTION:
xxxxxxxxxxxxxxx.    14308    IN    A    72.52.178.23
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 25 00:54:28 CEST 2023
;; MSG SIZE  rcvd: 60

dig abcde.com.tr.dfgh

; <<>> DiG 9.10.6 <<>> abcde.com.tr.dfgh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4383
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;abcde.com.tr.dfgh.        IN    A
;; ANSWER SECTION:
abcde.com.tr.dfgh.    14400    IN    A    72.52.178.23
;; Query time: 555 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 25 00:55:08 CEST 2023
;; MSG SIZE  rcvd: 62

dig xx

; <<>> DiG 9.10.6 <<>> xx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;xx.                IN    A
;; ANSWER SECTION:
xx.            14318    IN    A    72.52.178.23
;; Query time: 90 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 25 00:59:00 CEST 2023
;; MSG SIZE  rcvd: 47

dig xxx

; <<>> DiG 9.10.6 <<>> xxx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24409
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;xxx.                IN    A
;; AUTHORITY SECTION:
xxx.            509    IN    SOA    a.nic.xxx. admin.tldns.godaddy. 1684957804 1800 300 604800 1800
;; Query time: 96 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 25 00:59:26 CEST 2023
;; MSG SIZE  rcvd: 93

dig xxxx

; <<>> DiG 9.10.6 <<>> xxxx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;xxxx.                IN    A
;; ANSWER SECTION:
xxxx.            13978    IN    A    72.52.178.23
;; Query time: 87 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 25 00:59:46 CEST 2023
;; MSG SIZE  rcvd: 49

real TLDs and nxdomains at real TLDs don't seem affected. it seems to only hijack no-existing tlds

NextDNS This seems to work, thanks!