I just configured a new DNS name in one of my domains, which did not exist before. The associated IP number is routed to Germany. But while the name was not really up, the answer should have been NXDOMAIN, meaning that the name does not exist. Example:
$ dig blablablablabla.oeko.net ; <<>> DiG 9.9.5-8-Debian <<>> blablablablabla.oeko.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38513 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;blablablablabla.oeko.net. IN A ;; AUTHORITY SECTION: oeko.net. 139 IN SOA a.ns.oeko.net. hostmaster.oeko.net. 1021018254 16384 2048 1048576 2560 ;; Query time: 10 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Feb 12 21:33:53 CET 2015 ;; MSG SIZE rcvd: 105
But instead, they gave a fake answer:
$ dig bla.oeko.net ; <<>> DiG 9.9.5-8-Debian <<>> bla.oeko.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9013 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;bla.oeko.net. IN A ;; ANSWER SECTION: bla.oeko.net. 20 IN A 184.108.40.206 ;; Query time: 32 msec ;; SERVER: 192.168.1.254#53(192.168.1.254) ;; WHEN: Thu Feb 12 19:55:14 GMT 2015 ;; MSG SIZE rcvd: 46 $
As a result, I am unable to check whether my DNS performed correctly, until they deceided to throw the fake answer away.
Of course, this has huge potential for censorship of all kinds, which I have seen in action elsewhere already. I am not the only person aggravated by this kind of behaviour. Please follow the link below to read other people's take on this problem.