this post was submitted on 20 Oct 2023
136 points (94.7% liked)

Crappy Design

3053 readers
1 users here now

Noticed that theres no equivalent to r/crappydesign here yet so i made one

founded 2 years ago
MODERATORS
 

Context: A local movie app have this warning to me as I have this domain blocked with NextDNS ๐Ÿ‘Œ

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 1 points 1 year ago (1 children)

You're probably right. Rather than responding with NXDOMAIN, they're probably synthesizing A or AAAA records that point to their own server. IMO, this is super weird behavior in the era of HTTPS. I'm also pretty sure there's an IETF RFC that says recursive resolvers "MUST NOT" synthesize address records, but I can't seem to dig it up on my phone (pun intended ;).

[โ€“] [email protected] 1 points 7 months ago (1 children)

It's an option, default off. If you enable it it prompts you to install the CA for the block page.

[โ€“] [email protected] 1 points 7 months ago

They ask you to install a root CA? That would enable your DNS provider to MITM your TLS traffic. Yikes.