This question is very very similar to "RFC that requires DNS servers to respond to unknown domain requests", but I figured I ought to ask it as a new question.
It appears that it is standard practice for an authoritative DNS server to respond with rcode `REFUSED` to any query for a domain name for which the server is not authoritative. For example:

```
$ dig @ns1.google.com yahoo.com A | grep status
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53533
```

There are a few alternative behaviors that could make sense here, a priori:
- Blackhole the query entirely
- Return a non-authoritative `NXDOMAIN` response
- Return a non-authoritative `NOERROR` response (this is silly, but I mention it for completeness)
- Return a canned referral to the root nameservers (this is even sillier)

Is there an RFC or similar document that says "thou shalt return `REFUSED` in this case"?
I'd expect to see some discussion of this situation in RFC 1034 section 4.3.1 and 4.3.2, but I don't.
Best Answer
It's simple really, RFC1035 Section 4.1.1 RCODE 5
The administrators of the system have decided to configure their system to return a REFUSED response rather than do anything else.
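
The RCODE the answer cites is a 4-bit field in the 12-byte DNS message header laid out in RFC 1035 section 4.1.1. The following is an added example, not part of the original question or answer: it decodes that header and tells `REFUSED` apart from the alternative behaviours the question lists. The function names and sample headers are constructed for illustration; only the id 53533 and the `REFUSED` status are taken from the dig output above.

```python
import struct

# RCODE values defined in RFC 1035 section 4.1.1, with the mnemonics dig prints.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated message: DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response, 0 = query
        "aa": bool(flags & 0x0400),   # authoritative answer bit
        "rcode": RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"),
        "ancount": an, "nscount": ns,
    }

def classify(h: dict) -> str:
    """Map a parsed header onto the behaviours discussed in the question."""
    if not h["qr"]:
        return "not a response"
    auth = "authoritative" if h["aa"] else "non-authoritative"
    if h["rcode"] == "REFUSED":
        return "refused"
    if h["rcode"] == "NXDOMAIN":
        return f"{auth} NXDOMAIN"
    if h["rcode"] == "NOERROR":
        # A referral: no answers, AA clear, NS records in the authority section.
        if not h["aa"] and h["ancount"] == 0 and h["nscount"] > 0:
            return "referral"
        return f"{auth} NOERROR"
    return h["rcode"]

# Constructed sample headers (not captured traffic): QR=1, RD=1, AA clear.
def make_header(ident, flags, qd=1, an=0, ns=0, ar=0) -> bytes:
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

SAMPLES = {
    "refused": make_header(53533, 0x8105),
    "nxdomain": make_header(1, 0x8103),
    "referral": make_header(2, 0x8100, ns=13),
    "noerror": make_header(3, 0x8100),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(parse_header(raw)))
```
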