by Isomer 2725 days ago
There are lots of "privacy" improving DNS servers, but none of them mention trying to remove unintentional DNS queries.

It turns out lots of things will resolve anything that looks vaguely like a hostname to see if, in fact, it is a hostname, e.g. "untitled.pdf". These queries get passed to your ISP, and then on towards the root name servers. So if you run a large nameserver, you quickly find that most of your DNS queries are very obviously rubbish.

With DNSSEC there are two new records (NSEC, NSEC3) that let you say "between these two names, I guarantee there are no valid records". Thus if your nameserver supports this, it can say "there are no valid names between .pccw and .pe, and thus anything that ends with .pdf is invalid". NSEC and NSEC3 records can both be cached, and your resolver can synthesise NXDOMAIN responses from them. (See RFC 8198 for details.)

So, instead of spraying queries for "untitled.pdf" across the internet, you can quickly and efficiently return NXDOMAIN.

Another cause of these is search paths: when you look up "news.ycombinator.net" and that resolution fails, the resolver will try adding the search path, e.g. "news.ycombinator.net.example.org", again leaking typos and filenames to everyone in your search path.

If you actually value your privacy, this is the first step that you should take.

3 comments
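To make the two mechanisms in the post concrete, here is an added Python model (not the poster's code, and not real root-zone data): the canonical name ordering that NSEC ranges are defined over, a covering check that synthesises NXDOMAIN in the RFC 8198 style (including the wildcard proof at the closest encloser), and the glibc-style search-list expansion that produces the leaked "name.example.org" queries. The NSEC cache below is constructed and only loosely modelled on the root zone's chain; labels are assumed to be plain (no \DDD escapes), and the search-list logic assumes resolv.conf `ndots` semantics.

```python
from dataclasses import dataclass


def canonical_key(name: str) -> list[bytes]:
    """Sort key for the RFC 4034 s6.1 canonical DNS name order: labels are
    compared from the root leftwards and case-folded, and a name with fewer
    labels sorts before any name that extends it. Plain labels only (no \\DDD
    escapes), which is a simplification made for this example."""
    name = name.rstrip(".")
    if not name:
        return []  # the root sorts before everything else
    return [label.encode("latin-1").lower() for label in reversed(name.split("."))]


def is_subdomain(name: str, zone: str) -> bool:
    zk = canonical_key(zone)
    return canonical_key(name)[: len(zk)] == zk


@dataclass(frozen=True)
class NSEC:
    owner: str            # owner name of the NSEC RR
    next_name: str        # "next name" field; the zone apex on the last NSEC (wrap-around)
    zone: str = "."

    def covers(self, qname: str) -> bool:
        """True when qname sorts strictly between owner and next name, i.e. the
        signed record asserts that no such name exists in this zone."""
        q, o, n = canonical_key(qname), canonical_key(self.owner), canonical_key(self.next_name)
        if not is_subdomain(qname, self.zone) or q == o:
            return False
        if n <= o:  # last NSEC of the zone: covers everything that sorts after owner
            return o < q
        return o < q < n


def closest_encloser(qname: str, nsec: NSEC) -> str:
    """Longest existing ancestor of qname, taken as its longest common ancestor
    with the covering NSEC's owner and next names (RFC 4035 s3.1.3.2)."""
    q = canonical_key(qname)
    best: list[bytes] = []
    for other in (nsec.owner, nsec.next_name):
        k = canonical_key(other)
        i = 0
        while i < min(len(q), len(k)) and q[i] == k[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return ".".join(label.decode("latin-1") for label in reversed(best)) + "."


def synthesize_nxdomain(qname: str, cache: list[NSEC]) -> bool:
    """RFC 8198 aggressive use of cached NSEC: answer NXDOMAIN locally only if
    one cached NSEC covers qname AND another covers the wildcard at the closest
    encloser. Anything less (e.g. a real TLD with nothing cached below it)
    still has to go upstream."""
    if any(canonical_key(r.owner) == canonical_key(qname) for r in cache):
        return False  # the name itself exists; this is not an NXDOMAIN case
    covering = next((r for r in cache if r.covers(qname)), None)
    if covering is None:
        return False
    ce = closest_encloser(qname, covering)
    wildcard = "*." if ce == "." else "*." + ce
    if any(canonical_key(r.owner) == canonical_key(wildcard) for r in cache):
        return False  # a wildcard exists at the closest encloser and would match
    return any(r.covers(wildcard) for r in cache)


def search_candidates(name: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Names a glibc-style stub resolver tries for `name`, in order. A trailing
    dot means absolute; otherwise names with at least `ndots` dots are tried
    as-is first and then with each search domain appended, and shorter names
    get the search domains first. Every entry after the first is a leak."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{s.rstrip('.')}." for s in search_list]
    return [name + "."] + expanded if name.count(".") >= ndots else expanded + [name + "."]


# Constructed cache, loosely modelled on the root zone's NSEC chain (not real data).
ROOT_CACHE = [
    NSEC(".", "aaa."),     # apex: nothing sorts between "." and the first TLD, so no "*." wildcard
    NSEC("pccw.", "pe."),  # no TLD sorts between pccw and pe, so "pdf" cannot exist
    NSEC("zw.", "."),      # last TLD; next name wraps to the apex
]

if __name__ == "__main__":
    for q in ("untitled.pdf.", "pdf.", "foo.zzz.", "untitled.pe.", "foo.aaa."):
        verdict = "NXDOMAIN from cache" if synthesize_nxdomain(q, ROOT_CACHE) else "must query upstream"
        print(f"{q:16} -> {verdict}")
    print(search_candidates("news.ycombinator.net", ["example.org"]))
```

The interesting negative cases are "untitled.pe." and "foo.aaa.": both TLDs exist, and the cache holds no NSEC from those delegated zones, so the resolver cannot deny anything under them and still has to ask upstream. That is the limitation the later comment about "a valid TLD but no valid record" is pointing at, and it is also why the wildcard check matters: without a record covering "*." the resolver cannot rule out a wildcard at the root matching the query.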

The easiest solution to that, which has been known for many years and is the actual first step that one has been able to take for quite some time now, is running one's own root content DNS server on the LAN. DNS traffic for queries that use invalid top-level domains never escapes the LAN and never even reaches an ISP.

It's a fairly simple exercise in content DNS service. I actually set my machines up with a root content DNS server each.

* http://jdebp.eu./Softwares/nosh/guide/services/djbdns.html#D...

* http://cr.yp.to/dnsroot.html

Search paths are a subject in their own right.

* http://jdebp.eu./FGA/web-fully-qualified-domain-name.html

At DNSFilter we solve for this by loading the list of valid TLDs from official sources every few hours and immediately rejecting invalid TLD requests. Works great for those who have mis-configured their LAN DNS and are sending us all their companydomain.lan traffic.

Doesn't solve for cases where it's a valid TLD, but the domain doesn't have a valid DNS record. Guess it would depend on whether the TLD in question is publishing said DNSSEC record.

I'm not sure this works the way you say it works. NSEC records are provided by authority servers; they're a way for the delegated owner of "." to say that there aren't zones between .PCCW and .PE. They work because they have chained signatures. A recursive server can't generate NSEC records for the DNS root, and, obviously, wouldn't have to; any DNS server, DNSSEC or not, can accomplish what you're talking about with a simple "if" statement.