You’re probably right. Rather than responding with NXDOMAIN, they’re probably synthesizing A or AAAA records that point to their own server. IMO, this is super weird behavior in the era of HTTPS. I’m also pretty sure there’s an IETF RFC that says recursive resolvers “MUST NOT” synthesize address records, but I can’t seem to dig it up on my phone (pun intended ;).
You’re probably right. Rather than responding with NXDOMAIN, they’re probably synthesizing A or AAAA records that point to their own server. IMO, this is super weird behavior in the era of HTTPS. I’m also pretty sure there’s an IETF RFC that says recursive resolvers “MUST NOT” synthesize address records, but I can’t seem to dig it up on my phone (pun intended ;).
It’s an option, default off. If you enable it it prompts you to install the CA for the block page.
They ask you to install a root CA? That would enable your DNS provider to MITM your TLS traffic. Yikes.