Imagine typing a random, non-existent web address—like thisdoesntexist1234.com—into your browser, expecting an error. Instead, you’re redirected to a sketchy ad-filled page. Sounds weird, right? That’s exactly what happened to me, and it led me down a rabbit hole of investigating my Internet Service Provider (ISP). What I discovered? Some ISPs are quietly hijacking DNS queries to serve spam sites and make a quick buck. Here’s my story, what’s going on, and how you can protect yourself.
The Strange Redirect That Started It All
I was troubleshooting something on my laptop, running a simple curl -v thisdoesntexist1234.com command in my terminal. Normally, for a domain that doesn’t exist, I’d expect a “Could not resolve host” error. But instead, my request resolved to an IP address (185.38.109.109), and I got back an HTML page with a JavaScript redirect to some ad-laden URL: http://thisdoesntexist1234.com/?nodomainuid=344d5c53cec8e0e34d9863bf9f13a683. The page just said “Redirecting…”—classic spam site behavior.
At first, I thought it might be malware or a typo. But when I re-ran the command, it happened again. Something was fishy.
Digging Deeper: It’s the ISP’s DNS
I checked my DNS setup with resolvectl status. My system was using my router’s IP (192.168.1.1) as the DNS server, which in turn relied on my ISP’s default DNS servers. That’s when it clicked: my ISP was intercepting queries for non-existent domains (known as NXDOMAIN responses) and redirecting them to an ad server instead of letting them fail.
To test my theory, I switched my DNS to Google’s public servers (8.8.8.8 and 8.8.4.4). Sure enough, running the same curl command now gave me the proper “Could not resolve host” error. No redirect, no spam—just the expected behavior. The culprit? My ISP’s DNS servers.
What’s Happening? DNS Hijacking 101
This practice is called DNS hijacking or NXDOMAIN substitution, and here’s how it works:
- When you try to visit a domain that doesn’t exist, a legit DNS server should return an NXDOMAIN response, telling your device, “Sorry, that’s not a thing.”
- Some ISPs, however, override this. Instead of letting the query fail, they resolve it to an IP address they control—like 185.38.109.109 in my case—which serves up ads or tracking pages.
- Why? Money. Every time you land on one of these spam sites, the ISP (or their partners) can earn ad revenue. It’s a sneaky way to profit off your internet usage.
In my case, the default DNS from my ISP (via my router) was doing this. When I bypassed it with Google DNS, the problem vanished.
Why This Is a Bad Practice
This isn’t just annoying—it’s a shady move by ISPs for several reasons:
- It Breaks the Internet’s Rules: DNS is supposed to be a neutral system. Hijacking queries for non-existent domains violates that trust and can mess up apps or scripts that rely on proper NXDOMAIN responses.
- Privacy Risks: Those redirect pages could track your activity or harvest data. Even if it’s “just ads,” you don’t know who’s behind them or what they’re collecting.
- Security Concerns: If the ISP’s ad servers get hacked, you could end up on a malicious site instead of a harmless spam page.
- No Consent: Most users have no idea this is happening. ISPs don’t exactly advertise, “Hey, we’re redirecting your typos to ads for profit!”
To me, this feels like a cheap cash grab—prioritizing revenue over user experience and integrity.
How to Check If Your ISP Is Doing This
Want to see if your ISP is pulling the same trick? It’s easy:
- Open a terminal or command prompt.
- Run: curl -v thisdoesntexist1234.com (or ping thisdoesntexist1234.com).
- If it fails with “Could not resolve host,” you’re good. If it resolves to an IP and you get a webpage, your ISP might be hijacking your DNS.
You can also use tools like dnsleaktest.com to see which DNS servers you’re actually hitting.
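A scripted version of the check above, as an added example that is not part of the original post. It goes beyond the single fixed name by probing several random names and flagging the case where unrelated names resolve to the same address. The function names and verdict labels are assumptions of this example.

```python
import secrets
import socket
from collections import Counter

# Resolver error codes that mean "no such name" (EAI_NODATA is not defined everywhere)
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def system_resolve(name):
    """Return the set of IPs the system resolver gives for name (empty = not found)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return set()  # the expected answer for a non-existent domain
        raise  # timeout or no network: do not mistake this for a clean result
    return {info[4][0] for info in infos}


def random_names(count=5, tld="com"):
    """Constructed probe names: 20 random hex characters, almost certainly unregistered.
    The trailing dot makes each name fully qualified, so no search domain is appended."""
    return [f"{secrets.token_hex(10)}.{tld}." for _ in range(count)]


def check_nxdomain_substitution(resolve=system_resolve, names=None):
    """Look up non-existent names and summarise what came back."""
    names = names or random_names()
    resolved = {}
    for name in names:
        ips = resolve(name)
        if ips:
            resolved[name] = ips
    # Unrelated random names landing on the same address is the mark of substitution
    counts = Counter(ip for ips in resolved.values() for ip in ips)
    shared = sorted(ip for ip, seen in counts.items() if seen >= 2)
    if not resolved:
        verdict = "clean"
    elif shared:
        verdict = "substitution"
    else:
        verdict = "inconclusive"  # a single hit may be a real domain; probe again
    return {"verdict": verdict, "probed": len(names),
            "resolved": len(resolved), "shared_ips": shared}


if __name__ == "__main__":
    print(check_nxdomain_substitution())
```

Run it once on the ISP's default DNS and once after switching resolvers; a "substitution" verdict that turns "clean" after the switch points at the original resolver.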
How to Stop It
The good news? You don’t have to put up with this. Here’s how to take back control:
- Switch to a Trusted DNS Provider: Use Google DNS (8.8.8.8, 8.8.4.4), Cloudflare DNS (1.1.1.1, 1.0.0.1), or OpenDNS (208.67.222.222, 208.67.220.220). I set mine via resolvectl on Linux, but you can also configure it in your OS network settings.
- Update Your Router: Log into your router (usually at 192.168.1.1) and change its DNS settings to one of the above. This fixes it for all devices on your network.
- Consider a VPN: A good VPN with its own DNS resolution can bypass your ISP’s DNS servers entirely.
- Enable DNSSEC (If Possible): This ensures DNS responses are authentic, though it won’t stop NXDOMAIN redirection on its own.
I went with Google DNS, and the spam redirects stopped immediately. Problem solved.
Final Thoughts: ISPs Should Do Better
Finding out my ISP was hijacking DNS queries to serve spam left a bad taste in my mouth. It’s not illegal, but it’s definitely a questionable practice—one that prioritizes profit over transparency and user trust. The internet works best when it’s open and honest, not when middlemen like ISPs start tinkering with it for extra cash.
If you’ve noticed weird redirects or suspect your ISP is up to something similar, try the steps above. Let’s spread the word and push back against these shady tactics. Have you run into this too? Drop a comment—I’d love to hear your experiences!