I noticed that Quad 9 is not able to respond to the spy.pet query:
$ dig spy.pet @9.9.9.9 +short
;; communications error to 9.9.9.9#53: timed out
But Cloudflare DNS is able to do it:
$ dig spy.pet @1.1.1.1 +short
104.26.0.165
104.26.1.165
172.67.74.73
And to be sure, I checked another domain with the same TLD to rule out the option that Quad9 is unable to handle the .pet TLD, but I received a correct answer…
$ dig hello.pet @9.9.9.9 +short
3.64.163.50
Does Quad9 censor DNS queries?
How much simpler can I make this…
You have a primary ‘master’ server in the pool.
Replica/cache servers periodically ask the master for any updates.
Master gives a new update, which is a sinkhole for a marked malicious domain.
Replica/cache server now resolves malicious domain to the sinkhole address.
This is not a ‘feature’ you have to implement, it’s a basic function of running a redundant DNS system.