> I've been going in circles for about a month with Comcast on this > and they don't recall that they're the ones who told me three years > ago that they sometimes intercept DNS calls. I was wondering if > anyone has any ideas or suggestions on how to track down the errant > DNS calls?
First, what they say (or said) they do vis-a-vis intercepting a certain % of packets is completely possible: they own all networks in question, so they can skip any anti-spoofing measures. Plus with DNS, you are (usually) using UDP, which is makes it even easier to spoof a reply provided you can drop the original request. The problem for you is that a fully spoofed reply doesn't have to contain any identifying information (by definition) except perhaps inadvertent OS/stack level "fingerprints" that would, assuming the two packet sources have different OS and/or stack configs, let you sort out the your server from the other mysterious one. I would recommend p0f for this http://lcamtuf.coredump.cx/p0f3/. You might get a result that shows you, for example, a Solaris 2 source box for the old responses. Then you can at least start saying very firmly, "What is the Solaris box that is hijacking my packets?" Alleging a major security breach might not be a bad idea for escalating your case. Good luck. -- S. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
