> I've been going in circles for about a month with Comcast on this
> and they don't recall that they're the ones who told me three years
> ago that they sometimes intercept DNS calls. I was wondering if
> anyone has any ideas or suggestions on how to track down the errant
> DNS calls?

First, what they say (or said) they do vis-a-vis intercepting a
certain % of packets is completely possible: they own all networks in
question, so they can skip any anti-spoofing measures. Plus with DNS,
you are (usually) using UDP, which is makes it even easier to spoof a
reply provided you can drop the original request.

The problem for you is that a fully spoofed reply doesn't have to
contain any identifying information (by definition) except perhaps
inadvertent OS/stack level "fingerprints" that would, assuming the two
packet sources have different OS and/or stack configs, let you sort
out the your server from the other mysterious one.

I would recommend p0f for this http://lcamtuf.coredump.cx/p0f3/. You
might get a result that shows you, for example, a Solaris 2 source box
for the old responses. Then you can at least start saying very firmly,
"What is the Solaris box that is hijacking my packets?" Alleging a
major security breach might not be a bad idea for escalating your
case. Good luck.

-- S.

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to