On 11/18/19 12:45 PM, Marshall, Quincy wrote:
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
As far as I know, this has been going on for quite some time at least for folks not on Level3. I know I've seen it as far back as 5-7 years ago from various vantage points. I guess it's also possible somebody was intercepting those well known anycast addresses between me and Level3, but the "search guide" it redirected to didn't implicate any obvious suspects. It fails DNSSEC checking, of course, so if you have DNSSEC validation turned on at your recursive resolver, you should get something else (probably SERVFAIL). -- Brandon Martin