On Wed, Dec 03, 2014 at 05:22:58PM +0100, Notify Me <notify.sina@gmail.com> wrote a message of 13 lines which said:
I hope I'm wording this correctly.
Not really :-)
I had a incident at a client site where a DNS record was being spoofed.
How do you know? What steps did you use to assert this? Answers to these questions would help to understand your problem.
How does one track down the IP address that's returning the false records ?
If it's real DNS spoofing (which I doubt), the source IP address of the poisoner is forged, so it would not help. The main tool to use is dig. Let's assume the name that bothers you is foobar.example.com. Query your local resolver: dig A foobar.example.com Query an external resolver, here Google Public DNS: dig @8.8.4.4 A foobar.example.com Query the authoritative name servers of example.com. First, to find them: dig NS example.com Second, query them (replace the server name by the real one): dig @a.iana-servers.net. A foobar.example.com