11 Aug
2013
11 Aug
'13
11:40 a.m.
* Jared Mauch:
The incidence rate is too high for it to be multihomed hosts.
Let me know if you want to look at the raw data. Very interesting stuff.
Or just look for 8.8.8.8 in the openresolverproject page.
Indeed, I could verify that 5.61.0.0 can indeed spoof one of my IP addresses to the 8.8.8.8 DNS resolver. For a cache miss, I get a query from a Google IP address and the 8.8.8.8 reply has a plausible TTL, so I don't think it's spoofing the response. Apparently, they're implementing DNS proxy by destination-NATting, and because they listen also on the WAN interface, they get the source address wrong. This is quite scary.