29 Dec
How to detect malicious actor altering DNS responses?
I am trying to detect what is causing my DNS to return fake IP addresses for domains like apple, orange, etc., which obviously don't exist.
If I do the following on my Windows machine:

ipconfig /flushdns    - flush DNS cache
ping apple            - invoke DNS query
ipconfig /displaydns  - see DNS cache

the ping command doesn't fail and I can see the DNS entry in the output.
I tried visiting http://apple on both the Windows machine and the Android machine (which I checked are both using the same DNS config); my Android machine can't find the domain.
My question: What could possibly be acting maliciously between Windows' DNS client and the DNS server, or how could I go about finding where the malware is installed?
Note: my Windows machine is connected to the router via Ethernet, while the Android device uses Wi-Fi.
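One way to localise where the answer is changing, as an added example that is not part of the original question: on the Windows machine, dump every local setting that can rewrite or redirect a bare name (DNS suffix search list, connection-specific suffixes, the hosts file, Name Resolution Policy Table entries, configured resolvers), then resolve the same names three ways: through the normal client path that ping uses, through DNS only with the hosts file and cache bypassed, and against an outside resolver. The Name column of each answer shows the fully qualified name the server actually answered, so a suffix being appended to "apple" becomes visible. The script assumes Windows 8/Server 2012 or later (the DnsClient module), an elevated PowerShell session, and 1.1.1.1 as the outside reference resolver; these choices are the example's own, not the poster's.

```powershell
# Added example: compare resolution paths on Windows to find where a bare name is altered.
# Assumptions (not from the original post): DnsClient module available (Windows 8+ / Server 2012+),
# elevated session, 1.1.1.1 reachable as an outside reference resolver.

$names = @('apple', 'orange')          # names the poster reports as resolving unexpectedly
$referenceResolver = '1.1.1.1'         # outside resolver, assumed for the comparison

function Format-Answer($records) {
    # Summarise A/AAAA answers as "<answered name> -> <address>" so suffix appending is visible
    if (-not $records) { return '(no answer)' }
    ($records | Where-Object { $_.Type -in 'A', 'AAAA' } |
        ForEach-Object { "$($_.Name) -> $($_.IPAddress)" }) -join '; '
}

Write-Host "== Local settings that can rewrite or redirect a bare name =="
$global = Get-DnsClientGlobalSetting
Write-Host "Global suffix search list : $($global.SuffixSearchList -join ', ')"
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } | ForEach-Object {
    Write-Host "Interface $($_.InterfaceAlias) suffix : $($_.ConnectionSpecificSuffix)"
}

# Resolvers per interface (Ethernet and Wi-Fi may differ, which matters for the Android comparison)
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } | ForEach-Object {
    Write-Host "Resolvers on $($_.InterfaceAlias) : $($_.ServerAddresses -join ', ')"
}

# Hosts file: any non-comment line with an address followed by a name
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' } |
    ForEach-Object { Write-Host "hosts entry : $_" }

# NRPT rules can send specific namespaces to different servers
Get-DnsClientNrptPolicy | ForEach-Object {
    Write-Host "NRPT rule : $($_.Namespace) -> $($_.NameServers -join ', ')"
}

Write-Host "`n== Resolution paths =="
foreach ($n in $names) {
    # a) normal client path: cache, hosts file, suffix appending, LLMNR/NetBIOS fallback (what ping uses)
    $clientPath = Resolve-DnsName -Name $n -ErrorAction SilentlyContinue
    # b) DNS protocol only, hosts file and cache bypassed: what the configured server really returns
    $dnsOnly    = Resolve-DnsName -Name $n -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    # c) the same question sent past the local resolver to the outside reference
    $outside    = Resolve-DnsName -Name $n -Server $referenceResolver -DnsOnly -ErrorAction SilentlyContinue

    Write-Host "`n$n"
    Write-Host "  client path (as ping sees it) : $(Format-Answer $clientPath)"
    Write-Host "  DNS only, configured server    : $(Format-Answer $dnsOnly)"
    Write-Host "  DNS only, $referenceResolver            : $(Format-Answer $outside)"
}
```

Reading the output: if the client path answers but the DNS-only query to the configured server does not, the answer comes from the hosts file, the cache, or LLMNR/NetBIOS on the local segment rather than from DNS. If the DNS-only query answers with a name longer than the one asked (for example apple followed by a suffix), the configured resolver is answering for a suffix the Windows client appends and the Android device may not. If the configured server and the outside resolver disagree for the bare name itself, the difference is between the router or upstream resolver and the wider Internet, not on the Windows host.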