
How to detect malicious actor altering DNS responses?

Çağlar Arlı      -    11 Views


I am trying to detect what is causing my DNS to return fake IP addresses for domains like apple, orange, etc., which obviously don't exist.

If I do the following on my Windows machine:

  • ipconfig /flushdns - flush DNS cache
  • ping apple - invoke DNS query
  • ipconfig /display - see DNS cache

the ping command doesn't fail and I can see the DNS entry in the output.

I tried visiting http://apple on both the Windows machine and the Android machine (which I checked are both using the same DNS config); my Android machine can't find the domain.

My question: What could possibly be acting maliciously between Windows' DNS client and the DNS server, or how could I go about finding where the malware is installed?

Note: my Windows machine is connected to the router via Ethernet, while the Android device uses Wi-Fi.
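A triage script, added here as an example and not part of the original question, that sends the same name through each resolution path the Windows DNS client can use (the default path that ping uses, DNS only against each configured server with the hosts file ignored, LLMNR/NetBIOS only, hosts file, NRPT rules) and reports which path produces the address. An answer that only shows up on the hosts-file or LLMNR/NetBIOS path comes from this machine or its subnet rather than from the DNS server, which is a path Android does not use. It assumes the built-in DnsClient cmdlets (Resolve-DnsName, Get-DnsClientServerAddress, Get-DnsClientNrptPolicy, Get-DnsClientCache, Clear-DnsClientCache) and uses "apple" as the test name.

```powershell
# Added triage script: resolve one name through every Windows resolver path
# and print which path answers, so the source of an unexpected address is clear.
param([string]$Name = "apple")   # the single-label name from the question

function Resolve-ByPath {
    param([string]$Label, [scriptblock]$Query)
    try {
        $r = & $Query | Where-Object { $_.Type -in @('A', 'AAAA') }
        if ($r) { "{0,-40} {1}" -f $Label, (($r | ForEach-Object { "$($_.Name) -> $($_.IPAddress)" }) -join '; ') }
        else    { "{0,-40} (no address records)" -f $Label }
    } catch { "{0,-40} (no answer: {1})" -f $Label, $_.Exception.Message }
}

# Start from an empty cache, the same as 'ipconfig /flushdns'.
Clear-DnsClientCache

# 1. Default path: what ping and the browser get (hosts file, DNS with suffix search, LLMNR, NetBIOS).
Resolve-ByPath 'default resolver' { Resolve-DnsName -Name $Name -ErrorAction Stop }

# 2. DNS only, hosts file ignored, asked of each configured server on each interface.
Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses } |
  ForEach-Object {
    foreach ($srv in $_.ServerAddresses) {
      Resolve-ByPath "DNS only via $srv ($($_.InterfaceAlias))" `
        { Resolve-DnsName -Name $Name -Server $srv -DnsOnly -NoHostsFile -ErrorAction Stop }
    }
  }

# 3. Local-subnet name resolution only (LLMNR / NetBIOS); Android does not use these.
Resolve-ByPath 'LLMNR/NetBIOS only' { Resolve-DnsName -Name $Name -LlmnrNetbiosOnly -ErrorAction Stop }

# 4. Static overrides that sit in front of DNS on this machine: hosts file and NRPT rules.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostHits = Select-String -Path $hostsFile -Pattern "^\s*[0-9a-fA-F:.]+\s+.*\b$([regex]::Escape($Name))\b" -ErrorAction SilentlyContinue
if ($hostHits) { "hosts file entries:"; $hostHits.Line } else { "hosts file: no entry for $Name" }

$nrpt = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue
if ($nrpt) { "NRPT rules redirecting queries:"; $nrpt | Format-Table Namespace, NameServers -AutoSize }
else       { "NRPT: no rules" }

# 5. What the resolver cached, for comparison with 'ipconfig /displaydns'.
Get-DnsClientCache -Entry "*$Name*" -ErrorAction SilentlyContinue | Format-Table Entry, Name, Type, Data -AutoSize
```

If the default path answers but the "DNS only" lines do not, the address is being supplied locally or on the subnet; if a specific server answers with an address the others do not, that server (or whatever answers on its behalf) is the place to look next.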