RE: How to track DNS resolution sources

[teleric team <teleric-lists () outlook com>]

> Date: Wed, 3 Dec 2014 17:56:23 +0100
> From: bortzmeyer () nic fr
> To: notify.sina () gmail com
> Subject: Re: How to track DNS resolution sources
> CC: nanog () nanog org
>
> On Wed, Dec 03, 2014 at 05:22:58PM +0100,
>  Notify Me <notify.sina () gmail com> wrote 
>  a message of 13 lines which said:
>
> > I hope I'm wording this correctly.
>
> Not really :-)
>
> > I had a incident at a client site where a DNS record was being
> > spoofed.
>
> How do you know? What steps did you use to assert this? Answers to
> these questions would help to understand your problem.
>
> > How does one track down the IP address that's returning the false
> > records ?
>
> If it's real DNS spoofing (which I doubt), the source IP address of
> the poisoner is forged, so it would not help.
>
> The main tool to use is dig. Let's assume the name that bothers you is
> foobar.example.com. Query your local resolver:
>
> dig A foobar.example.com
>
> Query an external resolver, here Google Public DNS:
>
> dig @8.8.4.4 A foobar.example.com
>
> Query the authoritative name servers of example.com. First, to find them:
>
> dig NS example.com
>
> Second, query them (replace the server name by the real one):
>
> dig @a.iana-servers.net. A foobar.example.com

I didn't understand how this will help him identify the poisoner.
What an IDS rule will do is check for responding authoritative query IDs for DNS queries never made to that responder, 
but made for the authoritative server identified as per above (direct NS inquiry).
If no IDS is present, BIND logging would allow for identification of authoritative responses and query ID 
identification. 
In summary whatever is answered authoritatively by a server other than the NS ones tracked by "dig +trace 
foobar.examplecom" is the potential poisoner. But if the poisoing is done from an spoofed IP address (spoofing the 
authoritative IP), well good luck w/ that if the spoofed domain is not DNSSEC aware.