We ran into the same problem and are making some headway. Seems there is a rogue host 188.8.131.52 that infiltrates the DNS cache. The rogue host responds to a DNS query and includes DNS addresses that reflect a SOA for the .com domain. It basically tells your DNS to use six "root" servers (ns1.domain1.com, ns1.domain2.com..) to resolve .com host requests. Your DNS updates its cache to use the ns1.domain.com servers anytime it wants to look up a 'new' .com address. The ns1 address points back to the rogue host and it responds with its own address (218...). It also includes other popular addresses that your DNS caches. With the hijack .com SOA, you DNS thinks it is supposed to go to the hijack site for every .com address instead of the root servers. It becomes a loop. Clearing the cache clears out the .com SOA and stops the problem. We've added firewall entries to block UDP and TCP to the 218... address but haven't figured out how it infiltrated our DNS in the first place. This is a start. Hope this helps. I have traces if anyone is interested.
Your favorite shows are back!
Don’t miss your dramas, sitcoms and reality shows. Find out when and where they’re airing!