When running diagnostics across multiple DNS resolvers, we found inconsistent responses for grahamhancock.com:
```sh
# Correct resolution
dig +short www.grahamhancock.com @8.8.8.8
> 104.24.103.73
# Incorrect resolution (Amazon EC2 IP)
dig +short www.grahamhancock.com @173.84.127.88
> 54.221.192.101
```
To systematically diagnose the issue:
```sh
# Check DNS propagation globally (one resolver IP per line in public_dns_servers.txt)
for resolver in $(cat public_dns_servers.txt); do
  echo "$resolver: $(dig +short @$resolver www.grahamhancock.com)"
done
# Verify DNSSEC validation
delv www.grahamhancock.com
# Traceroute to identify hijack points
mtr --report-wide 54.221.192.101
```
Key characteristics suggesting DNS cache poisoning:
- Inconsistent TTL values across resolvers
- Non-authoritative responses containing incorrect records
- Geographically clustered incorrect resolutions
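The propagation loop above produces one answer per resolver; the three characteristics are easier to judge when those answers are compared in one place. The following is an added example, not code from the original post: it takes one constructed record per resolver (resolver, region, answer, remaining TTL, AA flag) and reports which resolvers disagree with the zone, which of them set the Authoritative Answer flag on a wrong record (the resolver itself rather than its cache is answering), which hold a remaining TTL longer than the zone ever hands out, how tightly the wrong answers' remaining TTLs cluster (near-identical values point at one shared upstream), and which regions are mostly wrong. The 198.51.100.0/24 resolvers and the region labels are constructed; only 173.84.127.88, the three public resolvers, the two IP addresses and the 86400 zone TTL come from the page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

ZONE_TTL = 86400                # the zone's own TTL before the reduction to 300 (from the page)
EXPECTED_IP = "104.24.103.73"   # correct A record from the page

@dataclass
class Observation:
    resolver: str
    region: str              # where the resolver sits, from your own resolver inventory
    address: Optional[str]   # None when the resolver returned no A record
    ttl: Optional[int]       # remaining TTL in the resolver's cache
    aa: bool                 # Authoritative Answer flag set on the reply

def parse_observation(line: str) -> Observation:
    """One constructed record per line: resolver region address ttl aa|noaa ('-' = no answer)."""
    resolver, region, address, ttl, aa = line.split()
    missing = address == "-"
    return Observation(resolver, region,
                       None if missing else address,
                       None if missing else int(ttl),
                       aa == "aa")

# Constructed sample: hypothetical resolvers in 198.51.100.0/24 plus the page's public ones;
# only 173.84.127.88 and the two A-record values come from the page.
SAMPLE_LINES = """\
8.8.8.8        global   104.24.103.73  299    noaa
1.1.1.1        global   104.24.103.73  288    noaa
9.9.9.9        global   104.24.103.73  301    noaa
173.84.127.88  us-east  54.221.192.101 172800 noaa
198.51.100.7   us-east  54.221.192.101 79118  aa
198.51.100.9   us-east  54.221.192.101 79120  noaa
198.51.100.20  eu-west  104.24.103.73  45     noaa
198.51.100.21  eu-west  -              -      noaa
"""

def analyze(observations, expected_ip=EXPECTED_IP, zone_ttl=ZONE_TTL):
    """Compare every resolver against the expected record and surface the poisoning indicators."""
    answered = [o for o in observations if o.address is not None]
    counts = Counter(o.address for o in answered)
    report = {
        "majority": counts.most_common(1)[0][0] if counts else None,
        "incorrect": [],           # resolvers whose answer disagrees with the zone
        "claims_authority": [],    # wrong answer with AA set: the resolver itself, not its cache
        "ttl_exceeds_zone": [],    # remaining TTL longer than the zone ever hands out
        "wrong_ttl_spread": None,  # near-identical remaining TTLs hint at one shared upstream
        "clustered_regions": [],   # regions where more than half of the resolvers are wrong
        "no_answer": [o.resolver for o in observations if o.address is None],
    }
    per_region = defaultdict(lambda: [0, 0])   # region -> [wrong, total]
    wrong_ttls = []
    for o in answered:
        per_region[o.region][1] += 1
        if o.address == expected_ip:
            continue
        report["incorrect"].append(o.resolver)
        per_region[o.region][0] += 1
        if o.aa:
            report["claims_authority"].append(o.resolver)
        if o.ttl > zone_ttl:
            report["ttl_exceeds_zone"].append(o.resolver)
        else:
            wrong_ttls.append(o.ttl)
    if wrong_ttls:
        report["wrong_ttl_spread"] = max(wrong_ttls) - min(wrong_ttls)
    report["clustered_regions"] = [r for r, (wrong, total) in per_region.items()
                                   if total >= 2 and wrong > total / 2]
    return report

def analyze_lines(text: str):
    """Parse the constructed records and run the analysis over them."""
    return analyze([parse_observation(l) for l in text.splitlines() if l.strip()])

if __name__ == "__main__":
    for key, value in analyze_lines(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The "no answer" group matters as much as the wrong one: a resolver that returns nothing for a name everyone else resolves may be the one whose cache was just flushed, or one that refuses the query, and both deserve a follow-up rather than being counted as correct.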
Immediate actions to regain control:
```sh
# Force refresh cache on affected nameservers
curl -X POST https://api.cloudflare.com/client/v4/zones/:zone_id/dns_records/:id/purge_cache \
  -H "Authorization: Bearer API_TOKEN"
```
```python
# Implement DNS monitoring script (requires dnspython)
import dns.resolver
import smtplib  # used once send_alert is wired to an SMTP relay

def send_alert(message):
    # Placeholder delivery; replace with smtplib-based mail to the on-call mailbox
    print(f"ALERT: {message}")

def check_dns(domain, expected_ip):
    resolvers = ['8.8.8.8', '1.1.1.1', '9.9.9.9']
    for r in resolvers:
        # dns.resolver.resolve() takes no resolver argument; point a Resolver at each server instead
        resolver = dns.resolver.Resolver(configure=False)
        resolver.nameservers = [r]
        answer = resolver.resolve(domain, 'A')
        if answer[0].address != expected_ip:
            send_alert(f"DNS mismatch on {r}: {answer[0].address}")
```
- Enable DNSSEC with ECDSA P-256 keys
- Configure TSIG for zone transfers
- Implement rate limiting on DNS queries
- Set up DNS firewall rules blocking suspicious query patterns
Template for contacting providers with incorrect cached records:
Subject: Urgent: DNS Cache Poisoning Incident [Ticket #]
Body:
We've identified your resolver [IP] returning incorrect A records
for grahamhancock.com (54.221.192.101 instead of 104.24.103.73).
Evidence:
1. dig +norecurse @[IP] www.grahamhancock.com
2. delv @[IP] www.grahamhancock.com
Request:
- Purge cache for grahamhancock.com
- Verify upstream resolver integrity
- Share investigation results
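The evidence section of the template is built from `dig +norecurse` captures, which show only what a resolver already holds in cache. The following is an added example, not code from the original post: it parses a dig capture into the fields a provider will ask about (status, header flags, answer records with their remaining TTL, responding server), decides whether the resolver has the wrong record cached, and renders one evidence line for the template. Both captures are constructed; the resolvers 198.51.100.7 and 198.51.100.9 are hypothetical, and only the domain and the two A-record values come from the page.

```python
import re

# Constructed capture: a +norecurse query against a hypothetical resolver holding the wrong record.
DIG_CACHED_WRONG = """\
; <<>> DiG 9.18.1 <<>> +norecurse @198.51.100.7 www.grahamhancock.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.grahamhancock.com.\t\tIN\tA

;; ANSWER SECTION:
www.grahamhancock.com.\t79118\tIN\tA\t54.221.192.101

;; Query time: 3 msec
;; SERVER: 198.51.100.7#53(198.51.100.7) (UDP)
"""

# Constructed capture: the same query against a resolver with nothing cached for the name.
DIG_NOT_CACHED = """\
; <<>> DiG 9.18.1 <<>> +norecurse @198.51.100.9 www.grahamhancock.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.grahamhancock.com.\t\tIN\tA

;; Query time: 2 msec
;; SERVER: 198.51.100.9#53(198.51.100.9) (UDP)
"""

def parse_dig(text):
    """Extract status, flags, responding server and resource records from a dig capture."""
    parsed = {"server": None, "status": None, "flags": set(), "answers": []}
    for line in text.splitlines():
        if m := re.match(r";; ->>HEADER<<- .*status: (\w+)", line):
            parsed["status"] = m.group(1)
        elif m := re.match(r";; flags: ([\w ]*);", line):
            parsed["flags"] = set(m.group(1).split())
        elif m := re.match(r";; SERVER: ([\d.]+)#", line):
            parsed["server"] = m.group(1)
        elif line and not line.startswith(";"):
            # Resource record line: owner TTL class type rdata (rdata may contain spaces)
            parts = line.split()
            if len(parts) >= 5:
                parsed["answers"].append({"name": parts[0], "ttl": int(parts[1]),
                                          "type": parts[3], "rdata": " ".join(parts[4:])})
    return parsed

def classify(parsed, domain, expected_ip):
    """What the +norecurse answer says about the resolver's cache for this name."""
    a_records = [a["rdata"] for a in parsed["answers"]
                 if a["type"] == "A" and a["name"].rstrip(".") == domain]
    if parsed["status"] != "NOERROR" or not a_records:
        return "not-cached"
    if all(ip == expected_ip for ip in a_records):
        return "cached-correct"
    return "cached-incorrect"

def evidence_line(parsed, domain):
    """One line for the 'Evidence' section of the provider template."""
    records = ", ".join(f"{a['rdata']} (TTL {a['ttl']})"
                        for a in parsed["answers"] if a["type"] == "A")
    flags = " ".join(sorted(parsed["flags"]))
    return (f"{parsed['server']}: status {parsed['status']}, flags {flags}, "
            f"A {domain} -> {records or 'no answer'}")

if __name__ == "__main__":
    for capture in (DIG_CACHED_WRONG, DIG_NOT_CACHED):
        p = parse_dig(capture)
        print(classify(p, "www.grahamhancock.com", "104.24.103.73"), "|", evidence_line(p, "www.grahamhancock.com"))
```

Keep the raw captures alongside the rendered lines when sending the packet; the remaining TTL in the capture tells the provider how long the bad record would otherwise have stayed in cache, which is why it should not be edited out.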
During routine monitoring, we discovered approximately 10% of global DNS resolvers return incorrect IP addresses for our domain (grahamhancock.com). These rogue responses point to an unauthorized Amazon EC2 instance hosting unrelated content, while 90% of resolvers correctly reflect our zone file.
```sh
# Example of incorrect resolution:
dig +short www.grahamhancock.com @173.84.127.88
203.0.113.45 # Fake EC2 IP
# Correct resolution from Cloudflare:
dig +short www.grahamhancock.com @1.1.1.1
192.0.2.67 # Our actual IP
```
The pattern suggests one of three scenarios:
- Cache poisoning via Kaminsky attack
- Compromised recursive resolvers
- Man-in-the-middle DNS hijacking
We ran traceroutes to the rogue IP and found it belonged to an AWS region we've never utilized:
```
traceroute 203.0.113.45
 1  192.168.1.1 (192.168.1.1)  1.234 ms
 2  * * *
 3  ec2-203-0-113-45.ap-southeast-1.compute.amazonaws.com (203.0.113.45)
```
1. DNSSEC Enforcement:
```sh
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE grahamhancock.com
```
2. TTL Reduction (temporary):
```
; BIND zone file adjustment
$TTL 300 ; Reduced from 86400
```
3. Authoritative Server Hardening:
```
# Unbound config snippet
server:
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
```
DNS Monitoring Script (Python example):
```python
import dns.resolver
import smtplib  # used once send_alert is wired to an SMTP relay
import logging

SERVERS = ['1.1.1.1', '8.8.8.8', '173.84.127.88']
EXPECTED_IP = '192.0.2.67'

def send_alert(server, observed):
    # Placeholder delivery; replace with smtplib-based mail to the on-call mailbox
    print(f"ALERT: {server} returned {observed}, expected {EXPECTED_IP}")

def log_error(server, err):
    logging.error("query to %s failed: %s", server, err)

def check_dns():
    for server in SERVERS:
        # Do not read /etc/resolv.conf; query exactly one server per iteration
        resolver = dns.resolver.Resolver(configure=False)
        resolver.nameservers = [server]
        try:
            answer = resolver.resolve('www.grahamhancock.com', 'A')
            # Only the first A record is compared; extend to all rdata if the name has several
            if str(answer[0]) != EXPECTED_IP:
                send_alert(server, str(answer[0]))
        except Exception as e:
            log_error(server, e)
```
We contacted major DNS operators with evidence packets showing the discrepancies. Cloudflare and Google quickly flushed their caches after verifying our DNSSEC records. For problematic resolvers:
```sh
dig +trace +additional www.grahamhancock.com @209.222.18.222
```
This helped identify which hop introduced the incorrect record.
Since the rogue IP hosts fraudulent content, we:
- Filed AWS abuse report (ARIN record: NET-203-0-113-0-1)
- Submitted DMCA takedown for copyright infringement
- Notified ICANN's SSAC about suspected cache poisoning