* Jared Mauch: > The incidence rate is too high for it to be multihomed hosts. > > Let me know if you want to look at the raw data. Very interesting stuff. > > Or just look for 8.8.8.8 in the openresolverproject page.
Indeed, I could verify that 5.61.0.0 can indeed spoof one of my IP addresses to the 8.8.8.8 DNS resolver. For a cache miss, I get a query from a Google IP address and the 8.8.8.8 reply has a plausible TTL, so I don't think it's spoofing the response. Apparently, they're implementing DNS proxy by destination-NATting, and because they listen also on the WAN interface, they get the source address wrong. This is quite scary.