Not possible is a strong statement since it has happened
twice so far. The assumption you are making is the assumption
that I made, which is that the resolver would first try to
look up exactly what was requested, but that is not what it
does. For example, with the machine's domain set to clementnt.com
and the default Append Primary DNS suffix to lookups checked
under the advanced TCP/IP properties, the result of an nslookup
from the machine for www.apple.com is to look up
www.apple.com.clementnt.com, which returns 64.94.110.11 because
it does not exist. It does this before actually looking up what
was typed. When I say it has happened twice, I mean that I have
had 2 Blaster-infected machines sending spoofed IP address requests
to 64.94.110.11 tcp port 80 containing the windowsupdate.com in
the host portion of the html header. Removing Blaster using virus
tools eliminated this behavior.
Jeremy Powell