ISPs have a history of intercepting DNS. Often, DNS interception is done as part of a “value add” feature to block access to known malicious websites. Sometimes, users are directed to advertisements if they attempt to access a site that doesn't exist. There are two common techniques how DNS spoofing/interception is done:
This article has been indexed from SANS Internet Storm Center, InfoCON: green