added 715 characters in body
I say Reinstate Monica

###Issue #2

Here is some debugging output on the network that has the issue while it's occurring:

    nslookup www.google.com
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  209.18.47.62

In this case, your computer simply cannot reach your DNS server, indicating network connectivity issues. This does not explain why you get invalid answers to your DNS lookups and probably has an unrelated cause. In any case, if other machines on the network are working fine when this happens to your computer, this strongly suggests the problem is with this DNS server rather than your network.

Again, using different DNS servers should solve the problem in this case.



##Your DNS queries are either being hijacked or improperly formed

###The Evidence

The output of your nslookup www.google.com command is:

>     Server:      dns-cac-lb-02.rr.com
>     Address:    209.18.47.62
>
>     Non-authoritative answer:
>     Name:      www.google.com.socal.rr.com
>     Addresses: 198.105.254.228
>                198.105.244.228

Observations

  1. The answer to your query is www.google.com.socal.rr.com instead of the expected www.google.com.
  2. The DNS server you're querying is in the same domain as the record of the incorrect answer: rr.com

##Theory #1: DNS Hijacking

Your NSLOOKUP of www.google.com should return a Google IP address and the name www.google.com. Instead you're getting a completely different name record and an IP address (198.105.254.228) registered to a company named Search Guide Inc. (Source 1 Source 2).

If your ISP is Time Warner Cable (or a subsidiary) then this is a slam dunk explanation, because according to this Super User answer, DNS queries that resolve to the IP address 198.105.254.228 are the result of your ISP hijacking your DNS results as part of a "service" to give you search results when you type in an invalid Internet address. If this is the case, you can disable this feature on Time Warner's website here.

Even if your ISP isn't Time Warner, there's still a link between both the DNS server handling your request and the invalid www.google.com.socal.rr.com DNS answer you get. The domain name rr.com is registered to Time Warner Cable as shown in this GoDaddy WHOIS lookup:

    Domain Name: rr.com
    {...portions removed...}
    Admin Name: Domain Name Administrator
    Admin Organization: Time Warner Cable Inc.
    Admin Street: 60 Columbus Circle,
    Admin City: New York
    Admin State/Province: NY
    Admin Postal Code: 10023
    Admin Country: US
    {...portions removed...}
    Name Server: dns2.rr.com
    Name Server: dns6.rr.com
    Name Server: dns3.rr.com
    Name Server: dns5.rr.com
    Name Server: dns1.rr.com

So, if Theory #1 is correct, you need to disable this preference per above, or use different DNS servers altogether.

##Theory #2: Improperly Formed DNS Query

As explained in Theory #1, the DNS server handling your NSLOOKUP of www.google.com is known to return a "valid" DNS record even when a user requests a non-existent Internet hostname. You can determine if this error redirection is taking place by performing a lookup of an intentionally invalid name:

    nslookup no-such-site.example.com

You should get this response:

    Server:  <your DNS server name>
    Address:  <your DNS server IP>

    *** <your DNS server name> can't find no-such-site.example.com: Non-existent domain

However, if you get a response similar to the one in your question, it's obvious invalid requests are being intercepted and redirected to an error-lookup/advertising webpage.

That established, Theory #2 proposes that when you're doing a search for www.google.com your system is appending another suffix to the DNS request which is causing the lookup request to be invalid, triggering the error-redirect service of your DNS server.

You can determine if this is the case by running the following command and examining its output:

    nslookup -d2 www.google.com

The -d2 parameter causes NSLOOKUP to print the exact questions and answers submitted to resolve the lookup request.

In the output, in each SendRequest() section examine the QUESTIONS: being submitted. The first several will be to resolve the name of your DNS server. Following those will be the lookups to resolve www.google.com. Basically what you're looking for are any lookup requests other than for www.google.com, such as for www.google.com.socal.rr.com. If you find any, then your machine is actually making an invalid DNS lookup. This is different than Theory #1's proposal that your machine is making a valid lookup request that's being incorrectly modified.

If your machine is making bad lookup requests, you need to examine the domain name suffix(es) specified in your TCP/IP configuration and remove any that don't belong.
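
The Theory #2 check on the `nslookup -d2` output can be automated. The following is an added example, not part of the original answer: it reads only the `QUESTIONS:` entries inside `SendRequest()` sections, skips the reverse (PTR) lookup for the DNS server, and reports any forward lookup that is the requested name plus an appended suffix. The sample text is constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample laid out like Windows `nslookup -d2` output (not a real capture).
SAMPLE_D2 = """\
------------
SendRequest(), len 43
    QUESTIONS:
        62.47.18.209.in-addr.arpa, type = PTR, class = IN
------------
SendRequest(), len 45
    QUESTIONS:
        www.google.com.socal.rr.com, type = A, class = IN
------------
Got answer (61 bytes):
    QUESTIONS:
        www.google.com.socal.rr.com, type = A, class = IN
    ANSWERS:
        internet address = 198.105.254.228
------------
SendRequest(), len 32
    QUESTIONS:
        www.google.com, type = A, class = IN
"""

QUESTION = re.compile(r"^\s+(\S+), type = (\w+), class = \w+\s*$")

def sent_questions(debug_output):
    """(name, type) pairs the client itself asked; echoes in 'Got answer' are ignored."""
    sent, section, in_questions = [], None, False
    for line in debug_output.splitlines():
        stripped = line.strip()
        if stripped.startswith(("SendRequest()", "Got answer")):
            section, in_questions = stripped.split("(")[0].strip(), False
        elif stripped == "QUESTIONS:":
            in_questions = True
        elif stripped.endswith(":") and stripped[:-1].isupper():
            in_questions = False  # HEADER:, ANSWERS:, and similar sub-sections
        elif section == "SendRequest" and in_questions:
            m = QUESTION.match(line)
            if m:
                sent.append(m.groups())
    return sent

def suffixed_lookups(debug_output, target):
    """(name, appended suffix) for sent forward lookups that extend `target`."""
    prefix = target.rstrip(".").lower() + "."
    names = [n.rstrip(".").lower() for n, t in sent_questions(debug_output) if t != "PTR"]
    return [(n, n[len(prefix):]) for n in names if n.startswith(prefix)]
```

A non-empty result from `suffixed_lookups` names the suffix to look for in the TCP/IP DNS suffix settings; an empty result means the client sent only the name as typed.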