Hmm...well that's not exactly what I had in mind, but that could work. Just a few questions:
For the DNS sequence number of the DNS query packet, would I have to "compile" a new payload with that sequence number hard coded into it, or could I specify the sequence number with the -s switch on Nemesis? Next, what would be the best way to "stop the DNS from responding" on my local network? Also, for using a WAN DNS server, exactly how many seconds do you think I would have to intercept it with my spoofed packet? (I'll test that tomorrow; I did not think about looking at the time stamps.) Lastly, if say I have a payload saved with Amazon leading to Google, and the person does a DNS query for say Yahoo and I reply with my Amazon to Google packet, would they just get a "Page can't be found", or would it bring up the response (Google) regardless of what the packet resolves to (Amazon) or what they requested (Yahoo)?