Tags:
Microsoft, Windows XP, SP1 and SP2, Symbol Meaning
I cannot find any information on this from just Googling it...or from a search on EE...so... Maybe someone here can shed some light on what this symbol means...I have my own personal thoughts but I need some confirmation.
When I do an IPCONFIG /ALL from the command line....
I get SPADE SYMBOL followed by a comma, and then a period... in the following areas:
DNS Suffix Search List: <spade symbol> <comma> <period>
Connection Specific DNS suffix: <spade symbol> <comma> <period>
I have written the words above in the < > brackets for clarity...but they are symbols. There is also an attached screen shot of this. I am wondering if somehow the Linksys WRT54GS router has been compromised since DHCP addresses and DNS info are being handed out by this unit. I see no reason why there should be hidden character set symbols displayed by an IPCONFIG /ALL (By the way...wireless is disabled and not used...and both PCs involved show no known viruses or spyware).
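A small check that turns the manual inspection described above into something repeatable, added here as an example and not part of the original thread: it parses `ipconfig /all` output and flags any DNS suffix field whose value is not a plain dotted hostname. In a cp437 console the spade glyph is what byte 0x06 looks like when rendered, so the script flags both the displayed glyph (U+2660) and the raw control byte. The sample output, the hostname and the 192.168.1.1 addresses are constructed, and the Windows XP field layout and US OEM code page (cp437) used for live capture are assumptions.

```python
"""Flag DNS suffix values in `ipconfig /all` output that are not plain hostnames.

Added example, not code from the thread. Assumes the Windows XP-style layout
(dotted field names, ': ' separator, indented continuation lines for
multi-valued fields) and a cp437 OEM console code page for live capture.
"""
import re
import subprocess
import sys

# Fields whose values should only ever be dotted hostname labels.
DNS_FIELDS = {
    "primary dns suffix",
    "dns suffix search list",
    "connection-specific dns suffix",
}

# "Field name . . . . : value" (value may be empty; adapter headers end in ':' too)
FIELD_RE = re.compile(r"^\s*([^:]+?)[ .]*:\s?(.*)$")

# RFC 1035 hostname label: alphanumerics with interior hyphens.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def odd_chars(value):
    """Characters outside printable ASCII (control bytes, extended/OEM glyphs)."""
    return sorted({c for c in value if ord(c) < 0x20 or ord(c) > 0x7E})


def classify(value):
    """Return None for an empty or well-formed suffix, else a short reason."""
    value = value.strip(" \t")
    if not value:
        return None
    bad = odd_chars(value)
    if bad:
        return "non-printable or extended characters: " + " ".join(
            f"U+{ord(c):04X}" for c in bad)
    if not all(LABEL_RE.match(label) for label in value.split(".")):
        return "not a valid DNS suffix"
    return None


def scan_ipconfig(text):
    """Return [(field, value, reason)] for every DNS suffix value classify() rejects."""
    findings = []
    field = key = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip(" \t"):
            field = key = None          # blank line ends any multi-valued field
            continue
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1), m.group(2)
            key = field.casefold()
        elif field is not None:
            value = line.strip(" \t")   # continuation line of the previous field
        else:
            continue                    # section header such as "Windows IP Configuration"
        if key in DNS_FIELDS:
            reason = classify(value)
            if reason:
                findings.append((field, value.strip(" \t"), reason))
    return findings


# Constructed sample modelled on the thread: the displayed spade is U+2660 when a
# cp437 console renders byte 0x06; a raw byte capture would contain '\x06' instead.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : workstation01
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        DNS Suffix Search List. . . . . . : \u2660,.

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : \u2660,.
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Same layout with an ordinary suffix, for comparison.
CLEAN_IPCONFIG = SAMPLE_IPCONFIG.replace("\u2660,.", "example.lan")


def capture_ipconfig(codepage="cp437"):
    """Run ipconfig /all (Windows only) and decode with the assumed OEM code page."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, check=True).stdout
    return out.decode(codepage, errors="replace")


def main(argv):
    """Scan a saved capture (path as first argument), the live machine, or the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="cp437", errors="replace") as fh:
            text = fh.read()
    elif sys.platform == "win32":
        text = capture_ipconfig()
    else:
        text = SAMPLE_IPCONFIG
    findings = scan_ipconfig(text)
    for field, value, reason in findings:
        print(f"{field}: {value!r} -> {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it on the sample reports both suffix fields with the U+2660 code point; a saved `ipconfig /all > before.txt` taken with the suspect router and another taken after swapping the DHCP/DNS source gives a side-by-side record of whether the value came from the router.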
Xpsavy... I do appreciate the comment and the link....and I have a pretty solid understanding of DNS itself. I work with MS products and SBS 2003/Server 2003/Exchange Active Directory setups quite often. Understanding what you can do with DNS is not the problem. Sure... you COULD use any of the 255 hidden key characters for a suffix....but WHY would you want to?...unless for dubious reasons. Why create a hidden DNS suffix unless something is going on behind the scenes that someone wants to hide? For what it's worth, I have seen these Linksys wireless boxes hacked before and rogue O/S's installed on them that act totally like the original router OS...except they have DNS SPAM or redirector operations now hidden in them. I have confirmed this with a sniffer on the WAN side of these compromised boxes. So far I have seen this 3 times over the last 2 years....and now this is number 4. I truly wonder how many of these Linksys boxes are pw3nd and no one ever catches on.
So someone chime in here please. I know this is a semi-odd question to be posting here...but it is relevant to DNS and small business networks...and poses serious security issues as well.
So...is the only solution a new router every time this happens? Maybe I should start using a new brand?...but all the consumer level routers run a modified Linux platform anyway...right? SBS level customers generally won't cough up the extra $$ for a true Cisco product...which are rock solid....but now I want to know what exactly this crap is....and how to get rid of it without buying new routers for the customer every time this happens.
Someone MUST have seen this too. I can't be the only one seeing this with Linksys products.
Hi CiscoKiDD1. I have been watching your question as I am curious as to what generates the spade character. I have absolutely nothing to assist except moral support :-) I thought I would add, I have seen the same character in ping replies in the past, but haven't noticed it in an ipconfig. I am doubtful it is due to DNS corruption but I cannot back that up. I did do a little digging and you may want to do so as well, but focus on ping and spade rather than DNS. There seem to be at least a few hits for that. Apparently some folks also get other extended ASCII characters when doing the ping. In the posts I have seen there are suggestions of TCP/IP stack corruption (most common), Winsock corruption, and anti-virus conflicts. The following link seems to discuss all three. http://forums.devshed.com/windows-help-34/xp-home-corrupt-tcp-ip-stack-80172.html Some others: http://www.pctools.com/forum/archive/index.php/t-37227.html http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_20840271.html
If you change your DHCP server, does the character go away? If so it is possibly a problem with the Linksys DNS resolver that might be fixed with an update. There is mention with one firmware update for that unit of "Resolves issue with using DNS server behind the router". Personally I would recommend using a server for DHCP over a router anyway, especially if you are using SBS (you had mentioned working with SBS).
I'd be tempted to try the netsh reset and winsock fix solutions to see if it "resolves" the problem.
Sorry for the delay getting back to you Rob....the holiday and other higher priorities took some of my time.
I did manage to spend some more time researching this "SPADE thing"...and the links you posted. From that, I don't believe this to be a TCP/IP stack corruption issue. No issues with the loopback response...it looks as it should. Also, to answer your question....yes, when I remove the Linksys router from the scenario and just connect one PC directly to the Motorola Surfboard SB5100 modem (using the DHCP services of the cable provider)...it connects and no SPADE character is present in the DNS information. To me this CONFIRMS that the Linksys product has been somehow modified....and my educated guess is that they are using TFTP remotely and exploiting a flaw in the Linksys code that allows for root access. (btw...using a server is not an option for this client at the moment...as much as I agree with you in approach / thinking)
SOoooooo.... I replaced the client's Linksys product with a Netgear Wireless Router and have brought the Linksys router to my own personal lab at home to play with...promising the client an eventual answer. With the new Netgear router the SPADE went away....so the Linksys is definitely somehow compromised.
I connected up my Javvin sniffer (Network Packet Analyzer) to the Linksys now in my test lab and I'm going to watch the traffic for a while to see what and where packets are going out to the internet. I truly think this is a MAJOR THREAT to network security because Linksys is such a widely used product in residential and commercial LAN infrastructures.
I'm going to bump up the points next round with this too.
...and again.... Anyone with thoughts, comments or experience with this...please chime in here.
Thanks for the update CiscoKiDD1. It's very interesting. Are you convinced the Linksys has been compromised, or is it possibly corrupted firmware? After doing your editing, it would be interesting to see if it changed if new or even existing firmware were applied.
I agree though; if there is a weakness it would be a huge concern due to the number of units out there.
The firmware was the first thing I updated before doing any of this....or even posting a question here....and it made ZERO difference. Sorry, I thought I mentioned that in the beginning.
It was also the same with the other "SPADE" incidents in the past as well....a firmware upgrade didn't resolve anything. This is apparently a well hidden little parasite....I wouldn't be surprised if it was some type of rootkit hack either.