Slashdot Mirror


Comcast Intercepts and Redirects Port 53 Traffic

An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.

527 comments

  1. Not happening to me by jimmyhat3939 · · Score: 5, Informative

    I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

    --
    Free Conference Call -- No Spam, High Quality
    1. Re:Not happening to me by kenp2002 · · Score: 1, Funny

      screen shot or it didn't happen ;)

      --
      -=[ Who Is John Galt? ]=-
    2. Re:Not happening to me by Shakrai · · Score: 5, Interesting

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP? If it's a business account then I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Not happening to me by whoever57 · · Score: 3, Informative

      I just verified that it's not currently happening. I'm in California if that matters.

      Me too. I'm also in CA and it is not currently happening.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Not happening to me by CodeBuster · · Score: 5, Interesting

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server (i.e. forging the response packets so that they appear to come from your server) then the only way to tell would be to place a deliberately wrong IP entry for a well known address on your server (i.e. something that Comcast wouldn't know about) and then run the query again to see if you get the wrong result (no redirection or impersonation) OR if you get the expected result (redirection or impersonation). Also, they might only be forwarding queries that they don't recognize to your server so that any custom or unusual queries hit your server but stuff like google.com is answered by their server(s).

    5. Re:Not happening to me by sanosuke001 · · Score: 1

      I don't have Comcast (anymore) but when I was living in CT I was privileged (/s) enough to have them as my only choice. This was at the time when they first started filtering BT traffic; I never had an issue so it might be a subsection of their consumer base.

      Also, I have road runner now and I don't have a static IP. I just have a dyndns.org hostname I use coupled with their IP update tool that keeps my IP updated. They have free accounts as long as they stay updated, i.e. deleted after 30 days without an update, but I get nice emails reminding me 5 days in advance. He might be doing the same?

      --
      -SaNo
    6. Re:Not happening to me by Shakrai · · Score: 1

      Also, I have road runner now and I don't have a static IP. I just have a dyndns.org hostname I use coupled with their IP update tool that keeps my IP updated. They have free accounts as long as they stay updated, i.e. deleted after 30 days without an update, but I get nice emails reminding me 5 days in advance. He might be doing the same?

      Not if he's using his nameserver as an authoritative nameserver for one or more domains. You can't list those by hostnames, you have to list them by IP address. That said, I don't know how Comcast works but my Roadrunner IP hasn't changed in over a year. That's one of the nice things about them vs. Verizon DSL, where it seems to change on an almost daily basis.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    7. Re:Not happening to me by jeffmeden · · Score: 3, Informative

      Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server (which is presumably above any such hijacking) and see if the request gets hijacked. Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

    8. Re:Not happening to me by whoever57 · · Score: 5, Informative

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server

      I'm certain. I sent a query to a DNS server that I control. I ran tcpdump on the DNS server and I could see the packets from my home IP address coming in with the query and the refusal going out (I asked the DNS server that I control to resolve yahoo.com, which it should refuse to do).

      --
      The real "Libtards" are the Libertarians!
    9. Re:Not happening to me by EvilBudMan · · Score: 4, Informative

      They are blocking port 53 it appears here in Virginia.

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      I don't know about them hijacking it though. I'm not sure what's causing it yet.

      Look this way for more info:
      |
      |
      |
        \
            \
            V

    10. Re:Not happening to me by mea37 · · Score: 2, Interesting

      That's the only way you can think of to verify what's happening?

      GP controls the DNS server in question. Think server logs and monitoring tools.

    11. Re:Not happening to me by Anonymous Coward · · Score: 3, Funny

      Why are people suddenly so obsessed with pointing to the reply button?

    12. Re:Not happening to me by EvilBudMan · · Score: 5, Interesting

      Funny,

      Here are the results from a static IP:

      --Knoxville.hfc.comcastbusiness.net --

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      There might be some other issues here:
      http://www.auditmypc.com/port/udp-port-53.asp

    13. Re:Not happening to me by mea37 · · Score: 5, Insightful

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server? (Since, you know, the ISP routers would never even see the traffic if it were?)

    14. Re:Not happening to me by JorgeFierro · · Score: 0

      Video or it didn't happen.

    15. Re:Not happening to me by whoever57 · · Score: 5, Informative

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server?

      The machine from which I sent the request is connected to a Comcast residential Cable Internet connection. The server at the other end is a virtual machine in a colo facility somewhere -- not a Comcast facility. And before anyone asks, I tried both tcp and udp requests with the same result (no interception, no transparent proxy).

      --
      The real "Libtards" are the Libertarians!
    16. Re:Not happening to me by EvilBudMan · · Score: 1, Funny

      I would reply to that but I can't reply to something that doesn't exist (i.e. AC).

      The answer to your question is here:

      |||
        \\
          \|
            |
            |
            V

    17. Re:Not happening to me by Anonymous Coward · · Score: 0

      Me too. I'm also in CA and it is not currently happening.

      That'll be CANADA, thank you very much.

    18. Re:Not happening to me by johannesg · · Score: 0, Offtopic

      I just verified that it's not currently happening. I'm in California if that matters.

      Me too. I'm also in CA and it is not currently happening.

      Are you saying this is currently not happening?

    19. Re:Not happening to me by The+Moof · · Score: 4, Insightful

      Isn't that the point of this outrage?

      More like intercepting traffic that isn't destined for Comcast as if it were. You're not attempting to contact Comcast in any way, but that's where the traffic is ending up.

      Let's say Comcast, for some reason, suddenly decides that your site should no longer be reachable (by name), they could start intercepting DNS requests for your site and returning domain not found. Or worse, redirecting you to a site they find more "suitable."

    20. Re:Not happening to me by nweaver · · Score: 1

      This is probably your NAT or firewall itself, not Comcast. We've seen this behavior across many customers regardless of ISP, and only a few comcast customers show this behavior.

      --
      Test your net with Netalyzr
    21. Re:Not happening to me by Anonymous Coward · · Score: 0

      I think Comcast binds IPs to MACs. My IP didn't change for over a year until I got a new modem and hasn't changed since.

    22. Re:Not happening to me by admiralex · · Score: 1

      I'm in DC, and using Open DNS. No problems at all here. Aside from the throttling of my bandwidth, but that's a different story.

    23. Re:Not happening to me by Kadin2048 · · Score: 1

      I just ran the ICSI test from a host on Comcast's network in the Metro DC area (inside the 69.255.0.0/16 space) and port 53 was not redirected according to the results.

      Ports blocked were:
      135 (RPC)
      139 (NetBIOS)
      445 (SMB)

      No blocks to anything else, although I have periodically experienced blocks on the common SIP negotiation ports (5060, 5061, etc.) that stop my VoIP from working until I change the port in use. I'm not sure what that's all about, and whether it's malice or just some sort of incompetent rate-limiting thing on Comcast's part.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    24. Re:Not happening to me by brasscount · · Score: 2, Interesting

      You mean like road runner does by default here in SC?

      --
      Confidentiality, Integrity, Availability: without Availability the other two are assured, as is Bankruptcy.
    25. Re:Not happening to me by Fuyu · · Score: 1

      I'm a Comcast home customer in NJ and I can confirm this doesn't happen to me when querying my DNS servers on different networks.

    26. Re:Not happening to me by Obfuscant · · Score: 1

      I'm in Oregon and it is not happening for me. I set resolv.conf on home system to point to a system I run outside Comlast and ran dig, saw connection rejected by iptables on the outside server for port 53 from home address.

    27. Re:Not happening to me by darthservo · · Score: 5, Funny

      Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server

      Thanks a lot. Now I'm going to get slashdotted.

      --

      Prove it.

    28. Re:Not happening to me by Zoxed · · Score: 3, Funny

      > Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com)

      1) Quickly registered non-existing domain mentioned on Slashdot and put up an ad-serving site.
      2) Wait for bored Slashdotters to try the link.
      3) Profit.

      Thanks Slashdot :-)

    29. Re:Not happening to me by Zetta+Matrix · · Score: 5, Insightful

      Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

      Actually, no. We've been outraged about that before. It's one thing if I use someone's server and it typojacks me due to a wildcard entry in the name tables. The alleged behavior we're discussing actually prevents* the user from using another nameserver outside of that ISP in order to sidestep the problem.
      * (well, makes more difficult, requiring tunneling or something like that)

      For quite awhile I've had the feeling that DNS will eventually be brokered through P2P/DHTs/etc with digitally signed payloads, and this type of behavior only makes that idea more appropriate.

    30. Re:Not happening to me by Anonymous Coward · · Score: 0

      I hosted my own personal domain, mostly for my own benefit, on a comcast home account. I ran it for three years and only ever rarely (usually during a power outage) lost my address. I kept my ttl's relatively short... 24 hours or so, so that on the rare occasion I could fix everything easily enough...

      I even ran a mail server, well configured, and was never bothered; I knew people who had poorly configured mail servers who were contacted and threatened with having their service shut off because they were running an open relay in just weeks; I don't know if it is true anymore, but it certainly seemed at the time that if you took the time to do it right, they would leave you alone...

      I did have to send mail through their servers (or something... it was over 4 years ago, so details are fuzzy) as there was some smtp funkiness going on, but nothing crazy...

    31. Re:Not happening to me by Anonymous Coward · · Score: 0

      I'm in DC, and using Open DNS.

      So you have willingly subjected yourself to the problem that this article is complaining about. Brilliant.

    32. Re:Not happening to me by chundo · · Score: 2, Informative

      Works for me in Chicago. I'm guessing it's his broadband router that's doing this, intercepting port 53 traffic and forwarding to the DNS servers it got from DHCP.

    33. Re:Not happening to me by falconwolf · · Score: 2, Informative

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP?

      My access is through Comcast, though like TFA's writer I get it from Earthlink, and I have a static IP with a consumer not a business account.

      Falcon

    34. Re:Not happening to me by bsdaemonaut · · Score: 2, Insightful

      This really has nothing to do with dynamic/static IPs; he's just trying to run his own private DNS server and it's getting hijacked. If he was seeking a simple dynamic IP solution it wouldn't matter if the client machine's DNS was getting hijacked since the DNS changes would get propagated out to Comcast's server eventually.

      That being said, this shouldn't affect him at all in a practical sense. A private DNS server running inside of a private domain's network couldn't get hijacked except for when it has to seek upstream for an address it doesn't know, but for all practical uses this shouldn't matter. Your client machines would still be getting everything your DNS server is intentionally serving authoritatively or otherwise. The only time this would matter is if you want to completely ditch Comcast's DNS and go with another DNS server outside of your private domain, like OpenDNS.

    35. Re:Not happening to me by EvilBudMan · · Score: 1

      Actually, I think it's the app now. We have VPN and an email server here, but not a web server. So the firewall is letting it through, but it's not going anywhere after that because the web server is not installed. Could that be it? Problem or lack thereof solved.

      http://n9.netalyzr.icsi.berkeley.edu/summary/id=4b65b8c9-23945-2830067c-fc56-4979-89bd

      I run the applet with IE because I have Firefox set to not run that stuff.
      BTW, does anyone smart here know how to adjust packet buffering?
      The only other negative thing was the computer clock being 76 seconds fast. Wait I get to go home 76 seconds early ;)

    36. Re:Not happening to me by Zadok_Allan · · Score: 1

      Doesn't happen here ( comcast, eastern TN ) either. DNS requests are neither redirected nor do I get false responses for nonexistent domains.

    37. Re:Not happening to me by bsdaemonaut · · Score: 1

      I think you're talking about the difference between an A record or a CNAME record? Authoritative really has nothing to do with it besides that it pushes changes upstream.

    38. Re:Not happening to me by CodeBuster · · Score: 2, Insightful

      The machine from which I sent the request is connected to a Comcast residential Cable Internet connection

      Ahhh, but that is the very problem you see. Comcast is not above forging packets to make them look as if they came from a different host. Recall the forged reset packet bittorent fiasco where Comcast was caught red-handed forging reset packets from hosts outside their network. If the traffic passes through the network of Comcast on an unsecured connection then it is vulnerable to tampering and with advanced packet shaping and inspection devices and software just about anything is possible including interception and impersonation of a complete DNS exchange. Comcast has already shown that they are not above forging packets so they must be regarded with suspicion whenever funny business appears to be going on with traffic traversing their networks.

    39. Re:Not happening to me by nweaver · · Score: 1

      That is probably your NAT or Firewall. We have observed in the big flashcrowd that there are scattered individuals (not from any particular ISP) who have NATs or firewalls that will only allow real DNS requests through.

      --
      Test your net with Netalyzr
    40. Re:Not happening to me by cprincipe · · Score: 3, Insightful

      This is retarded.

      I point my router's DNS to OpenDNS.org and everything works great. If I type a BS domain I get the OpenDNS search page.

      One idiot's Wordpress blog is enough to make it to the front page? I mean, I think Comcast is the devil incarnate, but there are plenty of legitimate reasons to hate them without making up BS stories.

      --

      bun-fhuinneog agam!

    41. Re:Not happening to me by TheSpoom · · Score: 3, Interesting

      Except that he actually received and sent the packets on the server and verified as such.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    42. Re:Not happening to me by Iphtashu+Fitz · · Score: 2, Informative

      I've had my Comcast IP (outside Boston) change about 2 or 3 times on me in the span of about 5 years. It doesn't happen often, but it does. I believe it's only been when they need to add capacity to an area.

    43. Re:Not happening to me by bsdaemonaut · · Score: 2, Interesting

      Assuming you have control of a decent firewall on both ends you can just reroute all your outbound traffic on port 53 to something of your choosing (let's say 16053) and then reroute the inbound traffic from 16053 to 53.

    44. Re:Not happening to me by bsdaemonaut · · Score: 1

      the inbound being on the colo server of course.

    45. Re:Not happening to me by nweaver · · Score: 1

      We have observed some firewalls that, regardless of settings, block random packets over UDP port 53 but do allow real DNS. And it may also be NATs as well. NATs do weird things, and you are behind a NAT.

      The test works by first sending a random UDP packet that our server echoes back (it tries 5 times). If that fails, it then tries to send a request that's a legitimate DNS request to the same server (again, it tries 5 times).

      It also tries to send a legitimate DNS request that will produce a large (~1800B) EDNS-present response. Again, this is attempted 5 times.

      Looking at the transcript (the "transcript" link on the results page), the non-DNS request over port 53 was blocked, the large-response was not received, but the real request was allowed to pass unmodified.

      QED, something in the network: A host-based firewall, a network firewall, a NAT, etc, parses DNS and only allows valid DNS requests through on UDP port 53.

      Which NAT are you using?

      But as a comcast customer myself, all my packets on port 53 are unaffected, whether or not they are valid DNS requests. As are most other Comcast customers. So I don't believe you are seeing a Comcast issue.

      --
      Test your net with Netalyzr
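The two checks the posters describe, CodeBuster's canary record (comment 4) and the three Netalyzr probes nweaver lays out above, as an added Python example that is not Netalyzr's code or anything posted in the thread. The server address, zone name and canary IP are constructed placeholders; probe() assumes your own server echoes raw datagrams on port 53 as Netalyzr's does and that the large query gets an answer over 1500 bytes.

```python
"""Detecting transparent DNS interception on UDP/53 (added example; not
Netalyzr's code or anything posted in the thread).  The server address,
zone name and canary IP are constructed placeholders."""
import os
import random
import socket
import struct

CANARY_NAME = "canary.example.invalid"  # constructed: a name only your server knows
CANARY_IP = "192.0.2.53"                # constructed: the address you planted for it
TEST_SERVER = "198.51.100.1"            # constructed: your non-ISP DNS server

def build_query(name, txid, edns_bufsize=None):
    """Minimal RFC 1035 A/IN query, plus an RFC 6891 OPT record if requested."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)
    if not edns_bufsize:
        return header + question
    # OPT RR: root name, type 41, the CLASS field carries the UDP payload size, TTL 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(resp, txid):
    """Return (rcode, [IPv4 strings]) or None if resp is not a reply to txid."""
    if len(resp) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4    # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def canary_verdict(resp, txid, expected_ip=CANARY_IP):
    """Canary check: a name only your server knows must come back with the planted address."""
    parsed = parse_a_records(resp, txid)
    if parsed is None:
        return "no valid reply (blocked, or reply for another query)"
    rcode, ips = parsed
    if ips == [expected_ip]:
        return "canary intact: query reached your server unmodified"
    if rcode == 3 or not ips:
        return "NXDOMAIN or empty: another resolver answered for your zone"
    return "answer altered: got %s, expected %s" % (ips, expected_ip)

def classify(random_echoed, dns_answered, large_answered):
    """Netalyzr-style summary of the three probe outcomes."""
    if not dns_answered:
        return "UDP/53 blocked"
    if random_echoed and large_answered:
        return "port 53 unrestricted"
    if not random_echoed:
        verdict = "DNS-parsing proxy or firewall on UDP/53"
        return verdict + ("; large EDNS responses do not get through" if not large_answered else "")
    return "raw UDP passes but large EDNS responses do not (fragmentation?)"

def probe(server=TEST_SERVER, name=CANARY_NAME, tries=5, timeout=2.0):
    """Live probes (not run offline).  Assumes your server echoes raw datagrams
    on port 53 as Netalyzr's does, and that `name` yields a >1500-byte answer."""
    def send(payload, accept):
        for _ in range(tries):               # Netalyzr also retries five times
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                try:
                    s.sendto(payload, (server, 53))
                    data, _ = s.recvfrom(4096)
                    if accept(data):
                        return True, data
                except socket.timeout:
                    pass
        return False, b""
    junk = os.urandom(32)
    echoed, _ = send(junk, lambda d: d == junk)
    txid, txid2 = random.randrange(65536), random.randrange(65536)
    answered, resp = send(build_query(name, txid), lambda d: parse_a_records(d, txid) is not None)
    large, _ = send(build_query(name, txid2, 4096),
                    lambda d: len(d) > 1500 and parse_a_records(d, txid2) is not None)
    return classify(echoed, answered, large), (canary_verdict(resp, txid) if answered else "n/a")
```

Against a plain resolver that does not echo raw datagrams, compare only the DNS and large-EDNS outcomes and the canary verdict.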
    46. Re:Not happening to me by Anonymous Coward · · Score: 0

      The "Reply to this" button?

    47. Re:Not happening to me by Anonymous Coward · · Score: 0

      so... am i typing the answer?

    48. Re:Not happening to me by Cyner · · Score: 1

      I've got a consumer account and run a similar setup. My IP has changed 3 times in 7 years. Having to deal with the change once every few years isn't much for the cost savings; especially when it's just my domain.

      --
      FreeBSD.org - The power to serve
    49. Re:Not happening to me by __aasqbs9791 · · Score: 5, Funny

      Then that's even worse! It means Comcast must have hacked his server to falsify the logs! /s

    50. Re:Not happening to me by Anonymous Coward · · Score: 0

      Assuming you have control of a decent firewall on both ends you can just reroute all your outbound traffic on port 53 to something of your choosing (let's say 16053) and then reroute the inbound traffic from 16053 to 53.

      I have no need to do this. If Comcast ever starts intercepting my dns traffic, I have a VPN tunnel to my server and I can just send my outgoing DNS queries to the server via the tunnel.
      And for the sake of clarity and before anyone asks -- for the experiment that I did, I made sure that the VPN tunnel was NOT used.

    51. Re:Not happening to me by Cyner · · Score: 1

      I've run similar test. Between two comcast-connected home servers (on different connections) and between those servers and a T1 (non-Comcast) connected server. Same results.

      --
      FreeBSD.org - The power to serve
    52. Re:Not happening to me by x4r · · Score: 1

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

      I'm a comcast user and it works for me...perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait this is Slashdot...nevermind.

      because interfering-exploiting DNS (can't wait 4 times, where DNSSEC infrastructure are become mandatory ISP license acquiring (& Native IPv6 perhaps!)) easiest way to build botnets and/or use ISP 4 intelligence gathering. I mean, this case must be investigated by NSA, not FTC. So, you state (or more like, you THINKING about your state) location in CA, might mean, that someone don't need intel about you in that state.

    53. Re:Not happening to me by x4r · · Score: 2, Funny

      dance or you don't alien. eat or you don't starving. make love or go war. fly airplanes or flying saucer. listen Elvis or BB King.

    54. Re:Not happening to me by Anonymous Coward · · Score: 1, Interesting

      As much as I like the freedom of being able to contact any DNS server, there is some rationale for intercepting these kinds of requests. As we have seen, the DNS system can be abused by users to do nefarious things. None of us would question Comcast putting filters on their SMTP servers to limit the amount of SPAM that could be generated by Comcast users. And it's fairly normal for providers to limit, or at least monitor, SMTP connections to outside mail servers. And one would hope that Comcast would be responsive to situations when one of their users (or, more likely, one of their users' computers) is participating in a DDoS attack.

      Given that we expect ISPs to deal with SPAM and how we treat those ISPs that don't, is it really unreasonable that Comcast is preparing for the time when we expect the same from ISPs when it comes to DNS? So long as the results of a legitimate DNS query are correct compared to what the server would return (i.e. not cached), what's the harm?

    55. Re:Not happening to me by x4r · · Score: 0, Offtopic

      You're right, and US laws were wrong. In your dream.

    56. Re:Not happening to me by Anonymous Coward · · Score: 0

      same here, in Mass all is well
      http://netalyzr.icsi.berkeley.edu/restore/id=4b65b5d3-14784-4fed2389-ad5e-4d83-8fe0

    57. Re:Not happening to me by Anonymous Coward · · Score: 0

      Ahhh, but that is the very problem you see. Comcast is not above forging packets to make them look as if they came from a different host.

      Well, one could argue that the packets that my server saw were not the same packets that my home network sent out -- they were merely copies of the packets, passed through boxes that processed them called routers.

    58. Re:Not happening to me by sjames · · Score: 2, Informative

      Same here. I routinely test work DNS servers from home (on Comcast). They include non-public domains that will not resolve anywhere else. Other zones may differ from what the authoritative nameserver would answer.

      They may be intercepting DNS somewhere, but not here in Atlanta.

    59. Re:Not happening to me by hairyfeet · · Score: 2, Interesting

      I know you are probably just trying to troll Mr Coward but I don't think you've ever used OpenDNS. I admit my spelling is pretty bad and I have a tendency to bump adjacent keys when I am typing fast and I don't think I've seen the OpenDNS page twice in two years. They really do give it a "best effort" to try and figure out what you were looking for before giving up. Now compare that to the Comcast one where from what I understand if you get even one letter off you are going to be staring at their ad server.

      I've found OpenDNS to be faster, safer, and more reliable than my local ISP. if the cost of that is seeing an ad page once a year when I type something so horribly bad that their DNS server goes "WTF?" then so be it and I'm guessing the above poster feels the same. So why not try OpenDNS for a week? It's free and you might like it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    60. Re:Not happening to me by SanityInAnarchy · · Score: 1

      All of this is still consistent with the possibility of packets being intercepted/proxied, and only altered under certain conditions.

      But it is nice that someone's checking these claims before we all get medieval on Comcast. There are plenty of legitimate reasons to hate them without us making them up.

      --
      Don't thank God, thank a doctor!
    61. Re:Not happening to me by SanityInAnarchy · · Score: 1

      Possible, but RTFA -- the fact that it gets redirected to an Earthlink page suggests that either the NAT itself is shady, or Comcast is.

      --
      Don't thank God, thank a doctor!
    62. Re:Not happening to me by nschubach · · Score: 1

      I've had this happen on Insight (RR) near Columbus, OH recently. I'd type in www.google.com and it would take me to the RR Domain not found page and provide me a link to Google which would fail again, taking me to the same page. I got sick of it and changed my router's DNS servers to alternatives and enabled DNSMASQ.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    63. Re:Not happening to me by sjames · · Score: 1

      Earlier today, I was changing nameservers for a domain. In preparation, I configured my nameserver with a zonefile containing the new IP addresses for that domain, but did not change the NS records at the registrar. I then used dig from home to query my DNS directly and got the new IPs, not what the authoritative nameservers would return.

      Naturally after I was satisfied that the zone file was correct, I changed the ns records for the domain.

    64. Re:Not happening to me by nschubach · · Score: 2, Funny

      ^
      |
      |
        \
          \
            \
              \
      I clicked on that and all I got was a lousy web form.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    65. Re:Not happening to me by Philip+K+Dickhead · · Score: 1

      DNS tunneled over TOR or SOCKS?

      Seems like the next step to take.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    66. Re:Not happening to me by alta · · Score: 4, Informative

      Comcast is using nearly off the shelf DHCP with really long expire times. When you get an IP, you'll have it for months, and usually don't lose it until those months have passed AND you reboot your equipment and get a new IP.

      DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independent of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly. Unlike a direct link, PPPoE must renegotiate every time there's a momentary signal loss, just like dialup would do.

      From what I've read, they use PPPoE because it's the easiest way to enable/disable users in real time via a RADIUS server. Comcast has to use more complicated methods to kill accounts (in some places, even send out a truck to put on a filter)

      --
      Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
    67. Re:Not happening to me by Blakey+Rat · · Score: 1

      The only thing more annoying that arrows pointing to the Reply button are people posting about "we" without telling us all who "we" is. Who's "we?"

    68. Re:Not happening to me by thePowerOfGrayskull · · Score: 1

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use.

      It's not clear whether you're running that DNS server at home, on your comcast account, or externally? It sounds like the report is for out-of-network DNS servers - he has set up a pseudo-server listening on 53 on a slicehost box, which is not on comcast lines. If you're in-network, you may never be getting re-routed at all.

    69. Re:Not happening to me by thePowerOfGrayskull · · Score: 1

      What would be the point of that in this case? Comcast intercepts DNS request, forwards it to the original server while pretending to be the client, and sends the reply back to the client while pretending to be the requested server?

      If that was what were happening (as nonsensical as it would be), then the story poster would still have seen traffic on his remote pseudo DNS server -- he didn't.

      Given what GP has posted, though, I'm inclined to think it's a testing configuration error... or an issue specific to certain comcast locations.

    70. Re:Not happening to me by number11 · · Score: 2, Informative

      DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independant of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly.

      Depends on where you are. With Qwest (and a local third party ISP) I've had the same IP number since I got the service, maybe 10 years ago. That's regular consumer-grade (1.5M/1.0M) DSL. The reverse DNS lookup gives a name that has my ISP username embedded into it.

    71. Re:Not happening to me by spartacus_prime · · Score: 1

      So THAT'S what "????" is.

      --
      If you can read this, it means that I bothered to log in.
    72. Re:Not happening to me by Koby77 · · Score: 2, Insightful

      When the DNS servers don't work at all, as the article complains, then no.

    73. Re:Not happening to me by Jane+Q.+Public · · Score: 1

      But TOR is slow, and has been compromised in some cases. Comcast shouldn't be doing this in the first place.

    74. Re:Not happening to me by pugugly · · Score: 1

      My local TDS telecomm (Motto: "We're incompetent, we have a monopoly and we damn well like both these things.") has developed the fun habit of not finding sites and redirecting me to a page with a "Perhaps you meant (Site I was connecting to)?" Click on the link, it can't find the site --> Rinse repeat.

      TDS Telecomm - I hate them so very much - {sigh}.

      Pug

      --
      An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
    75. Re:Not happening to me by Shakrai · · Score: 1

      Comcast has to use more complicated methods to kill accounts (in some places, even send out a truck to put on a filter)

      That's kind of silly, given that DOCSIS has provisions to remotely reboot and manage the modems. Time Warner can shut you off with a few keystrokes. Why wouldn't Comcast be able to do the same?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    76. Re:Not happening to me by nemesisrocks · · Score: 1

      Wonder how long it'll take for some bored slashdotter to go and register asdfdsafdsafhdsds.com...

    77. Re:Not happening to me by orangesquid · · Score: 1

      From New Castle County, Delaware, I get (Netalyzr):

      "UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy, NAT, or firewall intercepted and blocked the deliberately invalid request.
      The applet was also able to directly request a large DNS response. "

      Normal test results of my own:
      * Querying 128.175.13.92 (which only answers for hosts in .udel.edu) for copland.udel.edu works, but querying it for google.com returns Query refused (as it should).
      * Sending any DNS queries to a network firewall / server of mine that is port-forwarding 53 to an internal server that is currently down results in timeouts (as they should).
      * I turned off the port-forwarding and started a simple caching BIND setup on the firewall. Every time I query the firewall from the PC on a comcast connection, the firewall gets a query from my current comcast IP address (according to tcpdump).

      Somewhat strange test result (of my own):
      * Sometimes, though, if I haven't queried the firewall's nameserver in a few minutes, the next request will "time out" (although tcpdump on the firewall shows the reply was sent; it's possible it was dropped, and since it's UDP, would not be re-transmitted at the datagram level) -- and subsequent queries will time out (over and over again!! -- a sudden loss of *that many* specific types of UDP packets when everything else is getting through fine between the two hosts?) until I query a different nameserver, after which point queries to the "timing-out" nameserver (the firewall) will work fine. Since the firewall has two IPs, I even tested querying a "different" nameserver by just sending a query to the other IP, and the behavior was identical: after not querying the primary IP for a while, I sent a query that timed out; I retried the query several times and every try timed out; I sent the query to the secondary IP and it returned a result; I queried the primary IP again and then got a result; all the while, the firewall shows each request coming in and each reply going out. Am I confusing the DNS caching system they seem to be implementing?

      * Another normal test result:
      If there's a problem with invalid queries, it's not affecting TCP. I started a simple netpipes server "faucet $PORT --out echo hi" on the firewall on 9020 (to test) and then on 53 -- telnet'ing to the firewall from the PC on the comcast network on both ports gave "hi" and closed the connection, as expected.

      * Completely abnormal:
      Now, to test udp with netcat, I set up a dumb echo server with "nc -l -u -p $PORT -q5 /dev/null" which I can send a message to with "echo hello|nc -u $NS $PORT -q0". I tested this on port 9020 (worked fine), but when I tried the same thing on port 53 (meaning I sent a non-DNS packet to port 53 from the PC on comcast), the server never got it (I verified this with tcpdump). From a machine accessing the Internet not through comcast, "echo hello|nc -u $NS 53 -w0" [note: -w0 vs. -q0 depends on version of netcat] worked as expected, and the server printed "hello".

      Comcast may or may not be caching and/or filtering DNS requests now and/or in the near future (who knows?), but they're definitely blocking outbound on UDP/53 for (at least some) invalid DNS packets.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    78. Re:Not happening to me by jnaujok · · Score: 1

      Here's a hint: Don't let qwest move you to the DSLAM hotels on the FTTN network boxes. They'll talk up and down about how great it is that they run fiber to the box, and offer speeds up to 20MB if you switch to the FTTN box. However, despite having five different qwest people assure me that the move wouldn't affect my 3rd party connection, if you move to the FTTN box, they'll limit your connection to 640K/256K and then tell you "hey, it's the same price as 1.5MB/1MB, so you can't complain."

      I was convinced to switch after my CO connected DSL started dropping down to 7db signal to noise after 7 years without a problem. They convinced me that it would take 3 months to schedule a new cable pull and that I could connect to the FTTN node 200 feet away and get an always perfect signal with no problems. They told me repeatedly it wouldn't affect my third party ISP connection. I even had the guy from Qwest write it on the work order.

      After the switch, I couldn't get over 640K/256K, no matter what. Actually on the first night, I called their customer service number and they said, "oh, a switch must be set wrong" and I was back up to 1.5/1 for a whole 45 minutes. Then it was back to 640/256. After three weeks of dealing with customer reps via in-person, voice, e-mail, and chat, they admitted that this is an intentional filter of third party ISP's on all the FTTN nodes to force you to switch to Qwest as your ISP.

      After you do that, you get a new IP address every 22 minutes (at least on my connection.)

      I've already filed a complaint with the FCC and told Qwest that if I can find any alternative (other than the local cable carrier, which is worse -- they advertise 45MB rates, but actual speeds on their overloaded networks are in the 150K range) that I will be dropping them immediately.

      They could care less, because they know they're the only game in town.

      --
      Life, the Universe, and Everything... in my image.
    79. Re:Not happening to me by kidsizedcoffin · · Score: 1

      Not too helpful, but you can disable the RR redirect. The option was either on the redirect page or on their page. I turned it off the day it was added, so it has been a while.

    80. Re:Not happening to me by Methlin · · Score: 1

      Not if he's using his nameserver as an authoritative nameserver for one or more domains. You can't list those by hostnames, you have to list them by IP address.

      Since when? The NS records of a domain registration are hostnames, the NS records in a zone file are also hostnames. There's nothing stopping you from using somehost.dyndns.org as your NS record in both your domain registration and zone file, and it will work just fine.

    81. Re:Not happening to me by Macgruder · · Score: 1

      I did that, and I get a google page with this post as the only result. Hmm....

      --
      I'm not crazy,I'm actively irresponsible.
    82. Re:Not happening to me by Mister_Stoopid · · Score: 1

      Feel free to intercept my DNS requests when you can guarantee that your DNS server will always be 100% up-to-the-minute correct and will have 0.000000% downtime. Until then, no.

    83. Re:Not happening to me by Anonymous Coward · · Score: 0

      Verizon DSL (don't know about FiOS) does not use PPPoE. I used to work for them and I also had their DSL product for a while. PPPoE requires the hardware to be set up with a username/password before first use. Verizon's hardware does not require this.

    84. Re:Not happening to me by enigma32 · · Score: 1

      Same thing here in NJ.

      I see a connection to my virtual server in Chicago from a T3 here in Hoboken, but my residential Comcast ("Optimum") connection never connects.
      So, not only do they block incoming connections to port 80 on my home connection (And deny it) but they also block outgoing port 53?

      wtf?

    85. Re:Not happening to me by Anonymous Coward · · Score: 0

      I live in MD. My Comcast DHCP established IP is for one week only.
      Minnemmj

    86. Re:Not happening to me by Anonymous Coward · · Score: 0

      Sometimes I wish there were a "-1 gibberish" moderation. Your point is valid but your writing is hopelessly awful.

    87. Re:Not happening to me by jabelli · · Score: 1

      Lease length is irrelevant. My Earthlink DHCP lease is only 1 day, but my IP address hasn't changed since... well the earliest message on my phone from the updater is last April, and it's just an expiration-preventive update.

    88. Re:Not happening to me by thejynxed · · Score: 1

      That's because Comcrap blocks outgoing port 25 traffic, but not incoming. Their tech support will lie to you about this, of course, and point to the ToS section that says "no servers".

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    89. Re:Not happening to me by PitaBred · · Score: 1
      I'm in Denver on Comcast, dynamic IP:

      Direct UDP access to remote DNS servers (port 53) is allowed. The applet was also able to directly request a large DNS response.

      I think this is the permalink.

    90. Re:Not happening to me by koehn · · Score: 1

      OpenDNS allows you to turn off said feature. I did, and get NXDOMAIN back instead of the IP of their goofy page when I typo or try to resolve a non-existent name.
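
      The difference described here, a real NXDOMAIN versus an address that resolves to the resolver's own page, is visible in the response itself: rcode 3 with an empty answer section versus rcode 0 with an A/AAAA record for a name that cannot exist. The block below is an added example, not code from OpenDNS or from the thread; it parses the two cases from constructed replies, and `probe()` sends a random label under a zone of your choosing to a resolver of your choosing (both placeholders) so a cache cannot answer it. The reply parser follows compression pointers, which real resolvers use for the answer name.

```python
import secrets
import socket
import struct

# Constructed example, not code from the thread or from any resolver vendor.
HEADER = struct.Struct("!HHHHHH")   # id, flags, qd, an, ns, ar
RCODE_NXDOMAIN = 3
A, AAAA = 1, 28


def read_name(msg, off):
    """Decode a name at off, following compression pointers; returns (name, next off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer: jump, keep reading
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Return (rcode, [(name, rtype, rdata), ...]) from the answer section."""
    _id, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = HEADER.size
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0xF, answers


def synthesized_answer(msg):
    """True if a name that cannot exist came back as an address instead of NXDOMAIN."""
    rcode, answers = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return False
    return any(rtype in (A, AAAA) for _name, rtype, _rdata in answers)


def build_query(name, txid=0x1234):
    """Minimal A query, RD set."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split("."))
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + wire + b"\x00\x00\x01\x00\x01"


def probe(resolver_ip, zone="example.com", timeout=3.0):
    """Ask resolver_ip for a random label under zone; True means it synthesized an answer."""
    name = secrets.token_hex(6) + "." + zone   # random so no cache can have it
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    finally:
        s.close()
    return synthesized_answer(reply)


# Two constructed replies to a query for nx.example (id 0x1234):
# an honest NXDOMAIN, and a "typo page" answer pointing at 192.0.2.1.
QUESTION = b"\x02nx\x07example\x00" + b"\x00\x01\x00\x01"
HONEST_NXDOMAIN = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION
SYNTHESIZED = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
               + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    print("honest NXDOMAIN synthesized?", synthesized_answer(HONEST_NXDOMAIN))
    print("typo-page reply synthesized?", synthesized_answer(SYNTHESIZED))
```

      A resolver that answers the random label with an address is rewriting NXDOMAIN, whoever operates it; a resolver that returns rcode 3 is not, at least for that query. Run `probe()` against both the ISP's resolver and the third-party one you configured: if the third-party resolver's answer disagrees with what it gives from a connection outside the ISP, something on the path is answering in its place.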

    91. Re:Not happening to me by KGIII · · Score: 1

      Yes, yes it does - at least regionally and until not too long ago. I can't say that it *still* does but as you "used to" work for them I'm going with you talking out your ass on this one. Screenshots can likely be provided quite easily to show the protocol being used as well as the user/pass being entered into the "modem" settings to ensure connectivity.

      They would have to be non-functional screenies though. Fairpoint has butchered those accounts and yes, they too still use PPPoE. Yes this is DSL/ADSL. I still have a Westel provided by Verizon setup and, in use, with GWI because Fairpoint sucked ballsack.

      --
      "So long and thanks for all the fish."
    92. Re:Not happening to me by Anonymous Coward · · Score: 0

      I used OpenDNS once.

      That wildcard entry was really fun

      I couldn't switch back fast enough. I don't understand why anybody uses that service.

    93. Re:Not happening to me by dna_(c)(tm)(r) · · Score: 1

      A private DNS server running inside of a private domain's network couldn't get hijacked except for when it has to seek upstream for an address it doesn't know, but for all practical uses this shouldn't matter.

      His own laptop. Configure it with an extra, private DNS at home, to find his computers by name in his home network, parents network, customers network... and accessing those being 'on the road'

    94. Re:Not happening to me by Anonymous Coward · · Score: 0

      You know, the word is lose, not loose.

      If I had a dollar for every time I see this mistake, I'd be rich by now...

      lose = misplace
      loose = ill fitting, not tight

      There, I feel much better now

    95. Re:Not happening to me by laughingcoyote · · Score: 1

      Seems to work fine to me as well, I'm on Comcast and OpenDNS is working the same as always. Just tested by going to a nonexistent page, I still get the same OpenDNS "page not found" message. I also haven't noticed any slowdown in DNS resolution, which I normally notice quite acutely using Comcast's DNS.

      I'd love to smack Comcast as much as anyone, but if this was happening it doesn't seem to be anymore. Let's save smacking them for when they really do pull something stupid. I'm sure they won't let us down for long.

      --
      To fight the war on terror, stop being afraid.
    96. Re:Not happening to me by Anonymous Coward · · Score: 0

      You are a liar. I've used AT&T DSL for years and my IP only changes once every few weeks or once a month. I can unplug my modem/router, plug it back in and I will still have the same IP.

    97. Re:Not happening to me by Anonymous Coward · · Score: 0

      I suppose it is a strange thought but what really bothers me is:

      1.) Is jeffmeden a left-hander?
      2.) What other information could be extracted from the letters ("asdfdsafdsafhdsds") he/she chose to type into the keyboard?
      3.) If under "2.)" there can be more information extracted, what if you could take other things like typing speed, typing halts, errors (backspace) into account ... (isn't Google Wave supposed to transmit every letter you type) ...
      4.) Besides writing awful English, am I also paranoid?

      Anonymous Caword.

    98. Re:Not happening to me by bluefoxlucid · · Score: 1

      If they are forcing you to switch by limiting service, file with the FTC as well.

    99. Re:Not happening to me by clone53421 · · Score: 1
      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    100. Re:Not happening to me by alta · · Score: 1

      In SOME places they disable, largely not done any more because they use the method you describe. But I'd say that sending a config down stream to the modem is somewhat more touchy than flipping a bit on a radius server.

      --
      Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
    101. Re:Not happening to me by bsdaemonaut · · Score: 1

      Unless he has more than one public IP in his home/parent/whatever network that will not help him -- how do you plan on distinguishing between different computers on the same network? NAT is the only way unless you're going to use something like a VPN, which would eliminate the problem in the first place.

      Assuming you do have multiple public IPs they would eventually propagate out and it wouldn't matter -- unless you're trying to avoid that sort of thing. If you're trying to keep your multiple public IPs relatively private and if you only have a few IP addresses to worry about on a couple of computers.. a hosts file can handle that just fine.

    102. Re:Not happening to me by ginbot462 · · Score: 1

      Hmm... this new Slashdot CSS addition is cheesy. But, it's a hell of a lot better and faster than the last one.

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
    103. Re:Not happening to me by aldousd666 · · Score: 1

      they probably just have long dhcp leases. When they renew, they stay with the same address unless it's taken (in the off chance someone else renewed within your window, which is low, if the window is long,) and the leases work by MAC. Occasionally they'll change, and if you change a device out, the mac is all new. They could have various reasons for clearing out the leases or whatever too. I doubt they would really put so much effort into trying to keep an address with a person, when it's pretty simple to track it down, and not so simple to reserve them so often.

      --
      Speak for yourself.
    104. Re:Not happening to me by digitalsushi · · Score: 1

      I run public dns on a comcast dynamic ip. I can usually go about 8 months without a re-lease giving me a new IP, so it's always been very acceptable.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    105. Re:Not happening to me by Anonymous Coward · · Score: 0

      I get exactly the same result, but I'm on a T1 and have nothing to do with Comcast.

    106. Re:Not happening to me by skeeto · · Score: 1

      I ran his test in Maryland and they are not hijacking my port 53 traffic.

      TFA is completely right about Comcast DNS servers sucking. I frequently find myself switching to different DNS servers temporarily when Comcast is being particularly awful. Not only would it fix the problem, but the other DNS servers resolved requests much, much faster. If they were hijacking port 53 back then this wouldn't work.

      I still don't doubt TFA's claims. It's exactly the sort of scummy thing Comcast would do.

    107. Re:Not happening to me by GnomeThinker · · Score: 1

      I show that line on my comcast connect as well, however the tcp connect is blocked. TCP is not generally needed on a home connection as it allows for requesting larger UDP and that gets most people through. Of course 'most people' isn't everyone :( Digs with tcpdump show me talking to opendns's servers so does not appear to be a redirect. This is on a basic Comcast home connection however Comcast has the appearance of placing different rules in various parts of the country. Permalink on scan

    108. Re:Not happening to me by EveLibertine · · Score: 1

      On Comcast (home, not business) in Chicago, my out-of-comcast-network DNS requests appear to be working fine. Also: http://n3.netalyzr.icsi.berkeley.edu/summary/id=4b65b5d3-14844-ea3b2189-1d85-4789-8dd2

    109. Re:Not happening to me by Anonymous Coward · · Score: 0

      Let's say Comcast, for some reason, suddenly decides that your site should no longer be reachable (by name), they could start intercepting DNS requests for your site and returning domain not found. Or worse, redirecting you to a site they find more "suitable."

      RoadRunner does that, you put in an invalid URL and it will pop a RoadRunner page with guesses.

    110. Re:Not happening to me by danielsfca2 · · Score: 1

      > What would be the point of that?

      Simple... If they proxy the results, they reserve the right to censor the result for you. Sometimes they return what the real dns server said, sometimes they decide to instead return an IP with more Comcastic(tm) content. Just because they aren't using this capability yet doesn't mean they won't use it later. Why else have it? /Still would prefer comcast to my shitty "municipal cable" ... Blecch.

    111. Re:Not happening to me by thePowerOfGrayskull · · Score: 1

      Well - sure, but then it's classic "MiM". Which, by definition, comcast already is because they are often routing traffic to and from networks not their own.

    112. Re:Not happening to me by danielsfca2 · · Score: 1

      I'm not sure what you're suggesting--of course unless you peered with every ISP in the world your packets have to go through other people's networks besides only the origin and destination.

      The difference is, the Internet is "supposed" to work on the principle that you pass packets not meant for you on towards their addressee, not parse them at a much higher layer, decide their apparent intent for yourself, carry out that intent, and then return the results, or maybe your own interpretation of the results.

    113. Re:Not happening to me by thePowerOfGrayskull · · Score: 1

      I would say it works on the exact opposite - the assurance that no matter how many routers it passes through (each with their own code for sending yon electrons to the right place), it will arrive at its destination as if nothing existed between the two endpoints.

    114. Re:Not happening to me by Anonymous Coward · · Score: 0

      Or perhaps Comcast is also sending requests on to the DNS server and blocking them on the return trip.

    115. Re:Not happening to me by kontos · · Score: 1

      IF you think that you only see their (OpenDNS) ads a couple of times a year, you should look at the answer that they give out for www.google.com, and compare that with what the real nameservers for google.com hand out. You may be surprised.

      --
      SM MBL-VIR looking 4 SIG 4 LTR. must be DDF, no 420, SD ok.
  2. I'd first post but by Anonymous Coward · · Score: 1, Funny

    someone is intercepting my DNS requests.

  3. Not happening here by jimmyhat3939 · · Score: 2, Informative

    I have several domains I run on a private DNS server that I access from my house using Comcast. I haven't experienced this. I'm in California if it matters.

    I suppose users could tunnel DNS over some other port if they had to.

    --
    Free Conference Call -- No Spam, High Quality
    1. Re:Not happening here by Shakrai · · Score: 3, Interesting

      I suppose users could tunnel DNS over some other port if they had to.

      I route all of my DNS requests through a VPN to the DNS server at my office. Not everybody has this luxury though. I wonder if OpenDNS would be inclined to set up a VPN solution for people stuck with an ISP as arrogant as Comcast?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Not happening here by mcgrew · · Score: 4, Interesting

      I'm wondering how this post ever made it to the slashdot front page. I haven't RTFM, but as it's from the domain comcastfuckingwithyourport53traffic.wordpress.com I don't see any reason to lend it credence.

      The comments to this story say a lot, almost as much as the domain the story links to. Somebody screwed up posting this.

    3. Re:Not happening here by harryandthehenderson · · Score: 1

      I'm wondering how this post ever made it to the slashdot front page.

      kdawson hadn't met his daily quota for posting FUD articles yet?

    4. Re:Not happening here by Anonymous Coward · · Score: 3, Funny

      Somebody screwed up posting this.

      Posted by kdawson on 02:11 PM -- Tuesday June 09 2009

      Why am I not surprised.

    5. Re:Not happening here by Talderas · · Score: 1

      Not only that, but the author freely admits that Earthlink has their hands in it as well, but uses the opportunity to just rail on Comcast. Seeing people post in CA that they don't experience this problem with Comcast, I'm more than willing to place the blame entirely on Earthlink, and this kid (I don't care if his actual age is above 18, his choice of writing style is that of a child) is just using what is likely Earthlink's policy to hammer on Comcast.

      It would be like Dell adding some annoying feature to Windows, and the people who buy Dell machines complaining and bitching about Microsoft.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    6. Re:Not happening here by Chlorine+Trifluoride · · Score: 1

      kdawson has a quota?

    7. Re:Not happening here by harryandthehenderson · · Score: 2, Funny

      Yep. His quota is "as many as possible".

    8. Re:Not happening here by Anonymous Coward · · Score: 0

      No, he can post as many as he wants...

    9. Re:Not happening here by LodCrappo · · Score: 1

      I route all of my DNS requests through a VPN to the DNS server at my office. Not everybody has this luxury though.

      not everybody would want to take a simple udp packet and turn it into god knows how much traffic, adding a ridiculous amount of latency to something that depends on speed. luxury my ass.

      I wonder if OpenDNS would be inclined to set up a VPN solution for people stuck with an ISP as arrogant as Comcast?

      No, they won't. Because although OpenDNS is a bunch of opportunistic scammers, they aren't dumb.

      --
      -Lod
    10. Re:Not happening here by machine321 · · Score: 1

      How is OpenDNS typo-jacking better than Comcast's?

    11. Re:Not happening here by machine321 · · Score: 1

      Perhaps he doesn't want a disgruntled (or gruntled) Comcast mid-manager maliciously canceling his service, so he wants to remain semi-anonymous.

    12. Re:Not happening here by Anonymous Coward · · Score: 0

      Agreed, anytime people get mad enough to setup a free blog they must be making shit up. 8|

    13. Re:Not happening here by Anonymous Coward · · Score: 0

      I route all of my DNS requests through a VPN to the DNS server at my office.

      Do you really have your work name servers resolving your porn URL hostnames?

    14. Re:Not happening here by Vladus2000 · · Score: 1

      I use OpenDNS through comcast, and I still see the OpenDNS error pages and the like, I'm pretty sure it is going through. Perhaps they are looking for failure returns and hijacking those?

    15. Re:Not happening here by Shakrai · · Score: 1

      not everybody would want to take a simple udp packet and turn it into god knows how much traffic, adding a ridiculous amount of latency to something that depends on speed. luxury my ass.

      Umm, IPSEC doesn't turn it into "god knows how much traffic" and your "ridiculous amount of latency" argument doesn't hold water. Given that the object is to avoid Time Warner's NXDOMAIN hi-jacking it would seem obvious that I can't use their nameservers. So I can either run my own nameserver that serves nobody but me and contacts the root servers for every single domain I visit or I can run it as a local cache using the work nameserver as a forwarder. The nameserver at work serves thousands of clients and has a much better cache to draw upon, hence fewer queries to the root servers and a faster response time.

      It also seems more polite to do what I can to keep the load on the root servers as low as possible, though in the grand scheme of things it doesn't really make that much of a difference.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
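
      The "local cache with the work nameserver as a forwarder" setup described above, as an added BIND configuration example (not the poster's own config): the forwarder address and the VPN are placeholders, and the one setting that decides how the cache behaves when the VPN is down is `forward only` versus `forward first`.

```conf
// named.conf fragment for a resolver that serves only this host and
// sends every miss to one upstream cache reached over a VPN.
// Added example; 192.0.2.53 stands in for the office resolver.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 127.0.0.1; ::1; };        // nobody else may use this cache
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };

    forwarders { 192.0.2.53; };            // the office resolver, via the VPN
    forward only;                          // never fall back to iterating from the roots

    // "forward only" fails closed: if the VPN is down, resolution stops rather
    // than silently falling back to a path that can be hijacked. "forward first"
    // would retry from the root servers instead, which restores service but
    // puts the ISP back in the middle for exactly those queries.
};
```

      The `allow-query` and `listen-on` lines matter because a recursive resolver that answers anyone on the Internet is itself an amplification source on a residential connection; the forwarder choice is the only part of this fragment that touches the hijacking question.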
    16. Re:Not happening here by Shakrai · · Score: 1

      Do you really have your work name servers resolving your porn URL hostnames?

      I don't surf that much porn and even if I did, who cares? I'm the network administrator/bastard operator from hell. I'm not routing my traffic through work, just using the DNS server.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    17. Re:Not happening here by michaelhood · · Score: 1

      No, they won't. Because although OpenDNS is a bunch of opportunistic scammers, they aren't dumb.

      Tell us how you really feel, Lod.

    18. Re:Not happening here by LodCrappo · · Score: 1

      typical ipsec overhead on data packets is 52 bytes. ignoring all the housekeeping traffic since you probably need the tunnel for other purposes anyway, you've still managed to approximately double the size of your queries (of course depending on the length of the name you are looking up). you've also added all the hops between your host and work, the hops inside your corp. network to the DNS server, then the hops back out to the net and all the way to the authoritative server, quite possibly doubling or worse the number of hops for any uncached query. it's a crapshoot whether you've reduced or increased the hops for cached answers.

      not an efficient solution, to say the least.

      --
      -Lod
    19. Re:Not happening here by LodCrappo · · Score: 1

      sorry to be all bitchy. i just hate companies that prey on the ignorant. i've had to help clients resolve so many issues caused by opendns it's made me bitter I guess.

      --
      -Lod
    20. Re:Not happening here by Shakrai · · Score: 1

      typical ipsec overhead on data packets is 52 bytes

      Crap that adds at least 0.05 milliseconds to the time it takes to transmit a packet with my upload speed...... Who knew I was holding myself back that badly.

      you've also added all the hops between your host and work, the hops inside your corp. network to the DNS server, then the hops back out to the net and all the way to the authoritative server, quite possibly doubling or worse the number of hops for any uncached query. its a crapshoot whether you've reduced or increased the hops for cached answers.

      My goal wasn't to reduce the number of hops, it was to be a more polite user of the root nameservers and not to have to deal with Time Warner's NXDOMAIN hijacking.

      not an efficient solution, to say the least.

      Got a better suggestion, Mr. Nitpicker?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    21. Re:Not happening here by LodCrappo · · Score: 1

      typical ipsec overhead on data packets is 52 bytes

      Crap that adds at least 0.05 milliseconds to the time it takes to transmit a packet with my upload speed...... Who knew I was holding myself back that badly.

      You're not looking at the big picture. Sure, it isn't much time to get 52 bytes to your next hop. But even assuming that every hop between your network and corporate is just as fast, you've added 0.05ms * (about) 20 (hops) just to get there, and that's assuming a perfect world where there is no contention at any of the routers. Combined with the number of lookups on a typical web page and you've probably added half a second or more to every page's loading time. There are too many factors involved to be exact, but at times this delay will be even worse.

      you've also added all the hops between your host and work, the hops inside your corp. network to the DNS server, then the hops back out to the net and all the way to the authoritative server, quite possibly doubling or worse the number of hops for any uncached query. its a crapshoot whether you've reduced or increased the hops for cached answers.

      My goal wasn't to reduce the number of hops, it was to be a more polite user of the root nameservers and not to have to deal with Time Warner's NXDOMAIN hijacking.

      And my goal was to show how silly an idea it would be to take your solution and apply it to a large number of users, as you suggested OpenDNS could do. It wouldn't be a good solution.

      not an efficient solution, to say the least.

      Got a better suggestion, Mr. Nitpicker?

      Yes. Don't use the services of companies that hijack DNS.

      --
      -Lod
  4. Confirmed. by Anonymous Coward · · Score: 0

    I'm on Comcast. When I tried to use another DNS server it was blocked.

    1. Re:Confirmed. by Presto+Vivace · · Score: 3, Funny

      wow, it as if Comcast was trying to set a record of some sort for bad customer relations.

    2. Re:Confirmed. by Tokerat · · Score: 1

      That confirms nothing.

      --
      CAn'T CompreHend SARcaSm?
    3. Re:Confirmed. by Plumber,+Programmer, · · Score: 2, Insightful

      Confirmed by an AC. Well, that's solid.

    4. Re:Confirmed. by ushering05401 · · Score: 1

      Solid, yet still floats on water... What could it be?!

    5. Re:Confirmed. by Anonymous Coward · · Score: 0

      I'm on Comcast. When I tried to use another DNS server it was blocked.

      Really. That isn't even what the article said might be happening, and conflicts with everything I see & everyone else sees.

      Please post the following:

      Your city and state.
      Type of connection: Business or home
      Type of IP: Static or dynamic
      What did you do to test this? Be specific. Ports, Protocols, applications used, type of DNS sent, what was received, etc.

      Did you bypass your router to run this test? Do you even know how to log into your router?

      I'm not defending CrapCast here, but an AC simply saying "it's blocked" is, quite frankly, bullshit.

    6. Re:Confirmed. by Anonymous Coward · · Score: 0

      It's a witch!

  5. Not surprised by Hyppy · · Score: 0, Redundant

    I've tried really hard to be shocked and surprised. I can't. This is just another example of a continuing trend of anti-customer behavior by these guys.

    1. Re:Not surprised by e9th · · Score: 1

      Yeah. I predicted this a month ago.

    2. Re:Not surprised by delta98 · · Score: 1

      I agree. I tried to not sport a foil hat while keeping an eye on the reaction of some media power bases while the web was taking its current form. Hell, I watched this grow from a little seed into what it is today and I see the problem in as far as who owns the pipe. My ball my rules. That sucks. We all paid for this not only in our subscriber fees but in grants and low interest loans to those who now have control through our tax dollars. There is a solution and there will be another round of cat and mouse. So it continues..

    3. Re:Not surprised by nomel · · Score: 2, Insightful

      No...it's anti-anyonebutnormalcustomer behavior. The people running dns servers are probably 0.000001% of internet users....the rest are probably just infected machines.

      The question is *why* do they care about filtering DNS traffic? Do they offer this service as a paid service elsewhere, costing them *money*? Or is it simply to try to get a handle on worms and malware, which uses tons of bandwidth for a network as big as comcast, costing them *tons of money*.

      They have a profit based mindset...it shouldn't be hard to figure out why they're doing it. If the cost from malware is more than the loss of a portion of a fairly insignificant customer base that in reality probably costs them what several regular users cost, then they'll choose to block the port!

      At one point I called support and asked what kind of account I would need to legally (in terms of usage agreement: no servers allowed) run a website. They said I'd have to go elsewhere to a *hosting company*. That's probably what they'll tell you here.

      I think as much as we complain, in the end, if you want a direct and unfiltered, higher risk, and more expensive to maintain connection to the internet, you'll have to...pay more....just like if you want to use 5x the bandwidth of a normal user, you'll have to pay more.

      I like the idea of the internet being a standard connection, wide open and the same anywhere...but that's not going to happen without regulatory laws, cause it doesn't make much business sense.

    4. Re:Not surprised by peragrin · · Score: 1

      what defines a normal user? I use 300 mega a month browsing 4 sites (/., Ars Technica, etc) on my iPhone during lunch hour.

      ISP are mainly cable companies who have a vested interest in keeping video off the Internet above and beyond the fact they massively oversold their service and are watching it catch up to them.

      --
      i thought once I was found, but it was only a dream.
    5. Re:Not surprised by Kadin2048 · · Score: 4, Insightful

      The only way I can imagine they'd profit from this is by blocking access to alternative DNS servers like OpenDNS, or even just putting in well-known public DNS servers like 4.2.2.2, so that they can intercept unknown requests and return ad-laden pages instead. Basically typosquatting.

      Various ISPs have gone down this road before. (Rogers Cable has tried, and so has Road Runner.) Unfortunately -- for the shady ISPs, anyway -- it's easy for annoyed users to get around these schemes; they can just configure their computer or NATing router to use a different DNS server besides the one supplied by the ISP via DHCP.

      By transparently redirecting all DNS requests to their own servers, Comcast would eliminate this method of circumventing their advertising. They could also block sites at the DNS level much more easily than before.

      A lot of censorship schemes (ab)use DNS in order to return a bogus result to a query; these schemes aren't very good, though, because any user with two brain cells to rub together and the tiniest bit of motivation can change their DNS configuration to use clean servers instead. By doing transparent redirection, you prevent this.

      Those strike me as the two obvious reasons. The profit-motivated one (squatting on failed DNS queries) is annoying and causes many non-web applications to fail or behave improperly, but it's not nearly as bad as the censorship-motivated one is. However, the same technique that makes failed-lookup ads harder to avoid could easily be used as part of a censorship scheme if demanded by the government. It's important that even casual Internet users (who may not really care about returning a "page not found" web page instead of the normal browser message) understand why letting their ISP monkey with DNS lookups is a Really Bad Idea.

      In both cases you can get around the hijacking by using a VPN and forcing DNS queries though it, but that's significantly harder than changing from automatically-assigned DNS servers to well-known ones like OpenDNS's or Verisign's.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    6. Re:Not surprised by Propaganda13 · · Score: 1

      I'm not a fan of Comcast, but I can see this being done to prevent an attack that would just change your DNS server. Change the DNS then point everything useful through a MITM.

    7. Re:Not surprised by AB3A · · Score: 1

      One reason why Comcast might be doing this is to put a stop to viruses that might redirect you to a malicious DNS that redirects your bank web page requests to their own servers.

      Remember, they're not aiming at slashdotters, they're aiming at Joe and Jane Sixpack who haven't got the faintest idea what a DNS is or why they should care. That said, they do owe us an explanation before the conspiracy theories get out of hand.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
    8. Re:Not surprised by delta98 · · Score: 2, Funny

      Was gonna type something snarky here but it's best to let things go for now.

    9. Re:Not surprised by HTH+NE1 · · Score: 1

      One reason why Comcast might be doing this is to put a stop to viruses that might redirect you to a malicious DNS that redirects your bank web page requests to their own servers.

      Why would a virus change your DNS to point somewhere malicious when they can just put an entry in your local hosts file or otherwise hijack and resolve the look-up locally?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    10. Re:Not surprised by ??? · · Score: 1

      The people running dns servers are probably 0.000001% of internet users....

      ummm... Okay... Only that's not what the story was talking about. The story was talking about a user using a different resolver from comcast, rather than their resolver. This has nothing to do with running a dns server. There are a number of reasons to want to use another resolver, including:

      • Security - Switching resolvers to OpenDNS was one of the suggested protection methods for Kaminsky's DNS flaw.
      • Avoid NXDOMAIN hijacking / forgery - All the net is not the web, and NXDOMAIN hijacking breaks everything except the web (and sometimes even breaks the web too).
      • Avoid outages - Outages that are caused by the provider's inability to achieve a simple task - keeping their caching name-servers up, while connectivity is still there, shouldn't cause an outage of your net access
      • Alternative DNS roots

      the rest are probably just infected machines... is it simply to try to get a handle on worms and malware... If the cost from malware

      Sorry... what does using a different resolver have to do with malware? Yeah. I thought so.

      The question is *why* do they care about filtering DNS traffic?

      The reasons I've heard advanced most frequently to encourage the use of the ISP's caching nameserver are:

      • Bandwidth - Though this will not impose a significant increase in bandwidth on the ISP, it can impose a somewhat larger load on the roots and TLDs. Though with the larger caching nameservers like OpenDNS this should not appreciably increase load
      • Ad revenue - See above on NXDOMAIN hijacking / forgery. This is an inappropriate business practice that breaks everything except web and often breaks the web too

      This detracts from their profitability on only one of their lines of business - the one where you are the product.

    11. Re:Not surprised by dave562 · · Score: 1

      If they are working with a local host file, they need to modify that file every time their spoofed site gets shut down. If they point you to a malicious DNS server, they can just change the records on the server instead of thousands(?) of individually compromised machines.

    12. Re:Not surprised by delta98 · · Score: 1

      Comcast has control. Sit back and enjoy happy fun. That is an order!{happy ;olz} L, here

    13. Re:Not surprised by Anonymous Coward · · Score: 0

      To play the devil's advocate here... it could be something well intentioned that's coming across wrong.

      I recall a number of spyware/viruses that would alter the DNS settings on a PC so that it would send requests to some outside DNS server. At that point it didn't matter what you entered in the address bar on the browser, it would direct it to some trojan hosting (or other webpage trying to force you to install some software).

      It actually gives me a good idea for my environment at work, where we want everyone to use the DNS servers at work. There is no reason that any workstation should be trying to use an outside DNS, so it makes sense to forcibly redirect all DNS traffic from workstations to our name servers.

  6. not a comcast issue by Archfeld · · Score: 1

    but rather this appears to be earthlink. Time to find a new ISP. Since their policy changed it should invalidate any long term contract you have, time to move on. The ONLY language either entity will understand is you voting with your dollars, by giving them to another company. I realize comcrap will probably see this as a violation of their right to profit, but OH WELL...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  7. DNSSEC? by Your+Anus · · Score: 1

    How does this affect DNS with DNSSEC applied? Wouldn't there be a mismatch in the signing keys?

    --
    In the USA, we like stuff watered down, like beer, television, and freedom.
    1. Re:DNSSEC? by ScytheBlade1 · · Score: 4, Informative

      DNSSEC is validated at the resolver level. However, even if you run your own local DNS resolver, DNSSEC wouldn't come into play -- Comcast can simply strip the KEY/RRSIG records entirely before sending them to you -- leaving your resolver thinking that the zone has no DNSSEC records at all (at which point, they are blindly accepted as valid).

      I'd imagine that there is an option somewhere in bind to only accept signed records (and if not, there will be eventually I'm sure), but even if Comcast wasn't futzing with your dataz, you wouldn't have a functional internet.

      (I'm on comcast, and am not seeing this redirection. I also run a local DNS resolver.)

    2. Re:DNSSEC? by Anonymous Coward · · Score: 0

      No pre-Windows 7 or glibc-based distro (including most Linux distros) can verify DNSSEC-signed records, so sadly it really doesn't matter. glibc took the "resolv" code from BIND 4 and has refused to merge it again since (we're at BIND 9.6), so until Drepper realizes glibc is not the place for DNS-related code development (the puny patches that were made to it in glibc were duplicated in BIND like 15 years ago), or you can somehow supplant the gethostbyname, getaddrinfo, and/or res_search functions with BIND's libbind, you're SOL.

      If anyone can tell me how to use libbind as a drop-in replacement to libc so I can use DNSSEC that would be great...

    3. Re:DNSSEC? by x4r · · Score: 1

      there is NO WAY to determine presence of any kind of traffic alteration (against MITM attack, which is in some countries (includes EU and Russia) serious crime by itself). even VPN tunneling doesn't help, because VPN traffic can be also altered-redirected. transparently and at lightspeed. i mean "not seeing redirection" is not a point. especially in case ISP get caught on such law violation.

    4. Re:DNSSEC? by x4r · · Score: 1

      that's what i MEAN. PROPERLY implemented DNSSec MUST be operational to BE an ISP. malforming traffic? your biz is closed. court dismissed. this [and working IPv6] can help a lot for US and Worldwide security.

    5. Re:DNSSEC? by marka63 · · Score: 1

      DNSSEC is validated at the resolver level.

      Validation is designed to be in the application. Most sites validate in the resolver as that is the easiest place to update and protect non-DNSSEC aware applications.

      However, even if you run your own local DNS resolver, DNSSEC wouldn't come into play -- Comcast can simply strip the KEY/RRSIG records entirely before sending them to you -- leaving your resolver thinking that the zone has no DNSSEC records at all (at which point, they are blindly accepted as valid).

      DNSSEC is designed to detect when DNSKEYs/RRSIGs are stripped from responses and will treat those as bogus presuming you have an appropriate trust anchor configured. For the record I'm a BIND developer and have many years of DNSSEC experience.
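      The RRSIG-stripping point marka63 makes here, and the NXDOMAIN hijacking discussed earlier in the thread, as an added example that is not from any post on this page: a small Python parser for DNS wire-format responses that classifies each constructed message as an honest NXDOMAIN, an NXDOMAIN that was rewritten into an A record, a signed positive answer, or a positive answer whose RRSIG was removed in transit. Names, addresses (192.0.2.0/24 is the documentation range) and the RRSIG payload are constructed placeholders; the `zone_is_signed` flag stands in for what a validator learns from a trust anchor and a DS record in the parent, and no signatures are actually verified.

```python
"""Added example: spot NXDOMAIN rewriting and RRSIG stripping on
constructed DNS wire-format responses. Offline; no network access."""
import struct

TYPE_A, TYPE_RRSIG = 1, 46
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAGS_RESPONSE = 0x8180  # QR=1, RD=1, RA=1; RCODE is OR'd in below


def encode_name(name):
    """Dotted name -> uncompressed wire form."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(qname, qtype, rcode, answers):
    """One-question response; answers = [(name, rtype, ttl, rdata), ...]."""
    header = struct.pack("!HHHHHH", 0x1234, (FLAGS_RESPONSE & 0xFFF0) | rcode,
                         1, len(answers), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_message(msg):
    """Header, question and every resource record (answer+authority+additional)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"rcode": flags & 0xF, "questions": questions, "records": records}


def classify(msg, expect_nxdomain=False, zone_is_signed=False):
    """expect_nxdomain: the query was a canary name known not to exist.
    zone_is_signed: trust anchor / parent DS says the zone is signed, so a
    positive answer without RRSIG is bogus, not merely 'insecure'."""
    p = parse_message(msg)
    types = {r[1] for r in p["records"]}
    if p["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if expect_nxdomain and TYPE_A in types:
        return "nxdomain-hijack"          # something answered a name that must not resolve
    if zone_is_signed and TYPE_RRSIG not in types:
        return "bogus-rrsig-stripped"     # signatures removed in transit
    return "ok"


def constructed_samples():
    """Four constructed responses (placeholders, not captured traffic)."""
    canary = "this-name-does-not-exist.example."
    a_rr = ("www.example.", TYPE_A, 300, bytes([192, 0, 2, 80]))
    fake_rrsig = ("www.example.", TYPE_RRSIG, 300, b"RRSIG-PLACEHOLDER")
    return {
        "honest_nxdomain": build_message(canary, TYPE_A, RCODE_NXDOMAIN, []),
        "hijacked_nxdomain": build_message(canary, TYPE_A, RCODE_NOERROR,
                                           [(canary, TYPE_A, 60, bytes([192, 0, 2, 10]))]),
        "signed_answer": build_message("www.example.", TYPE_A, RCODE_NOERROR, [a_rr, fake_rrsig]),
        "stripped_answer": build_message("www.example.", TYPE_A, RCODE_NOERROR, [a_rr]),
    }


def run_checks():
    s = constructed_samples()
    return {
        "honest_nxdomain": classify(s["honest_nxdomain"], expect_nxdomain=True),
        "hijacked_nxdomain": classify(s["hijacked_nxdomain"], expect_nxdomain=True),
        "signed_answer": classify(s["signed_answer"], zone_is_signed=True),
        "stripped_answer": classify(s["stripped_answer"], zone_is_signed=True),
    }


if __name__ == "__main__":
    for sample, verdict in run_checks().items():
        print(f"{sample:18s} -> {verdict}")
```

      Against real traffic you would feed `classify` the bytes returned by a resolver you chose deliberately (a canary name you control for the NXDOMAIN check, a zone you know is signed for the RRSIG check); a `nxdomain-hijack` or `bogus-rrsig-stripped` verdict from a resolver that should never produce one is the signal that something between you and that resolver is rewriting answers.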

  8. Using OpenDNS on Comcast by Anonymous Coward · · Score: 1, Informative

    no sign of any DNS hijacking in western MA.

    1. Re:Using OpenDNS on Comcast by CompSci101 · · Score: 4, Informative

      Likewise in Southern New Jersey (and Philadelphia before this -- the very heart of Comcast darkness)

      I get OpenDNS error pages for nonexistent domains.

      --
      The Sun is proof that we can't even do fire properly.
    2. Re:Using OpenDNS on Comcast by Snap+E+Tom · · Score: 1

      Same here. Jersey Shore. OpenDNS is still working fine.

    3. Re:Using OpenDNS on Comcast by aztektum · · Score: 1

      Me not so much a fan of OpenDNS. I prefer pointing my DNS @ L3's servers... 4.1.1.1-.6

      I have Comcast Biz class (no cap, less snooping since there is a signed agreement dictating such - for me at least). I will check this when I have a chance.

      --
      :: aztek ::
      No sig for you!!
    4. Re:Using OpenDNS on Comcast by geekboy642 · · Score: 1

      You may want to change that. I remember seeing an article a few weeks back saying that L3 was going to implement some access restrictions on those to lower their traffic.

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
    5. Re:Using OpenDNS on Comcast by trogdor8667 · · Score: 1

      Same here. I'm getting the OpenDNS error pages in TN.

    6. Re:Using OpenDNS on Comcast by Kadin2048 · · Score: 1

      I am not a big fan of OpenDNS either. Rather than use L3's or Verizon's servers (4.1.1.1 and 4.2.2.2 sets respectively, I think), you might want to try the Open Root Server Confederation's. They are what OpenDNS purports to be; an actual grassroots effort to provide an alternative DNS, without the sleazy failed-lookup pages or obvious profit motive of OpenDNS. There are some TLDs in the ORSC root zone that don't exist in the traditional ICANN one, but you can just ignore them unless you want to take part.

      Their top-level servers are listed here. You can also run `dig . ns @ns1.vrx.net` for a more up-to-date list; when I run that I get the following:

      a.root-servers.orsc. 172800 IN A 199.166.24.1
      c.root-servers.orsc. 172800 IN A 199.166.26.200
      f.root-servers.orsc. 172800 IN A 199.166.31.3
      i.root-servers.orsc. 172800 IN A 199.166.26.51

      I think their intention is that people will put the root file into their local caching nameserver rather than hitting one of their top-level servers with each request (unlike OpenDNS), but there's no actual discouragement of the latter practice and I assume it's considered acceptable for laptops and other portable machines.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    7. Re:Using OpenDNS on Comcast by Anonymous Coward · · Score: 0

      so you have your DNS hijacked by your own choice, rather than by Comcast.
      when did using opendns become so popular? doesn't anyone realize they are an advertising firm providing a solution to a non existent problem so they can sell ads? WTF??

    8. Re:Using OpenDNS on Comcast by daemonburrito · · Score: 1

      I think there are two main reasons that OpenDNS got popular.

      First, it was a temporary solution for people whose ISPs were late in patching the Kaminsky flaw. Lots of people found that OpenDNS was faster and more reliable than their ISP and never switched back.

      Second, after the Conficker algorithm for generating hostnames was figured out, OpenDNS and Kaspersky went proactive and started blocking predicted hostnames. Microsoft, Symantec and Verisign quickly did a "me too" on that as well; it's debatable whether or not they would have done so on their own.

      Their web tools aren't so bad, either.

      I agree that OpenDNS breaks DNS, but everything is so screwed up right now that I don't think playing by the rules counts for much. I don't know what the solution is; nobody's really trustworthy, for most people it's blind trust in somebody no matter how you slice it.

    9. Re:Using OpenDNS on Comcast by Cl1mh4224rd · · Score: 1

      I get OpenDNS error pages for nonexistent domains.

      I'm in southwestern Pennsylvania (roughly Pittsburgh area) and I have my router set to use OpenDNS servers.

      However, I get Firefox's standard "Page Load Error" page with a nonexistent domain, and www.opendns.com/welcome/ tells me I'm not using OpenDNS.

      This used to work just fine.

      --
      People will pass up steak once a week, for crap every day.
    10. Re:Using OpenDNS on Comcast by argiedot · · Score: 1

      You probably know this, but if your computer does not get its DNS servers from the router you may well not be using OpenDNS even if you have it set in your router's settings.

  9. Fuck `Em All by Cpt_Kirks · · Score: 5, Funny

    When Comcast took over from Time Warner here, I bailed.

    I mean, Time Warner is evil. AT&T (who I switched to), is evil.

    But Comcast is Motherfucking Sith Lord EVIL.

    Scary fucking eeeeevil. Nazi evil. RIAA evil.


    1. Re:Fuck `Em All by Em+Emalb · · Score: 5, Funny

      So what are you trying to say?

      C'mon man, stop beating around the bush and get to your point.

      --
      Sent from your iPad.
    2. Re:Fuck `Em All by Shakrai · · Score: 1

      Scary fucking eeeeevil. Nazi evil.

      Yes, because hijacking your DNS packets and injecting RST packets to interfere with bittorrent is comparable to putting millions of people in ovens and trying to conquer Eurasia.......

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Fuck `Em All by DarrenBaker · · Score: 1, Funny

      That's the quickest Godwin proof I've seen in a while.

    4. Re:Fuck `Em All by danpritts · · Score: 0, Flamebait

      glad to hear that comcast is morally equivalent to the perpetrators of the holocaust, who killed 12 million people in concentration camps.

    5. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      You're right, there's no contest between the two.

      The Third Reich has NOTHING on Comcast.

    6. Re:Fuck `Em All by Itninja · · Score: 4, Funny

      I think the parent was just using a bit of hyperbole there. Also, it appears he only has a limited understanding of what the word 'evil' means. And the word 'fuck'. And, well, he just don't appear to be that bright in general.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    7. Re:Fuck `Em All by Skye16 · · Score: 1

      Even Hitler started with baby steps

    8. Re:Fuck `Em All by fpophoto · · Score: 1

      Yes, because hijacking your DNS packets and injecting RST packets to interfere with bittorrent is comparable to putting millions of people in ovens and trying to conquer Eurasia......

      Good point, although I think the result will be the same for both: failure.

    9. Re:Fuck `Em All by CorporateSuit · · Score: 3, Insightful

      From your post, I don't think you're aware that Time Warner is actually one of the presiding members of the RIAA (and the MPAA).

      --
      I am the richest astronaut ever to win the superbowl.
    10. Re:Fuck `Em All by Trivial_Zeros · · Score: 2, Funny

      It's not evil... It's Comcastic!

    11. Re:Fuck `Em All by bretticus · · Score: 5, Funny

      Don't make fun of Poland.

    12. Re:Fuck `Em All by interkin3tic · · Score: 4, Funny

      C'mon man, stop beating around the bush and get to your point.

      It had something to do with star wars. The sith lord part tipped me off.

    13. Re:Fuck `Em All by furby076 · · Score: 1

      So are you saying you wouldn't vote for them to win the Friendly Company Of the Year award?

      --
      I do not support "The Man". I also do not support your irrational stupidity
    14. Re:Fuck `Em All by sckeener · · Score: 1
      I like to think of it as indifferent Evil vs Active Evil.

      Time Warner doesn't care about their customers (indifferent Evil)

      vs

      Comcast is out to get their customers. (Active Evil)

      another good way to describe them is....Time Warner is a Thief whereas Comcast is an Assassin.

      (I don't know who would be the Thief-Acrobat. Which one's stock is fluctuating today?)

      --
      "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
    15. Re:Fuck `Em All by zmnatz · · Score: 1

      No I think he's saying that they'd be the kind of company that forces all their employees to stuff the ballot box for that award.

    16. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      Censorship was a big part of how the nazis got to be so in control. Things like this are the first steps in censorship.

    17. Re:Fuck `Em All by element-o.p. · · Score: 1

      "Froo-its of the dev-il" evil?

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    18. Re:Fuck `Em All by Abreu · · Score: 1

      Yeah, I hear his paintings were atrocious!

      --
      No sig for the moment.
    19. Re:Fuck `Em All by julesh · · Score: 1

      It had something to do with star wars. The sith lord part tipped me off.

      Star Wars _and_ Indiana Jones (that's where the Nazis come from clearly).

      Now, which movie were the RIAA the villains in?

    20. Re:Fuck `Em All by Culture20 · · Score: 1

      He's trying to say Weevil, but he can't form his lips to make the "w" sound.

    21. Re:Fuck `Em All by j79zlr · · Score: 1

      Don't make fun of Poland.

      Genius!

      --
      I'm not not licking toads.
    22. Re:Fuck `Em All by DeafDumbBlind · · Score: 1

      Or Overstock.com...

      --
      Jesus used to be my co-pilot, but we crashed in the mountains and I had to eat him.
    23. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      Now, which movie were the RIAA the villains in?

      Real life? ow ow sorry now I get it. GGP is ironic because if it's not happening in the movies reality can wait.

    24. Re:Fuck `Em All by Jake+Griffin · · Score: 1

      Or stuffs their employees into the ballot box...

      --
      SIG FAULT: Post index out of bounds.
    25. Re:Fuck `Em All by Tokerat · · Score: 1

      It's funny because Comcast has been the most reliable ISP I've ever had. I've had torrents hit 2MB/Sec (not a typo, that's Megabytes), although not sustained. The only problem was when they came to disconnect another apartment in my building and they pulled the plug on me by accident - the fault of the stupid installer guy. Took them a few days to turn it back on which sucked, but I never get over-billed, and it always just works.

      Then I saw their commercials with the chick singing in a monotone about "Always dreaming, never stopping" and boy, do I agree with you.

      --
      CAn'T CompreHend SARcaSm?
    26. Re:Fuck `Em All by Sj0 · · Score: 1

      The Internet is Serious Business.

      --
      It's been a long time.
    27. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      Correction: Time Warner Cable is a separate entity from Time Warner. Also, Warner Music is no longer a part of Time Warner as well.

    28. Re:Fuck `Em All by Cpt_Kirks · · Score: 2, Funny

      It's funny because Comcast has been the most reliable ISP I've ever had.

      Well, Mussolini made the trains run on time.

      (Next up, a Hirohito reference. Stay tuned!)

    29. Re:Fuck `Em All by sharkey · · Score: 0, Offtopic

      Comcast is like being forced to have group sex with Oprah Winfrey, Rosie O'Donnell, Roseanne Barr and Chelsea Clinton WITHOUT benefit of a blindfold, noseclip, earplugs and Wild Turkey.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    30. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      I forgot about that.

    31. Re:Fuck `Em All by RulerOf · · Score: 4, Informative

      group sex with Oprah Winfrey, Rosie O'Donnell, Roseanne Barr and Chelsea Clinton

      That's the absolute worst thing I've read in a long time.

      Well done, sir.

      --
      Boot Windows, Linux, and ESX over the network for free.
    32. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      have you ever *seen* a RST packet???

    33. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      I don't see any failure in the injecting RST packets. In fact, ISPs who are doing this seem to be getting accolades from politicians in doing their part to stop the evil pirates.

      Yes, the Nazis == FAIL, but for ISPs doing bandwidth caps, active content hijacking and other things, they have seen nothing but big green lights with the word "WIN" on them.

    34. Re:Fuck `Em All by docbrody · · Score: 2, Funny

      mod ^ funny, very funny

    35. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      All your medias are belong to us!

    36. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      That's the quickest Meta-Godwin's proof I've seen in a while.

      (Meta-Godwin's law states that any mention of Nazis will be followed by another poster mentioning Godwin's law)

    37. Re:Fuck `Em All by guyminuslife · · Score: 1

      My immediate response to that is that you must be fucking half the Board of Directors, because that 2MB/sec? That's more than all of the rest of us (I no longer subscribe) get, in aggregate.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    38. Re:Fuck `Em All by FireFly9 · · Score: 1

      Oh, that was funny! I was crying!!! So fucking true!

    39. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      Wouldn't Hillary be worse (i.e. funnier) than Chelsea though?

    40. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      Lars Ulrich evil?

    41. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      All movies. All of the villians, scumbags, lawyers, druggies, losers, idiots, retards, drunks, bums and niggers are played by RIAA members.

    42. Re:Fuck `Em All by Anonymous Coward · · Score: 0

      But.....they are comcastic....they commercial told me so.

    43. Re:Fuck `Em All by docbrody · · Score: 1

      OK. that is funny. Someone decided to mod me funny for saying that the parent should be modded funny. But just to clarify, it was the "weevil" which I found funny... and he is the only one in this thread that has not been modded funny. So now I suppose I am going to get modded offtopic... sorry.

    44. Re:Fuck `Em All by n3v · · Score: 1

      Send them your "O" face!

  10. That's a negative by jjb3rd · · Score: 5, Funny

    I'm a comcast user and it works for me...perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait this is Slashdot...nevermind.

    1. Re:That's a negative by bem · · Score: 1

      Not happening here in Oregon, either.

    2. Re:That's a negative by Anonymous Coward · · Score: 0

      If you read the article and understood the tests he performed, you'd know this wasn't the case.

    3. Re:That's a negative by element-o.p. · · Score: 1

      As PP said..."Oh wait this is Slashdot...nevermind."

      I mean, c'mon -- actually reading the post? Understanding what it says before commenting? You must be new here!

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    4. Re:That's a negative by Leto-II · · Score: 1

      Hey, another low UID Oregonian!

      --
      Do not anger the worm.
  11. Neither here... by Nightwraith · · Score: 1

    Doesn't seem to be happening in Northwest Indiana either.

    Given the poor availability of the Comcast DNS servers in this area, forcing their use seems like a very quick way to flood their customer service lines.

    1. Re:Neither here... by MBGMorden · · Score: 1

      Given the poor availability of the Comcast DNS servers in this area, forcing their use seems like a very quick way to flood their customer service lines.

      Not saying it isn't a bad practice, but how often do you honestly think that their users reconfigure their system to utilize a DNS server other than that of their ISP? Sure it happens, but it's done by tech geeks like us. The entirety of their user base that does this, even if they all called, probably wouldn't be enough to "flood their customer service lines".

      Sometimes I think that we overestimate just how outraged a customer base will be to a specific change. It's akin to claiming that Pepsi is going to have to deal with a shitstorm of complaints for ceasing production of "Caffeine Free Diet Cherry Crystal Clear Pepsi".

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    2. Re:Neither here... by Nightwraith · · Score: 1

      I think you'd be surprised by the number of people (non-tech included) that are aware of the poor reliability of Comcast's DNS servers. It only happens once before they call their family tech. They'll call customer service, but CS won't be able to resolve the problem as they'll just recommend a reboot of the equipment.

      I've even known of Comcast installers (contractors) that will set the second or third DNS server entry to Verizon's DNS (4.2.2.4) just so that when their local DNS servers go down, the customer's connection will continue to resolve domain names.

      Nothing quite like having an irate housewife call on a weekend because she can't look up her webmail or Oprah's book of the week.

  12. I really am hoping this is NOT a gullibility test by way2trivial · · Score: 2, Informative

    My connection is comcast for biz-- go crazy- I took out my last subnet

    The ICSI Netalyzr Beta
    Introduction Analysis Results
    Result Summary
    74-92-106-XXX-Philadelphia.hfc.comcastbusiness.net / 74.92.106.XXX
    Recorded at 14:15 EDT (18:15 UTC) on Tue, June 09 2009. Permalink. Transcript.
    Noteworthy Events
    Minor Aberrations

    Certain protocols are blocked in outbound traffic
    Address-based Tests
    NAT detection: NAT Detected

    Your global IP address is 74.92.106.XXX while your local one is 192.168.15.XX. You are behind a NAT. Your local address is in unroutable address space.

    Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

    DNS-based host information: OK

    You are not a Tor exit node for HTTP traffic.
    You are not listed on any Spamhaus blacklists.
    The SORBS DUHL believes you are using a statically assigned IP address.
    Reachability Tests
    General connectivity: Note

    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP connections to remote FTP servers (port 21) failed.
    This is commonly due to how a NAT or firewall handles FTP traffic, as FTP causes unique problems when developing NATs and firewalls.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
    Network Access Link Properties
    Network latency measurements: Latency: 26ms Loss: 0.0%

    The round-trip time (RTT) between your computer and our server is 26 msec, which is good.
    We recorded no packet loss between your system and our server.
    TCP connection setup latency: 29ms

    The time it takes your computer to set up a TCP connection with our server is 29 msec, which is good.
    Network bandwidth measurements: Upload 4.3 Mbit/sec, Download 7.1 Mbit/sec

    Your Uplink: We measured your uplink's sending bandwidth at 4.3 Mbit/sec. This level of bandwidth works well for many users.
    Your Downlink: We measured your downlink's receiving bandwidth at 7.1 Mbit/sec. This level of bandwidth works well for many users.
    Network buffer measurements: Uplink 229 ms, Downlink 220 ms

    We estimate your uplink as having 230 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic.
    We estimate your

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  13. Using OpenDNS here by rpmonkey · · Score: 1

    I switched my DNS to OpenDNS because Comcast's DNS servers were unreliable for me. I am definitely hitting OpenDNS because if I typo a domain I'm redirected to the OpenDNS guide page. I'm a Northern California Comcast user.

    1. Re:Using OpenDNS here by pdragon04 · · Score: 1

      You're missing the point of the article. Even if you use OpenDNS, you're still getting redirected to Comcast's DNS servers.

    2. Re:Using OpenDNS here by Anonymous Coward · · Score: 0

      I switched my DNS to OpenDNS because Comcast's DNS servers were unreliable for me. I am definitely hitting OpenDNS because if I typo a domain I'm redirected to the OpenDNS guide page. I'm a Northern California Comcast user.

      Same here. Southern Maine user.

    3. Re:Using OpenDNS here by Improv · · Score: 1

      Not if they're reaching the OpenDNS guide page on typos.

      --
      For every problem, there is at least one solution that is simple, neat, and wrong.
    4. Re:Using OpenDNS here by pdragon04 · · Score: 1

      If you're not experiencing the issue described in the article, you're right, you'll see the OpenDNS error page. If you're experiencing what the article is describing, you will not see the OpenDNS error page, but whatever Comcast redirects you to.

    5. Re:Using OpenDNS here by cube135 · · Score: 1

      And he said that he's reaching the OpenDNS error page on typos.

    6. Re:Using OpenDNS here by argiedot · · Score: 1

      You're missing the point. Even if you use OpenDNS, you're still getting redirected to Comcast's DNS servers.

  14. That's it! I'm giving up the booze! by Anonymous Coward · · Score: 0

    Somma bitch! I'm having this really weird deja vu! I think I'm seeing your post twice, but slightly different! I guess this is what happens when you're a serious alcoholic!

    Fuck! I'm going to pour every drop of booze in my house down the sink!

    1. Re:That's it! I'm giving up the booze! by interkin3tic · · Score: 1

      Fuck! I'm going to pour every drop of booze in my house down the sink!

      Comcast has rerouted your sink too, so that will only help them! Getting drunk in this case? Not one of their better evil plans...

  15. No problems for me by Anonymous Coward · · Score: 0

    I use OpenDNS and it seems to be functioning fine. My requests show up on my account and I get the occasional OpenDNS search if I mistype something.

  16. Comcast is not alone in this by timon · · Score: 1

    I use Sprint Mobile Broadband at home and the last time I checked (several months ago), they were still intercepting and redirecting port 53 traffic.

    --
    Zero tolerance equals zero intelligence
  17. Security by YayaY · · Score: 1

    They could be doing this for security reasons, to prevent DNS domain hijacking.

    --
    Votator.com implements a fair voting scheme (free
    1. Re:Security by Anonymous Coward · · Score: 1, Insightful

      They could be doing this for security reasons, to prevent DNS domain hijacking.

      Yeah, right.

    2. Re:Security by Anonymous Coward · · Score: 0

      They could be doing this for security reasons, to prevent DNS domain hijacking.

      That could be true. After all anyone else could hijack the DNS request right after comcast hijacks it first... Oh wait

    3. Re:Security by Anonymous Coward · · Score: 0

      You can't be serious? What are you the PR guy for Comcast?!

    4. Re:Security by Crudely_Indecent · · Score: 1

      That is the exact reason I redirect DNS traffic on my network.

      Users cannot be trusted to enter correct information, they cannot be trusted to keep their machines free of infection and as a result, I receive more support requests. It only took 3 escalated calls to make up my mind about DNS redirection.

      No more hijacking, users on my network may utilize external DNS only if they can tunnel to it (this takes care of my business clients)

      I've had no complaints (I'm serious, not a single one)

      --
      "Lame" - Galaxar
    5. Re:Security by YayaY · · Score: 1

      Think about it. What if someone changes your DNS setting to a hostile DNS server? The domain name of your bank could resolve to a hostile web server that could trick you into entering your login info.

      --
      Votator.com implements a fair voting scheme (free
  18. Doesn't happen for me by nedlohs · · Score: 1

    with comcast in NJ.

    Then again, I don't get advertising page IPs in response to non-existent names either.

  19. DNS-Based Filtering by Bicx · · Score: 2, Interesting

    So does this mean that my DNS-based filtering through OpenDNS would stop? If so, my kids could be stumbling onto porn, malware, and dangerous sites that I was trying to shield them from. Thanks Big Brother! That's just awesome. No, that's Comcastic!

  20. Well Written! by sys.stdout.write · · Score: 1

    I believe all academic journals should be published in the prose employed by the write-up. Well done, sir!

    For those of us in the Midwest, Charter Communications can suck it too.

    1. Re:Well Written! by David+Gerard · · Score: 1

      YM "I believe all academic journals should be fucking published in the goddamn prose. Assfelchers."

      --
      http://rocknerd.co.uk
  21. I'm in philly (Comcast HQ) by Anonymous Coward · · Score: 0

    I ran the ICSI Netalyzr and it reported this as one of my "minor concerns":

    Reachability Tests:
    UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
    The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
    The applet was also able to directly request a large DNS response.

  22. If you want real Comcast fun... by NecroPuppy · · Score: 1

    Take a look at the packet loss on their Augusta, GA servers. Regularly, from 10 PM to 1 AM (or later), 50%+ packet loss.

    I know because a buddy's radio show keeps crapping out, and it goes through there. But when I rebroadcast the show as a test (and don't go through that server), the issues don't happen.

    But their L1 and L2 techs can't figure out the problem.

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
    1. Re:If you want real Comcast fun... by Exawatt · · Score: 1

      There's a couple of servers that have similar problems across the country. I have to pass through two of 'em to get to Blizzard's servers to play WoW. It's sad when people from Europe have lower latency than I do. :-/

    2. Re:If you want real Comcast fun... by Anonymous Coward · · Score: 0

      You don't understand how DNS works (or TCP/IP, for that matter).

    3. Re:If you want real Comcast fun... by Anonymous Coward · · Score: 0

      Having just dealt with L1 and L2 techs with another ISP, let me tell you there's no difference in competence (Actually the one guy who DID fix my problem was AFAIK a L1 tech I got on my 4thish call BEFORE being rerouted, and unlike the 'L2' tech I'd gotten the day before this guy actually had the knowledge and router access to determine there was a problem, and get ahold of someone else with privileges to fix it. Mind you it broke the next day, and then wasn't resolved for ~3 more days when the actual network technicians came back from their weekend break... WTF?)

      Anyway, the point is big ISPs are retarded across the board, to the point of appearing collusive.

  23. Comcast results in Houston, TX by macklin01 · · Score: 3, Informative

    Here are the ICSI results. Results are from a PC behind a bog-standard Linksys WRT-54g, for what it's worth.

    Not my field, but I see Direct TCP access to remote DNS servers (port 53) is allowed. I'll leave it to the networking experts to pick through the rest of the report.

    --
    OpenSource.MathCancer.org: open source comp bio
    1. Re:Comcast results in Houston, TX by EvilBudMan · · Score: 1

      I think you have to test with a static IP. You are behind NAT, so I don't think you are going to be running a web server. I think what has happened is that someone like me with a static IP ran the test, but I forgot, we are not running a web server, so it couldn't get through. The applet got through the firewall and hit a dead end. No one else is getting it blocked, pretty much, so I'm suspicious about it.

      BTW, I would post a link to my IP address on /. I would cut n paste and leave the vitals out of it.

  24. Hmmm... by tthomas48 · · Score: 1

    Interesting side-note. Time Warner's DNS servers stopped working recently for my Playstation 3. I switched to OpenDNS and all is well, but does anyone have an idea what's going on here? I thought DNS was DNS.

    1. Re:Hmmm... by metamatic · · Score: 1

      What's going on is that ISPs often have underpowered and badly maintained DNS servers.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    2. Re:Hmmm... by fast+turtle · · Score: 1

      TW's DNS service has been screwed up for the last 12 months at least, which is why I've been using OpenDNS though my router is configured with OpenDNS in Slot 1, TW in slot 2, OpenDNS slot 3 and TW in the final slot. Works nicely so far and I rarely hit the OpenDNS search page.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
  25. NN wars? by Red+Flayer · · Score: 1

    If true, this is a pretty serious escalation in the Net Neutrality wars.

    It's not just an escalation in the NN wars (I didn't know we were fighting a war, anyway. I thought it was just a 'security detachment' or 'police action').

    This represents a fundamental shift in how the internet works. If you can't use your own DNS servers, or at least send requests to an outside DNS server, then the internet loses some of its ability to route around damage (again, using the convention that 'damage' includes shit like deep packet inspection, etc).

    If true, this is really a sad day... for it represents the true beginning of the end of the internet as we know it.

    And now that I've got the Chicken Little hyperbole out of the way... seems to me like Comcast wants to be a forced portal, not just an ISP. Hopefully they are rewarded with the same fate as AOL.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  26. The scary part by Chardish · · Score: 1

    This practice effectively prohibits the use of alternative DNS roots, such as OpenNIC. In other words, it gives ICANN even stronger dominance over internet naming.

    1. Re:The scary part by Anonymous Coward · · Score: 0

      This practice effectively prohibits the use of alternative DNS roots, such as OpenNIC. In other words, it gives ICANN even stronger dominance over internet naming.

      Fortunately for us, collusion is illegal in the country both of those companies are in.
      It also voids probably around 100% of their TOS, since I have no doubt it refers to what comcast sells as 'internet service' which they no longer provide at all (Wow, AOL actually helped define legal terms in court which come back to help.. who'd of thunk it!)

      Costing them a lot of money that otherwise would have been profit is the only language these companies care to understand. It's time people spoke it, loudly...

    2. Re:The scary part by Culture20 · · Score: 1

      In other words, it gives ICANN even stronger dominance over internet naming.

      Technically, it gives local ISPs stronger dominance over internet naming. Not that they can enforce it beyond their fiefdom...

  27. Not for me... by catseye · · Score: 1

    Comcast customer in Colorado, just outside of Boulder. Not happening here; I use OpenDNS and am definitely hitting their servers.

    --
    What did the walrus say to the penguin? "No soap, radio."
  28. Works fine in Chicago too by hoosbane · · Score: 1

    Just tried it from my home machine on Comcast in Chicago, and nothing's being redirected. Lookups for non-existent domains return NXDOMAIN like they should.

  29. Netalyzer results by MostAwesomeDude · · Score: 2, Interesting

    http://netalyzr.icsi.berkeley.edu/restore/id=ae8199f5-18807-f5eeee66-ce59-42a4-8803

    Note that my DNS servers are Level3 servers (4.2.2.2, 4.2.2.4) since they are much faster than Comcast DNS.

    --
    ~ C.
    1. Re:Netalyzer results by julesh · · Score: 1

      Note that my DNS servers are Level3 servers (4.2.2.2, 4.2.2.4) since they are much faster than Comcast DNS.

      My last ISP used to give out 4.2.2.4 as the DNS server to use for all requests when you connected. It was fucking slow. I don't know how slow comcast is, but if that's better, they must _really_ suck. :)

    2. Re:Netalyzer results by Anonymous Coward · · Score: 0

      http://netalyzr.icsi.berkeley.edu/restore/id=ae8199f5-18807-f5eeee66-ce59-42a4-8803

      Note that my DNS servers are Level3 servers (4.2.2.2, 4.2.2.4) since they are much faster than Comcast DNS.

      Not only are they faster, but IME comcast's servers go down on a fucking weekly basis. Totally unacceptable.

      Additionally, as comcast is a level 3 customer, they're not going to be blocking us from using those any time soon.

  30. Just run BIND in your computer by Anonymous Coward · · Score: 0, Informative

    or set up a server on your LAN... run BIND, set up to do recursive lookups... and use that as your DNS server

    1. Re:Just run BIND in your computer by argent · · Score: 3, Informative

      And your recursive DNS server performs its own lookups via requests on port 53 to the root servers, which get intercepted by Comcast, ...

  31. Damn! That may stop my plan...... by whoever57 · · Score: 3, Funny

    Last time I had some spare time in an airport, I found that the T-Mobile hotspot allowed 53/UDP traffic out, so I was thinking of setting up openvpn on port 53 (instead of its usual 1194) in order to access my home machines (without a T-Mobile login). If Comcast intercepts this traffic, my evil plan won't work!

    --
    The real "Libtards" are the Libertarians!
    1. Re:Damn! That may stop my plan...... by AndrewNeo · · Score: 1

      I think they're intercepting outgoing from your home, not incoming, so your plan may actually still work (at least from the home end)

    2. Re:Damn! That may stop my plan...... by Anonymous Coward · · Score: 0

      Sounds like you need port 80,81 or 8080.

    3. Re:Damn! That may stop my plan...... by Guanix · · Score: 3, Interesting

      Have you heard of IP over DNS? The DNStunnel software sends IP packets as TXT records over a real DNS, the client sends data in the request itself. Since these are real resolvable DNS records, proxying port 53 won't work. When I tried this software, I could only get a single stream over the tunnel, so I ran SSH over the DNStunnel and used ssh to forward a TCP port that I then ran OpenVPN on. This actually works, but it is very slow. And I can imagine that people would eventually find out because the wifi provider's DNS cache will fill up with IP data.

    4. Re:Damn! That may stop my plan...... by Anonymous Coward · · Score: 0

      Which is why you should be using port 443 for your openvpn server. No one's going to block https.

    5. Re:Damn! That may stop my plan...... by hab136 · · Score: 1

      the wifi provider's DNS cache will fill up with IP data.

      No, the timeout on the returned data is set very low, so it expires immediately.

      They may wonder why they're sending/receiving megabytes of DNS traffic though.

  32. Comcast results in PA. by thesolo · · Score: 1

    Here are my ICSI results.

    Direct UDP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.


    My office is just outside of Philadelphia, so southeastern PA, for regional results.

    1. Re:Comcast results in PA. by xenolion · · Score: 1

      All OK on the other side of the state in Pittsburgh. Something is not right with all of this; no one can show what the story says.

  33. OpenDNS by Clipless · · Score: 2, Interesting

    A good friend of mine was using OpenDNS on Comcast and one day, without warning, his internet service was cut off.
    When he called the phone rep said that Comcast had disabled his internet because he was not using their DNS server and that if he wanted to have Comcast as a provider he had no choice but to use DNS servers provided by DHCP!

  34. Here's a permalink showing it may be happening... by Anonymous Coward · · Score: 1, Insightful

    http://netalyzr.icsi.berkeley.edu/restore/id=4b65aebb-18883-4ded0c2e-9922-4ace-8be5

  35. Thanks for publishing the trick by Anonymous Coward · · Score: 0

    Now every ISP in the world will know that it could be useful to do that. Thanks for letting them know about these tricks. This ensures that DNS will be useless in a few years...

  36. Not in philly by dtdmrr · · Score: 1

    So far

  37. Is this happening for ANYONE? by Itninja · · Score: 5, Insightful

    Was the original poster a shill for some other ISP or what? An anonymous user submits a story decrying a great technical wrong by Comcast, that no one appears to be able to reproduce. So a little fact check action might be in order here. Up next, "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!"

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Is this happening for ANYONE? by Anonymous Coward · · Score: 0

      Yes, Me.

      http://netalyzr.icsi.berkeley.edu/restore/id=4b65aebb-18883-4ded0c2e-9922-4ace-8be5

    2. Re:Is this happening for ANYONE? by Anonymous Coward · · Score: 0

      OMG!!! Toyota sucks no one should buy one or they are Communist!

    3. Re:Is this happening for ANYONE? by nweaver · · Score: 2, Informative

      This is probably your NAT. We see such behavior among random visitors, but not those restricted to Comcast, and only a few Comcast-based visitors show this behavior.

      --
      Test your net with Netalyzr
    4. Re:Is this happening for ANYONE? by Anonymous Coward · · Score: 0

      "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!"

      You mean GM and OnStar?

    5. Re:Is this happening for ANYONE? by jonaskoelker · · Score: 1

      Toyota tracking all US drivers with a device hidden in the glove box!

      They must be terrorists! Only terrorists would monitor a whole population. You should go over and fight them over there, so you don't have to fight them at home.

      Uhmm... or something...

    6. Re:Is this happening for ANYONE? by macbuzz01 · · Score: 1

      so that's not my wife's emergency feminine hygiene product in my glove box? Smart, very smart.

    7. Re:Is this happening for ANYONE? by Anonymous Coward · · Score: 0

      come on, someone has to create slashdotminuskdawson.org

  38. Falsely advertising "Internet access" by davidwr · · Score: 2, Interesting

    Are you buying "Internet access" or something else? If you bought "Internet access" and you aren't getting it that's breach of contract. Odds are you are buying "partial Internet access as spelled out by the terms and conditions" which is probably not "Internet access."

    Are they advertising "Internet access" or something else? If they are advertising "Internet access" and not delivering, that's false advertising. Unfortunately, it takes either deep pockets or a friend in your friendly neighborhood Attorney General's office to fight this battle.

    Of course, most major ISPs haven't delivered "Internet access" to home users for years. They routinely block port 25 and other widely-abused ports, and some throttle traffic in ways that are not non-discriminatory. Business users, especially big business users, usually can get real Internet access but they have to pay.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Falsely advertising "Internet access" by adolf · · Score: 1

      It's worth noting that the Netalyzer says my AT&T Uverse connection works fine, complaining only that upstream buffering might be a little heavy (which is typical for any consumer broadband). All the usual ports are open, including 25(*), except for those that I have blocked on purpose (Netbios, SMB, etc). I've never seen any throttling, even with hundreds of gigabytes of torrents monthly. I guess this means that AT&T gives me "real internet access."

      Just FYI, FWIW, etc. They're even pretty responsive toward questions and problems -- I have cell phone numbers for the individuals who installed my service, and the desk phone for the local manager, and I didn't have to fight anyone to get this information. They just gave it to me as par for the course. This makes it feel, to me, a lot more like a local ISP than the huge conglomerate that it really is.

      *: Port 25 is blocked by default on Uverse. It takes a phone call to tech support to get it switched on, which I've done. This seems reasonable enough to me, in light of the current problems with zombie spam botnets. Helpful hint: The native English-speaking Uverse techs seem pretty well clued and are remarkably easy to work with, while their outsourced non-native-English-speaking script-readers are a pain in the ass. If you get the non-English kind, just hang up and try some other time -- it's not worth the effort to fight your way past them to the better-clued techs. Once you get someone on the phone with their wits about them, getting port 25 turned on takes only about a minute.

  39. Boston South Shore: Nope by Tokerat · · Score: 1
    [machine]:~ [user]$ nslookup comcast.sucks.com testserv.mydomain.com
    ;; connection timed out; no servers could be reached

    This was tested on testserv.mydomain.com (doesn't exist) because I knew it wouldn't respond. I don't have an outside box to test it with, so while not 100% conclusive, according to this test I should still get a DNS response if Comcast is intercepting. ICSI Netalyzr shows the following:

    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed. The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP access to remote FTP servers (port 21) is allowed.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked. This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked. This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked. This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.

    Are you sure Comcast is doing this, or is it being intercepted by a NAT gateway or proxy?

    --
    CAn'T CompreHend SARcaSm?
  40. California? by bogaboga · · Score: 0, Offtopic

    Californians are in some kind of budget crisis...or are they? I am in Timbuktu if that matters.

  41. errmm... by Tmack · · Score: 2, Informative
    Most DNS traffic uses UDP.

    TCP is generally only used for excessively large requests or zone transfers

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
    1. Re:errmm... by macklin01 · · Score: 1

      Whoops! Good point. :-)

      Here's the relevant line, then: Direct UDP access to remote DNS servers (port 53) is allowed.

      Thanks -- Paul

      --
      OpenSource.MathCancer.org: open source comp bio
    2. Re:errmm... by Anonymous Coward · · Score: 0

      What exactly does the test test? If it just sends a query and reports success when it receives a response, then it may fail to distinguish between hijacked and non-hijacked queries.
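Added example (not code from the article, from Netalyzr, or from any commenter in this thread): a small Python probe that implements the check Tokerat ran in comment 39 (query a server that cannot answer; a timeout is the expected result, and any well-formed reply means something on the path answered instead) and addresses the question above about what a test must actually look at to tell a hijacked query from a normal one: it matches the reply's transaction ID to the query, and for a real resolver distinguishes NXDOMAIN from a substituted A record for a name that does not exist. Queries are sent over UDP, as comment 41 notes nearly all DNS traffic is. The wire-format encoding follows RFC 1035; the hostname, the 192.0.2.x addresses (the TEST-NET documentation range, assumed here to host no resolver) and the TTL are constructed placeholders.

```python
"""Minimal DNS wire-format probe for the dead-server and NXDOMAIN checks.

Added example. Assumptions: 192.0.2.x (TEST-NET) runs no resolver, the
sample hostname does not exist, and the reply samples are constructed.
"""
import secrets
import socket
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a standard recursive query (RFC 1035 wire format, QTYPE 1 = A)."""
    if txid is None:
        txid = secrets.randbelow(65536)            # unpredictable transaction ID
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)       # QCLASS 1 = IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return transaction ID, QR bit, RCODE and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": answers}


def classify(query: bytes, reply: Optional[bytes], server_should_answer: bool) -> str:
    """Interpret a reply (or its absence) for the probe that produced `query`.

    server_should_answer=False is the dead-server test: a matching reply from
    an address that runs no resolver means the query was answered in transit.
    server_should_answer=True is a normal resolver: report NXDOMAIN versus an
    A record, so a nonexistent name that "resolves" becomes visible.
    """
    if reply is None:
        return "timeout"
    r = parse_response(reply)
    if r["id"] != struct.unpack(">H", query[:2])[0] or not r["qr"]:
        return "unrelated"                           # not an answer to our query
    if not server_should_answer:
        return "intercepted"
    if r["rcode"] == 3 and not r["answers"]:
        return "nxdomain"
    if r["rcode"] == 0 and r["answers"]:
        return "answered"
    return "other"


def probe(server: str, name: str, timeout: float = 2.0):
    """Send one UDP query to server:53 and return (query, reply_or_None)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            return q, s.recvfrom(4096)[0]
        except socket.timeout:
            return q, None


def make_reply(query: bytes, rcode: int, a_records=()) -> bytes:
    """Construct a reply to `query` (offline sample data only; this is not a resolver)."""
    txid = struct.unpack(">H", query[:2])[0]
    hdr = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in a_records)              # name is a pointer to the question
    return hdr + query[12:] + rrs


if __name__ == "__main__":
    # Live dead-server test against the assumed-silent TEST-NET address.
    print(classify(*probe("192.0.2.1", "nonexistent-name.example"), server_should_answer=False))
```

Run with no arguments for the dead-server test, or call `probe(resolver_ip, name)` and `classify(..., server_should_answer=True)` against the resolver you configured to see whether a typo'd name comes back as NXDOMAIN or as an address. A result of "intercepted" from the dead-server test only shows that something between you and that address answered; as nweaver notes elsewhere in this thread, a home NAT or proxy can do that as well as an ISP, so repeat the probe from outside the NAT before drawing conclusions.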

  42. If they worked maybe more people would use them by Xeriar · · Score: 1

    Was mostly a couple years ago, but even still, I had to keep a note of alternative DNS servers just in case Comcast's went on a fritz. Crazy annoying, and try explaining it to laymen!

  43. Re:I really am hoping this is NOT a gullibility te by Anonymous Coward · · Score: 0

    You should not have posted your session ID if you wanted to erase the details of your IP address.

  44. Official Response by ComcastBonnie · · Score: 4, Informative

    Hey guys, I just caught this on Twitter, and I can confirm that we do not and have not hijacked any DNS traffic in our network and certainly not to 3rd party resolvers. 'nuff said. I spoke with our DNS engineering folks, and they have confirmed. If you would like to contact me, I'm @ComcastBonnie on Twitter.

    1. Re:Official Response by ultraexactzz · · Score: 1

      Results posted above your comment would seem to confirm, which makes me wonder how this got to the front page. I doubt this is press release worthy, but it might not be a bad idea to post somewhere official that this is the case. Maybe a network status page or something?

      --
      Never underestimate the potential of Human stupidity. -Heinlein
    2. Re:Official Response by Anonymous Coward · · Score: 0

      Because Kdawson obsesses on bad news and especially when it comes to big corporations, come on what else is new around here.

      Funny this crap got rushed to the front so fast but when it comes to actual breaking news tech/science it will not show up till two full days later.

      Come on, even Digg has higher standards.

    3. Re:Official Response by Anonymous Coward · · Score: 0

      'Nuff said? Really, as if that's all that's needed from a Comcast flak is a flat denial with no explanation as to why some users are having problems. You sure you're cleared to know what the company is actually doing? You sure every tech knows what management is doing? 'Cause I don't think so. And BTW I post AC because I don't care to get an account.

    4. Re:Official Response by Linux_ho · · Score: 4, Insightful

      Even assuming you're a real Comcast representative, why should we believe anything any Comcast rep says, after witnessing the series of lies, stonewalling, and misdirection Comcast produced after being accused of interfering with BitTorrent traffic, and then again after being caught red-handed interfering with BitTorrent traffic?

      --
      include $sig;
      1;
    5. Re:Official Response by kupekhaize · · Score: 1

      Simple answer: Don't.

      When a company does nothing but give lies, damn lies, and then more lies when they are queried on this kind of thing, stop trusting anything that they say. Comcast is about as transparent as a brick. I think most Slashdot users know better than to take in the swine that Comcast regularly spews out of their corporate mouths in the name of customer retention. I'm sorry, but some random person making a new Slashdot account and posting an "official" response doesn't do it for me.

      Their LAWYERS went to CONGRESS and LIED. They went to their entire customer base AND LIED. And then changed their policies with nothing more than a "Who, us?" reaction. "Reasonable network management" MY ASS. Don't trust anything these idiots say.

      With that being said, seeing how no one has been able to reproduce so far, I think they are in the clear.

      This time.

      --
      One of these days i'm going to find this 'peer' guy and reset HIS connection!
    6. Re:Official Response by QuietObserver · · Score: 1

      When a company does nothing but to give lies, damn lies, and then more lies

      You forgot statistics.

      Mark Twain (attributed to Benjamin Disraeli): "There are three kinds of lies: lies, damned lies, and statistics." (Google the last part for the reference)

    7. Re:Official Response by religious+freak · · Score: 1

      Way to be a dick to a hard working front line employee... yeah, I'm sure Comcast Bonny will get right on calling the board about the issues you mention...

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    8. Re:Official Response by Anonymous Coward · · Score: 0

      "Hard working front line employees" are also the ones who astroturf to cover up shady practices, but don't let that little detail bother you.

  45. As one of the authors of Netalyzr... by nweaver · · Score: 5, Interesting

    We have not seen any redirection issues with Comcast users' DNS settings.

    Questions on netalyzr itself will be answered in this thread.

    --
    Test your net with Netalyzr
    1. Re:As one of the authors of Netalyzr... by Anonymous Coward · · Score: 0

      Question: Did you happen upon this story in the course of your regular browsing habits, or did you just notice you were getting slashdotted and came to investigate?

    2. Re:As one of the authors of Netalyzr... by msimm · · Score: 1

      Thanks, great project.

      --
      Quack, quack.
    3. Re:As one of the authors of Netalyzr... by nweaver · · Score: 4, Informative

      A colleague who knew about our launch told us we just got slashdotted.

      We actually WANT to get slashdotted, because that helps us measure the network.

      --
      Test your net with Netalyzr
    4. Re:As one of the authors of Netalyzr... by Anonymous Coward · · Score: 0

      Post an 'Ask Slashdot' on Firehose, I'm sure it will get picked up.

    5. Re:As one of the authors of Netalyzr... by nweaver · · Score: 1

      We did do a story submission, but not as an ask-slashdot. The article did not get accepted.

      We will probably wait until we are out of beta before we attempt to submit a story to slashdot again ourselves.

      --
      Test your net with Netalyzr
    6. Re:As one of the authors of Netalyzr... by wren337 · · Score: 2, Interesting

      Looks like wowway is hijacking www.google.com, capturing the search and then doing a 302 to the actual search page (?)

      http://netalyzr.icsi.berkeley.edu/restore/id=4b65aebb-24385-1985f52c-c397-4cc4-b780

    7. Re:As one of the authors of Netalyzr... by nweaver · · Score: 1

      Are you a Wow Way customer? If so, please email netalyzr-help@icsi.berkeley.edu

      We would like to look into this in more detail.

      thank you.

      --
      Test your net with Netalyzr
    8. Re:As one of the authors of Netalyzr... by mistahkurtz · · Score: 1

      We will probably wait until we are out of beta before we attempt to submit a story to slashdot again ourselves.

      don't worry about it. when you're on v2.2, and everyone knows about netalyzr, the original submission will be accepted and posted to the front page :)

      --
      not only is time travel possible, it's irrelevant.
  46. So let me see if I have this straight... by BaronHethorSamedi · · Score: 5, Informative

    An anonymous reader submits a "story" linking to a random blog spouting off rumors about a nefarious scheme by Comcast to redirect port traffic. The "story" is then published under a headline asserting the rumor as fact, while the summary is actually a plea for the fact-checking on the story to be done by readers.

    News for nerds, indeed.

    1. Re:So let me see if I have this straight... by harryandthehenderson · · Score: 1, Insightful

      Welcome to kdawson, editor extraordinaire.

    2. Re:So let me see if I have this straight... by Alzheimers · · Score: 4, Insightful

      Welcome to the new Media Democracy.

    3. Re:So let me see if I have this straight... by DaveV1.0 · · Score: 1

      You must be new here.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    4. Re:So let me see if I have this straight... by Anonymous Coward · · Score: 1, Informative

      I can understand the paranoia at least. We've seen this kind of shit being pulled before.

    5. Re:So let me see if I have this straight... by Nimey · · Score: 1

      For small values of "editor", and of "extraordinaire".

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    6. Re:So let me see if I have this straight... by Anonymous Coward · · Score: 0

      Hey, slow news day.

    7. Re:So let me see if I have this straight... by Anonymous Coward · · Score: 0

      I'd rather a user submit this and make a legitimate mistake versus Comcast screwing loads of customers over, which they have done in the past. Hell, they've flat out phrackin lied in the past.

      At the very least, Comcast will see the shitstorm, and be less likely to implement such a strategy if they aren't now. It's also at least interesting to those of us who follow Comcast's screwups--their networks are not all the same or treated equally; particularly, California and western state subscribers seem to have a different network setup than the southern states, and the eastern states still a different setup. An area which does not show these issues does not mean it's not affecting a different area.

      This is the company that has unsecured URLs in user accounts. This is a company that has TV, signal, and network monitors, yet doesn't know when entire networks go down, or argues with users or wastes people's time sending out techs versus checking main trunk lines. This is the company that is frequently a local monopoly.

      So a user made a mistake. Darn. Lots of people looked into it. Good. Comcast burned the bridge of good will from their customers a couple of years back. They have to earn it back; it's not given.

  47. Federal Wiretapping Laws by Anonymous Coward · · Score: 0

    If this is true, wouldn't it be a violation of the Federal Wiretapping Act? They are certainly intercepting electronic communications, and worse yet, they are redirecting them and sending their own response. Is anyone an actual lawyer that is familiar enough with the act to comment intelligently on whether this is a violation or not?

  48. As most of you may have noticed by now.... by Anonymous Coward · · Score: 0

    Comcast does not intercept port 53. A check using Netalyzr from ICSI or running a dig or nslookup will validate this for you against any third party resolver or any of the Comcast DNS servers.

    This is just plain old FUD.

  49. Everything is dandy in my town by eclectro · · Score: 1

    That is, Comcast Town

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  50. Re:I really am hoping this is NOT a gullibility te by x78 · · Score: 0
    --
    Don't panic
  51. Port 53 Rerouted in Seattle :| by stacysmomsmokesabong · · Score: 2, Interesting

    I can verify this is happening in Lynnwood, WA - just north of Seattle - on my Comcast residential connection. First port 25 is blocked, now 53 is being rerouted? GD Comcast is a bunch of toolsheds.

    My working third party server connected to the dummy DNS server just fine, while my home Comcast connected PCs couldn't. Tested in Windows 2008, Gentoo and Windows XP @ home - same results on all 3.

    Netalyzr results: here

    1. Re:Port 53 Rerouted in Seattle :| by aaronmarks · · Score: 1

      I have Comcast Business Class Internet in Seattle and I'm not re-routed; everything is working as it should. I internally have a split-horizon DNS setup where all DNS requests that are non-local are forwarded to OpenDNS's servers.

    2. Re:Port 53 Rerouted in Seattle :| by stacysmomsmokesabong · · Score: 1

      Hmm, it seems I'm one of maybe (just maybe...) two people who report 53 being re-routed. Perhaps it's a fluke on my end as I've been having VERY bad issues with the signal cutting out for hours at a time this week.

      I think I'm in agreement that the original article may not have been factual. I'll re-run my findings tonight (which is typically when the connection is most stable) and see what happens.

    3. Re:Port 53 Rerouted in Seattle :| by nweaver · · Score: 3, Informative

      Your netalyzr results show no DNS issues in the link you posted, using a Comcast DNS server:

      c-24-22-147-111.hsd1.wa.comcast.net / 24.22.147.111

      Direct UDP access to remote DNS servers (port 53) is allowed.
      The applet was also able to directly request a large DNS response.

      The IP address of your ISP's DNS Resolver is 68.87.69.147,
      which resolves to bvrt-cns01.beaverton.or.bverton.comcast.net.

      Your ISP correctly leaves non-resolving names untouched.

      --
      Test your net with Netalyzr
    4. Re:Port 53 Rerouted in Seattle :| by stacysmomsmokesabong · · Score: 1

      I wonder why I wasn't able to contact my netcat "DNS Server" then? No firewall or hosts restrictions on the "DNS Server" and another non-Comcast server can hit it just fine.

      *shrugs* it seems like I'm fine then - just something else flaky going on.

    5. Re:Port 53 Rerouted in Seattle :| by clone53421 · · Score: 1

      Um, those Netalyzr results show that port 53 was connecting just fine.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    6. Re:Port 53 Rerouted in Seattle :| by DarthVain · · Score: 1
  52. Have to test tonight. by Rene+S.+Hollan · · Score: 1

    I have the luxury of residential AND commercial internet service from Comcast in Monroe, WA. I can try both tonight.

    --
    In Liberty, Rene
  53. Sorry Guys... by Anonymous Coward · · Score: 0

    Sorry guys, he's a hijacked machine on my botnet. I apologize about the story.

  54. Article is full of it by Dog-Cow · · Score: 1

    I tested this with a server on a Comcast biz account (MI) going to a server on a non-Comcast network. Worked fine.

  55. BS? by singingjim1 · · Score: 0

    So basically this story is total bullshit? Here on Slashdot? Shocking. Even if it was true who does this affect? About 20 of you out there that would even notice? For the average user this makes absolutely no difference in our service. Yes, I'm just an average user. Sorry! Sorry I'm just an average user!

    1. Re:BS? by NotBornYesterday · · Score: 1

      Sorry is no excuse. ;)

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    2. Re:BS? by singingjim1 · · Score: 0

      That response was average.

  56. Port 53 NOT Rerouted in Seattle area by MortimerV · · Score: 1

    I'm in Bellevue, WA, and it's not happening to me.

  57. lack of competition by Anonymous Coward · · Score: 0

    The more the big guys push the small guys out of business, the more this kind of crap is going to happen...

  58. nslookup www.google.com flibitteyglibbit.com by goffster · · Score: 1

    look at that... it still worked.

    I wonder if comcast decided to serve your request when it could not resolve your dns server?

  59. Perhaps Comcast DNS proxy redirects non-responders by Rene+S.+Hollan · · Score: 1

    Hmm. I RTFA and it appears that the author's beef is that Comcast is responding where the responder is non-existent.

    To replace unresolved DNS lookups with IP addresses of ad servers, Comcast has to proxy port 53 traffic, yes?

    Well, if they do that, they can certainly redirect to their own DNS resolvers if the specified DNS resolver is non-responsive, just as easily as they can substitute an IP address when the specified resolver fails to resolve.

    They can also redirect all port 53 traffic to their resolver, always, but it does not appear that they are doing this.

    That doesn't strike me as evil as the article suggests. Still, they should disclose that they do this.

    --
    In Liberty, Rene
  60. business or home comcast? by MoFoQ · · Score: 1

    I wonder if a business class versus a home/residential version of Comcast service makes a difference.
    And which one the guy used?

  61. Comcast isn't sending you to a search for porn by MattW · · Score: 1

    Non-authoritative answer:
    Name: comcast.sucks.com
    Address: 207.69.131.9
    Name: comcast.sucks.com
    Address: 207.69.131.10

    [matt@manticore ~]$ whois 207.69.131.10
    [Querying whois.arin.net]
    [whois.arin.net]

    OrgName: EarthLink, Inc.
    OrgID: ERMS
    Address: 1375 PEACHTREE ST, LEVEL A
    City: ATLANTA
    StateProv: GA
    PostalCode: 30309
    Country: US

    NetRange: 207.69.0.0 - 207.69.255.255
    CIDR: 207.69.0.0/16
    NetName: EARTHLINK2000-D
    NetHandle: NET-207-69-0-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: ITCHY.EARTHLINK.NET
    NameServer: SCRATCHY.EARTHLINK.NET
    Comment:
    RegDate: 1998-10-20
    Updated: 2007-03-30

    RTechHandle: DAE4-ARIN
    RTechName: Domain Administrator, Administrator
    RTechPhone: +1-404-815-0770
    RTechEmail: arinpoc@corp.earthlink.net

    OrgAbuseHandle: ABUSE60-ARIN
    OrgAbuseName: ABUSE TEAM
    OrgAbusePhone: +1-404-815-0770
    OrgAbuseEmail: abuse@abuse.earthlink.net

    OrgTechHandle: ELNK-ORG-ARIN
    OrgTechName: EarthLink, Inc.
    OrgTechPhone: +1-404-815-0770
    OrgTechEmail: arin_tech@lists.corp.earthlink.net

    So I'm thinking... ok, if Comcast hijacked your dns, why would they send it to an earthlink IP?

    So I navigate to 207.69.131.9...

    And I get javascript redirecting me to:

    http://earthlink-help.com/main?AddInType=Bdns&Version=1.4.11&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&Referer=&FailedURI=http%3A%2F%2F207.69.131.9%2F&SearchQuery=

    Where I get some kind of branded search and this:

    We are sorry, porn cannot be found.
    We suggest that you check the spelling of the web address or try a different search term.

    I'm not sure why Comcast would redirect you to Earthlink in the first place... but even if they did, I seriously doubt they'd redirect you to a search for pr0n in particular. Time to dig a little more.

    1. Re:Comcast isn't sending you to a search for porn by gothic · · Score: 1

      Right, I think this guy may need to check what his DNS servers are set to. Attempting to use my Comcast DNS servers (Much like all the others here on the Slashdot), I get NXDOMAIN results back for fake domains.

      Doing a quick search online for Earthlink DNS servers, I came back with one at 207.217.126.81. Running a query against this server (From inside and outside Comcast's network) returns the 207.69.131.9 & 207.69.131.10 IPs.

      Unlikely to be a Comcast issue, maybe more of a PEBKAC issue.

    2. Re:Comcast isn't sending you to a search for porn by gothic · · Score: 1

      Snap.. Forgot his traffic was being intercepted, not his DNS queries.. Shoots my theory in the butt.

    3. Re:Comcast isn't sending you to a search for porn by clone53421 · · Score: 1

      -1 Uninformed

      Just because the server said "ZOMG P0RN!" when you asked it for "http://207.69.131.9" doesn't mean there wasn't supposed to be a more appropriate error page when you try to navigate to "http://www.nklasebvzvk.com" and the DNS server tells you to request the page from 207.69.131.9.

      Servers discriminate based on the HTTP_HOST field all the time. You can run two separate web sites on the same server (and many hosting companies do) using the HTTP_HOST to determine which page to send... the IP address will be the same for both domains.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    4. Re:Comcast isn't sending you to a search for porn by MattW · · Score: 1

      Did you think I was pasting in ARIN queries from a unix cli and don't know how http 1.1 vhosts work? oookay.

      That said, that's a good point; of course a dns hijack search will try to be context sensitive. So I put comcast.sucks.com into my /etc/hosts file with that address and visited it...

      We are sorry, comcast cannot be found.
      We suggest that you check the spelling of the web address or try a different search term.

      Of course comcast as a term DOES have search results, but they're clearly not handling a domain + no query term situation correctly.

      I want to know more about how the OP came by his account; apparently Time-Warner offered some "combined with earthlink" accounts in some places, and then Comcast took over Time Warner's cable accounts....

      It makes me wonder if there is dns hijacking on a per-port basis, and the OP's port used to be occupied by an Earthlink customer. It's easy to see a scenario where "Earthlink powered by Time Warner" customers were hijacked, and this is an artifact.

    5. Re:Comcast isn't sending you to a search for porn by clone53421 · · Score: 1

      Ok, that's a much more interesting test than sending your browser to the IP (and the error message is a lot more according to what you'd expect, too).

      FWIW, "comcast.sucks.com" might have triggered on the word "comcast" because "sucks.com" actually resolves (74.84.194.56). When I try "comcast.sucks.com", and other actual nonexistent domains, they resolve to 208.69.36.132 (which sends me to an OpenDNS error page).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  62. NAT box? by bperkins · · Score: 1

    I wonder if this could be caused by NAT boxes interfering with DNS.

    I know my Netgear Wireless router does strange things with DNS requests but I never tried to verify what was going on.

  63. please remove links the the original article by goffster · · Score: 1

    It is simply wrong, misleading, and unworthy of slashdot

  64. Test market? by irving47 · · Score: 3, Interesting

    I don't see anyone else mentioning this, but it seems they could be using a particular area to test this "policy"

    --
    I had a sucky sig.
    1. Re:Test market? by The+Moof · · Score: 1

      There seem to be a lot of Seattle, WA people saying theirs works just fine. So I'm willing to say that it's likely an error on the part of the two people claiming it's happening to them. Perhaps there's a nameserver built into a nat/firewall device that's returning a non-authoritative answer when the target nameserver doesn't respond.

  65. Not in Oregon by Anonymous Coward · · Score: 0

    I am using OpenDNS with Comcast here in Portland, OR because their DNS servers are way freaking slow. All indications seem to be that it is working correctly.

    1. Re:Not in Oregon by tholomyes · · Score: 1

      Where did you set the DNS? At the router? Because I, too, am in Portland. I had set my router to point to OpenDNS (two different IPs) and one day about a year ago it stopped working. The only site I could reach was comcast.com. The problem persisted until I finally tracked it down to DNS and reset my router to the Comcast DNS servers.

      --
      When did the future switch from being a promise to a threat? -C. Palahniuk
  66. Re: Linus Torvalds is a turd burglar by multisync · · Score: 1, Offtopic

    I am interested in signing up for your TRON fanzine. Please advise, is it a monthly, or a quarterly?

    --
    I don't care why you're posting AC
  67. works fine here by hymie! · · Score: 1

    Howard County, MD. No problems using a specified DNS server.

  68. I hate comcast more then most... but.. by Anonymous Coward · · Score: 0

    First, I hate comcast. I have a lot of reasons to hate comcast. I wish they would just go away. their service sucks, their support sucks, and well if they wanted to suck .... I would be worried about the horrible deadly diseases they would carry.

    Anyways. I understand for the geek this sucks, but for the average home user, I think this is a good thing. How many less computers will be hijacked due to not being redirected to some rogue site? How many clueless people will not give up their bank account information to scammers because their dns couldn't be redirected?

    I believe this is a necessary evil. I believe if they were doing it for legitimate reasons, they should have a choice to opt out for those in the clue.

    Unfortunately as scammers/crackers(btw.. WTF? crackers? all scum bags who crack computers are white? What? :P) etc escalate because more and more retards are getting on the internet without having a clue how to protect themselves, this is going to become more and more of a norm.. isps "trying to protect you from yourself".

    Think of it as getting a ticket for not wearing a seat belt. Supposedly it's to protect you from yourself.. but in reality it is to earn more money, and take away your control over your life.

    Let the flamebait flow!

  69. Re:Perhaps Comcast DNS proxy redirects non-respond by Rene+S.+Hollan · · Score: 1

    Hmm, in reflection, Comcast does not have to proxy port 53 to replace unresolved domains with their own IP address -- the resolvers can do this, and using alternate resolvers avoids the annoyance.

    Comcast could proxy port 53 and do as I described above, which would be "less evil" than what the article claims, but as others note, they don't even seem to do that.

    --
    In Liberty, Rene
  70. Rogers Cable in Canada does this. by Anonymous Coward · · Score: 0

    Rogers Cable in Canada does this.

    It's very annoying.

  71. Re:I really am hoping this is NOT a gullibility te by Ecuador · · Score: 1, Funny

    Perhaps he wanted to mask his IP?
    Pretty essential if he is running on HyperVM... ;)

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  72. FIOS VERIZON did this to me too... by NukeDoggie · · Score: 1

    I had to put a different Verizon DNS into the Router to get them to stop hijacking my DNS. I was having VPN issues and issues with stuff running as http://localhost/ and then it got my attention... They all seem to monitor as much as they can, Seems like ISP = iSPY4NSA!!!

    1. Re:FIOS VERIZON did this to me too... by Anonymous Coward · · Score: 0

      Your IQ is like 40 isn't it?

  73. Router hijacking DNS by Mondo1287 · · Score: 1

    $20 says this guy's router is actually doing the hijacking and redirecting requests to the servers it receives via DHCP.

    1. Re:Router hijacking DNS by Stauken · · Score: 1

      I was trying to figure out how to blame this guy until I realized that he was probably fully running linux (or would at least claim that) and a virus was not likely responsible. This is how. Thanks, you win one internets. :P Not like this blog ever gets updated again though, most likely. The guy probably will figure out what caused the issue and just never come back :P

  74. Re:I really am hoping this is NOT a gullibility te by EvilBudMan · · Score: 1

    I got a different result here. Not sure why yet, but just because they appear to be blocking incoming UDP 53 doesn't really bother me as we are using our static for a mail server and VPN. It's being blocked alright but as of right now I dunno how or why. You can't always trust applets like this.

    --Knoxville.hfc.comcastbusiness.net --

    --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
    The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
    The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

    We have a firewall alright, but aren't hosting any web pages so that might just be it too.

  75. Netalyzr indicates not filtered in OR by The+Master+Control+P · · Score: 1

    Direct UDP access to remote DNS servers (port 53) is allowed. The applet was also able to directly request a large DNS response.

    I, for one, am absolutely astounded that /.'s editors would post some blog rant without fact checking it first... That would be irresponsible to the point of incompetent, something virtually unheard of around here.

    It's not as if the original blog ranter said "Full disclosure: I don't know if it's Comcast or Earthlink that's responsible for this behavior..." or anything. Screw it, he's not getting in the way of your Two Minutes' Hate!

  76. lol by BitterAndDrunk · · Score: 1

    +1 history

    --
    You better watch out, there may be dogs about . . .
  77. Re: Linus Torvalds is a turd burglar by Anonymous Coward · · Score: 0

    YHBT. YHL. HAND.

  78. Delaware seems fine by wembley+fraggle · · Score: 1

    http://n7.netalyzr.icsi.berkeley.edu/summary/id=ae8199f5-24744-ed002743-edf2-4f04-8f17

    from the report:
    "Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response."

  79. Cannot verify this report by kheldan · · Score: 1

    Conducted my own test based on how OpenDNS works. Changed my DNS server settings to OpenDNS (208.67.222.222 and 208.67.220.220) then tried to browse to a non-existent web page (http://comcast.sucks.com). Since it doesn't exist, I got the OpenDNS Guide search results page instead of a 404 or some other generic error. Unless someone can poke holes in this method, this pretty clearly indicates to me that Comcast is not doing anything sketchy with DNS requests, at least not in my geographic location (Sacramento, California); as always, your mileage may vary.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
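    The thread keeps describing one experiment in different forms: the netcat "DNS server" on an outside host (comment 51), the idea that a port-53 proxy could answer for a resolver that does not respond (comment 59), the Netalyzr "firewall or proxy" output that distinguishes a well-formed query from arbitrary bytes (comment 74), and the OpenDNS NXDOMAIN test just above. The script below is an added example written for this page, not code posted by anyone in the thread or by the Netalyzr project. It builds a raw A query for a random label that cannot exist, sends it straight to a resolver you name on UDP/53, parses whatever comes back, and classifies the reply as honest NXDOMAIN, a synthesized A record, or silence. The default resolver address 208.67.222.222 (OpenDNS, as used in the post above) and the example.com base zone are assumptions; `fake_reply` only exists to exercise the parser offline with constructed data.

```python
"""Added example: probe UDP/53 directly and classify what answers for a name
that cannot exist. Not code from the thread or from Netalyzr."""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode 'a.b.c' as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Minimal RD=1 A query, no EDNS: the plain packet a stub resolver sends."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return txid, QR bit, rcode and any A-record addresses from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x0F, "answers": answers}


def classify_bogus_reply(parsed):
    """For a name that cannot exist: NXDOMAIN (rcode 3) is the honest answer.
    An A record means the resolver, or something in the path answering for it,
    is synthesizing records. None means nothing replied before the timeout."""
    if parsed is None:
        return "no-reply"
    if parsed["rcode"] == 3:
        return "nxdomain"
    if parsed["rcode"] == 0 and parsed["answers"]:
        return "synthesized:" + ",".join(parsed["answers"])
    return "other-rcode-%d" % parsed["rcode"]


def bogus_name(base="example.com"):
    """Random 16-letter label under a real zone (base zone is an assumption)."""
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    return "%s.%s" % (label, base)


def probe(resolver_ip, name, timeout=3.0):
    """Send one query to resolver_ip:53 and return the parsed reply, or None.
    Replies whose txid does not match are ignored (a basic spoof check)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        try:
            while True:
                data, (src_ip, _port) = sock.recvfrom(4096)
                parsed = parse_response(data)
                if parsed["txid"] == txid and parsed["is_response"]:
                    parsed["from"] = src_ip
                    return parsed
        except socket.timeout:
            return None


def fake_reply(query, rcode=0, addrs=()):
    """Constructed test data: turn a query into a reply carrying the given
    rcode and A records, as a resolver or a hijacking proxy would answer."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = query[12:]  # echo the question section
    for addr in addrs:
        body += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        body += socket.inet_aton(addr)
    return header + body


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "208.67.222.222"  # assumed: OpenDNS
    print(resolver, classify_bogus_reply(probe(resolver, bogus_name())))
```

    Run it once against the ISP's resolver and once against a resolver you control on a non-Comcast host, the way the testers above did with netcat. Against your own server the honest result is "nxdomain" plus a matching line in that server's query log; a "synthesized:" result, or a reply when your server logged nothing, means something between you and it answered instead. Against OpenDNS, "synthesized:" is the expected default (that is the Guide page the post above describes), so it is not by itself evidence of interception. The txid check and the question-echo in `fake_reply` are also why a proxy that only forwards well-formed queries, as in the comment 74 output, will pass this probe while still dropping arbitrary bytes sent to port 53.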
  80. "Official Response" by rednip · · Score: 4, Insightful

    Wow it's nice to know that Comcast has both a twitter account and a brand new Slashdot account. Oh, it's most likely that you're an employee (maybe tech support), I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication? If so, I'd suggest a listing on the main corporate 'contacts' page, so that it'd be easy to verify it as 'official'. Also, the DNS team (or even the guy on duty) might not be complicit in the skulduggery, so your assessment might not be correct.

    --
    The force that blew the Big Bang continues to accelerate.
    1. Re:"Official Response" by fluxrad · · Score: 4, Informative

      I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication?

      Yes she is. She's handled one of my responses before. Recently corporations have started hiring "social networking" types to answer questions on places like twitter, facebook et al. It would seem Slashdot is another one of these venues.

      --
      "It is seldom that liberty of any kind is lost all at once." -David Hume
    2. Re:"Official Response" by Anonymous Coward · · Score: 1, Informative

      Dude, there was a whole Wired article about how much effort Comcast has gone through lately with trying not to suck. Included in this article was the whole ComcastCares Twitter thing, which proved so successful that it went from one tech not wanting people to badmouth Comcast, to a team of Comcast employees deployed specifically to respond to events such as this.

      For an overwhelmingly evil company, their Twitter presence is actually one of the brightest... most human... spots that Comcast has.

    3. Re:"Official Response" by minerat · · Score: 2, Informative

      Comcast has been using twitter for a while now, under the @ComcastCares account. Multiple Comcast employees monitor twitter streams for complaints and are empowered to take action to resolve issues. ComcastBonnie (as well as a few others) are authorized (cs? pr?) representatives for Comcast. Given that her twitter page says the same thing as her post, you can probably take it at face value.

      --
      ...and you've eaten your pen. simply stunning.
    4. Re:"Official Response" by Anonymous Coward · · Score: 0

      Troll moar.

      Have you come out from under a rock and looked at the state of the internet in the last uh, 12 months? Did you miss the whole corporate Social Networking Explosion thing? Sorry. I'm totally trolling but w/e dude pay attention before you start talking. blol.

    5. Re:"Official Response" by Armarius · · Score: 2, Informative

      I can confirm that ComcastBonnie is an authorized Comcast rep. I've dealt with @comcastcares on Twitter (Frank Eliason) and Bonnie is part of that team. Frank helped me cut through some BS with my local Comcast office about a year ago. They look on the Internet for folks with complaints about Comcast, such as my blog post a year ago, and are pretty quick with the Twitter responses these days. And apparently Slashdot responses as well. @LibraryMonk

    6. Re:"Official Response" by Anonymous Coward · · Score: 0

      Gosh Bonnie, it still seems like it might be pretty easy to spoof a "real" Comcast Representative until we publish all of our official handles in a prominent place on our website.

      Love,
      ComcastChuck

    7. Re:"Official Response" by bughunter · · Score: 3, Funny

      Great, so now we can add "-1, Meatpuppet" to the list of needed moderation tags.

      --
      I can see the fnords!
    8. Re:"Official Response" by wkcole · · Score: 1

      Yeah, 'cuz you know there's never been anyone who has set up a Twitter account that claimed to be someone else. It just can't be done. Really. Wanna buy a bridge?

    9. Re:"Official Response" by TheSlashaway · · Score: 3, Funny

      ComcastBonnie can be reached at comcast.bonnie@verizon.com...

    10. Re:"Official Response" by wolrahnaes · · Score: 1

      As many things as there are to legitimately bitch about when it comes to Comcast, they were one of the pioneering companies in responding directly and publicly to complaints raised via the Internet. I don't know how long it will last, whether this is a fad or a lasting trend, but regardless of how it ends up working out I have to give them that it's great PR and seems to be working well at the moment.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    11. Re:"Official Response" by Anonymous Coward · · Score: 0

      Anyone else finds "ComcastBonnie" pretty close to "Jennifer Government" ? :)

    12. Re:"Official Response" by BitwiseX · · Score: 1

      and yet if some guy came in and said "I'm Wil Wheaton!" you'd believe it!

  81. ICSI Results in California by Vexer77 · · Score: 1

    Comcast user in California using OpenDNS with the following ICSI Netalyzer results:

    Result Summary
    c-24-7-17-xxx.hsd1.ca.comcast.net / 24.7.17.xxx
    Recorded at 15:13 EDT (19:13 UTC) on Tue, June 09 2009. Permalink. Transcript. Wildcard DNS content.
    Noteworthy Events

    Major Abnormalities

    * We received unexpected and possibly dangerous results when looking up important names

    Minor Aberrations

    * Your DNS resolver returns results even when no such server exists

    Address-based Tests

    NAT detection: NAT Detected

    Your global IP address is 24.7.17.xxx while your local one is 192.168.1.xxx. You are behind a NAT. Your local address is in unroutable address space.

    Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

    port sequence plot

    DNS-based host information: OK
    You are not a Tor exit node for HTTP traffic.
    You are listed on the Spamhaus Policy Based Blacklist, meaning that your provider has designated your address block as one that should not be sending any email.
    The SORBS DUHL believes you are using a dynamically assigned IP address.
    Reachability Tests

    General connectivity: OK
    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP access to remote FTP servers (port 21) is allowed.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
    Network Access Link Properties

    Network latency measurements: Latency: 81ms Loss: 0.0%
    The round-trip time (RTT) between your computer and our server is 81 msec, which is good.
    We recorded no packet loss between your system and our server.

    TCP connection setup latency: 98ms
    The time it takes your computer to set up a TCP connection with our server is 98 msec, which is good.

    Network bandwidth measurements: Upload 1.0 Mbit/sec, Download 6.5 Mbit/sec
    Your Uplink: We measured your uplink's sending bandwidth at 1.0 Mbit/sec. This level of bandwidth works well for many users.
    Your Downlink: We measured your downlink's receiving bandwidth at 6.5 Mbit/sec. This level of bandwidth works well for many users.

    Network buffer measurements: Uplink 370 ms, Downlink 51 ms
    We estimate your uplink as having 370

  82. Tweet by Presto+Vivace · · Score: 2, Interesting

    Comcast denies that it is doing this http://twitter.com/ComcastBonnie/status/2092813922

    1. Re:Tweet by torune · · Score: 1

      Yes, but someone else says they are doing it. So there.

      --
      In the beginning, there was nothing. Then it warped. The alternate dimensional theory of the Big Warp.
  83. No problems here by davmoo · · Score: 1

    I use Comcast and OpenDNS. Everything is as it should be here (central Indiana).

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  84. Yes! by porky_pig_jr · · Score: 1

    Getting 'response from unauthorized servers' when I do nslookup. The servers are comcast servers. Can't reach *lot's* of site, by the way, fine going via my emergency alternate route (dial in, just think of that!). Massachusetts located.

  85. Earthlink not Comcast by Anonymous Coward · · Score: 0

    This seems like it's an Earthlink issue not a Comcast one if it exists at all. According to the blog he's in some sort of deal with Comcast + Earthlink service. He's getting Earthlink Adverts on non-existent pages. His DNS 'reroutes' are rerouting to an Earthlink page. If there's any truth to this it's because of Earthlink + Comcast and not Comcast on its own.

    1. Re:Earthlink not Comcast by sdBlue · · Score: 1

      I was earthlink+TW till they got replaced in my area (MS) by Comcast.... Not a problem for me. (Results posted lower down)

  86. Not blocking in NY by grimace123_99 · · Score: 2, Informative

    Comcast DNS is working as expected in Upstate NY. I use OpenDNS from home (Comcast cable service) and all is working as expected; I can review my OpenDNS logs and see that it is indeed serving me DNS.

  87. Not in NE Massachusetts... by Anonymous Coward · · Score: 0

    (Comcast, North of Boston)

    1. Re:Not in NE Massachusetts... by Tokimasa · · Score: 1
      --
      --Thomas J. Owens
  88. TWX is MPAA, but not RIAA or cable by tepples · · Score: 2, Informative

    From your post, I don't think you're aware that Time Warner is actually one of the presiding members of the RIAA (and the MPAA).

    Time Warner is a member of the MPAA. It is not a major record label; it spun off Time-Life Records in 2003 and Warner Music Group in February 2004. It is not a cable company; it spun off Time Warner Cable in March 2009.

  89. This information is false by jlivingood · · Score: 1

    This information is false; we do not intercept port 53 traffic. The author of the linked blog should post their complete nslookup results, not the edited text they have posted. We'd also like to know what NAT is being used (some of those proxy DNS in odd ways).

    Jason
    Comcast National Engineering & Technical Operations

  90. Earthlink here by CSFFlame · · Score: 1

    My DSL line is physically leased by earthlink from covad. I use opendns, no redirection away from opendns.

  91. worse than hitler by HappyEngineer · · Score: 1

    I personally use the "worse than Hitler" meme all the time. When highway crews block a road and back up traffic I refer to them as worse than Hitler. When my landlord said I had to put my garbage can somewhere else I referred to him as worse than Hitler. My fiance has even sometimes jokingly said that I am worse than Hitler when I make some small infraction just because I use the phrase all the time.

    I personally consider it an expression of emotion rather than a logical statement.

    1. Re:worse than hitler by David+Gerard · · Score: 1
      --
      http://rocknerd.co.uk
  92. Ob. Comic by DarthVain · · Score: 1

    Sounds like more of the same...

    http://www.gucomics.com/comic/?cdate=20090527

  93. My /etc/hosts is REALLY long by Anonymous Coward · · Score: 1, Funny

    I don't trust DNS.

    My /etc/hosts is REEEEEEEEEEEEEEAAAAAAAAAAAALLLLLLLLLLLLLLLLY long.

    Every once in a while, a site doesn't work anymore.
    When that happens, I call my parents to get the new IP address.

    1. Re:My /etc/hosts is REALLY long by glenstar · · Score: 1

      You should talk to that jackass who posts on every story even remotely related to routing or DNS complaining that in Vista MS no longer allows for 64.90. to be a valid address and now needs the whole thing, or some such shit... I try to block it out so I am sure I am missing something. Although, I do seem to remember him spouting some nonsense about his hosts file now being 25MB in size... WTF!? What sort of bumbling moron would have a 25MB hosts file?

  94. Re:Perhaps Comcast DNS proxy redirects non-respond by clone53421 · · Score: 1

    they can certainly redirect to their own DNS resolvers if the specified DNS resolver is non-responsive

    The responder wasn't non-existent, the responder was simply non-responsive. The active listen on port 53 should have caught any attempt by Comcast to see if it was a "real" DNS server. To do what you describe, they still would have had to send something to the specified DNS server, which apparently never happened.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  95. VPN? by msimm · · Score: 1

    Assuming you're using a standard switch as your gateway device, it would be much easier to simply set up the DNS servers to listen on an alternate port. VPN (which I'm assuming you use for other things too) in most cases would be overkill. In fact a simple iptables rule could handle the port redirect on the listening DNS server.

    --
    Quack, quack.
  96. Not the case for me by Chris+Daniel · · Score: 1

    I'm in the Portland, Oregon area. Tag: kdawsonfud.

    --
    Don't blame me -- I voted for Roslin.
  97. Disregard; ORSN is SK by Kadin2048 · · Score: 3, Informative

    Apparently the ORSN project has been shut down, at least for the moment, due to lack of involvement and resources.

    Some of the servers continue to operate, but it was officially discontinued as of 31 Dec 2008. Too bad.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  98. Re: Linus Torvalds is a turd burglar by xeoron · · Score: 1

    With that attitude, one could also say, "After all, one only needs Emacs regardless of whether it is on a Unix-based computer or even on the almost-ready-for-the-desktop pre-MS Windows 7 OSes."

  99. Not happening in Mountain View, CA by Anonymous Coward · · Score: 0
    1. Re:Not happening in Mountain View, CA by cppchriscpp · · Score: 1

      Not in andover, ma either.

  100. Re: Linus Torvalds is a turd burglar by Anonymous Coward · · Score: 0

    It does indeed do its job very well. It crashes faster than an other OS that I have ever used.

  101. What's the big deal? by Pictish+Prince · · Score: 1

    All of us power users have all the IPs memorized.

    --
    Only his tendency toward a dazed stupor prevented him from screaming aloud.
  102. OpenDNS servers still ok from Colorado Comcast by scum-o · · Score: 1

    [root@localhost ~]# nslookup slashdot.org
    Server: 208.67.222.222
    Address: 208.67.222.222#53

    Non-authoritative answer:
    Name: slashdot.org
    Address: 216.34.181.45

  103. How to get around it by rs79 · · Score: 1

    So primary the root zone for yourself and don't use their DNS. They can't intercept DNS requests to 127.0.0.1

    The root zone is just a bunch of pointers to the TLD servers that have all the big files and the root zone is tiny.

    Just declare yourself authoritative for . and use the root zone of your choice. The legacy one is at : ftp://rs.internic.net/domain/

    --
    Need Mercedes parts ?
    1. Re:How to get around it by Wowlapalooza · · Score: 1

      Did anyone say that Comcast was only hijacking queries for the root?

      The claim is that Comcast is hijacking all DNS queries, so your "solution" only works for the tiny percentage of queries that are for the root zone, and probably doesn't even have any effect on those, since Comcast is probably leaving TLD delegations alone (what reason would they have to mess with those?)

      Or, were you suggesting that folks stuff everything they would ever want to look up into a ginormous private root zone? Good luck with that.

    2. Re:How to get around it by rs79 · · Score: 1

      I assumed they were doing this with packets without the AUTH bit set. If you ask for an authoritative answer from .com you can't get it from comcast.

      But it appears now they either aren't doing it or have stopped doing it.

      --
      Need Mercedes parts ?
    3. Re:How to get around it by Wowlapalooza · · Score: 1

      I assumed they were doing this with packets without the AUTH bit set.

      What's an AUTH bit? There's the AA (Authoritative Answer) bit, but that is only set in responses, and the allegation is that Comcast is/was redirecting query packets, not response packets. So I don't understand your assumption.

      If you ask for an authoritative answer from .com you can't get it from comcast.

      Well, DNS clients have no way in the protocol to tell their resolvers they only want an authoritative answer. The only ways I can think of, offhand, to guarantee that an answer comes from an authoritative source is either a) bypass intermediate resolvers by identifying and querying the authoritative nameservers for the relevant zone, or b) for every resolver in the resolution path to disable caching, but that would be a performance disaster. Feel free to ask Comcast to turn off caching on their nameservers; if they're running anything based on BIND, they can't just "turn off" caching; they'd either have to replace the software with something more akin to a "DNS proxy", or perhaps simulate "no caching" with some extremely aggressive early-expiration-and-cleaning parameters.

      But it appears now they either aren't doing it or have stopped doing it.

      True, but it's still an interesting academic exercise nonetheless.

  104. try democracy by emj · · Score: 2, Informative

    having your own police helps.

  105. Then start R'ing! by Anonymous Coward · · Score: 0

    "I haven't RTFM..."

    I'd suggest first RTFM, and then you'll be prepared to RTFA.

    Yes, the comments here DO say a lot. And how you got modded +5 is beyond me.

    1. Re:Then start R'ing! by mcgrew · · Score: 1

      I'd suggest first RTFM, and then you'll be prepared to RTFA

      DOH!

      how you got modded +5 is beyond me

      Me too.

  106. Re: Linus Torvalds is a turd burglar by dalurka · · Score: 0, Redundant

    You are now a level -1 Flaimbait.

    --
    If it was hard to write it should be hard to read.
  107. what is a port? by Anonymous Coward · · Score: 0

    ok, I already know it is like a train station but for ships. However, I am still looking online for something describing what a port is (i.e. Port 53, Port 80, 88, etc.).

  108. Re: Linus Torvalds is a turd burglar by machine321 · · Score: 0, Offtopic

    Probably a bi. Monthly. Bi-monthly.

  109. ICSI Netalyzer results on comcast by DragonTHC · · Score: 1

    DNS Tests

    Restricted domain DNS lookup: OK
    We are able to successfully lookup a name which resolves to the same IP address as our webserver. This means we are able to conduct many of the tests on your DNS server.

    Unrestricted domain DNS lookup: OK
    We are able to successfully lookup arbitrary names from within the Java applet. This means we are able to conduct all test on your DNS server.

    DNS resolver address: OK
    The IP address of your ISP's DNS Resolver is 68.87.74.164, which resolves to npls-cns02.bonitasprngs.fl.naples.comcast.net.

    DNS resolver properties: Lookup latency: 130ms
    Your ISP's DNS resolver requires 130 msec to conduct an external lookup.
    Your resolver is using QTYPE=A for default queries.
    Your resolver is not automatically performing IPv6 queries.
    Your DNS resolver does not use EDNS.
    Your resolver does not use 0x20 randomization, but will pass names in a case-sensitive manner.

    DNS glue policy: OK
    Your ISP's DNS resolver does not accept generic additional (glue) records -- good.
    Your ISP's DNS resolver does not accept additional (glue) records which correspond to nameservers.
    Your ISP's DNS resolver does not follow CNAMEs.

    DNS resolver port randomization: OK
    Your ISP's DNS resolver properly randomizes its local port number.
    The following graph shows DNS requests on the x-axis and the detected source ports on the y-axis.

    port sequence plot

    DNS lookups of popular domains: OK
    74 of 74 popular names were resolved successfully. Show all names.
    In the following table reverse lookups that failed but for which a Start Of Authority (SOA) entry indicated correct name associations are shown using an "X", followed by the SOA entry. Absence of both IP address and reverse name indicates failed forward lookups.
    Name IP Address Reverse Name/SOA
    www.abbey.co.uk 165.160.13.20 X (pdns1.cscdns.net)
    ad.doubleclick.net 74.125.242.24 iad09megaadvi[...]ubleclick.net
    www.alliance-leicester.co.uk 194.130.105.121 X (alice.ioko365.com)
    www.amazon.com 207.171.166.252 166-252.amazon.com
    www.ameritrade.com 204.58.27.121 beta-new.tdameritrade.com
    www.bankofamerica.com 171.161.161.173 www.bankofamerica.com
    www.bankofscotland.co.uk 195.171.171.21 X (ns0.bt.net)
    www.bankofthewest.com 207.114.194.101 X (dns1a.bankofthewest.com)
    www.barclays.co.uk 213.219.1.141 X (dns1.lon7.telecityredbus.net)
    www.capitalone.com 208.80.50.112 X (chia.arin.NET)
    www.careerbuilder.com 208.82.7.22 X (smokey.careerbuilder.com)
    www.chase.com 159.53.60.105 X (ns1.jpmorganchase.com)
    chaseonline.chase.com 159.53.64.54 resources-cdc2.chase.com
    www.citi.com 192.193.232.227 X (ns.citicorp.com)
    www.citibank.com 192.193.232.227 X (ns.citicorp.com)
    www.citimortgage.com 192.193.103.118 X (ns.citicorp.com)
    www.cnn.com 157.166.226.26 www.cnn.com
    www.desjardins.com 142.195.128.44 desjardins.com
    www.deutsche-bank.de 217.73.49.24 www.deutsche-bank.de
    www.e-gold.com 209.200.169.10 unknown.prolexic.com
    www.ebay.com 66.135.217.243 hp-core.ebay.com
    www.etrade.com 12.153.224.22 etrade.com
    www.f-secure.com 96.17.147.114 a96-17-147-114.[...]echnologies.com
    www.facebook.com 69.63.186.31 www.13.06.ash1.facebook.com
    www.fdic.gov 192.147.69.84 www.fdic.gov
    www.friendfinder.com 208.88.180.81 X (ii53-30.friendfinderinc.com)
    www.geocities.com 98.137.46.72 intl1.geo.vip.sp2.yahoo.com
    www.google.com 74.125.65.103 gx-in-f103.google.com
    www.halifax.co.uk 212.140.245.97 halifax.co.uk
    www.hsbc.co.uk 193.108.74.126 X (ns3.hsbc.com)
    www.irs.gov 96.17.147.97 a96-17-147-97.d[...]echnologies.com
    www.jpmorganchase.com 159.53.60.166 X (ns1.jpmorganchase.com)
    www.lloydstsb.com 193.34.230.181 X (ns2.lloydstsb.co.uk)
    mail.google.com 209.85.133

    --
    They're using their grammar skills there.
    1. Re: ICSI Netalyzer results on comcast by DragonTHC · · Score: 1

      Network buffer measurements: Uplink 810 ms, Downlink 390 ms
      We estimate your uplink as having 810 msec of buffering. This level can in some situations prove somewhat high, and you may experience degraded performance when performing interactive tasks such as web-surfing while simultaneously conducting large uploads. Real-time applications, such as games or audio chat, may also work poorly when conducting large uploads at the same time.
      We estimate your downlink as having 390 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic.

      --
      They're using their grammar skills there.
  110. mysterious international terr org, works in US ? by x4r · · Score: 1

    I'm a comcast user and it works for me...perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait this is Slashdot...nevermind.

    Because interfering with/exploiting DNS (can't wait for the times when DNSSEC infrastructure becomes mandatory for acquiring an ISP license (& native IPv6 perhaps!)) is the easiest way to build botnets and/or use ISPs for intelligence gathering. I mean, this case must be investigated by NSA, not FTC.

  111. Not on OpenDNS by pvera · · Score: 1

    At least for Comcast in zip 20190:

    $ nslookup
    > insomniaccoder.com
    Server: 208.67.222.222
    Address: 208.67.222.222#53

    Non-authoritative answer:
    Name: insomniaccoder.com
    Address: 72.32.231.8

    That's one of the two OpenDNS servers on port 53. Unless Comcast is faking/proxying/whatever the traffic and responding with OpenDNS' IP address.

    --
    Pedro
    ----
    The Insomniac Coder
  112. No problems in central MA by aaronl · · Score: 1

    I'm a Comcast user in Lancaster, MA. I had no problems connecting to anything, and my DNS was not being tampered with. The only blocked services were Windows networking ports (135, 139, 445).

  113. Re:I really am hoping this is NOT a gullibility te by Dark_Gravity · · Score: 1

    I took out my last subnet

    s/subnet/octet/

  114. Probably Not! by Wowlapalooza · · Score: 1

    Uh, "non-authoritative response" is what you always get (according to the RFCs) when the response came from a resolver's cache, as opposed to directly from the authoritative nameservers.

    This factoid neither confirms nor denies whether Comcast is hijacking DNS transactions.

    As for not being able to reach "*lot's* [sic] of site[sic]", since you haven't specified whether the DNS lookups are failing, this could be a totally separate problem/issue.

  115. Not happening in South Florida by Anonymous Coward · · Score: 0

    Verified not happening here via Comcast in Key West.

  116. Copy/paste troll. by SanityInAnarchy · · Score: 1

    Enough said.

    Seriously, if you're going to copy/paste, at least try one that bothered to, I don't know, at least spell properly. Web sights? Really?

    --
    Don't thank God, thank a doctor!
    1. Re:Copy/paste troll. by MikeBabcock · · Score: 1

      There seems to be a direct correlation between the ability to spell, and whether that same person has something to say worth paying attention to.

      Personally, I'm still waiting for a version of Windows that supports multiple IP addresses per network device like Linux does.

      --
      - Michael T. Babcock (Yes, I blog)
    2. Re:Copy/paste troll. by Anonymous Coward · · Score: 0

      Personally, I'm still waiting for a version of Windows that supports multiple IP addresses per network device like Linux does.

      something like this?

    3. Re:Copy/paste troll. by alteran · · Score: 1

      Personally, I'm still waiting for a version of Windows that supports multiple IP addresses per network device like Linux does.

      Well wait no more. Merely pick up a copy of Win2k from 9 years ago. Or WinXP.

      http://www.itsyourip.com/networking/how-to-add-multiple-ip-address-in-windows-2000xp2003/

      --
      Who is RTFM and when will he help me with Unix?
  117. No problems in MS by sdBlue · · Score: 1

    I was originally Earthlink dialup (I lived in a VERY rural area in California), moved to Mississippi where it became TW. TW got replaced about 2 years ago or so by Comcast. My results appear clean:

    DNS Tests

    Restricted domain DNS lookup: OK
    We are able to successfully lookup a name which resolves to the same IP address as our webserver. This means we are able to conduct many of the tests on your DNS server.

    Unrestricted domain DNS lookup: OK
    We are able to successfully lookup arbitrary names from within the Java applet. This means we are able to conduct all test on your DNS server.

    DNS resolver address: OK
    The IP address of your ISP's DNS Resolver is 68.87.74.165, which resolves to npls-cns03.bonitasprngs.fl.naples.comcast.net.

    DNS resolver properties: Lookup latency: 170ms
    Your ISP's DNS resolver requires 170 msec to conduct an external lookup.
    Your resolver is using QTYPE=A for default queries.
    Your resolver is not automatically performing IPv6 queries.
    Your DNS resolver does not use EDNS.
    Your resolver does not use 0x20 randomization, but will pass names in a case-sensitive manner.

    DNS glue policy: OK
    Your ISP's DNS resolver does not accept generic additional (glue) records -- good.
    Your ISP's DNS resolver does not accept additional (glue) records which correspond to nameservers.
    Your ISP's DNS resolver does not follow CNAMEs.

    DNS resolver port randomization: OK
    Your ISP's DNS resolver properly randomizes its local port number.
    The following graph shows DNS requests on the x-axis and the detected source ports on the y-axis.

    port sequence plot

    DNS lookups of popular domains: OK
    74 of 74 popular names were resolved successfully. Show all names.
    In the following table reverse lookups that failed but for which a Start Of Authority (SOA) entry indicated correct name associations are shown using an "X", followed by the SOA entry. Absence of both IP address and reverse name indicates failed forward lookups.
    Name IP Address Reverse Name/SOA
    www.abbey.co.uk 165.160.15.20 X (pdns1.cscdns.net)
    ad.doubleclick.net 209.62.176.153 eqnjmegaadvip3.doubleclick.net
    www.alliance-leicester.co.uk 194.130.105.121 X (alice.ioko365.com)
    www.amazon.com 72.21.207.65 X (ddiamond.amazon.com)
    www.ameritrade.com 204.58.27.97 beta-new.tdameritrade.com
    www.bankofamerica.com 171.159.65.173 www.bankofamerica.com
    www.bankofscotland.co.uk 195.171.171.21 X (ns0.bt.net)
    www.bankofthewest.com 207.114.194.101 X (dns1a.bankofthewest.com)
    www.barclays.co.uk 213.219.1.141 X (dns1.lon7.telecityredbus.net)
    www.capitalone.com 208.80.50.112 X (chia.arin.NET)
    www.careerbuilder.com 208.82.5.22 X (smokey.careerbuilder.com)
    www.chase.com 159.53.60.105 X (ns1.jpmorganchase.com)
    chaseonline.chase.com 159.53.64.54 resources-cdc2.chase.com
    www.citi.com 192.193.232.227 X (ns.citicorp.com)
    www.citibank.com 192.193.217.200 X (ns.citicorp.com)
    www.citimortgage.com 192.193.103.118 X (ns.citicorp.com)
    www.cnn.com 157.166.226.25 www.cnn.com
    www.desjardins.com 142.195.128.44 desjardins.com
    www.deutsche-bank.de 217.73.49.24 www.deutsche-bank.de
    www.e-gold.com 209.200.169.10 unknown.prolexic.com
    www.ebay.com 66.135.200.145 hp-core.ebay.com
    www.etrade.com 12.153.224.22 etrade.com
    www.f-secure.com 96.17.74.131 a96-17-74-131.d[...]echnologies.com
    www.facebook.com 69.63.184.31 www-11-01-ash1.facebook.com
    www.fdic.gov 192.147.69.84 www.fdic.gov
    www.friendfinder.com 208.88.180.81 X (ii53-30.friendfinderinc.com)
    www.geocities.com 98.137.46.72 intl1.geo.vip.sp2.yahoo.com
    www.google.com 209.85.165.99 eo-in-f99.google.com
    www.halifax.co.uk 212.140.245.97 halifax.co.uk
    www.hsbc.co.uk 193.108.74.126 X (ns3.hsbc.com)
    www.irs.gov 96.17.75.10 a96-17-75-10.de[...]echnologies.com
    www.jpmorganchase.com 159.53.60.166 X (ns1.jpmorganchase.com)
    www.lloydstsb.com 193.34.230.181 X (ns2.lloydstsb.co.uk)
    mail.google.com 209.85.165.18 eo-in-f18.google.com
    mail.live.com 64.4.20.169 dp2.mail.live.com
    mail.yahoo.com 209.191.92.114 l2.login.vip.mud.yahoo.com
    www.mbna.com 209.135.59.10 X (ns1.usi.net)
    www.mbna.net 209.135

  118. Charter Cable In St. Louis by Anonymous Coward · · Score: 0

    Direct UDP access to remote MSSQL servers (port 1434) is blocked.
    This is most likely due to a filtering rule against the Slammer worm

    Direct TCP access to remote SMTP servers (port 25) succeeds, but does not return the expected content.

    Direct TCP connections to remote POP servers (port 110) succeed, but do not receive the expected content.

    Direct TCP connections to remote IMAP servers (port 143) succeed, but do not receive the expected content.

    Your ISP's DNS server returns IP addresses even for domain names which should not resolve. Instead of an error, the DNS server returns an address of 63.251.179.56, which does not resolve. You can inspect the resulting HTML content here.

    And people were worried about comcast messing with their stuff
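
    Two points in this thread can be checked directly against the DNS wire format: Wowlapalooza's reply under post 103 that AA (Authoritative Answer) is a flag set only in responses, never in the query packets Comcast was accused of redirecting, and the Netalyzr finding just above that a resolver "returns IP addresses even for domain names which should not resolve" instead of NXDOMAIN. The block below is an added example, not code from the linked article, Netalyzr, or any commenter. It uses only the Python standard library to build a query and two constructed responses, parse the header flags (RFC 1035), and classify a reply for a name known not to exist as honest NXDOMAIN or a synthesized address. The query name, the IDs and the helper function names are the example's own; the 63.251.179.56 address is reused from the Charter result above purely as test data.

```python
import random
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # 1 = response, 0 = query
AA = 0x0400  # Authoritative Answer: only meaningful when QR is set
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired (copied from query into response)
RA = 0x0080  # recursion available
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3

# Constructed test data: the address the Charter resolver was reported above to
# return for names that should not resolve. Used only to build a sample reply.
WILDCARD_IP = "63.251.179.56"


def encode_name(name):
    """Dotted name -> DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset_after_name); follows compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(name, qid=None, rd=True):
    """A-record query: 12-byte header + question (QTYPE=A, QCLASS=IN)."""
    if qid is None:
        qid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, answers, rcode=RCODE_NOERROR, aa=False, ttl=300):
    """Response for `query`; `answers` is a list of dotted IPv4 strings."""
    qid, qflags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = QR | (qflags & RD) | RA | (AA if aa else 0) | rcode
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", qid, flags, qd, len(answers), 0, 0)
    body = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C = pointer to the question name at offset 12; type A, class IN
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + body


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def parse_a_records(msg):
    """IPv4 addresses from the answer section (other record types are skipped)."""
    h, offset, ips = parse_header(msg), 12, []
    for _ in range(h["qdcount"]):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(h["ancount"]):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return ips


def classify_nonexistent_name_response(msg):
    """For a query whose name is known not to exist: 'nxdomain' is the honest
    reply; 'synthesized' means the resolver invented an address."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == RCODE_NXDOMAIN and h["ancount"] == 0:
        return "nxdomain"
    if h["rcode"] == RCODE_NOERROR and parse_a_records(msg):
        return "synthesized"
    return "other"


def demo():
    """Constructed end-to-end run; returns the observations for inspection."""
    missing = build_query("nosuchname-4f2a.example", qid=0x2A2A)  # hypothetical name
    honest = build_response(missing, [], rcode=RCODE_NXDOMAIN)
    rewritten = build_response(missing, [WILDCARD_IP])
    return {"query_has_aa": parse_header(missing)["aa"],
            "honest": classify_nonexistent_name_response(honest),
            "rewritten": classify_nonexistent_name_response(rewritten),
            "rewritten_to": parse_a_records(rewritten)}


if __name__ == "__main__":
    print(demo())
```

    On a live connection the same functions apply to bytes read from a UDP socket: send a query for a freshly generated random label under a domain you control (or one you know has no wildcard) to the resolver under test, and a NOERROR reply carrying an A record is the rewriting behaviour Netalyzr flags; an NXDOMAIN reply is the expected result. Note that a query that appears to reach a third-party resolver can only be distinguished from a transparent proxy by comparing the answers, not by the packet's destination address.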

  119. Used to have a problem... by Anonymous Coward · · Score: 0

    I've been a Comcast residential high-speed customer since it came out here in 2001. Between 2003 and 2005, their DNS servers would fail all the time, so I went into the router and changed the DNS servers to the "for off-campus use" DNS servers of my local university. Worked like a charm.

    The problem is since long gone. I might get blasted for saying this, but I've actually had really good luck with Comcast high-speed Internet.

    The only part that sucks? Back in 2001 when it was Excite@home, there was no speed cap sent to the modem, and 7 mbps was commonplace. Today, my modem is capped at 6.6 mbps, and I typically get around 5 in a speed test.

  120. Comcast in Ca. by PPNSteve · · Score: 0

    We're also on Comcast in Cali and use 3rd party DNS.. without issue. Comcast isn't messing with any of our port 53 traffic either:

    DNS Tests

    Restricted domain DNS lookup: OK
    We are able to successfully lookup a name which resolves to the same IP address as our webserver. This means we are able to conduct many of the tests on your DNS server.

    Unrestricted domain DNS lookup: OK
    We are able to successfully lookup arbitrary names from within the Java applet. This means we are able to conduct all test on your DNS server.

    DNS resolver address: OK
    The IP address of your ISP's DNS Resolver is 209.244.1.19, which resolves to ics3.SanJose1.Level3.net.

    DNS resolver properties: Lookup latency: 120ms
    Your ISP's DNS resolver requires 120 msec to conduct an external lookup, and 110 msec to lookup an item in the cache.
    Your resolver is using QTYPE=A for default queries.
    Your resolver is not automatically performing IPv6 queries.
    Your DNS resolver requests DNSSEC records.
    Your DNS resolver will accept DNS packets of up to 4096 bytes.
    Your DNS resolver can successfully receive a large (>1500 byte) DNS response.
    Your resolver does not use 0x20 randomization, but will pass names in a case-sensitive manner.
    Your ISP's DNS resolver respects a TTL of 0 seconds.
    Your ISP's DNS resolver respects a TTL of 1 seconds.

    DNS glue policy: OK
    Your ISP's DNS resolver does not accept generic additional (glue) records -- good.
    Your ISP's DNS resolver accepts additional (glue) records for nameservers located in subdomains of the queried domain.
    Your ISP's DNS resolver does not follow CNAMEs.

    DNS resolver port randomization: OK
    Your ISP's DNS resolver properly randomizes its local port number.
    The following graph shows DNS requests on the x-axis and the detected source ports on the y-axis.

    port sequence plot

    DNS lookups of popular domains: OK
    74 of 74 popular names were resolved successfully. Show all names.
    In the following table reverse lookups that failed but for which a Start Of Authority (SOA) entry indicated correct name associations are shown using an "X", followed by the SOA entry. Absence of both IP address and reverse name indicates failed forward lookups.
    Name IP Address Reverse Name/SOA
    www.abbey.co.uk 165.160.13.20 X (pdns1.cscdns.net)
    ad.doubleclick.net 209.62.176.153 eqnjmegaadvip3.doubleclick.net
    www.alliance-leicester.co.uk 194.130.105.121 X (alice.ioko365.com)
    www.amazon.com 72.21.210.250 210-250.amazon.com
    www.ameritrade.com 204.58.27.97 beta-new.tdameritrade.com
    www.bankofamerica.com 171.161.161.173 www.bankofamerica.com
    www.bankofscotland.co.uk 195.171.171.21 X (ns0.bt.net)
    www.bankofthewest.com 207.114.194.101 X (dns1a.bankofthewest.com)
    www.barclays.co.uk 213.219.1.141 X (dns1.lon7.telecityredbus.net)
    www.capitalone.com 208.80.50.112 X (chia.arin.NET)
    www.chase.com 159.53.60.105 X (ns1.jpmorganchase.com)
    chaseonline.chase.com 159.53.60.54 resources-cdc1.chase.com
    www.citi.com 192.193.217.200 X (ns.citicorp.com)
    www.citibank.com 192.193.217.200 X (ns.citicorp.com)
    www.citimortgage.com 192.193.218.222 X (ns.citicorp.com)
    www.cnn.com 157.166.224.26 www.cnn.com
    www.desjardins.com 142.195.128.44 desjardins.com
    www.deutsche-bank.de 217.73.49.24 www.deutsche-bank.de
    www.e-gold.com 209.200.169.10 unknown.prolexic.com
    www.ebay.com 66.135.200.145 hp-core.ebay.com
    www.etrade.com 12.153.224.22 etrade.com
    www.f-secure.com 8.18.65.65 X (ns2.Level3.net)
    www.facebook.com 69.63.180.12 www2.02.07.facebook.com
    www.fdic.gov 192.147.69.84 www.fdic.gov
    www.friendfinder.com 208.88.180.81 X (ii53-30.friendfinderinc.com)
    www.geocities.com 98.137.46.72 intl1.geo.vip.sp2.yahoo.com
    www.google.com 74.125.155.99 px-in-f99.google.com
    www.halifax.co.uk 62.172.43.225 www.halifax.co.uk
    www.hsbc.co.uk 193.108.74.126 X (ns3.hsbc.com)
    www.jpmorganchase.com 159.53.60.166 X (ns1.jpmorganchase.com)
    www.lloydstsb.com 193.34.230.181 X (ns2.lloydstsb.co.uk)
    mail.google.com 74.125.155.17 px-in-f17.google.com
    mail.live.com 64.4.20.174 dp1.mail.live.com
    mail.yahoo.com 66.163.169.186 l1.login.vip.sp1.y

    --
    PPN
  121. Unable to Confirm by CyberLife · · Score: 1

    Tried it from northwestern Washington-state to California. No problems.

  122. Not blocked in North Florida by dr00g911 · · Score: 1

    They're not redirecting DNS in my area of North Florida, but

    Apart from their God-awful downtime (about an hour a day at around 3am EST)... ...and 1-hour almost instant disconnect if you're participating in a torrent they've flagged as unacceptable... ...and terrible upstream speeds (about 45k / sec after the first 3 second burst)... ...and random massive latency... ...and questionable traffic shaping... ...and "not really" unlimited internet...

    They're ok-ish. Apart from being FUCKING EVIL. That said, the local cartel apparently hasn't gotten the same memo that caused TFA's seizure.

    Ok, they suck compared to, say, Speakeasy in the old days, but AT&T hasn't upgraded infrastructure in my neighborhood to support DSL, so Comcast is quite literally the only game in town. Yeah, I'm 5 miles outside of downtown and I can't get DSL here because up until a few years ago only poor folk lived in these old houses and it wasn't worth the time. Same reason there's no cable underground in Jacksonville's downtown... Cox cable (at the time) decided only poor folks lived there in the 70s when they last dug up the streets.

    Anyhow, apart from blocking non-comcast SMTP, here's all Netalyzer anomalies:

    RPC (Port 135) blocked
    NetBIOS (Port 139) blocked
    SMB (Port 445) blocked
    DNS resolver (Comcast DNS): 1700ms (!!!)

    Nothing I'd flag as unacceptable apart from the DNS latency. I learned to get my own SMTP host on an alternate port years ago as blocking port 25 is standard procedure on most ISPs.

    1. Re:Not blocked in North Florida by dr00g911 · · Score: 1

      One more note, Netalyzer sees my upstream at 6.5 megabits and downstream at 15 megabits -- which means that Netalyzer's traffic is being shaped by Comcast to give better appearance than reality (same deal with almost all of the "speed test" sites out there).

      I guarantee you in Jacksonville, FL that via FTP, SMTP, AFP, WebDAV or BitTorrent you will never see upstream speeds faster than 45k / second after an initial 3 to 5 second burst, no matter what you might think you're paying for.

  123. How To Beta Test Your Software, the Slashdot Way by damn_registrars · · Score: 1
    Sure, you could follow "traditional" measure of beta testing your software, but what fun is that? Try the Slashdot Method(TM) instead, and launch your beta testing into the next level! Just follow our easy step-by-step instructions
    • First: Make a plausible-sounding claim about a company people don't like (cable, MS, RIAA, telco, etc)
    • Second: Claim that your software can help diagnose these problems
    • Third: Watch as suckers from all over the world download your new program
    • Fourth: When the truth happens that your claim holds less water than a screen door, point out that your software helped show that, and was never supposed to fix anything anyways
    • Fifth: Point out that you still do a better job beta-testing before release than these guys
    • Sixth: Do a happy dance
    • Seventh:
    • Eighth: Profit!
    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  124. Per TFA It's Earthlink's Name Servers by Anonymous Coward · · Score: 0

    From TFA:

    "(Full disclosure: I don't know if it's Comcast or Earthlink that's responsible for this behavior, but Comcast is who I pay for internet access, so I'm blaming them for now, even though it's obvious Earthlink is involved)."

    Later in article:

    "The astute reader will notice that the addresses returned are those of the Earthlink host-not-found advertising page."

    Sounds like it's Earthlink doing this (at least, from a technical standpoint. At OSI layer 8 = business/political layer, it could be an agreement between the two of them). I understand why there might be some bad feeling against Comcast based on previous episodes, but based on your description it sounds like Comcast is just providing the last mile of connectivity and the actual IP communication with the Internet is Earthlink's piece (since they're your ISP). Comcast is just handling billing (and last mile cabling / layer 2 linkage). Taking it up with Comcast might still be useful in resolving the issue, but it sounds like they'd be the middlemen in this scenario.

  125. Wide Open West has been doing this for years... by Eggplant62 · · Score: 1

    Sorry this isn't re: Comcast, but I fired Comcast from providing my home cable service back in about 2003 since they wanted to put me on a NATted segment of their network on an RFC 1918 IP address. Ever since moving to Wide Open West, aka Wowway.com, traffic destined to my machine on port 53 from outside their network has been blocked. I don't pay extra for server connectivity, so I take my chances. Nevertheless, I've operated a hobby mail server sampling spam since being connected.

  126. I strongly doubt this by davidu · · Score: 1

    I run OpenDNS and we have about 12,000,000 end users. A large number of those are comcast users. We would know if this was true, and we haven't had a single report about it.

    I also know a few /really smart/ people in the Comcast engineering department who run their DNS infrastructure. These guys wouldn't do something like block port 53.

    Based on the above, there is no truth to this rumor from what I can tell and from those I've talked to. I think an update on this story is warranted.

    The comcast engineering team pride themselves on running a great network and robust infrastructure and I think they do a pretty good job (though of course I'm biased and think OpenDNS does a better job on the DNS side of the house) :-)

    -David

    --

    # Hack the planet, it's important.
  127. Re:Here's a permalink showing it may be happening. by mzs · · Score: 1

    https://ws.arin.net/whois/?queryinput=!%20NET-69-253-0-0-1

    CIDR: 69.253.0.0/16
    NetType: Reassigned

    Out of this larger block:

    https://ws.arin.net/whois/?queryinput=!%20NET-69-240-0-0-1

    I'm thinking it could be the smaller provider with that /16 that is proxying DNS instead of comcast itself, possibly a small company that is leasing this and using some filter software of their to keep employees from browsing NSFW sites.

  128. Wouldn't mind so much by OrangeTide · · Score: 1

    I wouldn't mind so much if comcast's DNS servers didn't break on a regular basis. I use a different DNS because I got sick of waiting for theirs to come back up during some stupid 1am maintenance schedule. Why can't they do the maintenance at noon when housewives are on and hackers are sleeping?

    --
    “Common sense is not so common.” — Voltaire
  129. Comcast hates VA? by Cleeq · · Score: 1

    c-76-123-201-223.hsd1.va.comcast.net / 76.123.xxx.xxx

    Your global IP address is 76.123.xx.xx while your local one is 192.168.xx.xx. You are behind a NAT. Your local address is in unroutable address space.
    Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.
    port sequence plot

    DNS-based host information: OK
    You are not a Tor exit node for HTTP traffic.
    You are listed on the Spamhaus Policy Based Blacklist, meaning that your provider has designated your address block as one that should not be sending any email.
    The SORBS DUHL believes you are using a dynamically assigned IP address.

    Reachability Tests
    General connectivity: Note
    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is blocked. The network you are using appears to enforce the use of a local DNS resolver.
    Direct UDP access to remote MSSQL servers (port 1434) is blocked. This is most likely due to a filtering rule against the Slammer worm.
    Direct TCP access to remote FTP servers (port 21) is allowed.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked. This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked. This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked. This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.

  130. Re:Here's a permalink showing it may be happening. by mzs · · Score: 1

    Never mind, you're behind a NAT. That could be doing it.

  131. Oh well Earthlink's not found page is interesting.. by Mark19960 · · Score: 1

    Try browsing to http://207.69.131.9/

    I am getting...
    "We are sorry, porn cannot be found.
    We suggest that you check the spelling of the web address or try a different search term."

    I did not search for anything.........

  132. Netalyzer results - Peachtree City, GA by thebigbadme · · Score: 1

    http://n1.netalyzr.icsi.berkeley.edu/summary/id=43ca253f-12268-d90b4111-dd9a-4663-ac6d

    Currently in Peachtree City Georgia, Comcast triple play service - across wifi 2 stories away from base in concrete apt. structure

    --
    "It's the Law of the Universe, and I'm the sheriff." Slash-cott 2/10-2/17
  133. Lake County, IL by Anonymous Coward · · Score: 0

    This is what I have. I figure the service is about the same for a whole bunch of small cities just north of Chicago, so I'm putting down the county rather than the specific city for my location. (Also I think most of the stuff that is blocked is due to my router settings. I don't see a reason to have ports open if I'm not actively using them.)

    Reachability Tests:
    General connectivity: Note
    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP connections to remote FTP servers (port 21) failed.
    This is commonly due to how a NAT or firewall handles FTP traffic, as FTP causes unique problems when developing NATs and firewalls.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.

  134. No DNS issues here... by Anonymous Coward · · Score: 0

    http://netalyzr.icsi.berkeley.edu/restore/id=4b65af4b-21402-5204573b-cf62-4504-84c7 permalink from the ICSI Netalyzr from a comcast user in Utah. Doesn't show any DNS issues.
    I do however, know that comcast is fail, and unreliable as shit.

  135. Oh Boy by DaMattster · · Score: 1

    This is proof now that there is a need for a new internet and to go back to the mom and pop providers that don't pull all of this bull crap. I miss the days of my small ISP where I could call them and get helpful, friendly tech support instead of having to navigate the myriad of voice prompts and CSRs that barely speak English. I am all for the creation of a new internet to go back to the ways of no regulation, no service tiering, and a completely neutral internet.

  136. Hmmmm by DaMattster · · Score: 1

    Comcast has always been a dog that likes to test the fences and then gets slapped down. Remember their infamous "filter" that was forcibly shut down? They want to see what they can get away with. They'll fight and growl but if enough people notice and threaten to complain to the FCC or some other government agency, they'll stop.

  137. Re:Oh well Earthlink's not found page is interestin by Anonymous Coward · · Score: 0

    Fact. I also got the same message. No search for porn on my end either. Check the redirected querystring; "&SearchQuery=" it's blank. This, if it's a registered earthlink IP, is something THEY are doing. :) This actually makes for a better headline than the actual one. I was just logging in after work to comment on why is this even still here? We've made ComcastBonnie's poor damn day miserable because some /b/tard got all click-happy on his keyboard. She probably didn't want in the least to deal with DNS hijacking, Port 53, 'redirection', 'filtering' or any of this.

  138. reply, ran the analyzer by Anonymous Coward · · Score: 0

    c-24-0-249-85.hsd1.pa.comcast.net / 24.0.249.85

    http://n17.netalyzr.icsi.berkeley.edu/summary/id=43ca3cda-24640-2921bc58-01af-4d27-a12e

    is the permalink for me from that test.

    I think hahaha. I used to be big into computers, not so much anymore.

    That's what pre-med'll do to you.

    K. Holland

    kt.holla1@gmail.com

    1. Re:reply, ran the analyzer by Anonymous Coward · · Score: 0

      http://netalyzr.icsi.berkeley.edu/restore/id=43ca3cda-24640-2921bc58-01af-4d27-a12e

      sorry, that's the permalink.

  139. Does not seem correct. For me at least. by Tjp($)pjT · · Score: 1

    $ nslookup
    > server 207.69.131.9
    Default server: 207.69.131.9
    Address: 207.69.131.9#53
    > comcast.sucks.com
    ;; connection timed out; no servers could be reached
    > server www.microsoft.com
    Default server: www.microsoft.com
    Address: 207.46.193.254#53
    Default server: www.microsoft.com
    Address: 207.46.192.254#53
    > comcast.sucks.com
    ;; connection timed out; no servers could be reached
    >

    So when I point lookups at the comcast ad servers even, or Microsoft, the lookups fail. Might be because we are on a business account here (to get a block of static IPs) but if our own captive ISP DNS servers are not reachable we'd have problems as we have some internal non-standard stuff going on for our internal networking. Our faked top level domain for our non-routable machines just would not show up. Again, might be because we are business clients of Comcast, but they have done all sorts of things like capped our bandwidth, excessively applied traffic shaping, etc. (corrected with a phone call mentioning we are business clients and _they_ committed to the usage rates we subscribed to.) But other than a few glitches we've been pretty happy with their service.

    One check for the original author. Are the DNS servers "recommended" at your install time in an Earthlink domain or Comcast one.

    --
    - Tjp

    I am in wallow with my inner money grubbing capitalistic pig. ... Oink!

  140. I am a Comcast customer and these are my results by Anonymous Coward · · Score: 0

    I ran the Netalyzr test and this is what I got.

    http://n12.netalyzr.icsi.berkeley.edu/summary/id=ae8186a4-26161-bcbcc8bc-23a1-4c30-b4f9

  141. Mod parent up by petrus4 · · Score: 1

    It's information from a Comcast rep that could clear the company's name, potentially.

    It is not fair of Slashdot to call a company evil if they don't ensure that clarifying/corrective information is also made prominent, if it is available.

  142. Re:I am a Comcast customer and these are my result by Anonymous Coward · · Score: 0

    I posted this and the only red there is the pop server and that was caused by my software firewall. So, the yellow warnings I believe probably also are caused by my software firewall. I really wouldn't want these ports open to the outside network anyway.

  143. Make sure your facts are straight, Slashdot by petrus4 · · Score: 1

    The editors should be a lot more careful about fact checking when posting stories like this. If it turns out to be false, and damaging to Comcast's business due to the amount of Slashbots ranting about how much they hate the ISP, Slashdot's parent company could be looking at a lawsuit from Comcast for libel; and IMHO, they'd be within their rights.

    The anti-Capitalist bias on this site truly is genuinely appalling, and it highlights yet again the complete lack of integrity inherent in the double standard that Stallman has indoctrinated into his minions. Corporations doing the wrong thing doesn't give us carte blanche to likewise behave badly. If anything, it's exactly the opposite.

    1. Re:Make sure your facts are straight, Slashdot by buss_error · · Score: 1

      The editors should be a lot more careful about fact checking when posting stories like this. If it turns out to be false, and damaging to Comcast's business due to the amount of Slashbots ranting about how much they hate the ISP, Slashdot's parent company could be looking at a lawsuit from Comcast for libel; and IMHO, they'd be within their rights.

      Your logic cycle is broken. If Comcast gave good service, then even significant amounts of ranting would cause many more posts of "Huh? But Comcast always fixes my problems!" or "I have Comcast, and I never have problems." The fact is, that while I see and hear a lot of complaints about Comcast (and have no insignificant amount of spam that originates on Comcast), I rarely see or hear of a good Comcast experience - at least, not on the Internet.


      The anti-Capitalist bias on this site truly is genuinely appalling, and it highlights yet again the complete lack of integrity inherent in the double standard that Stallman has indoctrinated into his minions. Corporations doing the wrong thing doesn't give us carte blanche to likewise behave badly. If anything, it's exactly the opposite.

      Again, if Comcast were dressed in pure white knight mode, any smudge or streak of mud would stand out. The fact that Comcast is generally seen as covered in excrement and their customers seem to be very vocal in their dissatisfaction with their services and offerings would indicate to me that Slashdot has very little to worry about vis-à-vis defamation even absent "Safe harbor" protections.

      As for your comment of "anti-Capitalist bias on this site", I don't think I've seen people on Slashdot have anything against making money - only making it dishonestly. A view I share.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  144. NW Indiana Comcast User by Anonymous Coward · · Score: 0

    Here are my results from netalyzr:

    Result Summary
    c-68-53-176-XXX.hsd1.in.comcast.net / 68.53.176.XXX
    Recorded at 19:46 EDT (23:46 UTC) on Tue, June 09 2009. Permalink. Transcript.
    Noteworthy Events

    Major Abnormalities

    * No DNS Port Randomization

    Minor Aberrations

    * Certain protocols are blocked in outbound traffic
    * Your computer's clock is slightly slow

    Address-based Tests

    NAT detection: NAT Detected

    Your global IP address is 68.53.176.XXX while your local one is XXX. You are behind a NAT. Your local address is in unroutable address space.

    Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

    port sequence plot

    DNS-based host information: OK
    You are not a Tor exit node for HTTP traffic.
    You are listed on the Spamhaus Policy Based Blacklist, meaning that your provider has designated your address block as one that should not be sending any email.
    The SORBS DUHL believes you are using a dynamically assigned IP address.
    Reachability Tests

    General connectivity: Note
    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP connections to remote FTP servers (port 21) failed.
    This is commonly due to how a NAT or firewall handles FTP traffic, as FTP causes unique problems when developing NATs and firewalls.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
    Network Access Link Properties

    Network latency measurements: Latency: 46ms Loss: 0.0%
    The round-trip time (RTT) between your computer and our server is 46 msec, which is good.
    We recorded no packet loss between your system and our server.

    TCP connection setup latency: 48ms
    The time it takes your computer to set up a TCP connection with our server is 48 msec, which is good.

    Network bandwidth measurements: Upload 7.4 Mbit/sec, Download >20 Mbit/sec
    Your Uplink: We measured your uplink's sending bandwidth at 7.4 Mbit/sec. This level of bandwidth works well for many users.
    Your Downlink: We measured your downlink's receiving bandwidth at >20 Mbit/sec. This level of bandwidth works well for many users.

    Network buffer measurements: U

  145. Like Three by elronxenu · · Score: 1

    Three Mobile Prepaid Broadband in Australia does this.

    Upon connecting, a prepaid user gets an RFC1918 address. All TCP traffic is NAT'ed. All DNS requests are not NAT'ed, they are proxied through three's caching nameserver.

    The problem with that is it causes hell for any caching nameserver at the client end. The client's nameserver expects to talk to the authoritative nameservers for whatever domain it looks up. It sends requests with the RD (Recursion Desired) bit cleared, because an authoritative nameserver does not need to use recursion to look up a name.

    Three's proxy nameserver sees the cleared RD bit and, if the requested data is not already in the cache, returns an NXDOMAIN error to the client. It makes the client unable to resolve most domain names.
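    The RD-bit behaviour described in this post can be checked on the wire. What follows is an added example, not code from the post, from Three, or from Netalyzr: it builds a minimal DNS query with the RD (Recursion Desired) bit set or cleared, parses the flags word of whatever comes back, and classifies the reply the way a client-side caching nameserver would see it. A reply to an RD=0 query that is non-authoritative, carries RA=1 and says NXDOMAIN is the signature of a transparent forwarding proxy answering in place of the authority. The function names (`build_query`, `fake_response`, `classify_response`, `send_query`) are chosen here; the sample replies are constructed inside the block, so nothing is sent over the network unless you call `send_query` yourself.

```python
import random
import socket
import struct

# DNS header flag bits, RFC 1035 section 4.1.1 (16-bit flags word)
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, rd=True, txid=None):
    """One-question query; rd=False is what a resolver sends to an authority."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte header into named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def fake_response(query, aa=False, ra=False, rcode=0):
    """Constructed reply for offline testing: echoes the question, no answer records."""
    txid, qflags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = QR | (qflags & RD) | (AA if aa else 0) | (RA if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def classify_response(query, response):
    """Label a reply from the perspective of the client that sent `query`."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatch"
    # We asked an authority (RD=0) but got a non-authoritative NXDOMAIN from
    # something offering recursion: the proxy behaviour the post describes.
    if not q["rd"] and r["ra"] and not r["aa"] and r["rcode"] == RCODE_NXDOMAIN:
        return "proxy_nxdomain"
    if r["aa"]:
        return "authoritative"
    if r["ra"]:
        return "recursive"
    return "other"


def send_query(server, query, timeout=2.0):
    """Send a query over UDP/53 and return the raw reply (not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    q = build_query("example.net", rd=False, txid=0x1234)
    print(classify_response(q, fake_response(q, aa=True)))           # authoritative
    print(classify_response(q, fake_response(q, ra=True, rcode=3)))  # proxy_nxdomain
```

    To use it against a live path, point `send_query` at a nameserver you know to be authoritative for a zone you control and pass an RD=0 query; an answer that classifies as `recursive` or `proxy_nxdomain` means something between you and that server answered instead of it.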

  146. Mine seems fine - OpenDNS functioning normally by flibbidyfloo · · Score: 1

    I'm on Comcast in central California. Random character URLs and typos are all resolving correctly via OpenDNS, which is configured on my router.

  147. No Problems, and some more info... by archiac · · Score: 1

    http://n18.netalyzr.icsi.berkeley.edu/summary/id=ae817952-25497-39a13fe0-7769-4072-beae All seems fine to me. So if you really want to test this.. Change your resolver to 70.88.178.97 (Comcast Business IP) and then attempt to lookup some name such as http://atlantic.ocean/ or http://www.servers.ucann2/ The second page is a parked page which is correct, the first page should give you a ftp style listing, if you do not get either of these pages, then you may be experiencing this type of hijacking. But I highly doubt this would be performed on commercial accounts, maybe residential. David - UCANN2

    --
    David Scott UCANN2
  148. Comcast ICSI Netalyzer link - Augusta, GA by ccoder · · Score: 1
    --
    "During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
  149. EARTHLINK!!!!!!! by Tokerat · · Score: 1

    Everyone that has reported this problem has a Comcast account that is somehow lined with Earthlink service. Even the linked article says so. Why don't we investigate that route? Did Comcast buy out Earthlink recently? Is there some kind of cross-promotional service where you buy from Earthlink over Comcast infrastructure? They fit into this somehow...

    --
    CAn'T CompreHend SARcaSm?
    1. Re:EARTHLINK!!!!!!! by jlivingood · · Score: 1

      You can buy Earthlink broadband that uses Comcast's network as the transport, which seems to be the case here. Not Comcast's network decision making or DNS.

  150. Posting your IP address by Tokerat · · Score: 1

    It's really sad that, not only are Slashdotters foolish enough to post a results page with their own IP in them, but also that the advice to do so was given by a Slashdot editor!

    We've been modded as Flamebait for months when criticizing this guy but... but I mean....really? REALLY? *facepalm*

    If I was a subscriber, I'd be canceling. Taco should be pissed, and you should be ashamed of yourselves for posting those Netalyzr direct URLs unless you're testing from a business with a public IP address; and really if we're talking about Comcast home accounts, what good is that?

    --
    CAn'T CompreHend SARcaSm?
    1. Re:Posting your IP address by Anonymous Coward · · Score: 0

      Your computer is broadcasting an IP address. Better run!

      Dipshit.

  151. Previous Problems in Colorado by _Nuke_ · · Score: 1

    I haven't had time to re-test to find out what my current situation is, but I can tell you that I have experienced COMCAST mucking up my DNS traffic in the past.

    I have a Linux server on my local network that acts as a caching DNS for all of my client machines. Several months ago I found that there were large holes in my internet access (including for some reason, most hotels in Las Vegas... I was planning a vacation).

    I have 2 separate internet connections to my house, one from COMCAST and one from QWEST. I did not do significant detective work when I had the problem. I used some online DNS tools to verify that the sites had good DNS entries (when not querying through COMCAST), I then accessed them with IP addresses successfully, SO, I went to my router and added a rule for all port 53 traffic to go over the QWEST connection and (surprise)... everything worked!

    I chalked it up to something being messed up on COMCAST's network and not a nefarious plot; I left the rule in to direct all of the port 53 traffic out the QWEST connection and I haven't had a similar problem since.

    Nuke

  152. What is the real motive here ?? to access netalyz by Anonymous Coward · · Score: 0

    Well, there may be another motive to this original post than has been discussed here.

    And it's sinister too.

    In order to run the suggested test which the OP requests, one must allow the "Netalyzer" JS access to your machine. And that is an excellent way to investigate and acquire "interesting" data on people. Does this ring any bells??

    So now Netaylzer people will have an interesting list of Slash-dotters who are concerned about this & Comcast issues in general. Ah at least then we will be safer than before we had that list of subversive "Slash-dotters".

    Wonder where they will use this newly acquired information. ????

  153. Cox DNS TTLs by heypete · · Score: 1

    While we're on the topic of DNS, could someone please tell the DNS folks at Cox Cable that it's really rude to arbitrarily rewrite all TTLs to 30 seconds.

    There's a reason why some people set their TTLs to higher than 30 seconds. Fortunately, I have my DD-WRT box set to use OpenDNS' resolvers, which work well.

    All of my attempts to inform Cox of their TTL issue have met with responses like "We've received your email regarding your difficulties in configuring your wireless router at home. Here's some instructions for configuring your wireless router..." even when I don't mention anything about a wireless network.

  154. To thwart IP-over-DNS... by PhotoGuy · · Score: 1

    Is there any chance that this is done to thwart 'IP-over-DNS' attempts?

    Many ISP's will forward port 53 traffic happily, even before a cable modem is provisioned. If you attempt to go to any site (port 80, etc.) it will redirect you to their provisioning page. But DNS requests work.

    So there are tools to funnel *all* of your traffic through a tunnel on port 53, as fake DNS requests.

    You need a DNS server on the other end as an exit for the gateway, and control over your domain to redirect the requests appropriately, but I've used it on unprovisioned modems in a pinch, and it does work. I wouldn't want to download Redhat ISO's over it, but for casual browsing when nothing else is available, it does work. (Not recommending the practice of course.)

    I could see grabbing control of port 53 to avoid this tunneling (although it's doubtful it's widespread enough to warrant such work).

    In general, I'm a bit mixed on the topic; I'm all for net neutrality, but to provide a good, consistent user experience, an ISP taking control of DNS requests (and cacheing) isn't too far out there. If they are redirecting things inappropriately, however, then that's an absolute no-no, and should be slapped down immediately...

    --
    Love many, trust a few, do harm to none.
  155. Verified @Comcast in Salem, Oregon by Anonymous Coward · · Score: 0

    I can confirm DNS is redirected from Comcast IP 76.115.5.109 in Salem, Oregon using NetCat to open a port on a server I have sitting in Seattle, Washington and verifying the port responds to a dig client sitting in Kent, Washington. The Seattle and Kent machines are not on Comcast's network.

    If I allow Comcast's server to resolve my request (both existent and NXDOMAIN) the result is correct. If I try to force use of a specific resolver, my request never makes it to the resolver and times out.

  156. flawed diagnostics? by GaryTorello · · Score: 1

    using Comcast in CT.. OpenDNS.org for DNS service.. works flawlessly. Perhaps OP is the subject of a conspiracy targeting only him.

  157. Verizon does this too by Anonymous Coward · · Score: 0

    If this makes you feel any better, Verizon also does this and none of us really care.

  158. Can't test it. by shentino · · Score: 1

    My college is blocking outbound port 53.

  159. Re:Not happening here May be something or nothing by davidsyes · · Score: 1

    "I'm wondering how this post ever made it to the slashdot front page. I haven't RTFM, but as it's from the domain comcastfuckingwithyourport53traffic.wordpress.com I don't see any reason to lend it credence."

    I once lamented/assailed in /. that /. can't expect to attain journalistic credibility, and responses came to me to the effect that I was crazy to expect credibility here.

    So, to your lament(?), I say, Kojak would say, "It's about page hits/impressions, baby....."

    Some of this kind of "story posting" may be considered the work of miscreants in many of the more respectable journals. Now, if the IEEE or some such entity takes hold of this story and watches comcast to see if this story is false, or if the story is breaking the lid off a clandestine, localized test (maybe comcast is doing something on behalf of the NSA? Maybe in exchange for immunity from ALL sorts of future investigation/prosecution/fines...), then we might have something to talk about....

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  160. No problem in Boston by Anonymous Coward · · Score: 0

    In the Boston, MA area, I get these results from home (dynamic IP account plugged into a NAT switch):

    > Direct UDP access to remote DNS servers (port 53) is allowed.
    > Direct TCP access to remote DNS servers (port 53) is allowed.

  161. Cavalier Dsl Delaware by Anonymous Coward · · Score: 0

    Noteworthy Events
    Major Abnormalities

    We received unexpected and possibly dangerous results when looking up important names
    Your DNS resolver returns results even when no such server exists

    Minor Aberrations

    Your computer's clock is slightly fast

    Address-based Tests
    NAT detection: No NAT Detected

    Your global IP address is 98.141.97.123 and matches your local one. You are not behind a NAT.

    Your machine numbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

    DNS-based host information: OK

    You are not a Tor exit node for HTTP traffic. You are not listed on any Spamhaus blacklists. The SORBS DUHL believes you are using a statically assigned IP address.
    Reachability Tests
    General connectivity: OK

    Basic UDP access is available. Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response. Direct UDP access to remote MSSQL servers (port 1434) is allowed. Direct TCP access to remote FTP servers (port 21) is allowed. Direct TCP access to remote SSH servers (port 22) is allowed. Direct TCP access to remote SMTP servers (port 25) is allowed. Direct TCP access to remote DNS servers (port 53) is allowed. Direct TCP access to remote HTTP servers (port 80) is allowed. Direct TCP access to remote POP servers (port 110) is allowed. Direct TCP access to remote RPC servers (port 135) is allowed. Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network. Direct TCP access to remote IMAP servers (port 143) is allowed. Direct TCP access to remote SNMP servers (port 161) is allowed. Direct TCP access to remote HTTPS servers (port 443) is allowed. Direct TCP access to remote SMB servers (port 445) is allowed. Direct TCP access to remote SMTP/SSL servers (port 465) is allowed. Direct TCP access to remote secure IMAP servers (port 585) is allowed. Direct TCP access to remote authenticated SMTP servers (port 587) is allowed. Direct TCP access to remote IMAP/SSL servers (port 993) is allowed. Direct TCP access to remote POP/SSL servers (port 995) is allowed. Direct TCP access to remote SIP servers (port 5060) is allowed. Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
    Network Access Link Properties
    Network latency measurements: Latency: 46ms Loss: 0.0%

    The round-trip time (RTT) between your computer and our server is 46 msec, which is good. We recorded no packet loss between your system and our server.
    TCP connection setup latency: 48ms

    The time it takes your computer to set up a TCP connection with our server is 48 msec, which is good.
    Network bandwidth measurements: Upload 920 Kbit/sec, Download 4.7 Mbit/sec

    Your Uplink: We measured your uplink's sending bandwidth at 920 Kbit/sec. This level of bandwidth works well for many users. Your Downlink: We measured your downlink's receiving bandwidth at 4.7 Mbit/sec. This level of bandwidth works well for many users.
    Network buffer measurements: Uplink 300 ms, Downlink 69 ms

    We estimate your uplink as having 300 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic. We estimate your downlink as having 69 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic.
    HTTP Tests
    Address-based HTTP proxy detection: OK

    There is no explicit sign of HTTP proxy use based on IP address.
    Header-based HTTP proxy detection: OK

    No HTTP header or content changes hint at the presence of a proxy.
    HTTP proxy detection via malformed requests: OK

    Deliberately malformed HTTP requests arrive at our server unchanged. We are not able to detect a proxy along the path to our server using this method.
    Filetype-based filtering: OK

  162. Seems plausible in Salt Lake City by iroberts · · Score: 1

    I've noticed for some time that it seems whenever comcast dns is not working (and this is *very* frequent, for periods of 15 seconds to a minute, as often as not), that neither do any other dns servers. I ran a test just now, periodically doing lookups through comcast and through 4.2.2.1, and there appeared to be a very high correlation between failures of the two. At the same time, I was also running a ping out to google, and it never missed a beat. This would suggest that either comcast is proxying dns traffic, or does some weird traffic shaping on port 53.

  163. Appears to be blocking in my area.. by Anonymous Coward · · Score: 0

    I'm a comcast customer from Indiana with a "sticky" IP, though not a true static. It appears that they're messing with the DNS in my area.

    http://tinyurl.com/ncghzc

  164. Perma by SchizoStatic · · Score: 1

    Comcast Residential in Minnesota. I use OpenDNS to filter the net here at home so the kiddies don't hit too much porn while trying to do homework. http://netalyzr.icsi.berkeley.edu/restore/id=482c3e43-1843-a5565296-caaa-42bf-819d

    --
    https://www.speakservers.com/
  165. Use wikipedia? by TheDreadedGMan · · Score: 1

    A quick search of information on Earthlink returned this:

    http://en.wikipedia.org/wiki/Earthlink#DNS_and_filtering_controversy

    Which links to a page with DNS servers that are unsupported and unfiltered... might pay for anyone affected to at least try them.

  166. FTFS: by Anonymous Coward · · Score: 0

    "If true, this is a pretty serious escalation in the Net Neutrality wars."

    Now, you can either wait until Comcast say they do, or don't. You can wait until someone else says it's happening too. Or you can post it and let people say on the blog that they don't see it.

    Now that last one won't happen UNLESS someone reports widely enough this accusation. Without wide reporting, if it's a local problem, it will get blown out of proportion since only local people will hear of it and check.

    If it doesn't get widely reported, it won't be tested and it could stay unresolved. Then 2 years down the line someone will hear of this and say "In the past, Comcast has...". There's no proof it didn't happen, is there.

    So slashdot HAS done the right thing.

  167. Try UDP by Anonymous Coward · · Score: 0

    Barnpot.

    Though many others don't see the problem, so it likely isn't corporate wide if it exists at all.

    But "proving" DNS works (which normally uses UDP) by showing ***TCP*** access is frigging stupid.

  168. DNS issue = BULL**** by Anonymous Coward · · Score: 0

    Hello, if you want free comcast internet. go to a store, buy a cable modem. do not subscribe the modem to comcast. plug the modem in. set it up. you will notice they gave you an outbound ip addy. now if you are on a router or your pc is directly hooked up go to any page. you will notice it redirected you to a self registration page. now on the pc/router change your dns server to 4.2.2.2 and 4.2.2.3 respectively.

    there you go free internet from comcast. nothing more than changing your dns. and if this works to get free inet then they are NOT screwing with your dns.

    and to slashdot this site is getting worse by the day. all opinion articles.

    starting to think you should rename the site to debatedot.org

  169. free inet by Anonymous Coward · · Score: 0

    buy modem. plug it in. do not register the modem with comcast. change your dns manually. free inet

  170. want free inet from comcast? by luciferxe · · Score: 1

    go to a store. buy a cable modem. plug it into your comcast line. change your dns manually. you're done, free inet from comcast. i believe the speeds are 5/1mbit or something along those lines but it's free. with a bit of modem modification you can uncap your modem completely.

  171. Re:I really am hoping this is NOT a gullibility te by Anonymous Coward · · Score: 0

    I got almost the same results, except for this:

    Direct TCP access to remote RPC servers (port 135) is allowed.
    Direct TCP access to remote NetBIOS servers (port 139) is allowed.
    Direct TCP access to remote SMB servers (port 445) is allowed.

    Can anyone tell me what that means?

  172. Did any of you try an IP-Whois? by Anonymous Coward · · Score: 0

    Seriously? Did no one check the IP? The IP Whois shows that IP in the redirect is owned by Earthlink, not Comcast.

    http://ws.arin.net/whois/?queryinput=207.69.131.9

    I hate Comcast as much as the next person (almost drove across town to defecate on their desks I was so pissed), but they are clearly not at fault here.

    I'm surprised the Comcast "engineers" didn't pick up on this; or at the very least their spokesperson (read: spokesgirl).

  173. Re:Not happening to me (either) by jetole · · Score: 1

    I just logged into the DNS server at my office via ssh and enabled djbdns on a public port. I opened the firewall to allow me to access it. Then on my home comcast account (consumer / not business) I ran host -t a comcast.com work.dns.com (fake name) and got back Comcast's proper DNS entries. I then changed DNS for comcast.com on the temp DNS at work so that comcast.com would return an A record of 127.0.0.1, and from my home account I ran the same command. Our work systems are on a private metro ethernet provider who is not comcast, but either way, my home computer on a residential comcast account connecting to a remote DNS server not on comcast and asking for the A record for comcast.com returned the address modified as I told it to, in a way that comcast would never approve, and it all went through fine, so it seems comcast is not redirecting DNS in Miami, Florida.
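
The canary test jetole describes above (serve a record only you control, query that server directly over UDP/53 from the suspect connection, and see whether the canary comes back) as an added example that is not code from any poster in this thread: a minimal DNS query builder and response parser in Python that classifies who actually answered. The canary name, the 127.0.0.1 value, the TTL and the resolver address are assumptions; `build_response` exists only so the parser can be exercised offline, and the TTL comparison is there because of the TTL-rewriting complaint about Cox earlier in the thread.

```python
import random
import socket
import struct

def build_query(name, txid=None):
    # Minimal A query: header (RD set), QNAME labels, QTYPE=A, QCLASS=IN.
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return txid, struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _skip_name(msg, off):
    # Offset just past a name: a label sequence ending in 0, or a 2-byte compression pointer.
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg, expected_txid):
    # Returns (rcode, [(ip, ttl), ...]); answers that are not IN/A records are skipped.
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off, records = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                     # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((socket.inet_ntoa(msg[off + 10:off + 14]), ttl))
        off += 10 + rdlen
    return flags & 0x000F, records

def build_response(query, ip, ttl):
    # Constructed reply as our canary server would send it (offline testing only);
    # the answer name is a compression pointer to the question at offset 12.
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)

def verdict(canary_ip, canary_ttl, rcode, records):
    # Who answered? Only our server knows the canary; a cache may lower a TTL but never raise it.
    ttls = dict(records)
    if canary_ip in ttls:
        return "direct" if ttls[canary_ip] <= canary_ttl else "ttl-rewritten"
    if records:
        return "foreign-answer"          # real-looking data for our private name: intercepted
    return "nxdomain" if rcode == 3 else "inconclusive"

def probe(server_ip, name, canary_ip, canary_ttl, timeout=3.0):
    # Send the query straight to server_ip:53 over UDP (bypassing the ISP resolver) and classify.
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"             # dropped or blocked somewhere on the path
    return verdict(canary_ip, canary_ttl, *parse_a_records(data, txid))
```

Run `probe("<your server>", "canary.<your zone>", "127.0.0.1", 300)` from the ISP connection and from a machine outside it; "direct" on both means the path is clean, while "foreign-answer", "nxdomain" or "timeout" only on the ISP side is the signature the thread is arguing about.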

  174. Re:Not happening to me - more good info by EvilBudMan · · Score: 1

    I doubt even they would do it. I just blindly posted the data while forgetting "yeah, we're running a mail server and VPN but not a web server". We just apparently didn't have everything we didn't use blocked at the firewall. I did wonder about that network buffer thing, though; everything else seems OK from them. 1500 ms is a lot? I think they are throttling that.

    Network buffer measurements: Uplink 1500 ms, Downlink 100 ms

    We estimate your uplink as having 1500 msec of buffering. This is quite high, and you may experience substantial disruption to your network performance when performing interactive tasks such as web-surfing while simultaneously conducting large uploads. With such a buffer, real-time applications such as games or audio chat can work quite poorly when conducting large uploads at the same time.

  175. Re:Static Dynamic IPs by ohnobinki · · Score: 1

    Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP? If it's a business account than I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.

    Dynamic IPs are not "dynamic" if one never gives up the lease. I have WOW (wide open west / http://wowway.com/ ) Internet and the only time my IP has changed is when our router was replaced (giving it a different client ID) and, of course, when I directly plugged my computer into a hub connected to the modem (to give it direct Internet access). Because WOW has blocked all UDP traffic on port 53, I have a gracious friend who has Comcast and serves my DNS. Comcast doesn't seem to change IPs unless the router/DHCP client releases a lease. This means I essentially don't need to change glue records at all. But Comcast has seemingly more often (supposedly) required people to re-plug in their modems and (I'm guessing only from slight experience) Comcast may have even forced an IP change upon one router I've had access to.

    Has any other WOW user tested serving DNS? I sent a query to WOW people and they said:

    Port 53 is reserved for internal WOW! network use only. Please try using an alternate port.

  176. Thanks! by Anonymous Coward · · Score: 0

    Thanks for the heads up on the link: comcastisfuckingwithyourport53traffic.wordpress.com. I should be getting a call from IT-Security any minute now...

  177. It is happening to me by beastie666 · · Score: 1

    Port 53 blocked. Comcast user in Plymouth MA

  178. Re: Linus Torvalds is a turd burglar by dave87656 · · Score: 1

    the average computer user isn't going to spend months learning how to use a CLI and then hours compiling packages so that they can get a workable graphic interface to check their mail with

    True, they'll use Ubuntu or any other Linux distribution from the last 8 or so years. You stick with Windows and let us know when you get your registry fixed.