Slashdot Mirror

← Back to Stories (view on slashdot.org)

Comcast Intercepts and Redirects Port 53 Traffic

Posted by kdawson on from the why-we-need-ipv6 dept.

An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.

36 of 527 comments (clear)

  1. Not happening to me by jimmyhat3939 · · Score: 5, Informative

    I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

    --
    Free Conference Call -- No Spam, High Quality
    1. Re:Not happening to me by whoever57 · · Score: 3, Informative

      I just verified that it's not currently happening. I'm in California if that matters.

      Me too. I'm also in CA and it is not curently happening.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Not happening to me by jeffmeden · · Score: 3, Informative

      Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server (which is presumably above any such hijacking) and see if the request gets hijacked. Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

    3. Re:Not happening to me by whoever57 · · Score: 5, Informative

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server

      I'm certain. I sent a query to a DNS server that I control. I ran tcpdump on the DNS server and I could see the packets from my home IP address coming in with the query and the refusal going out (I asked the DNS server that I control to resolve yahoo.com, which it should refuse to do).

      --
      The real "Libtards" are the Libertarians!
    4. Re:Not happening to me by EvilBudMan · · Score: 4, Informative

      They are blocking port 53 it appears here in Virginia.

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      I don't know about them hijacking it though. I'm not sure what causing it yet.

      Look this way for more info:
      |
      |
      |
        \
            \
            V

    5. Re:Not happening to me by whoever57 · · Score: 5, Informative

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server?

      The machine from which I sent the request is connected to a Comcast residential Cable Internet connection. The server at the other end is a virtual machine in a colo facility somewhere -- not a Comcast facility. And before anyone asks, I tried both tcp and udp requests with the same result (no interception, no transparent proxy).

      --
      The real "Libtards" are the Libertarians!
    6. Re:Not happening to me by chundo · · Score: 2, Informative

      Works for me in Chicago. I'm guessing it's his broadband router that's doing this, intercepting port 53 traffic and forwarding to the DNS servers it got from DHCP.

    7. Re:Not happening to me by falconwolf · · Score: 2, Informative

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP?

      My access is through Comcast, though like TFA's writer I get it from Earthlink, and I have a static IP with a consumer not a business account.

      Falcon

      --
      Should there be a Law?
    8. Re:Not happening to me by Iphtashu+Fitz · · Score: 2, Informative

      I've had my Comcast IP (outside Boston) change about 2 or 3 times on me in the span of about 5 years. It doesn't happen often, but it does. I believe it's only been when they need to add capacity to an area.

    9. Re:Not happening to me by sjames · · Score: 2, Informative

      Same here. I routinely test work DNS servers from home (on Comcast). They include non-public domains that will not resolve anywhere else. Other zones may differ from what the authoritative nameserver would answer.

      They may be intercepting DNS somewhere, but not here in Atlanta.

    10. Re:Not happening to me by alta · · Score: 4, Informative

      Comcast is using nearly off the shelf DHCP with really long expires times. When you get an IP, you'll have it for months, and usually don't loose it until those months have passed AND you reboot your equipment and get a new IP.

      DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independant of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly. Unlike a direct link, PPPoE must renegotiate every time there's a momentary signal loss, just like dialup would do.

      From what I've read, they use PPPoE because it's the easiest way to enable/disable users in real time via a RADIUS server. Comcast has to use more complicated methods to kill accounts (in some places, even send out a truck to put on a filter)

      --
      Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
    11. Re:Not happening to me by number11 · · Score: 2, Informative

      DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independant of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly.

      Depends on where you are. With Qwest (and a local third party ISP) I've had the same IP number since I got the service, maybe 10 years ago. That's regular consumer-grade (1.5M/1.0M) DSL. The reverse DNS lookup gives a name that has my ISP username embedded into it.

  2. Not happening here by jimmyhat3939 · · Score: 2, Informative

    I have several domains I run on a private DNS server that I access from my house using Comcast. I haven't experienced this. I'm in California if it matters.

    I suppose users could tunnel DNS over some other port if they had to.

    --
    Free Conference Call -- No Spam, High Quality
  3. Using OpenDNS on Comcast by Anonymous Coward · · Score: 1, Informative

    no sign of any DNS hijacking in western MA.

    1. Re:Using OpenDNS on Comcast by CompSci101 · · Score: 4, Informative

      Likewise in Southern New Jersey (and Philadelphia before this -- the very heart of Comcast darkness)

      I get OpenDNS error pages for nonexistent domains.

      --
      The Sun is proof that we can't even do fire properly.
  4. I really am hoping this is NOT a gullibility test by way2trivial · · Score: 2, Informative

    My connection is comcast for biz-- go crazy- I took out my last subnet

    The ICSI Netalyzr Beta
    Introduction Analysis Results
    Result Summary
    74-92-106-XXX-Philadelphia.hfc.comcastbusiness.net / 74.92.106.XXX
    Recorded at 14:15 EDT (18:15 UTC) on Tue, June 09 2009. Permalink. Transcript.
    Noteworthy Events
    Minor Aberrations

    Certain protocols are blocked in outbound traffic
    Address-based Tests
    NAT detection: NAT Detected

    Your global IP address is 74.92.106.XXX while your local one is 192.168.15.XX. You are behind a NAT. Your local address is in unroutable address space.

    Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

    DNS-based host information: OK

    You are not a Tor exit node for HTTP traffic.
    You are not listed on any Spamhaus blacklists.
    The SORBS DUHL believes you are using a statically assigned IP address.
    Reachability Tests
    General connectivity: Note

    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP connections to remote FTP servers (port 21) failed.
    This is commonly due to how a NAT or firewall handles FTP traffic, as FTP causes unique problems when developing NATs and firewalls.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
    Network Access Link Properties
    Network latency measurements: Latency: 26ms Loss: 0.0%

    The round-trip time (RTT) between your computer and our server is 26 msec, which is good.
    We recorded no packet loss between your system and our server.
    TCP connection setup latency: 29ms

    The time it takes your computer to set up a TCP connection with our server is 29 msec, which is good.
    Network bandwidth measurements: Upload 4.3 Mbit/sec, Download 7.1 Mbit/sec

    Your Uplink: We measured your uplink's sending bandwidth at 4.3 Mbit/sec. This level of bandwidth works well for many users.
    Your Downlink: We measured your downlink's receiving bandwidth at 7.1 Mbit/sec. This level of bandwidth works well for many users.
    Network buffer measurements: Uplink 229 ms, Downlink 220 ms

    We estimate your uplink as having 230 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic.
    We estimate your

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  5. Re:DNSSEC? by ScytheBlade1 · · Score: 4, Informative

    DNSSEC is validated at the resolver level. However, even if you run your own local DNS resolver, DNSSEC wouldn't come into play -- Comcast can simply strip the KEY/RRSIG records entirely before sending them to you -- leaving your resolver thinking that the zone has no DNSSEC records at all (at which point, they are blindly accepted as valid).

    I'd imagine that there is an option somewhere in bind to only accept signed records (and if not, there will be eventually I'm sure), but even if Comcast wasn't futzing with your dataz, you wouldn't have a functional internet.

    (I'm on comcast, and am not seeing this redirection. I also run a local DNS resolver.)

  6. Comcast results in Houston, TX by macklin01 · · Score: 3, Informative

    Here are the ICSI results. Results are from a PC behind a bog-standard Linksys WRT-54g, for what it's worth.

    Not my field, but I see Direct TCP access to remote DNS servers (port 53) is allowed. I'll leave it to the networking experts to pick through the rest of the report.

    --
    OpenSource.MathCancer.org: open source comp bio
  7. Just run BIND in your computer by Anonymous Coward · · Score: 0, Informative

    or set up a server in your LAN.. run BIND, setup to do recursive lookup...
    use that as your DNS server

    1. Re:Just run BIND in your computer by argent · · Score: 3, Informative

      And your recursive DNS server performs its own lookups via requests on port 53 to the root servers, which get intercepted by Comcast, ...

  8. errmm... by Tmack · · Score: 2, Informative
    Most dns traffic uses UDP

    TCP is generally only used for excessively large requests or zone transfers

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
  9. Official Response by ComcastBonnie · · Score: 4, Informative

    Hey guys, I just caught this on Twitter, and I can confirm that we do not and have not hijacked any DNS traffic in our network and certainly not to 3rd party resolvers. 'nuff said. I spoke with our DNS engineering folks, and they have confirmed. If you would like to contact me, I'm @ComcastBonnie on Twitter.

  10. So let me see if I have this straight... by BaronHethorSamedi · · Score: 5, Informative

    An anonymous reader submits a "story" linking to a random blog spouting off rumors about a nefarious scheme by Comcast to redirect port traffic. The "story" is then published under a headline asserting the rumor as fact, while the summary is actually a plea for the fact-checking on the story to be done by readers.

    News for nerds, indeed.

    1. Re:So let me see if I have this straight... by Anonymous Coward · · Score: 1, Informative

      I can understand the paranoia at least. We've seen this kind of shit being pulled before.

  11. Re:Port 53 Rerouted in Seattle :| by nweaver · · Score: 3, Informative

    Your netalyzr results show no DNS issues in the link you posted, using a Comcast DNS server:

    c-24-22-147-111.hsd1.wa.comcast.net / 24.22.147.111

    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.

    The IP address of your ISP's DNS Resolver is 68.87.69.147,
    which resolves to bvrt-cns01.beaverton.or.bverton.comcast.net.

    Your ISP correctly leaves non-resolving names untouched.

    --
    Test your net with Netalyzr
  12. Re:Is this happening for ANYONE? by nweaver · · Score: 2, Informative

    This is probably your NAT. We see such behavior among random visitors, but not those restricted to Comcast, and only a few Comcast-based visitors show this behavior.

    --
    Test your net with Netalyzr
  13. Not blocking in NY by grimace123_99 · · Score: 2, Informative

    Comcast DNS is working as expected in Upstate NY, I use OpenDNS from home (comcast cable service) and all is working as expected I can review my open dns logs and see that it is indeed serving me dns.

  14. TWX is MPAA, but not RIAA or cable by tepples · · Score: 2, Informative

    From your post, I don't think you're aware that Time Warner is actually one of the presiding members of the RIAA (and the MPAA).

    Time Warner is a member of the MPAA. It is not a major record label; it spun off Time-Life Records in 2003 and Warner Music Group in February 2004. It is not a cable company; it spun off Time Warner Cable in March 2009.

  15. Re:"Official Response" by fluxrad · · Score: 4, Informative

    I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication?

    Yes she is. She's handled one of my responses before. Recently corporations have started hiring "social networking" types to answer questions on places like twitter, facebook et al. It would Slashdot is another one of these venues.

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  16. Disregard; ORSN is SK by Kadin2048 · · Score: 3, Informative

    Apparently the ORSN project has been shut down, at least for the moment, due to lack of involvement and resources.

    Some of the servers continue to operate, but it was officially discontinued as of 31 Dec 2008. Too bad.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  17. Re:"Official Response" by Anonymous Coward · · Score: 1, Informative

    Dude, there was a whole Wired article about how much effort Comcast has gone through lately with trying not to suck. Included in this article was the whole ComcastCares Twitter thing, which proved so successful that it went from one tech not wanting people to badmouth Comcast, to a team of Comcast employees deployed specifically to respond to events such as this.

    For an overwhelmingly evil company, their Twitter presence is actually one of the brightest... most human... spots that Comcast has.

  18. Re:As one of the authors of Netalyzr... by nweaver · · Score: 4, Informative

    A colleague who knew about our launch told us we just got slashdotted.

    We actually WANT to get slashdotted, because that helps us measure the network.

    --
    Test your net with Netalyzr
  19. Re:"Official Response" by minerat · · Score: 2, Informative

    Comcast has been using twitter for a while now, under the @ComcastCares account. Multiple Comcast employees monitor twitter streams for complaints and are empowered to take action to resolve issues. ComcastBonnie (as well as a few others) are authorized (cs? pr?) representatives for Comcast. Given that her twitter page says the same thing as her post, you can probably take it at face value.

    --
    ...and you've eaten your pen. simply stunning.
  20. Re:"Official Response" by Armarius · · Score: 2, Informative

    I can confirm that ComcastBonnie is an authorized Comcast rep. I've dealt with @comcastcares on Twitter (Frank Eliason) and Bonnie is part of that team. Frank helped me cut through some BS with my local Comcast office about a year ago. They look on the Internet for folks with complaints about Comcast, such as my blog post as year ago, and are pretty quick with the Twitter responses these days. And apparently Slashdot responses as well. @LibraryMonk

  21. try democracy by emj · · Score: 2, Informative

    having your own police helps.

  22. Re:Fuck `Em All by RulerOf · · Score: 4, Informative

    group sex with Oprah Winfrey, Rosie O'Donnell, Roseanne Barr and Chelsea Clinton

    That's the absolute worst thing I've read in a long time.

    Well done, sir.

    --
    Boot Windows, Linux, and ESX over the network for free.