Comcast Intercepts and Redirects Port 53 Traffic
An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.
They could be doing this for security reasons, to prevent DNS domain hijacking.
Yeah, right.
From your post, I don't think you're aware that Time Warner is actually one of the presiding members of the RIAA (and the MPAA).
I am the richest astronaut ever to win the superbowl.
http://netalyzr.icsi.berkeley.edu/restore/id=4b65aebb-18883-4ded0c2e-9922-4ace-8be5
Was the original poster a shill for some other ISP or what? An anonymous user submits a story decrying a great technical wrong by Comcast, that no one appears to be able to reproduce. So a little fact-check action might be in order here. Up next, "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!"
I just got a new Kinesis keyboard so please excuse any egregious typos.
No...it's anti-anyonebutnormalcustomer behavior. The people running DNS servers are probably 0.000001% of internet users....the rest are probably just infected machines.
The question is *why* do they care about filtering DNS traffic? Do they offer this service as a paid service elsewhere, costing them *money*? Or is it simply to try to get a handle on worms and malware, which use tons of bandwidth for a network as big as Comcast's, costing them *tons of money*?
They have a profit based mindset...it shouldn't be hard to figure out why they're doing it. If the cost from malware is more than the loss of a portion of a fairly insignificant customer base that in reality probably costs them what several regular users cost, then they'll choose to block the port!
At one point I called support and asked what kind of account I would need to legally (in terms of usage agreement: no servers allowed) run a website. They said I'd have to go elsewhere to a *hosting company*. That's probably what they'll tell you here.
I think as much as we complain, in the end, if you want a direct and unfiltered, higher risk, and more expensive to maintain connection to the internet, you'll have to...pay more....just like if you want to use 5x the bandwidth of a normal user, you'll have to pay more.
I like the idea of the internet being a standard connection, wide open and the same anywhere...but that's not going to happen without regulatory laws, cause it doesn't make much business sense.
Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server? (Since, you know, the ISP routers would never even see the traffic if it were?)
Welcome to kdawson, editor extraordinaire.
Confirmed by an AC. Well, that's solid.
Welcome to the new Media Democracy.
Isn't that the point of this outrage?
More like intercepting traffic that isn't destined for Comcast as if it were. You're not attempting to contact Comcast in any way, but that's where the traffic is ending up.
Let's say Comcast, for some reason, suddenly decides that your site should no longer be reachable (by name), they could start intercepting DNS requests for your site and returning domain not found. Or worse, redirecting you to a site they find more "suitable."
Wow, it's nice to know that Comcast has both a twitter account and a brand new Slashdot account. Oh, it's most likely that you're an employee (maybe tech support); I'd watch what you call an 'Official Response', as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication? If so, I'd suggest a listing on the main corporate 'contacts' page, so that it'd be easy to verify it as 'official'. Also, the DNS team (or even the guy on duty) might not be complicit in the skulduggery, so your assessment might not be correct.
The force that blew the Big Bang continues to accelerate.
The only way I can imagine they'd profit from this is by blocking access to alternative DNS servers like OpenDNS, or even just putting in well-known public DNS servers like 4.2.2.2, so that they can intercept unknown requests and return ad-laden pages instead. Basically typosquatting.
Various ISPs have gone down this road before. (Rogers Cable has tried, and so has Road Runner.) Unfortunately -- for the shady ISPs, anyway -- it's easy for annoyed users to get around these schemes; they can just configure their computer or NATing router to use a different DNS server besides the one supplied by the ISP via DHCP.
By transparently redirecting all DNS requests to their own servers, Comcast would eliminate this method of circumventing their advertising. They could also block sites at the DNS level much more easily than before.
A lot of censorship schemes (ab)use DNS in order to return a bogus result to a query; these schemes aren't very good, though, because any user with two brain cells to rub together and the tiniest bit of motivation can change their DNS configuration to use clean servers instead. By doing transparent redirection, you prevent this.
Those strike me as the two obvious reasons. The profit-motivated one (squatting on failed DNS queries) is annoying and causes many non-web applications to fail or behave improperly, but it's not nearly as bad as the censorship-motivated one is. However, the same technique that makes failed-lookup ads harder to avoid could easily be used as part of a censorship scheme if demanded by the government. It's important that even casual Internet users (who may not really care about returning a "page not found" web page instead of the normal browser message) understand why letting their ISP monkey with DNS lookups is a Really Bad Idea.
In both cases you can get around the hijacking by using a VPN and forcing DNS queries through it, but that's significantly harder than changing from automatically-assigned DNS servers to well-known ones like OpenDNS's or Verisign's.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
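As an added check (not from the thread, and not the experiment the article ran): a small Python DNS client, built from the RFC 1035 wire format, that queries a resolver for a name and compares the reply with what the operator expects. An A record for a random, unregistered label marks NXDOMAIN squatting; a different address for a name your own authoritative server publishes means some other resolver answered in its place (run it from a host that is not on the same LAN as that server, or the ISP never sees the packets). `constructed_reply` builds offline test data; resolver addresses, the zone and the expected address are whatever you choose.

```python
import random
import socket
import struct
# Added example (not from the thread): compare a resolver's reply with the
# expected one to expose NXDOMAIN squatting or an intercepted resolver.

def build_query(name, txn_id):
    """Recursive A/IN query for `name` in RFC 1035 wire format (RD bit set)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def constructed_reply(query, rcode, addrs):
    """Offline test data: a reply to `query` carrying `rcode` and A records."""
    hdr = struct.pack("!HHHHHH", int.from_bytes(query[:2], "big"), 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs)
    return hdr + query[12:] + rrs

def skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] else 1)     # pointer is 2 bytes, root label 1

def parse_reply(data, txn_id):
    """Return (rcode, [A-record addresses]); rejects replies to other queries."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txn_id or qd != 1:
        raise ValueError("reply does not belong to our query")
    off, addrs = skip_name(data, 12) + 4, []    # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def classify(rcode, addrs, expected=None):
    """Random name: must be NXDOMAIN. Name you serve: must match `expected`."""
    if expected is not None:
        return "as-expected" if addrs == [expected] else "altered"
    if rcode == 3 and not addrs:
        return "nxdomain"
    return "squatted" if addrs else "unexpected"

def probe(resolver_ip, name, expected=None, timeout=3.0):
    txn_id = random.randrange(0x10000)        # send over UDP/53 and classify
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txn_id), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(*parse_reply(data, txn_id), expected)
```

A live run is `probe("208.67.222.222", "sdkfjhsdkjfh.example.com")` for the squatting test and `probe("<your-server-ip>", "test.yourzone.example", expected="<configured-ip>")` for the interception test; the same query sent to the ISP-assigned and to your chosen resolver should differ only if one of them is being rewritten.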
Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?
Actually, no. We've been outraged about that before. It's one thing if I use someone's server and it typojacks me due to a wildcard entry in the name tables. The alleged behavior we're discussing actually prevents* the user from using another nameserver outside of that ISP in order to sidestep the problem.
* (well, makes more difficult, requiring tunneling or something like that)
For quite awhile I've had the feeling that DNS will eventually be brokered through P2P/DHTs/etc with digitally signed payloads, and this type of behavior only makes that idea more appropriate.
This really has nothing to do with dynamic/static IPs; he's just trying to run his own private DNS server and it's getting hijacked. If he was seeking a simple dynamic IP solution it wouldn't matter if the client machine's DNS was getting hijacked, since the DNS changes would get propagated out to Comcast's server eventually.
That being said, this shouldn't affect him at all in a practical sense. A private DNS server running inside of a private domain's network couldn't get hijacked except for when it has to seek upstream for an address it doesn't know, but for all practical uses this shouldn't matter. Your client machines would still be getting everything your DNS server is intentionally serving, authoritatively or otherwise. The only time this would matter is if you want to completely ditch Comcast's DNS and go with another DNS server outside of your private domain, like OpenDNS.
The machine from which I sent the request is connected to a Comcast residential Cable Internet connection.
Ahhh, but that is the very problem, you see. Comcast is not above forging packets to make them look as if they came from a different host. Recall the forged reset packet BitTorrent fiasco where Comcast was caught red-handed forging reset packets from hosts outside their network. If the traffic passes through the network of Comcast on an unsecured connection then it is vulnerable to tampering, and with advanced packet shaping and inspection devices and software just about anything is possible, including interception and impersonation of a complete DNS exchange. Comcast has already shown that they are not above forging packets, so they must be regarded with suspicion whenever funny business appears to be going on with traffic traversing their networks.
This is retarded.
I point my router's DNS to OpenDNS.org and everything works great. If I type a BS domain I get the OpenDNS search page.
One idiot's Wordpress blog is enough to make it to the front page? I mean, I think Comcast is the devil incarnate, but there are plenty of legitimate reasons to hate them without making up BS stories.
bun-fhuinneog agam!
Even assuming you're a real Comcast representative, why should we believe anything any Comcast rep says, after witnessing the series of lies, stonewalling, and misdirection Comcast produced after being accused of interfering with BitTorrent traffic, and then again after being caught red-handed interfering with BitTorrent traffic?
include $sig;
1;
When the DNS servers don't work at all, as the article complains, then no.