Slashdot Mirror


Comcast Intercepts and Redirects Port 53 Traffic

An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.

21 of 527 comments

  1. Re:Not happening here by Shakrai · · Score: 3, Interesting

    I suppose users could tunnel DNS over some other port if they had to.

    I route all of my DNS requests through a VPN to the DNS server at my office. Not everybody has this luxury though. I wonder if OpenDNS would be inclined to set up a VPN solution for people stuck with an ISP as arrogant as Comcast?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  2. Re:Not happening to me by Shakrai · · Score: 5, Interesting

    I'm a Comcast user, and I run a DNS server for a few private domains that only I use

    Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP? If it's a business account then I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  3. DNS-Based Filtering by Bicx · · Score: 2, Interesting

    So does this mean that my DNS-based filtering through OpenDNS would stop? If so, my kids could be stumbling onto porn, malware, and dangerous sites that I was trying to shield them from. Thanks Big Brother! That's just awesome. No, that's Comcastic!

  4. Re:Not happening here by mcgrew · · Score: 4, Interesting

    I'm wondering how this post ever made it to the slashdot front page. I haven't RTFM, but as it's from the domain comcastfuckingwithyourport53traffic.wordpress.com I don't see any reason to lend it credence.

    The comments to this story say a lot, almost as much as the domain the story links to. Somebody screwed up posting this.

  5. Re:Not happening to me by CodeBuster · · Score: 5, Interesting

    Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server (i.e. forging the response packets so that they appear to come from your server) then the only way to tell would be to place a deliberately wrong IP entry for a well known address on your server (i.e. something that Comcast wouldn't know about) and then run the query again to see if you get the wrong result (no redirection or impersonation) OR if you get the expected result (redirection or impersonation). Also, they might only be forwarding queries that they don't recognize to your server so that any custom or unusual queries hit your server but stuff like google.com is answered by their server(s).

  6. Netalyzr results by MostAwesomeDude · · Score: 2, Interesting

    http://netalyzr.icsi.berkeley.edu/restore/id=ae8199f5-18807-f5eeee66-ce59-42a4-8803

    Note that my DNS servers are Level3 servers (4.2.2.2, 4.2.2.4) since they are much faster than Comcast DNS.

    --
    ~ C.
  7. OpenDNS by Clipless · · Score: 2, Interesting

    A good friend of mine was using OpenDNS on Comcast and one day, without warning, his internet service was cut off.
    When he called the phone rep said that Comcast had disabled his internet because he was not using their DNS server and that if he wanted to have Comcast as a provider he had no choice but to use DNS servers provided by DHCP!

  8. Falsely advertising "Internet access" by davidwr · · Score: 2, Interesting

    Are you buying "Internet access" or something else? If you bought "Internet access" and you aren't getting it that's breach of contract. Odds are you are buying "partial Internet access as spelled out by the terms and conditions" which is probably not "Internet access."

    Are they advertising "Internet access" or something else? If they are advertising "Internet access" and not delivering, that's false advertising. Unfortunately, it takes either deep pockets or a friend in your friendly neighborhood Attorney General's office to fight this battle.

    Of course, most major ISPs haven't delivered "Internet access" to home users for years. They routinely block port 25 and other widely-abused ports, and some throttle traffic in ways that are not non-discriminatory. Business users, especially big business users, usually can get real Internet access but they have to pay.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  9. As one of the authors of Netalyzr... by nweaver · · Score: 5, Interesting

    We have not seen any redirection issues with Comcast user's DNS settings.

    Questions on netalyzr itself will be answered in this thread.

    --
    Test your net with Netalyzr
    1. Re:As one of the authors of Netalyzr... by wren337 · · Score: 2, Interesting

      Looks like wowway is hijacking www.google.com, capturing the search and then doing a 302 to the actual search page (?)

      http://netalyzr.icsi.berkeley.edu/restore/id=4b65aebb-24385-1985f52c-c397-4cc4-b780

  10. Re:Not happening to me by mea37 · · Score: 2, Interesting

    That's the only way you can think of to verify what's happening?

    GP controls the DNS server in question. Think server logs and monitoring tools.

  11. Port 53 Rerouted in Seattle :| by stacysmomsmokesabong · · Score: 2, Interesting

    I can verify this is happening in Lynnwood, WA - just north of Seattle - on my Comcast residential connection. First port 25 is blocked, now 53 is being rerouted? GD Comcast is a bunch of toolsheds.

    My working third party server connected to the dummy DNS server just fine, while my home Comcast connected PCs couldn't. Tested in Windows 2008, Gentoo and Windows XP @ home - same results on all 3.

    Netalyzr results: here

  12. Re:Not happening to me by EvilBudMan · · Score: 5, Interesting

    Funny,

    Here are the results from a static IP:

    --Knoxville.hfc.comcastbusiness.net --

    --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
    The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
    The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

    There might be some other issues here:
    http://www.auditmypc.com/port/udp-port-53.asp
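
Added example, not code from the thread or from Netalyzr: a small Python probe that carries out the test comment 5 describes (query your own server for a name whose deliberately wrong answer only that server knows) together with the two things the Netalyzr output in comment 12 reports on: whether a name that cannot exist comes back as NXDOMAIN rather than an ad-server address, and whether a non-DNS payload on UDP/53 gets through. The server address, the canary name canary.example.test, its bogus answer 192.0.2.55 and the zone example.test are assumptions; the garbage check is only conclusive when you can also watch the server's side with tcpdump, as comments 10 and 17 point out.

```python
# Added example, not code from the thread or from Netalyzr: the checks
# comments 5 and 12 describe, run from a client against a DNS server you
# control. The canary name canary.example.test, its deliberately wrong
# answer 192.0.2.55 and the zone example.test are assumptions.
import random
import socket
import struct

QTYPE_A, QCLASS_IN, RCODE_NOERROR, RCODE_NXDOMAIN = 1, 1, 0, 3

def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels (RFC 1035)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=QTYPE_A, txid=None):
    """Minimal recursion-desired query for qname."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)

def build_response(query, rcode, ips=()):
    """The reply an honest authoritative server gives to `query` (offline self-test)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580 | rcode, 1, len(ips), 0, 0)  # QR AA RD RA
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
                       + socket.inet_aton(ip) for ip in ips)     # 0xc00c -> question name
    return header + query[12:] + answers

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                         # bounded: no pointer loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if not jumped else end
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return (txid, rcode, [IPv4 strings from A records in the answer section])."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, ips = 12, []
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4        # skip QTYPE and QCLASS
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0xF, ips

def classify_canary(rcode, ips, expected_ip):
    """Comment 5's test: only your own server knows the bogus canary answer."""
    return "direct" if rcode == RCODE_NOERROR and ips == [expected_ip] else "intercepted"

def classify_nxdomain(rcode, ips):
    """A random label under a real zone must come back NXDOMAIN, not an ad server."""
    if rcode == RCODE_NXDOMAIN and not ips:
        return "honest"
    return "rewritten" if rcode == RCODE_NOERROR and ips else "unexpected"

def udp_exchange(server, payload, timeout=3.0):
    """One datagram to server:53; the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def probe(server, canary, expected_ip, zone):
    """Run the three checks over the network; returns a findings dict."""
    out = {}
    r = udp_exchange(server, build_query(canary))
    out["canary"] = "timeout" if r is None else classify_canary(*parse_response(r)[1:], expected_ip)
    nonce = "%016x" % random.getrandbits(64)     # a label nobody can have cached
    r = udp_exchange(server, build_query(nonce + "." + zone))
    out["nxdomain"] = "timeout" if r is None else classify_nxdomain(*parse_response(r)[1:])
    # Netalyzr's proxy fingerprint: a non-DNS payload on port 53; whether it
    # arrived is settled by tcpdump on the server, not by the reply here.
    r = udp_exchange(server, b"\x00" * 12 + b"not a dns message")
    out["garbage"] = "no reply" if r is None else "answered"
    return out
```

Usage is `probe("203.0.113.1", "canary.example.test", "192.0.2.55", "example.test")` with your own server's address substituted. A "direct" canary result means the forged-response scenario in comment 5 is not happening for that path; "intercepted" means something other than your server answered (or rewrote the answer), and the follow-up is the server-side packet capture comments 10 and 17 recommend. The NXDOMAIN check uses a fresh random label each run so that neither a cache nor a pre-seeded ad record can mask the result.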

  13. Test market? by irving47 · · Score: 3, Interesting

    I don't see anyone else mentioning this, but it seems they could be using a particular area to test this "policy"

    --
    I had a sucky sig.
  14. Re:Not happening to me by brasscount · · Score: 2, Interesting

    You mean like road runner does by default here in SC?

    --
    Confidentiality, Integrity, Availability: without Availability the other two are assured, as is Bankruptcy.
  15. Tweet by Presto+Vivace · · Score: 2, Interesting

    Comcast denies that it is doing this http://twitter.com/ComcastBonnie/status/2092813922

  16. Re:Damn! That may stop my plan...... by Guanix · · Score: 3, Interesting

    Have you heard of IP over DNS? The DNStunnel software sends IP packets as TXT records over a real DNS, the client sends data in the request itself. Since these are real resolvable DNS records, proxying port 53 won't work. When I tried this software, I could only get a single stream over the tunnel, so I ran SSH over the DNStunnel and used ssh to forward a TCP port that I then ran OpenVPN on. This actually works, but it is very slow. And I can imagine that people would eventually find out because the wifi provider's DNS cache will fill up with IP data.
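
Added example, not the DNStunnel software or any code from the thread: the encoding that lets a tunnel ride on ordinary, resolvable DNS the way comment 16 describes. Upstream bytes travel inside the query name under a domain whose authoritative server is the tunnel endpoint, downstream bytes come back as TXT strings, and a sequence label keeps every query name unique so no resolver cache can short-circuit it. The tunnel domain t.example.test and the label layout are assumptions for illustration.

```python
# Added example, not the DNStunnel software: how a DNS tunnel packs bytes
# into query names (upstream) and TXT records (downstream). The domain and
# the sequence-label layout are assumptions for illustration.
import base64
import math

MAX_LABEL = 63      # RFC 1035: one label is at most 63 octets
MAX_NAME = 253      # longest printable domain name
TXT_STRING = 255    # one <character-string> inside TXT RDATA

def encode_upstream(seq, payload, domain):
    """Client -> server: payload as base32 labels, prefixed with a sequence
    label so every query name is new and no resolver cache can answer it."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = ["%08x" % seq] + [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
    qname = ".".join(labels + [domain])
    if len(qname) > MAX_NAME:
        raise ValueError("payload does not fit in one query name")
    return qname

def decode_upstream(qname, domain):
    """Server side: recover (seq, payload) from a query name under domain."""
    if not qname.endswith("." + domain):
        raise ValueError("query not under tunnel domain")
    labels = qname[:-len(domain) - 1].split(".")
    data = "".join(labels[1:]).upper()
    data += "=" * (-len(data) % 8)          # restore base32 padding
    return int(labels[0], 16), base64.b32decode(data)

def upstream_capacity(domain):
    """Largest payload one query can carry under domain."""
    n = 0
    while True:
        try:
            encode_upstream(0, b"\0" * (n + 1), domain)
        except ValueError:
            return n
        n += 1

def queries_needed(nbytes, domain):
    """Queries (each a full round trip through the resolver) to move nbytes up."""
    return math.ceil(nbytes / upstream_capacity(domain))

def txt_rdata(payload):
    """Server -> client: payload as TXT RDATA, length-prefixed strings of at
    most 255 octets (TXT strings are arbitrary octets, so binary is fine)."""
    chunks = [payload[i:i + TXT_STRING] for i in range(0, len(payload), TXT_STRING)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def parse_txt_rdata(rdata):
    """Client side: join the character-strings back into the payload."""
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n])
        off += 1 + n
    return b"".join(out)
```

With the 14-character domain assumed here, `upstream_capacity` comes to 141 bytes, so a single 1500-byte IP packet costs 11 separate queries, each waiting on the ISP's recursive resolver. That is the slowness the comment reports, and every one of those unique names lands in that resolver's cache, which is exactly how the comment expects the tunnel to be noticed eventually. Note also that the sequence label, not the data, is what defeats caching: repeating a query name would hand you the cached TXT answer instead of fresh downstream data.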

  17. Re:Not happening to me by TheSpoom · · Score: 3, Interesting

    Except that he actually received and sent the packets on the server and verified as such.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  18. Re:Not happening to me by bsdaemonaut · · Score: 2, Interesting

    Assuming you have control of a decent firewall on both ends you can just reroute all your outbound traffic on port 53 to something of your choosing (let's say 16053) and then reroute the inbound traffic from 16053 to 53.

  19. Re:Not happening to me by Anonymous Coward · · Score: 1, Interesting

    As much as I like the freedom of being able to contact any DNS server, there is some rationale for intercepting these kinds of requests. As we have seen, the DNS system can be abused by users to do nefarious things. None of us would question Comcast putting filters on their SMTP servers to limit the amount of SPAM that could be generated by Comcast users. And it's fairly normal for providers to limit, or at least monitor, SMTP connections to outside mail servers. And one would hope that Comcast would be responsive to situations when one of their users (or, more likely, one of their users' computers) is participating in a DDoS attack.

    Given that we expect ISPs to deal with SPAM and how we treat those ISPs that don't, is it really unreasonable that Comcast is preparing for the time when we expect the same from ISPs when it comes to DNS? So long as the results of a legitimate DNS query are correct compared to what the server would return (i.e. not cached), what's the harm?

  20. Re:Not happening to me by hairyfeet · · Score: 2, Interesting

    I know you are probably just trying to troll Mr Coward but I don't think you've ever used OpenDNS. I admit my spelling is pretty bad and I have a tendency to bump adjacent keys when I am typing fast and I don't think I've seen the OpenDNS page twice in two years. They really do give it a "best effort" to try and figure out what you were looking for before giving up. Now compare that to the Comcast one where from what I understand if you get even one letter off you are going to be staring at their ad server.

    I've found OpenDNS to be faster, safer, and more reliable than my local ISP. If the cost of that is seeing an ad page once a year when I type something so horribly bad that their DNS server goes "WTF?" then so be it and I'm guessing the above poster feels the same. So why not try OpenDNS for a week? It's free and you might like it.

    --
    ACs don't waste your time replying, your posts are never seen by me.