Slashdot Mirror


Comcast Intercepts and Redirects Port 53 Traffic

An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.

89 of 527 comments

  1. Not happening to me by jimmyhat3939 · · Score: 5, Informative

    I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

    --
    Free Conference Call -- No Spam, High Quality
    1. Re:Not happening to me by Shakrai · · Score: 5, Interesting

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP? If it's a business account then I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Not happening to me by whoever57 · · Score: 3, Informative

      I just verified that it's not currently happening. I'm in California if that matters.

      Me too. I'm also in CA and it is not currently happening.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Not happening to me by CodeBuster · · Score: 5, Interesting

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server (i.e. forging the response packets so that they appear to come from your server) then the only way to tell would be to place a deliberately wrong IP entry for a well known address on your server (i.e. something that Comcast wouldn't know about) and then run the query again to see if you get the wrong result (no redirection or impersonation) OR if you get the expected result (redirection or impersonation). Also, they might only be forwarding queries that they don't recognize to your server so that any custom or unusual queries hit your server but stuff like google.com is answered by their server(s).

    4. Re:Not happening to me by jeffmeden · · Score: 3, Informative

      Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server (which is presumably above any such hijacking) and see if the request gets hijacked. Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

    5. Re:Not happening to me by whoever57 · · Score: 5, Informative

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server

      I'm certain. I sent a query to a DNS server that I control. I ran tcpdump on the DNS server and I could see the packets from my home IP address coming in with the query and the refusal going out (I asked the DNS server that I control to resolve yahoo.com, which it should refuse to do).

      --
      The real "Libtards" are the Libertarians!
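The check CodeBuster and whoever57 describe above, put into code: ask a resolver you control for a canary name that only it answers (a deliberately wrong A record), then compare what came back with what your server is configured to return. This is an added example, not code from the thread or from any poster; canary.example.test, 203.0.113.7 and the server address are placeholders you would replace with a zone and host you actually control.

```python
import random
import socket
import struct

CANARY_NAME = "canary.example.test"   # placeholder: a name only YOUR server answers
CANARY_IP = "203.0.113.7"             # placeholder: the deliberately wrong A record you configured

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end

def build_query(name, txid, qtype=1):
    """Standard query: header (RD set, one question) + QNAME/QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(msg):
    """Return the transaction id, RCODE and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    a_records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "rcode": flags & 0x000F, "a_records": a_records}

def classify(response, txid, expected_ip=CANARY_IP):
    """Decide whether the reply is the one our own server is configured to give."""
    if response["id"] != txid:
        return "id-mismatch"                 # not a reply to our query at all
    ips = [ip for _, ip in response["a_records"]]
    if response["rcode"] == 0 and ips == [expected_ip]:
        return "direct"                      # the wrong-on-purpose canary came back: path is clean
    return "intercepted"                     # NXDOMAIN or some other answer: something else replied

def build_response(query, a_records, rcode=0):
    """Construct a reply to `query`; used only to make sample packets offline."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0) + question
    for name, ip in a_records:
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg

def query_udp(server, name=CANARY_NAME, timeout=3.0):
    """Send the canary query over UDP/53 to `server` and classify what comes back."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify(parse_response(data), txid)

if __name__ == "__main__":
    # Offline demonstration with constructed packets; on a live link you would call
    # query_udp("<IP of the server you control>") and compare with tcpdump on that server.
    q = build_query(CANARY_NAME, 0x1234)
    print(classify(parse_response(build_response(q, [(CANARY_NAME, CANARY_IP)])), 0x1234))
    print(classify(parse_response(build_response(q, [], rcode=3)), 0x1234))
```

Running the query from the Comcast side while tcpdump watches port 53 on the controlled server, as whoever57 did, covers both halves: the packet must arrive there, and the canary answer must come back unchanged.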
    6. Re:Not happening to me by EvilBudMan · · Score: 4, Informative

      They are blocking port 53 it appears here in Virginia.

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      I don't know about them hijacking it though. I'm not sure what causing it yet.

      Look this way for more info:
      |
      |
      |
        \
            \
            V

    7. Re:Not happening to me by mea37 · · Score: 2, Interesting

      That's the only way you can think of to verify what's happening?

      GP controls the DNS server in question. Think server logs and monitoring tools.

    8. Re:Not happening to me by Anonymous Coward · · Score: 3, Funny

      Why are people suddenly so obsessed with pointing to the reply button?

    9. Re:Not happening to me by EvilBudMan · · Score: 5, Interesting

      Funny,

      Here are the results from a static IP:

      --Knoxville.hfc.comcastbusiness.net --

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      There might be some other issues here:
      http://www.auditmypc.com/port/udp-port-53.asp

    10. Re:Not happening to me by mea37 · · Score: 5, Insightful

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server? (Since, you know, the ISP routers would never even see the traffic if it were?)

    11. Re:Not happening to me by whoever57 · · Score: 5, Informative

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server?

      The machine from which I sent the request is connected to a Comcast residential Cable Internet connection. The server at the other end is a virtual machine in a colo facility somewhere -- not a Comcast facility. And before anyone asks, I tried both tcp and udp requests with the same result (no interception, no transparent proxy).

      --
      The real "Libtards" are the Libertarians!
    12. Re:Not happening to me by The+Moof · · Score: 4, Insightful

      Isn't that the point of this outrage?

      More like intercepting traffic that isn't destined for Comcast as if it were. You're not attempting to contact Comcast in any way, but that's where the traffic is ending up.

      Let's say Comcast, for some reason, suddenly decides that your site should no longer be reachable (by name), they could start intercepting DNS requests for your site and returning domain not found. Or worse, redirecting you to a site they find more "suitable."

    13. Re:Not happening to me by brasscount · · Score: 2, Interesting

      You mean like road runner does by default here in SC?

      --
      Confidentiality, Integrity, Availability: without Availability the other two are assured, as is Bankruptcy.
    14. Re:Not happening to me by darthservo · · Score: 5, Funny

      Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server

      Thanks a lot. Now I'm going to get slashdotted.

      --

      Prove it.

    15. Re:Not happening to me by Zoxed · · Score: 3, Funny

      > Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com)

      1) Quickly registered non-existing domain mentioned on Slashdot and put up an ad-serving site.
      2) Wait for bored Slashdotters to try the link.
      3) Profit.

      Thanks Slashdot :-)

    16. Re:Not happening to me by Zetta+Matrix · · Score: 5, Insightful

      Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

      Actually, no. We've been outraged about that before. It's one thing if I use someone's server and it typojacks me due to a wildcard entry in the name tables. The alleged behavior we're discussing actually prevents* the user from using another nameserver outside of that ISP in order to sidestep the problem.
      * (well, makes more difficult, requiring tunneling or something like that)

      For quite awhile I've had the feeling that DNS will eventually be brokered through P2P/DHTs/etc with digitally signed payloads, and this type of behavior only makes that idea more appropriate.

    17. Re:Not happening to me by chundo · · Score: 2, Informative

      Works for me in Chicago. I'm guessing it's his broadband router that's doing this, intercepting port 53 traffic and forwarding to the DNS servers it got from DHCP.

    18. Re:Not happening to me by falconwolf · · Score: 2, Informative

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP?

      My access is through Comcast, though like TFA's writer I get it from Earthlink, and I have a static IP with a consumer not a business account.

      Falcon

    19. Re:Not happening to me by bsdaemonaut · · Score: 2, Insightful

      This really has nothing to do with dynamic/static IPs; he's just trying to run his own private DNS server and it's getting hijacked. If he was seeking a simple dynamic IP solution it wouldn't matter if the client machine's DNS was getting hijacked since the DNS changes would get propagated out to Comcast's server eventually.

      That being said, this shouldn't affect him at all in a practical sense. A private DNS server running inside of a private domain's network couldn't get hijacked except for when it has to seek upstream for an address it doesn't know, but for all practical uses this shouldn't matter. Your client machines would still be getting everything your DNS server is intentionally serving, authoritatively or otherwise. The only time this would matter is if you want to completely ditch Comcast's DNS and go with another DNS server outside of your private domain, like OpenDNS.

    20. Re:Not happening to me by CodeBuster · · Score: 2, Insightful

      The machine from which I sent the request is connected to a Comcast residential Cable Internet connection

      Ahhh, but that is the very problem you see. Comcast is not above forging packets to make them look as if they came from a different host. Recall the forged reset packet BitTorrent fiasco where Comcast was caught red-handed forging reset packets from hosts outside their network. If the traffic passes through the network of Comcast on an unsecured connection then it is vulnerable to tampering, and with advanced packet shaping and inspection devices and software just about anything is possible, including interception and impersonation of a complete DNS exchange. Comcast has already shown that they are not above forging packets, so they must be regarded with suspicion whenever funny business appears to be going on with traffic traversing their networks.

    21. Re:Not happening to me by cprincipe · · Score: 3, Insightful

      This is retarded.

      I point my router's DNS to OpenDNS.org and everything works great. If I type a BS domain I get the OpenDNS search page.

      One idiot's Wordpress blog is enough to make it to the front page? I mean, I think Comcast is the devil incarnate, but there are plenty of legitimate reasons to hate them without making up BS stories.

      --

      bun-fhuinneog agam!

    22. Re:Not happening to me by TheSpoom · · Score: 3, Interesting

      Except that he actually received and sent the packets on the server and verified as such.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    23. Re:Not happening to me by Iphtashu+Fitz · · Score: 2, Informative

      I've had my Comcast IP (outside Boston) change about 2 or 3 times on me in the span of about 5 years. It doesn't happen often, but it does. I believe it's only been when they need to add capacity to an area.

    24. Re:Not happening to me by bsdaemonaut · · Score: 2, Interesting

      Assuming you have control of a decent firewall on both ends you can just reroute all your outbound traffic on port 53 to something of your choosing (let's say 16053) and then reroute the inbound traffic from 16053 to 53.

    25. Re:Not happening to me by __aasqbs9791 · · Score: 5, Funny

      Then that's even worse! It means Comcast must have hacked his server to falsify the logs! /s

    26. Re:Not happening to me by x4r · · Score: 2, Funny

      dance or you dont alien. eat or you dont starving. make love or go war. fly airplanes or flying saucer. listen Elvis or BB King.

    27. Re:Not happening to me by sjames · · Score: 2, Informative

      Same here. I routinely test work DNS servers from home (on Comcast). They include non-public domains that will not resolve anywhere else. Other zones may differ from what the authoritative nameserver would answer.

      They may be intercepting DNS somewhere, but not here in Atlanta.

    28. Re:Not happening to me by hairyfeet · · Score: 2, Interesting

      I know you are probably just trying to troll Mr Coward but I don't think you've ever used OpenDNS. I admit my spelling is pretty bad and I have a tendency to bump adjacent keys when I am typing fast, and I don't think I've seen the OpenDNS page twice in two years. They really do give it a "best effort" to try and figure out what you were looking for before giving up. Now compare that to the Comcast one where, from what I understand, if you get even one letter off you are going to be staring at their ad server.

      I've found OpenDNS to be faster, safer, and more reliable than my local ISP. If the cost of that is seeing an ad page once a year when I type something so horribly bad that their DNS server goes "WTF?" then so be it, and I'm guessing the above poster feels the same. So why not try OpenDNS for a week? It's free and you might like it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    29. Re:Not happening to me by nschubach · · Score: 2, Funny

      ^
      |
      |
        \
          \
            \
              \
      I clicked on that and all I got was a lousy web form.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    30. Re:Not happening to me by alta · · Score: 4, Informative

      Comcast is using nearly off the shelf DHCP with really long expiry times. When you get an IP, you'll have it for months, and usually don't lose it until those months have passed AND you reboot your equipment and get a new IP.

      DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independent of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly. Unlike a direct link, PPPoE must renegotiate every time there's a momentary signal loss, just like dialup would do.

      From what I've read, they use PPPoE because it's the easiest way to enable/disable users in real time via a RADIUS server. Comcast has to use more complicated methods to kill accounts (in some places, even send out a truck to put on a filter).

      --
      Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
    31. Re:Not happening to me by number11 · · Score: 2, Informative

      DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independent of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly.

      Depends on where you are. With Qwest (and a local third party ISP) I've had the same IP number since I got the service, maybe 10 years ago. That's regular consumer-grade (1.5M/1.0M) DSL. The reverse DNS lookup gives a name that has my ISP username embedded into it.

    32. Re:Not happening to me by Koby77 · · Score: 2, Insightful

      When the DNS servers don't work at all, as the article complains, then no.

  2. Not happening here by jimmyhat3939 · · Score: 2, Informative

    I have several domains I run on a private DNS server that I access from my house using Comcast. I haven't experienced this. I'm in California if it matters.

    I suppose users could tunnel DNS over some other port if they had to.

    --
    Free Conference Call -- No Spam, High Quality
    1. Re:Not happening here by Shakrai · · Score: 3, Interesting

      I suppose users could tunnel DNS over some other port if they had to.

      I route all of my DNS requests through a VPN to the DNS server at my office. Not everybody has this luxury though. I wonder if OpenDNS would be inclined to set up a VPN solution for people stuck with an ISP as arrogant as Comcast?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Not happening here by mcgrew · · Score: 4, Interesting

      I'm wondering how this post ever made it to the slashdot front page. I haven't RTFM, but as it's from the domain comcastfuckingwithyourport53traffic.wordpress.com I don't see any reason to lend it credence.

      The comments to this story say a lot, almost as much as the domain the story links to. Somebody screwed up posting this.

    3. Re:Not happening here by Anonymous Coward · · Score: 3, Funny

      Somebody screwed up posting this.

      Posted by kdawson on 02:11 PM -- Tuesday June 09 2009

      Why am I not surprised.

    4. Re:Not happening here by harryandthehenderson · · Score: 2, Funny

      Yep. His quota is "as many as possible".

  3. Fuck `Em All by Cpt_Kirks · · Score: 5, Funny

    When Comcast took over from Time Warner here, I bailed.

    I mean, Time Warner is evil. AT&T (who I switched to), is evil.

    But Comcast is Motherfucking Sith Lord EVIL.

    Scary fucking eeeeevil. Nazi evil. RIAA evil.


    1. Re:Fuck `Em All by Em+Emalb · · Score: 5, Funny

      So what are you trying to say?

      C'mon man, stop beating around the bush and get to your point.

      --
      Sent from your iPad.
    2. Re:Fuck `Em All by Itninja · · Score: 4, Funny

      I think the parent was just using a bit of hyperbole there. Also, it appears he only has a limited understanding of what the word 'evil' means. And the word 'fuck'. And, well, he just don't appear to be that bright in general.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    3. Re:Fuck `Em All by CorporateSuit · · Score: 3, Insightful

      From your post, I don't think you're aware that Time Warner is actually one of the presiding members of the RIAA (and the MPAA).

      --
      I am the richest astronaut ever to win the superbowl.
    4. Re:Fuck `Em All by Trivial_Zeros · · Score: 2, Funny

      It's not evil... It's Comcastic!

    5. Re:Fuck `Em All by bretticus · · Score: 5, Funny

      Don't make fun of Poland.

    6. Re:Fuck `Em All by interkin3tic · · Score: 4, Funny

      C'mon man, stop beating around the bush and get to your point.

      It had something to do with star wars. The sith lord part tipped me off.

    7. Re:Fuck `Em All by Cpt_Kirks · · Score: 2, Funny

      It's funny because Comcast has been the most reliable ISP I've ever had.

      Well, Mussolini made the trains run on time.

      (Next up, a Hirohito reference. Stay tuned!)

    8. Re:Fuck `Em All by RulerOf · · Score: 4, Informative

      group sex with Oprah Winfrey, Rosie O'Donnell, Roseanne Barr and Chelsea Clinton

      That's the absolute worst thing I've read in a long time.

      Well done, sir.

      --
      Boot Windows, Linux, and ESX over the network for free.
    9. Re:Fuck `Em All by docbrody · · Score: 2, Funny

      mod ^ funny, very funny

  4. That's a negative by jjb3rd · · Score: 5, Funny

    I'm a comcast user and it works for me...perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait this is Slashdot...nevermind.

  5. I really am hoping this is NOT a gullibility test by way2trivial · · Score: 2, Informative

    My connection is comcast for biz-- go crazy- I took out my last subnet

    The ICSI Netalyzr Beta
    Introduction Analysis Results
    Result Summary
    74-92-106-XXX-Philadelphia.hfc.comcastbusiness.net / 74.92.106.XXX
    Recorded at 14:15 EDT (18:15 UTC) on Tue, June 09 2009. Permalink. Transcript.
    Noteworthy Events
    Minor Aberrations

    Certain protocols are blocked in outbound traffic
    Address-based Tests
    NAT detection: NAT Detected

    Your global IP address is 74.92.106.XXX while your local one is 192.168.15.XX. You are behind a NAT. Your local address is in unroutable address space.

    Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

    DNS-based host information: OK

    You are not a Tor exit node for HTTP traffic.
    You are not listed on any Spamhaus blacklists.
    The SORBS DUHL believes you are using a statically assigned IP address.
    Reachability Tests
    General connectivity: Note

    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed.
    The applet was also able to directly request a large DNS response.
    Direct UDP access to remote MSSQL servers (port 1434) is allowed.
    Direct TCP connections to remote FTP servers (port 21) failed.
    This is commonly due to how a NAT or firewall handles FTP traffic, as FTP causes unique problems when developing NATs and firewalls.
    Direct TCP access to remote SSH servers (port 22) is allowed.
    Direct TCP access to remote SMTP servers (port 25) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote HTTP servers (port 80) is allowed.
    Direct TCP access to remote POP servers (port 110) is allowed.
    Direct TCP access to remote RPC servers (port 135) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote NetBIOS servers (port 139) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote IMAP servers (port 143) is allowed.
    Direct TCP access to remote SNMP servers (port 161) is allowed.
    Direct TCP access to remote HTTPS servers (port 443) is allowed.
    Direct TCP access to remote SMB servers (port 445) is blocked.
    This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
    Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
    Direct TCP access to remote secure IMAP servers (port 585) is allowed.
    Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
    Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
    Direct TCP access to remote POP/SSL servers (port 995) is allowed.
    Direct TCP access to remote SIP servers (port 5060) is allowed.
    Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
    Network Access Link Properties
    Network latency measurements: Latency: 26ms Loss: 0.0%

    The round-trip time (RTT) between your computer and our server is 26 msec, which is good.
    We recorded no packet loss between your system and our server.
    TCP connection setup latency: 29ms

    The time it takes your computer to set up a TCP connection with our server is 29 msec, which is good.
    Network bandwidth measurements: Upload 4.3 Mbit/sec, Download 7.1 Mbit/sec

    Your Uplink: We measured your uplink's sending bandwidth at 4.3 Mbit/sec. This level of bandwidth works well for many users.
    Your Downlink: We measured your downlink's receiving bandwidth at 7.1 Mbit/sec. This level of bandwidth works well for many users.
    Network buffer measurements: Uplink 229 ms, Downlink 220 ms

    We estimate your uplink as having 230 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic.
    We estimate your

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  6. Re:Using OpenDNS on Comcast by CompSci101 · · Score: 4, Informative

    Likewise in Southern New Jersey (and Philadelphia before this -- the very heart of Comcast darkness)

    I get OpenDNS error pages for nonexistent domains.

    --
    The Sun is proof that we can't even do fire properly.
  7. DNS-Based Filtering by Bicx · · Score: 2, Interesting

    So does this mean that my DNS-based filtering through OpenDNS would stop? If so, my kids could be stumbling onto porn, malware, and dangerous sites that I was trying to shield them from. Thanks Big Brother! That's just awesome. No, that's Comcastic!

  8. Re:DNSSEC? by ScytheBlade1 · · Score: 4, Informative

    DNSSEC is validated at the resolver level. However, even if you run your own local DNS resolver, DNSSEC wouldn't come into play -- Comcast can simply strip the KEY/RRSIG records entirely before sending them to you -- leaving your resolver thinking that the zone has no DNSSEC records at all (at which point, they are blindly accepted as valid).

    I'd imagine that there is an option somewhere in bind to only accept signed records (and if not, there will be eventually I'm sure), but even if Comcast wasn't futzing with your dataz, you wouldn't have a functional internet.

    (I'm on comcast, and am not seeing this redirection. I also run a local DNS resolver.)

  9. Comcast results in Houston, TX by macklin01 · · Score: 3, Informative

    Here are the ICSI results. Results are from a PC behind a bog-standard Linksys WRT-54g, for what it's worth.

    Not my field, but I see Direct TCP access to remote DNS servers (port 53) is allowed. I'll leave it to the networking experts to pick through the rest of the report.

    --
    OpenSource.MathCancer.org: open source comp bio
  10. Netalyzer results by MostAwesomeDude · · Score: 2, Interesting

    http://netalyzr.icsi.berkeley.edu/restore/id=ae8199f5-18807-f5eeee66-ce59-42a4-8803

    Note that my DNS servers are Level3 servers (4.2.2.2, 4.2.2.4) since they are much faster than Comcast DNS.

    --
    ~ C.
  11. Re:Confirmed. by Presto+Vivace · · Score: 3, Funny

    Wow, it's as if Comcast was trying to set a record of some sort for bad customer relations.

  12. Damn! That may stop my plan...... by whoever57 · · Score: 3, Funny

    Last time I had some spare time in an airport, I found that the T-Mobile hotspot allowed 53/UDP traffic out, so I was thinking of setting up openvpn on port 53 (instead of its usual 1194) in order to access my home machines (without a T-Mobile login). If Comcast intercepts this traffic, my evil plan won't work!

    --
    The real "Libtards" are the Libertarians!
    1. Re:Damn! That may stop my plan...... by Guanix · · Score: 3, Interesting

      Have you heard of IP over DNS? The DNStunnel software sends IP packets as TXT records over a real DNS, the client sends data in the request itself. Since these are real resolvable DNS records, proxying port 53 won't work. When I tried this software, I could only get a single stream over the tunnel, so I ran SSH over the DNStunnel and used ssh to forward a TCP port that I then ran OpenVPN on. This actually works, but it is very slow. And I can imagine that people would eventually find out because the wifi provider's DNS cache will fill up with IP data.

  13. OpenDNS by Clipless · · Score: 2, Interesting

    A good friend of mine was using OpenDNS on Comcast and one day, without warning, his internet service was cut off.
    When he called the phone rep said that Comcast had disabled his internet because he was not using their DNS server and that if he wanted to have Comcast as a provider he had no choice but to use DNS servers provided by DHCP!

  14. Is this happening for ANYONE? by Itninja · · Score: 5, Insightful

    Was the original poster a shill for some other ISP or what? An anonymous user submits a story decrying a great technical wrong by Comcast, that no one appears to be able to reproduce. So a little fact check action might be in order here. Up next, "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!"

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Is this happening for ANYONE? by nweaver · · Score: 2, Informative

      This is probably your NAT. We see such behavior among random visitors, but not those restricted to Comcast, and only a few Comcast-based visitors show this behavior.

      --
      Test your net with Netalyzr
  15. Re:Just run BIND in your computer by argent · · Score: 3, Informative

    And your recursive DNS server performs its own lookups via requests on port 53 to the root servers, which get intercepted by Comcast, ...

  16. Falsely advertising "Internet access" by davidwr · · Score: 2, Interesting

    Are you buying "Internet access" or something else? If you bought "Internet access" and you aren't getting it that's breach of contract. Odds are you are buying "partial Internet access as spelled out by the terms and conditions" which is probably not "Internet access."

    Are they advertising "Internet access" or something else? If they are advertising "Internet access" and not delivering, that's false advertising. Unfortunately, it takes either deep pockets or a friend in your friendly neighborhood Attorney General's office to fight this battle.

    Of course, most major ISPs haven't delivered "Internet access" to home users for years. They routinely block port 25 and other widely-abused ports, and some throttle traffic in ways that are not non-discriminatory. Business users, especially big business users, usually can get real Internet access but they have to pay.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  17. errmm... by Tmack · · Score: 2, Informative
    Most dns traffic uses UDP

    TCP is generally only used for excessively large requests or zone transfers

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
  18. Official Response by ComcastBonnie · · Score: 4, Informative

    Hey guys, I just caught this on Twitter, and I can confirm that we do not and have not hijacked any DNS traffic in our network and certainly not to 3rd party resolvers. 'nuff said. I spoke with our DNS engineering folks, and they have confirmed. If you would like to contact me, I'm @ComcastBonnie on Twitter.

    1. Re:Official Response by Linux_ho · · Score: 4, Insightful

      Even assuming you're a real Comcast representative, why should we believe anything any Comcast rep says, after witnessing the series of lies, stonewalling, and misdirection Comcast produced after being accused of interfering with BitTorrent traffic, and then again after being caught red-handed interfering with BitTorrent traffic?

      --
      include $sig;
      1;
  19. As one of the authors of Netalyzr... by nweaver · · Score: 5, Interesting

    We have not seen any redirection issues with Comcast users' DNS settings.

    Questions on netalyzr itself will be answered in this thread.

    --
    Test your net with Netalyzr
    1. Re:As one of the authors of Netalyzr... by nweaver · · Score: 4, Informative

      A colleague who knew about our launch told us we just got slashdotted.

      We actually WANT to get slashdotted, because that helps us measure the network.

      --
      Test your net with Netalyzr
    2. Re:As one of the authors of Netalyzr... by wren337 · · Score: 2, Interesting

      Looks like wowway is hijacking www.google.com, capturing the search and then doing a 302 to the actual search page (?)

      http://netalyzr.icsi.berkeley.edu/restore/id=4b65aebb-24385-1985f52c-c397-4cc4-b780

  20. So let me see if I have this straight... by BaronHethorSamedi · · Score: 5, Informative

    An anonymous reader submits a "story" linking to a random blog spouting off rumors about a nefarious scheme by Comcast to redirect port traffic. The "story" is then published under a headline asserting the rumor as fact, while the summary is actually a plea for the fact-checking on the story to be done by readers.

    News for nerds, indeed.

    1. Re:So let me see if I have this straight... by Alzheimers · · Score: 4, Insightful

      Welcome to the new Media Democracy.

  21. Re:Not surprised by nomel · · Score: 2, Insightful

    No...it's anti-anyonebutnormalcustomer behavior. The people running dns servers are probably 0.000001% of internet users....the rest are probably just infected machines.

    The question is *why* do they care about filtering DNS traffic? Do they offer this service as a paid service elsewhere, costing them *money*? Or is it simply to try to get a handle on worms and malware, which use tons of bandwidth for a network as big as Comcast, costing them *tons of money*.

    They have a profit based mindset...it shouldn't be hard to figure out why they're doing it. If the cost from malware is more than the loss of a portion of a fairly insignificant customer base that in reality probably costs them what several regular users cost, then they'll choose to block the port!

    At one point I called support and asked what kind of account I would need to legally (in terms of usage agreement: no servers allowed) run a website. They said I'd have to go elsewhere to a *hosting company*. That's probably what they'll tell you here.

    I think as much as we complain, in the end, if you want a direct and unfiltered, higher risk, and more expensive to maintain connection to the internet, you'll have to...pay more....just like if you want to use 5x the bandwidth of a normal user, you'll have to pay more.

    I like the idea of the internet being a standard connection, wide open and the same anywhere...but that's not going to happen without regulatory laws, cause it doesn't make much business sense.

  22. Port 53 Rerouted in Seattle :| by stacysmomsmokesabong · · Score: 2, Interesting

    I can verify this is happening in Lynnwood, WA - just north of Seattle - on my Comcast residential connection. First port 25 is blocked, now 53 is being rerouted? GD Comcast is a bunch of toolsheds.

    My working third party server connected to the dummy DNS server just fine, while my home Comcast connected PCs couldn't. Tested in Windows 2008, Gentoo and Windows XP @ home - same results on all 3.

    Netalyzr results: here

    1. Re:Port 53 Rerouted in Seattle :| by nweaver · · Score: 3, Informative

      Your netalyzr results show no DNS issues in the link you posted, using a Comcast DNS server:

      c-24-22-147-111.hsd1.wa.comcast.net / 24.22.147.111

      Direct UDP access to remote DNS servers (port 53) is allowed.
      The applet was also able to directly request a large DNS response.

      The IP address of your ISP's DNS Resolver is 68.87.69.147,
      which resolves to bvrt-cns01.beaverton.or.bverton.comcast.net.

      Your ISP correctly leaves non-resolving names untouched.

      --
      Test your net with Netalyzr
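The "dummy DNS server" experiment described above, and the "Direct UDP access to remote DNS servers (port 53)" check that Netalyzr reports, both reduce to one question: does a query sent to a resolver you control come back answered by that resolver? The following is an added example (Python; not code from the thread, from Comcast or from Netalyzr) that builds and parses raw DNS messages so the test depends on neither a library nor `dig`. A minimal authoritative responder answers every query with a sentinel address (192.0.2.53 from TEST-NET-1, an assumption of this example, as is the query name `probe.example`); the client sends one UDP query and classifies the result as `direct`, `intercepted`, `bad-txid` or `timeout`. Run the server on a host outside the ISP's network and point `probe()` at its public IP; `run_local_experiment()` wires both ends to 127.0.0.1 so it runs with no network at all.

```python
import random
import socket
import struct
import threading

SENTINEL_IP = "192.0.2.53"  # assumed sentinel answer, TEST-NET-1 (RFC 5737)

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if jumped else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
        elif length == 0:
            return ".".join(labels), end if jumped else offset + 1
        else:
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def build_query(txid, name, qtype=1):
    """Standard query (RD=1) for one A record: 12-byte header then question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_answer(query, ip):
    """Authoritative NOERROR reply with a single A record for the queried name."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]           # QNAME + QTYPE + QCLASS, echoed back
    rflags = 0x8400 | (flags & 0x0100)      # QR=1, AA=1, RD copied, RCODE=0
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    # name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rr

def parse_response(resp):
    """Return (txid, rcode, [A-record IPs]) from a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    offset = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, offset = decode_name(resp, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = decode_name(resp, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[offset:offset + 4]))
        offset += rdlen
    return txid, flags & 0x000F, ips

def classify(txid, resp):
    """'direct' only if the reply carries our txid and exactly the sentinel."""
    rtxid, rcode, ips = parse_response(resp)
    if rtxid != txid:
        return "bad-txid"
    if rcode == 0 and ips == [SENTINEL_IP]:
        return "direct"
    return "intercepted"

def probe(server_ip, port=53, name="probe.example", timeout=3.0):
    """Send one query to the dummy server and classify what comes back."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, name), (server_ip, port))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify(txid, resp)

def serve_once(sock):
    """The dummy server: answer one query with the sentinel address."""
    data, peer = sock.recvfrom(512)
    sock.sendto(build_answer(data, SENTINEL_IP), peer)

def run_local_experiment():
    """Both ends on 127.0.0.1 (no network needed); expected verdict 'direct'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    threading.Thread(target=serve_once, args=(srv,), daemon=True).start()
    verdict = probe("127.0.0.1", port=srv.getsockname()[1])
    srv.close()
    return verdict

if __name__ == "__main__":
    print(run_local_experiment())
```

The verdict is based on the answer's content rather than on the reply's source address, because a transparent interceptor that grabs port 53 in the path answers with your server's IP as its source anyway. A middlebox that merely forwards the query to your server and passes the reply back unchanged would still read as `direct`; checking the server's own query log for the arrival, as the commenter above did with a "working third party server", closes that gap. A `timeout` means either that the port is blocked outright or that the server never received the packet, which the server-side log also distinguishes.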
  23. Re:Confirmed. by Plumber,+Programmer, · · Score: 2, Insightful

    Confirmed by an AC. Well, that's solid.

  24. Test market? by irving47 · · Score: 3, Interesting

    I don't see anyone else mentioning this, but it seems they could be using a particular area to test this "policy"

    --
    I had a sucky sig.
  25. "Official Response" by rednip · · Score: 4, Insightful

    Wow it's nice to know that Comcast has both a twitter account and a brand new Slashdot account. Oh, it's most likely that you're an employee (maybe tech support), I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication? If so, I'd suggest a listing on the main corporate 'contacts' page, so that it'd be easy to verify it as 'official'. Also, the DNS team (or even the guy on duty) might not be complicit in the skulduggery, so your assessment might not be correct.

    --
    The force that blew the Big Bang continues to accelerate.
    1. Re:"Official Response" by fluxrad · · Score: 4, Informative

      I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication?

      Yes she is. She's handled one of my responses before. Recently corporations have started hiring "social networking" types to answer questions on places like Twitter, Facebook et al. It would seem Slashdot is another one of these venues.

      --
      "It is seldom that liberty of any kind is lost all at once." -David Hume
    2. Re:"Official Response" by minerat · · Score: 2, Informative

      Comcast has been using twitter for a while now, under the @ComcastCares account. Multiple Comcast employees monitor twitter streams for complaints and are empowered to take action to resolve issues. ComcastBonnie (as well as a few others) are authorized (cs? pr?) representatives for Comcast. Given that her twitter page says the same thing as her post, you can probably take it at face value.

      --
      ...and you've eaten your pen. simply stunning.
    3. Re:"Official Response" by Armarius · · Score: 2, Informative

      I can confirm that ComcastBonnie is an authorized Comcast rep. I've dealt with @comcastcares on Twitter (Frank Eliason) and Bonnie is part of that team. Frank helped me cut through some BS with my local Comcast office about a year ago. They look on the Internet for folks with complaints about Comcast, such as my blog post a year ago, and are pretty quick with the Twitter responses these days. And apparently Slashdot responses as well. @LibraryMonk

    4. Re:"Official Response" by bughunter · · Score: 3, Funny

      Great, so now we can add "-1, Meatpuppet" to the list of needed moderation tags.

      --
      I can see the fnords!
    5. Re:"Official Response" by TheSlashaway · · Score: 3, Funny

      ComcastBonnie can be reached at comcast.bonnie@verizon.com...

  26. Tweet by Presto+Vivace · · Score: 2, Interesting

    Comcast denies that it is doing this http://twitter.com/ComcastBonnie/status/2092813922

  27. Re:Not surprised by Kadin2048 · · Score: 4, Insightful

    The only way I can imagine they'd profit from this is by blocking access to alternative DNS servers like OpenDNS, or even just putting in well-known public DNS servers like 4.2.2.2, so that they can intercept unknown requests and return ad-laden pages instead. Basically typosquatting.

    Various ISPs have gone down this road before. (Rogers Cable has tried, and so has Road Runner.) Unfortunately -- for the shady ISPs, anyway -- it's easy for annoyed users to get around these schemes; they can just configure their computer or NATing router to use a different DNS server besides the one supplied by the ISP via DHCP.

    By transparently redirecting all DNS requests to their own servers, Comcast would eliminate this method of circumventing their advertising. They could also block sites at the DNS level much more easily than before.

    A lot of censorship schemes (ab)use DNS in order to return a bogus result to a query; these schemes aren't very good, though, because any user with two brain cells to rub together and the tiniest bit of motivation can change their DNS configuration to use clean servers instead. By doing transparent redirection, you prevent this.

    Those strike me as the two obvious reasons. The profit-motivated one (squatting on failed DNS queries) is annoying and causes many non-web applications to fail or behave improperly, but it's not nearly as bad as the censorship-motivated one is. However, the same technique that makes failed-lookup ads harder to avoid could easily be used as part of a censorship scheme if demanded by the government. It's important that even casual Internet users (who may not really care about returning a "page not found" web page instead of the normal browser message) understand why letting their ISP monkey with DNS lookups is a Really Bad Idea.

    In both cases you can get around the hijacking by using a VPN and forcing DNS queries though it, but that's significantly harder than changing from automatically-assigned DNS servers to well-known ones like OpenDNS's or Verisign's.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  28. Not blocking in NY by grimace123_99 · · Score: 2, Informative

    Comcast DNS is working as expected in Upstate NY. I use OpenDNS from home (Comcast cable service) and all is working as expected; I can review my OpenDNS logs and see that it is indeed serving me DNS.

  29. TWX is MPAA, but not RIAA or cable by tepples · · Score: 2, Informative

    From your post, I don't think you're aware that Time Warner is actually one of the presiding members of the RIAA (and the MPAA).

    Time Warner is a member of the MPAA. It is not a major record label; it spun off Time-Life Records in 2003 and Warner Music Group in February 2004. It is not a cable company; it spun off Time Warner Cable in March 2009.

  30. Disregard; ORSN is SK by Kadin2048 · · Score: 3, Informative

    Apparently the ORSN project has been shut down, at least for the moment, due to lack of involvement and resources.

    Some of the servers continue to operate, but it was officially discontinued as of 31 Dec 2008. Too bad.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  31. Re:Not surprised by delta98 · · Score: 2, Funny

    Was gonna type something snarky here but it's best to let things go for now.

  32. try democracy by emj · · Score: 2, Informative

    having your own police helps.