Comcast Intercepts and Redirects Port 53 Traffic

← Back to Stories (view on slashdot.org)

Comcast Intercepts and Redirects Port 53 Traffic

Posted by kdawson on Tuesday June 9, 2009 @06:11AM from the why-we-need-ipv6 dept.

An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.

33 of 527 comments (clear)

Not happening to me by jimmyhat3939 · 2009-06-09 06:13 · Score: 5, Informative

I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

--
Free Conference Call -- No Spam, High Quality
1. Re:Not happening to me by Shakrai · 2009-06-09 06:20 · Score: 5, Interesting
  
  I'm a Comcast user, and I run a DNS server for a few private domains that only I use
  Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP? If it's a business account than I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
2. Re:Not happening to me by CodeBuster · 2009-06-09 06:26 · Score: 5, Interesting
  
  Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server (i.e. forging the response packets so that they appear to come from your server) then the only way to tell would be to place a deliberately wrong IP entry for a well known address on your server (i.e. something that Comcast wouldn't know about) and then run the query again to see if you get the wrong result (no redirection or impersonation) OR if you get the expected result (redirection or impersonation). Also, they might only be forwarding queries that they don't recognize to your server so that any custom or unusual queries hit your server but stuff like google.com is answered by their server(s).
3. Re:Not happening to me by whoever57 · 2009-06-09 06:37 · Score: 5, Informative
  
  Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server
  I'm certain. I sent a query to a DNS server that I control. I ran tcpdump on the DNS server and I could see the packets from my home IP address coming in with the query and the refusal going out (I asked the DNS server that I control to resolve yahoo.com, which it should refuse to do).
  
  --
  The real "Libtards" are the Libertarians!
4. Re:Not happening to me by EvilBudMan · 2009-06-09 06:38 · Score: 4, Informative
  
  They are blocking port 53 it appears here in Virginia.
  --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
  The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
  The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--
  I don't know about them hijacking it though. I'm not sure what causing it yet.
  Look this way for more info:
  |
  |
  |
  \
  \
  V
5. Re:Not happening to me by EvilBudMan · 2009-06-09 06:47 · Score: 5, Interesting
  
  Funny,
  Here are the results from a static IP:
  --Knoxville.hfc.comcastbusiness.net --
  --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
  The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
  The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--
  There might be some other issues here:
  http://www.auditmypc.com/port/udp-port-53.asp
6. Re:Not happening to me by mea37 · 2009-06-09 06:48 · Score: 5, Insightful
  
  Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server? (Since, you know, the ISP routers would never even see the traffic if it were?)
7. Re:Not happening to me by whoever57 · 2009-06-09 07:01 · Score: 5, Informative
  
  Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server?
  The machine from which I sent the request is connected to a Comcast residential Cable Internet connection. The server at the other end is a virtual machine in a colo facility somewhere -- not a Comcast facility. And before anyone asks, I tried both tcp and udp requests with the same result (no interception, no transparent proxy).
  
  --
  The real "Libtards" are the Libertarians!
8. Re:Not happening to me by The+Moof · 2009-06-09 07:06 · Score: 4, Insightful
  
  Isn't that the point of this outrage?
  More like intercepting traffic that isn't destined for Comcast as if it were. You're not attempting to contact Comcast in any way, but that's where the traffic is ending up.
  
  Let's say Comcast, for some reason, suddenly decides that your site should no longer be reachable (by name), they could start intercepting DNS requests for your site and returning domain not found. Or worse, redirecting you to a site they find more "suitable."
9. Re:Not happening to me by darthservo · 2009-06-09 07:26 · Score: 5, Funny
  
  Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server
  Thanks alot. Now I'm going to get slashdotted.
  
  --
  Prove it.
10. Re:Not happening to me by Zetta+Matrix · 2009-06-09 07:32 · Score: 5, Insightful
  
  Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?
  Actually, no. We've been outraged about that before. It's one thing if I use someone's server and it typojacks me due to a wildcard entry in the name tables. The alleged behavior we're discussing actually prevents* the user from using another nameserver outside of that ISP in order to sidestep the problem.
  * (well, makes more difficult, requiring tunneling or something like that)
  For quite awhile I've had the feeling that DNS will eventually be brokered through P2P/DHTs/etc with digitally signed payloads, and this type of behavior only makes that idea more appropriate.
11. Re:Not happening to me by __aasqbs9791 · 2009-06-09 08:41 · Score: 5, Funny
  
  Then that's even worse! It means Comcast must have hacked his server to falsify the logs! /s
12. Re:Not happening to me by alta · 2009-06-09 09:52 · Score: 4, Informative
  
  Comcast is using nearly off the shelf DHCP with really long expires times. When you get an IP, you'll have it for months, and usually don't loose it until those months have passed AND you reboot your equipment and get a new IP.
  DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independant of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly. Unlike a direct link, PPPoE must renegotiate every time there's a momentary signal loss, just like dialup would do.
  From what I've read, they use PPPoE because it's the easiest way to enable/disable users in real time via a RADIUS server. Comcast has to use more complicated methods to kill accounts (in some places, even send out a truck to put on a filter)
  
  --
  Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
Fuck `Em All by Cpt_Kirks · 2009-06-09 06:18 · Score: 5, Funny

When Comcast took over from Time Warner here, I bailed.
I mean, Time Warner is evil. AT&T (who I switched to), is evil.
But Comcast is Motherfucking Sith Lord EVIL.
Scary fucking eeeeevil. Nazi evil. RIAA evil.
1. Re:Fuck `Em All by Em+Emalb · 2009-06-09 06:20 · Score: 5, Funny
  
  So what are you trying to say?
  C'mon man, stop beating around the bush and get to your point.
  
  --
  Sent from your iPad.
2. Re:Fuck `Em All by Itninja · 2009-06-09 06:26 · Score: 4, Funny
  
  I think the parent was just using a bit of hyperbole there. Also, it appears he only has a limited understanding of what the word 'evil' means. And the word 'fuck'. And, well, he just don't appear to be that bright in general.
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
3. Re:Fuck `Em All by bretticus · 2009-06-09 06:32 · Score: 5, Funny
  
  Don't make fun of Poland.
4. Re:Fuck `Em All by interkin3tic · 2009-06-09 06:36 · Score: 4, Funny
  
  C'mon man, stop beating around the bush and get to your point.
  It had something to do with star wars. The sith lord part tipped me off.
5. Re:Fuck `Em All by RulerOf · 2009-06-09 08:55 · Score: 4, Informative
  
  group sex with Oprah Winfrey, Rosie O'Donnell, Roseanne Barr and Chelsea Clinton
  
  That's the absolute worst thing I've read in a long time.
  
  Well done, sir.
  
  --
  Boot Windows, Linux, and ESX over the network for free.
That's a negative by jjb3rd · 2009-06-09 06:18 · Score: 5, Funny

I'm a comcast user and it works for me...perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait this is Slashdot...nevermind.
Re:Using OpenDNS on Comcast by CompSci101 · 2009-06-09 06:22 · Score: 4, Informative

Likewise in Southern New Jersey (and Philadelphia before this -- the very heart of Comcast darkness)
I get OpenDNS error pages for nonexistent domains.

--
The Sun is proof that we can't even do fire properly.
Re:Not happening here by mcgrew · 2009-06-09 06:25 · Score: 4, Interesting

I'm wondering how this post ever made it to the slashdot front page. I haven't RTFM, but as it's from the domain comcastfuckingwithyourport53traffic.wordpress.com I don't see any reason to lend it credence.
The comments to this story say a lot, almost as much as the domain the story links to. Somebody screwed up posting this.

--
Free Martian Whores!
Re:DNSSEC? by ScytheBlade1 · 2009-06-09 06:25 · Score: 4, Informative

DNSSEC is validated at the resolver level. However, even if you run your own local DNS resolver, DNSSEC wouldn't come into play -- Comcast can simply strip the KEY/RRSIG records entirely before sending them to you -- leaving your resolver thinking that the zone has no DNSSEC records at all (at which point, they are blindly accepted as valid).
I'd imagine that there is an option somewhere in bind to only accept signed records (and if not, there will be eventually I'm sure), but even if Comcast wasn't futzing with your dataz, you wouldn't have a functional internet.
(I'm on comcast, and am not seeing this redirection. I also run a local DNS resolver.)
Is this happening for ANYONE? by Itninja · 2009-06-09 06:34 · Score: 5, Insightful

Was the original poster a shill for some other ISP or what? An anonymous user submits a story decrying a great technical wrong by Comcast, that no one appears to be able to reproduce. So a little fact check action might in order here. Up next, "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!

--
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Official Response by ComcastBonnie · 2009-06-09 06:40 · Score: 4, Informative

Hey guys, I just caught this on Twitter, and I can confirm that we do not and have not hijacked any DNS traffic in our network and certainly not to 3rd party resolvers. 'nuff said. I spoke with our DNS engineering folks, and they have confirmed. If you would like to contact me, I'm @ComcastBonnie on Twitter.
1. Re:Official Response by Linux_ho · 2009-06-09 08:55 · Score: 4, Insightful
  
  Even assuming you're a real Comcast representative, why should we believe anything any Comcast rep says, after witnessing the series of lies, stonewalling, and misdirection Comcast produced after being accused of interfering with BitTorrent traffic, and then again after being caught red-handed interfering with BitTorrent traffic?
  
  --
  include $sig;
  1;
As one of the authors of Netalyzr... by nweaver · 2009-06-09 06:42 · Score: 5, Interesting

We have not seen any redirection issues with Comcast user's DNS settings.
Questions on netalyzr itself will be answered in this thread.

--
Test your net with Netalyzr
1. Re:As one of the authors of Netalyzr... by nweaver · 2009-06-09 07:57 · Score: 4, Informative
  
  A colleague who knew about our launch told us we just got slashdotted.
  We actually WANT to get slashdotted, because that helps us measure the network.
  
  --
  Test your net with Netalyzr
So let me see if I have this straight... by BaronHethorSamedi · 2009-06-09 06:43 · Score: 5, Informative

An anonymous reader submits a "story" linking to a random blog spouting off rumors about a nefarious scheme by Comcast to redirect port traffic. The "story" is then published under a headline asserting the rumor as fact, while the summary is actually a plea for the fact-checking on the story to be done by readers.

News for nerds, indeed.
1. Re:So let me see if I have this straight... by Alzheimers · 2009-06-09 06:56 · Score: 4, Insightful
  
  Welcome to the new Media Democracy.
"Official Response" by rednip · 2009-06-09 07:25 · Score: 4, Insightful

Wow it's nice to know that Comcast has both a twitter account and a brand new Slashdot account. Oh, it's most likely that you're an employee (maybe tech support), I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication? If so, I'd suggest a listing on the main corporate 'contacts' page, so that it'd be easy to verify it as 'official'. Also, the DNS team (or even the guy on duty) might not be complicit in the skulduggery, so your assessment might not be correct.

--
The force that blew the Big Bang continues to accelerate.
1. Re:"Official Response" by fluxrad · 2009-06-09 07:47 · Score: 4, Informative
  
  I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication?
  Yes she is. She's handled one of my responses before. Recently corporations have started hiring "social networking" types to answer questions on places like twitter, facebook et al. It would Slashdot is another one of these venues.
  
  --
  "It is seldom that liberty of any kind is lost all at once." -David Hume
Re:Not surprised by Kadin2048 · 2009-06-09 07:30 · Score: 4, Insightful

The only way I can imagine they'd profit from this is by blocking access to alternative DNS servers like OpenDNS, or even just putting in well-known public DNS servers like 4.2.2.2, so that they can intercept unknown requests and return ad-laden pages instead. Basically typosquatting.
Various ISPs have gone down this road before. (Rogers Cable has tried, and so has Road Runner.) Unfortunately -- for the shady ISPs, anyway -- it's easy for annoyed users to get around these schemes; they can just configure their computer or NATing router to use a different DNS server besides the one supplied by the ISP via DHCP.
By transparently redirecting all DNS requests to their own servers, Comcast would eliminate this method of circumventing their advertising. They could also block sites at the DNS level much more easily than before.
A lot of censorship schemes (ab)use DNS in order to return a bogus result to a query; these schemes aren't very good, though, because any user with two brain cells to rub together and the tiniest bit of motivation can change their DNS configuration to use clean servers instead. By doing transparent redirection, you prevent this.
Those strike me as the two obvious reasons. The profit-motivated one (squatting on failed DNS queries) is annoying and causes many non-web applications to fail or behave improperly, but it's not nearly as bad as the censorship-motivated one is. However, the same technique that makes failed-lookup ads harder to avoid could easily be used as part of a censorship scheme if demanded by the government. It's important that even casual Internet users (who may not really care about returning a "page not found" web page instead of the normal browser message) understand why letting their ISP monkey with DNS lookups is a Really Bad Idea.
In both cases you can get around the hijacking by using a VPN and forcing DNS queries though it, but that's significantly harder than changing from automatically-assigned DNS servers to well-known ones like OpenDNS's or Verisign's.

--
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."