Slashdot Mirror


Comcast Intercepts and Redirects Port 53 Traffic

An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.

17 of 527 comments

  1. Not happening to me by jimmyhat3939 · Score: 5, Informative

    I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

    --
    Free Conference Call -- No Spam, High Quality
    1. Re:Not happening to me by Shakrai · Score: 5, Interesting

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change, or do you have a business account with a fixed IP? If it's a business account then I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Not happening to me by CodeBuster · Score: 5, Interesting

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server (i.e. forging the response packets so that they appear to come from your server) then the only way to tell would be to place a deliberately wrong IP entry for a well known address on your server (i.e. something that Comcast wouldn't know about) and then run the query again to see if you get the wrong result (no redirection or impersonation) OR if you get the expected result (redirection or impersonation). Also, they might only be forwarding queries that they don't recognize to your server so that any custom or unusual queries hit your server but stuff like google.com is answered by their server(s).

    3. Re:Not happening to me by whoever57 · Score: 5, Informative

      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server

      I'm certain. I sent a query to a DNS server that I control. I ran tcpdump on the DNS server and I could see the packets from my home IP address coming in with the query and the refusal going out (I asked the DNS server that I control to resolve yahoo.com, which it should refuse to do).

      --
      The real "Libtards" are the Libertarians!
    4. Re:Not happening to me by EvilBudMan · Score: 5, Interesting

      Funny,

      Here are the results from a static IP:

      --Knoxville.hfc.comcastbusiness.net --

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      There might be some other issues here:
      http://www.auditmypc.com/port/udp-port-53.asp

    5. Re:Not happening to me by mea37 · Score: 5, Insightful

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server? (Since, you know, the ISP routers would never even see the traffic if it were?)

    6. Re:Not happening to me by whoever57 · Score: 5, Informative

      Just to be clear about the parameters of this test... I assume the PC from which you sent the request isn't on the same local network as the DNS server?

      The machine from which I sent the request is connected to a Comcast residential Cable Internet connection. The server at the other end is a virtual machine in a colo facility somewhere -- not a Comcast facility. And before anyone asks, I tried both tcp and udp requests with the same result (no interception, no transparent proxy).

      --
      The real "Libtards" are the Libertarians!
    7. Re:Not happening to me by darthservo · Score: 5, Funny

      Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server

      Thanks a lot. Now I'm going to get slashdotted.

      --

      Prove it.
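The two probes proposed in this subthread (CodeBuster's deliberately wrong "canary" record on a server you control, and darthservo's query for a name that cannot exist) can be run as one script. The block below is an added example, not code from the thread or from Netalyzr; the zone name `example.net`, the canary name `canary.example.net`, the canary address `10.66.66.66` and the documentation-range addresses used in the offline demo are all assumptions. It builds and parses raw DNS wire format rather than using the stub resolver, so a transparent proxy that rewrites the reply is judged on what actually came back. `demo()` runs offline on constructed packets; with three arguments it sends live UDP queries.

```python
"""Added example (not from the thread): detect transparent interception of UDP/53 with two probes
sent from the suspect access network to a resolver you control: a canary name whose only correct
answer is a wrong A record that exists only on your server, and a junk name that must be NXDOMAIN."""
import random
import socket
import struct
import sys

TYPE_A, CLASS_IN, RCODE_NOERROR, RCODE_NXDOMAIN = 1, 1, 0, 3
ZONE = "example.net"                                  # assumed: your zone, without a wildcard
CANARY, CANARY_IP = "canary." + ZONE, "10.66.66.66"   # assumed canary record on your server

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(data, off):
    # returns (name, offset after it); follows RFC 1035 compression pointers, loop-bounded
    labels, end, jumped = [], off, False
    for _ in range(128):
        length = data[off]
        if length & 0xC0 == 0xC0:                     # pointer: 14-bit offset into the message
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    raise ValueError("compression pointer loop")

def build_query(qid, qname, qtype=TYPE_A):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def build_response(query, rcode, a_records=()):
    # the reply your authoritative server would send; used here to construct offline samples
    qid, (_, qend) = struct.unpack("!H", query[:2])[0], decode_name(query, 12)
    flags = 0x8580 | (rcode & 0xF)                              # QR, AA, RD, RA
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0) + query[12:qend + 4]
    for ip in a_records:                                       # owner name = pointer to question
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(ip)
    return msg

def parse_response(data, expected_id):
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off, a_records = 12, []
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                               # skip QTYPE, QCLASS
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "a": a_records}

def classify(expected_ip, canary, junk):
    # verdict is 'direct', 'intercepted' or 'inconclusive'
    if canary["a"] and expected_ip not in canary["a"]:
        return "intercepted", "canary answered %s, not the record on your server" % canary["a"]
    if junk["a"]:
        return "intercepted", "nonexistent name resolved to %s (typo-squatting)" % junk["a"]
    if expected_ip in canary["a"] and junk["rcode"] == RCODE_NXDOMAIN:
        return "direct", "both probes were answered by your own server"
    return "inconclusive", "rcodes canary=%d junk=%d" % (canary["rcode"], junk["rcode"])

def probe(resolver, qid, qname, timeout=3.0):
    # one live UDP query to resolver:53 (needs network); returns the raw reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qid, qname), (resolver, 53))
        return s.recvfrom(4096)[0]

def demo():
    # offline run over constructed packets: an honest path and a hijacked one
    qc, qj = build_query(1, CANARY), build_query(2, "nxdeadbeef." + ZONE)
    cases = {"honest": ([CANARY_IP], RCODE_NXDOMAIN, []),
             "hijacked": (["203.0.113.5"], RCODE_NOERROR, ["203.0.113.80"])}
    return {k: classify(CANARY_IP, parse_response(build_response(qc, RCODE_NOERROR, c_ips), 1),
                        parse_response(build_response(qj, rc, j_ips), 2))[0]
            for k, (c_ips, rc, j_ips) in cases.items()}

if __name__ == "__main__":
    if len(sys.argv) == 4:      # live: <your-resolver-ip> <canary-name> <expected-ip>
        resolver, name, expected = sys.argv[1:4]
        junk = "nx%08x.%s" % (random.getrandbits(32), name.split(".", 1)[1])
        print(*classify(expected, parse_response(probe(resolver, 1, name), 1),
                        parse_response(probe(resolver, 2, junk), 2)))
    else:
        print(demo())           # no arguments: offline run on constructed packets
```

Run it from the suspect connection against your own server's public address, as whoever57 did, and watch the server side with tcpdump at the same time: a "direct" verdict plus the query visible in the server's capture rules out the interception the story alleges, while a wrong canary answer or an A record for the junk name shows someone else answered on port 53. The junk label is randomized in live mode so a cached answer cannot mask a forged one; the canary zone must not have a wildcard record, or the junk probe will never return NXDOMAIN.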

    8. Re:Not happening to me by Zetta+Matrix · Score: 5, Insightful

      Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

      Actually, no. We've been outraged about that before. It's one thing if I use someone's server and it typojacks me due to a wildcard entry in the name tables. The alleged behavior we're discussing actually prevents* the user from using another nameserver outside of that ISP in order to sidestep the problem.
      * (well, makes more difficult, requiring tunneling or something like that)

      For quite a while I've had the feeling that DNS will eventually be brokered through P2P/DHTs/etc with digitally signed payloads, and this type of behavior only makes that idea more appropriate.

    9. Re:Not happening to me by __aasqbs9791 · Score: 5, Funny

      Then that's even worse! It means Comcast must have hacked his server to falsify the logs! /s

  2. Fuck 'Em All by Cpt_Kirks · Score: 5, Funny

    When Comcast took over from Time Warner here, I bailed.

    I mean, Time Warner is evil. AT&T (who I switched to), is evil.

    But Comcast is Motherfucking Sith Lord EVIL.

    Scary fucking eeeeevil. Nazi evil. RIAA evil.


    1. Re:Fuck 'Em All by Em+Emalb · Score: 5, Funny

      So what are you trying to say?

      C'mon man, stop beating around the bush and get to your point.

      --
      Sent from your iPad.
    2. Re:Fuck 'Em All by bretticus · Score: 5, Funny

      Don't make fun of Poland.

  3. That's a negative by jjb3rd · Score: 5, Funny

    I'm a Comcast user and it works for me... perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait, this is Slashdot... never mind.

  4. Is this happening for ANYONE? by Itninja · Score: 5, Insightful

    Was the original poster a shill for some other ISP or what? An anonymous user submits a story decrying a great technical wrong by Comcast, that no one appears to be able to reproduce. So a little fact-check action might be in order here. Up next, "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!"

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  5. As one of the authors of Netalyzr... by nweaver · Score: 5, Interesting

    We have not seen any redirection issues with Comcast users' DNS settings.

    Questions on netalyzr itself will be answered in this thread.

    --
    Test your net with Netalyzr
  6. So let me see if I have this straight... by BaronHethorSamedi · Score: 5, Informative

    An anonymous reader submits a "story" linking to a random blog spouting off rumors about a nefarious scheme by Comcast to redirect port traffic. The "story" is then published under a headline asserting the rumor as fact, while the summary is actually a plea for the fact-checking on the story to be done by readers.

    News for nerds, indeed.