Crowdsourcing Confirms: Websites Inaccessible on Comcast
My first clue came when a friend of mine set up the website http://www.helpmatt.org/ and asked her friends to donate. I said the website appeared to be down; they replied back that it was working fine for other people — and I narrowed it down to Comcast DNS servers not resolving the hostname www.helpmatt.org correctly. When I accessed the same website over my Frontier DSL connection, it worked. (I had recently signed up for Comcast cable Internet to save money over DSL, but I kept my DSL connection "just in case" something went wrong. At the time, I thought maybe I was being paranoid -- how hard could it be for a cable company to just run a straight Internet connection to my house and not screw anything up? Hollow laugh.)
I put out an informal survey to my Comcast-using friends, and a few of them said they couldn't access the website either. Still, I thought, this wasn't enough evidence that it was Comcast's fault; maybe the hostname was only resolving intermittently, and just by sheer coincidence it happened to be up when all of my non-Comcast-using friends tried it? I was about to do a more formal experiment, and recruit a larger sample of testers through Amazon Mechanical Turk to test whether the site was inaccessible to other Comcast users, when the problem spontaneously fixed itself and suddenly the website became accessible 100% of the time to everyone.
But, my curiosity had been piqued. Was there something wrong with Comcast's DNS servers -- whether deliberate or not -- that was causing other websites not to resolve correctly? I wrote a perl script to take a sample of websites -- part of the same list that I had used to find websites that were mis-blocked as 'pornography' by Smartfilter — and attempt to resolve them using both Comcast's main DNS server (75.75.75.75) and one of Google's public DNS servers (8.8.8.8). (You won't be able to do this experiment yourself unless you have a Comcast Internet connection, because while Google's DNS servers accept queries from anywhere, Comcast's DNS servers will refuse queries from any IP address not assigned to one of their customers.)
The script ran through a few hundred hostnames and flagged anything that failed to resolve on Comcast but resolved correctly on Google, although most of these were false positives caused by Comcast's DNS servers being temporarily unresponsive. But after running through the list of false-positives repeatedly, I found the first website that consistently failed to resolve on my Comcast Internet connection while resolving on Google: http://www.021yy.org/.
The website is for a second-hand furniture store in Shanghai; I have no idea what the domain "021yy.org" has to do with the business. (Perhaps the IP address that the domain name resolves to used to be occupied by a different website, and that IP address was inherited by the furniture store but the old hostname still points to it.) The hostname www.021yy.org resolves to the IP address 116.251.210.33 (for *ahem* non-Comcast users, that is), which according to the Asia Pacific Network Information Centre is part of a block of IP addresses assigned to a hosting company in Singapore. I'm not blocked from accessing the IP address of the website over Comcast; I can ping and send web requests to the IP address 116.251.210.33 with no problem. Only the hostname fails to resolve. (I can still access the site by using a VPN or a proxy server.)
So, I created a survey on Amazon Mechanical Turk, asking people three questions:
- Can you access the website http://www.021yy.org/?
- If you can't access the site, what error message does your browser give you?
- What provider are you using?
and offered 25 cents to every user who filled out the survey, up to a maximum of 50 people. Amazon Mechanical Turk, if you've never used it before, lets you create low-payment tasks and outsource them to a crowd of workers. Like any simple and powerful tool, it can be used for purposes that the original creators probably never imagined (presumably including this experiment), and someday I'd like to look into the most creative and bizarre things people have done with it. (Although, in this case, it seems like the site may not have done a great job of matching this task with available workers. Only 20 people filled out my survey in the 24 hours after I created it -- surely, out of all the available Mechanical Turk workers, there were more than 20 people who would have been interested in doing a simple website accessibility check for 25 cents?)
20 unique users filled out the survey and reported:
- Out of the 14 non-Comcast users, 100% of them were able to access the site.
- Out of 6 Comcast users, 4 of them were blocked from accessing the site, and reported errors symptomatic of DNS failures ("Oops! Google Chrome could not find www.021yy.org" or "Server not found. Firefox can't find the server at www.021yy.org").
Even with such a small sample, that's enough to conclude that it's not a coincidence. (The real question is how two out of those six Comcast users were able to access the site at all. Maybe they're in a region of the country that's assigned different DNS servers. If I did the survey again, I'd ask people to include where they were living.)
So Comcast users -- at least some of them, probably most of them -- are blocked from accessing certain websites, which are perfectly accessible to users on other providers. I "only" had to test a few hundred domain names before finding one that would consistently fail to resolve on Comcast while resolving successfully on other companies' nameservers. With hundreds of millions of distinct websites "out there," if the same proportion holds, that would suggest that there are about a million or more websites similarly affected. And that's not even counting all the other sites — like helpmatt.org, and also including some of the sites in my sample — which apparently resolve 100% of the time on other providers while sometimes failing to resolve on Comcast, but where the failure was not consistent enough to use them as a test case for the Mechanical Turk survey.
Unlike, say, the kerfuffle over Comcast threatening to de-prioritize content delivery from websites that don't pay them a fee, it's unlikely that Comcast is meddling with traffic intentionally here (especially since the sites' IP addresses are not blocked). It's more of a demonstration that if a company is sufficiently big and if it's sufficiently hard to prove that a problem is being caused on their end, the problem can exist for a long time without being solved. I called Comcast tech support after I discovered that sites were blocked on their network but not on other providers, and said that the problem really needed to be brought to the attention of the higher-ups, but tech support was adamant that it was impossible for a member of the public to reach anybody higher up than the call center.
Even if the number of affected sites is huge, at least it's only a small percentage of websites — I did have to run my script on a few hundred sites before I found one that appeared to be resolving on other DNS servers but not on Comcast. But that likely would have provided scant comfort to my friends who set up the helpmatt.org site, when they were urging people to visit the site and donate, and 25% of potential visitors were unable to reach the page. When it's your website, it's kind of a big deal.
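The two-resolver comparison the article describes, including a way to separate a temporarily unresponsive resolver (the article's false positives) from a consistent failure, can be sketched as follows. This is an added example in Python, not the author's Perl script; the function names and verdict labels are assumptions made for illustration, and the resolver addresses and hostnames are the ones quoted in the article.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(hostname, qtype=1):
    """Return (txid, packet) for a recursive DNS query; qtype 1 is an A record."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_status(packet, txid):
    """Return (rcode_name, answer_count) read from a response header."""
    if len(packet) < 12:
        return ("MALFORMED", 0)
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id, or not a response
        return ("MALFORMED", 0)
    rcode = flags & 0x000F
    return (RCODES.get(rcode, "RCODE%d" % rcode), ancount)


def udp_query(server, hostname, timeout=3.0):
    """Send one query over UDP; a timeout is reported, not raised."""
    txid, packet = build_query(hostname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:  # includes socket.timeout
            return ("TIMEOUT", 0)
    return parse_status(data, txid)


def probe(query, server, hostname, attempts=5):
    """Repeat the lookup so that one dropped packet does not decide the verdict."""
    return [query(server, hostname) for _ in range(attempts)]


def resolved(outcome):
    return outcome[0] == "NOERROR" and outcome[1] > 0


def classify(isp, reference):
    """Turn two lists of outcomes into one verdict (labels are illustrative)."""
    if not any(resolved(o) for o in reference):
        return "fails-on-reference-too"      # says nothing about the ISP
    if all(o[0] == "TIMEOUT" for o in isp):
        return "isp-resolver-unresponsive"   # the false-positive case
    isp_ok = sum(resolved(o) for o in isp)
    if isp_ok == len(isp):
        return "resolves-on-both"
    if isp_ok > 0:
        return "intermittent-on-isp"
    if any(o[0] == "TIMEOUT" for o in isp):
        return "inconclusive"                # failures mixed with timeouts
    return "consistent-failure-on-isp"       # e.g. SERVFAIL on every attempt


def compare(query, hostnames, isp_server, ref_server, attempts=5):
    """Map each hostname to its verdict; `query` is injectable for offline use."""
    return {
        h: classify(probe(query, isp_server, h, attempts),
                    probe(query, ref_server, h, attempts))
        for h in hostnames
    }


if __name__ == "__main__":
    # Resolver addresses and hostnames as quoted in the article.
    hosts = ["www.021yy.org", "www.helpmatt.org"]
    for host, verdict in compare(udp_query, hosts, "75.75.75.75", "8.8.8.8").items():
        print(host, verdict)
```

Recording the response code separately from timeouts also makes it possible to tell a SERVFAIL from the resolver apart from a resolver that never answered.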
Stop using your ISP's DNS
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Do not use Comcast DNS... just use Google's.
https://developers.google.com/...
---In a time of Chimpanzees I was a Monkey.
Maybe Comcast is blocking China. Have you *asked* Comcast WTF is happening?
My first step when reconfiguring a home router on Comcast is to put in Google's DNS servers. Comcast's have been flaky (non-responsive and/or erroneous) far too often.
I'm wondering if DNSSEC played a role?
Don't use Comcast DNS servers.
Nothing forces you to use Comcast DNS servers just because you use their internet service.
I stopped using comcast DNS servers years ago, and have avoided many an "outage".
I remember several large DNS outages on comcast that I was completely unaware of for hours or days, until some mention came up.
I have been using OpenDNS mostly, but I fall back to the google DNS servers if something there flubs up
208.67.222.222
208.67.220.220
Remember these numbers
Gasp! I can't access it through comcast? How ever will I buy office chairs in china without 021yy.org?!?! It's SO much better than those humps over at 022yy.org.
(In case the link gets slashdotted, it's a website for office furniture in Chinese. At least according to google translate.)
With hundreds of millions of distinct websites "out there," if the same proportion holds, that would suggest that there are about a million or more websites similarly affected.
Why are you assuming that this scales linearly? Are you suggesting that this is a technical glitch? If the websites are blocked due to the nature of their content it most certainly won't scale in a linear fashion.
Or maybe there's a problem with 021yy.org's authoritative nameservers - maybe only /some/ of them, and whichever algorithm Comcast uses to choose one is picking the bad ones. Or maybe there's a temporary general problem with Comcast's own nameservers - which were your control sites, to make sure those would work? Or maybe Mechanical Turk workers know what you're up to and are trolling you.
Seems more likely that the Comcast users that succeeded in accessing the site are configured to use a different DNS resolver. Most likely OpenDNS.
Companies develop issues all the time. Sometimes it is on the website end, sometimes on the ISP end.
Not much you can do about it.
excitingthingstodo.blogspot.com
comcrap does not need more power
6.2% of queries will end in failure at 119.167.195.12 (f1g1ns1.dnspod.net) - failed to resolve ns1.booen.com due to 119.167.195.12 - query timed out
6.2% of queries will end in failure at 119.167.195.12 (f1g1ns1.dnspod.net) - failed to resolve ns2.booen.com due to 119.167.195.12 - query timed out
87.5% of queries will be returned by 42.120.49.143 (ns1.booen.com) - answer was not authoritative
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
My ISP, who is not Comcast but another major American ISP, also blocks certain websites via DNS failures. Simply switching DNS to Google's DNS servers or FreeDNS resolved the problem.
So, if you do the DNS query from another provider's DNS, can you get to the website over Comcast? Seems like a basic troubleshooting step that was missed. At least not mentioned in the extended summary.
Learn to love Alaska
Interesting. I don't always want to be messing with my DNS setting every time I get a 404 not found.
What is needed is a quick way to temporarily try using a different DNS, to see whether that's the problem.
http://www.geoffreylandis.com
if you do a compare between two DNS servers then you are bound to also come up with differences that show how outdated one server is compared to the other... There have to be many new domains registered / re-registered and associated / re-associated with a new IP every minute, if you run the script for long enough between two different snapshots you are bound to find one of these...
So my appropriately verbose question in response to your post is: how often do you think google and comcast update their DNS servers, and do you think they update at exactly the same time... I know ISPs like to filter stuff... just wondering if your method is sound.
DNS is a theoretically good system and one that we obviously all rely on every day. However, so many DNS implementations from the registrar level down to your cheap little wifi-router-all-in-one box that connects to your ISP are so totally broken. I think the way this is written is pretty trollish and should instead have focused on the wider question of how we can advance to where so many devices and programs that have to deal with name resolution will act more to-spec and consistently. Comcast should take some heat here for a partially broken DNS implementation, but without better evidence, I see no intentional evil in this particular story.
Hmm. I have BOTH Comcast residential and business class service. I wonder if the responses are different.
In Liberty, Rene
Last time I had to talk to anyone in the company I had to explain to the tech how DOCSIS modems worked. You will never get an individual from that company on the phone who knows enough to give you a real answer. Turnover is too high in call centers, and people who know the answer are not on support phone detail.
I think he said he did in fact call them and ask for assistance.
Just because you use comcast's pipes doesn't mean you have to use their DNS.
8.8.8.8 and 8.8.4.4 are the addresses to use for DNS
Especially Comcast DNS. But Don't use DNS at all. The fact is you can skip DNS and use a /etc/hosts file. This isn't 1982 anymore, disks are huge and it only takes a couple hundred megabytes to host it. With a cron job to rsync it every hour you no longer need to worry about manually updating it either. (It's simple enough to pass the grandmother test!) For those rare cases where a name isn't in my hosts file, I just request the page using an email-to-web service.
Do you even lift?
These aren't the 'roids you're looking for.
The majority of issues I have had with any cable company were related to their DNS being shitty. For some reason, cable companies don't know how to operate DNS.
Let me understand this correctly. You found Comcast's DNS isn't perfect and doesn't resolve some names. It does not appear to be malicious in any way, as the two domains you find affected are a foreign furniture store, and your friend's brand new website. It's fairly obviously a bug.
So: you call Comcast Tech support, demand to talk to the Boss of Comcast, and then write a 10,000 word article (I didn't count) about it on Slashdot where you know 90% of the readers will take "Websites inaccessible on Comcast" as meaning "OUT OF CONTROL MEGACORP MONOPOLIST COMCAST IS CENSORING WEBSITES!!!"
This makes sense to you? This is what you do? Really? Really?
Just curious, but that time you got a duff cable modem and had to send it back, did you write a 60,000 article on how Comcast has banned you from the Internet, and did you demand to speak to the PRESIDENT OF THE INTERNET? When it rained that one time and you attempted to tune in the cable TV, only to find many of your channels were inaccessible, did you write a 75,000 word article on how COMCAST IS DROPPING CHANNELS and did you call tech support demanding to talk to THE LORD HIGH RULER OF TV?
I think I've found an article where the discussion would be likely improved for once if the Betoddlers spammed it with anti-Beta comments.
You are not alone. This is not normal. None of this is normal.
It seems there should be a minimum acceptable SLA defined in law for ISPs.
One requirement would be to provide reliable name resolution without any DNS hijacking for ads and crap.
The other comments in this thread so far are all folks who are saying, well just use a different DNS provider/host your own. I do host my own, but I think it is crap that ordinary folks are abused by their ISPs like this.
(oh, and good for you for investigating this!)
My kid couldn't reach www.turnitin.com to submit his homework the other night; tried from Mac and PC -- no go. He was in a panic. I flipped on the hotspot connection on my Verizon tablet, switched his PC's wireless connection over to it, and he hit turnitin with no problems.
Admittedly, I didn't think about DNS; I just figured I'd tried the "other pipe" we had available at that instant.
This sounds like a very poorly-configured DNS server. There are other server issues as well. Some are slow. Others like to return their own special pages when you mistype a domain name. I've been using DNS Benchmark to determine the best set of DNS servers to use for a home network. It's a neat tool that provides a lot of information succinctly - be sure to read the walkthrough to understand what it's showing you.
I'm a leaf on the wind. Watch how I soar.
Those are the possibilities, in decreasing order of probability.
As much as I despise Comcast, they are unlikely to deliberately block random DNS lookups.
To a Lisp hacker, XML is S-expressions in drag.
" Comcast threatening to de-prioritize content delivery from websites that don't pay them a fee,"
last i heard...wasn't Netflix *trying* to pay them a fee for better delivery?
i think it's an important distinction. with all the kerfuffle about net neutrality, shouldn't we make sure the players are well identified?
never bring a twinkie to a food fight.
No mention of how long this "experiment" ran. How long was it that these sites were inaccessible from Comcast? What types of sites are they? Who is their DNS through? This could easily have been a problem with a hosting service. As much as we all love hating on Comcast, a few more details would be helpful.
This sucks almost as bad as Slashdot Beta.
1) The author has managed to uncover a conspiracy by Comcast to hold the good people at http://021yy.org/ down by denying the no doubt millions of potential customers that would be flocking to the domain otherwise. After all, that domain name rolls right off the tongue.
or
2) Comcast doesn't have an entry in its DNS servers for the site because it is a Chinese domain that looks like spam that no customer of theirs has tried to access before now.
Have you considered that Comcast's DNS servers are just caching the records and recent changes to these records are not being reflected correctly?
It sounds to me that Comcast's DNS servers are ignoring TTL values for A records. It's not unheard of for ISPs to do this. If these records are being "over-cached" by Comcast's DNS, then it would seem to the average Comcast user that site is being "blocked", when in fact they're just getting an outdated DNS record. If you run this test again, you'll most likely get completely opposite results, assuming the records have not changed again.
Also, if as a Comcast user you can access these sites while using Google's DNS servers, it's very misleading to declare that Comcast is "blocking" these sites. By your own description you are able to access these sites WHILE you are connected to the Internet through Comcast. The DNS servers you choose to use are NOT your Internet connection.
Works for me.
Comcast Internet, SF Bay Area, California.
Sorry, maybe you've skipped a salient point in the article, but the sites are not inaccessible. It seems plausible that there are some shenanigans going on with the Comcast DNS, just switch to a public DNS server for heaven's sakes. This is a really dumb post, sorry.
to Comcast. That is who actually control them. The Republicans have fought against competition for years, and Comcast must do what they are told to do, or the Republicans will take away their monopoly. They are ruled 100% by Republicans, and censorship like this is what all of those CONservatives do. They are the reason. You'll be more likely to get the block removed if you write a letter to your GOPper ruler than you will by contacting their minion Comcast.
Comcast has DNSSEC-enabled resolvers. The problem lies with the websites/their NS.
http://dnssec-debugger.verisignlabs.com/www.helpmatt.org
What does Comcast's DNS look like when tested by namebench?
Does it find the same problem?
put everything in your HOSTS file, it's the only way to be sure...
Oh wait...
I have dual broadband providers, Comcast and a local DSL. Checked "www.021yy.org" against both connections' DNS. Comcast returns SERVFAIL consistently, other provider returns a valid record consistently, Google returns a valid record consistently. There are some weird things about that record:
Could it be that the nameserver's provider is blocking packets from Comcast?
Not that I'm satisfied with Comcast; when it works it's plenty fast, but when it's down I can't even get through to the helpdesk.
Just about every single Comcast customer I have ever met, myself included, would tell you how terrible their service is, AND how few other options they have for high-speed internet.
We frequently seem to have problems with Comcast's business-class DNS, but the sample size for this experiment is one tiny business in China. Not exactly comprehensive.
China has more Internet users than the United States, and their service is pretty good. I'm a heavy user of the Chinese Internet, and I rarely have problems traversing their networks. But at the same time, malware is common there due to software piracy. Careful, temporary, targeted blocks of Chinese malware hosts can and do happen. Perhaps this one entity was swept up unfairly [or fairly].
The DNS for 021yy.org is rather fishy looking. The .org servers have NS records pointing to ns1.booen.com and ns2.booen.com, which have a 20 second time to live (vs. a normal 1 day TTL), which is common in botnet command & control networks. Also, the ns1/2.booen.com servers give answers to 021yy.org A lookups, but return NXDOMAIN for NS lookups (which is completely bogus; NXDOMAIN means that 021yy.org does not exist, not that it doesn't have NS records, which would still be bogus).
The NXDOMAIN for NS records would cause many caching servers to cache NXDOMAIN for all records (not just NS), which would cause the domain to not resolve (depending on the order things were looked up). Basically, I don't see this as a Comcast problem, but rather a problem with the DNS servers for 021yy.org. This may be accidental (although AFAIK no normal DNS server would reply with A records but return NXDOMAIN for NS records), but looks possibly like it is intentional and possibly part of a botnet C&C. There's a lot of that going on lately.
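The order dependence described in the comment above can be reproduced with a small model of a caching resolver in front of an authoritative server that answers A queries but returns NXDOMAIN for NS queries. This is an added example, not code from the thread and not a model of any particular ISP's resolver: the class names, the 900-second negative TTL and the 192.0.2.33 address are constructed, the cache keys NXDOMAIN by name for all record types as the comment assumes, and the optional `nxdomain_cut` flag extends the case to names beneath the cached one (the behaviour standardized in RFC 8020).

```python
NEG_TTL = 900  # constructed negative-cache lifetime, in seconds


class BrokenAuthority:
    """Constructed stand-in for the authoritative behaviour the comment reports."""

    RECORDS = {
        ("021yy.org", "A"): (["192.0.2.33"], 60),          # constructed address
        ("www.021yy.org", "A"): (["116.251.210.33"], 60),  # record quoted on the page
    }

    def query(self, name, qtype):
        if (name, qtype) in self.RECORDS:
            rdata, ttl = self.RECORDS[(name, qtype)]
            return ("NOERROR", rdata, ttl)
        # The reported defect: NXDOMAIN for a name that does have records,
        # where a correct server would answer NOERROR with no data.
        return ("NXDOMAIN", [], NEG_TTL)


class CachingResolver:
    """Toy recursive cache: positive entries per (name, type), NXDOMAIN per name."""

    def __init__(self, upstream, nxdomain_cut=False):
        self.upstream = upstream
        self.nxdomain_cut = nxdomain_cut
        self.positive = {}  # (name, qtype) -> (expires_at, rdata)
        self.negative = {}  # name -> expires_at

    def _negative_hit(self, name, now):
        labels = name.split(".")
        candidates = [name]
        if self.nxdomain_cut:  # also honour NXDOMAIN cached for any ancestor
            candidates = [".".join(labels[i:]) for i in range(len(labels))]
        return any(self.negative.get(c, 0) > now for c in candidates)

    def resolve(self, name, qtype, now):
        """Return (rcode, rdata, source) with source 'cache' or 'upstream'."""
        hit = self.positive.get((name, qtype))
        if hit and hit[0] > now:
            return ("NOERROR", hit[1], "cache")
        if self._negative_hit(name, now):
            return ("NXDOMAIN", [], "cache")
        rcode, rdata, ttl = self.upstream.query(name, qtype)
        if rcode == "NXDOMAIN":
            self.negative[name] = now + ttl  # applies to every type of the name
        else:
            self.positive[(name, qtype)] = (now + ttl, rdata)
        return (rcode, rdata, "upstream")


def run_timeline(resolver, events):
    """events: (time_in_seconds, name, qtype); returns (rcode, source) per event."""
    results = []
    for t, name, qtype in events:
        rcode, _rdata, source = resolver.resolve(name, qtype, t)
        results.append((rcode, source))
    return results


if __name__ == "__main__":
    timeline = [(0, "021yy.org", "A"), (10, "021yy.org", "NS"),
                (30, "021yy.org", "A"), (61, "021yy.org", "A"),
                (911, "021yy.org", "A")]
    for event, result in zip(timeline, run_timeline(CachingResolver(BrokenAuthority()), timeline)):
        print(event, result)
```

In this model the A record keeps resolving while its 60-second TTL lasts, then fails from cache until the negative entry expires, so the same name looks intermittently broken from one resolver and healthy from another that never saw the NS query.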
You can use downforeveryoneorjustme.com, though it will use its own DNS and routing so it will still require you to figure out which of those is the problem.
Say, that's a nice site. Wish I had mod points, I'd moderate you "informative".
http://www.geoffreylandis.com
I've been doing it for years with Comcast. Their DNS has always sucked.
Doesn't work for me.
Comcast Internet, Central NH/VT area.
I noticed something similar on Cox internet last week. I was trying to visit the Russian news site interfax.ru, to look for stories on the Ukrainian crisis, but mysteriously the host name would not resolve after clicking a link via a google search result. I then verified cox dns servers could not locate an ip for interfax.ru. I tried visiting the site by my mobile phone via AT & T's mobile wireless network, no problem accessing at all, site came right up. So I switched to google's dns server on my cox connection, now I can get an IP address for the site, but still cannot connect. Doing a traceroute to the interfax.ru ip address, my route dies the first ip out of cox network, which geolocates to Virginia, very strange.
Wish I had mod points, I'd moderate you "informative".
You would if you made more interesting remarks than this.
Try out the Gibson research DNS benchmark that will id fastest DNS for you. Double check (google) that you're not picking a troublesome DNS provider (DNS redirectors, etc) https://www.grc.com/dns/benchm...
Every comment to "just change your DNS" is missing the point.
Resolving it for yourself is not the same thing as resolving it for every affected Comcast customer. For most of that target audience, "Just change your DNS" may as well be "Just change your car's O2 sensor." The steps involved are familiar to a specific audience but requires significant effort for everyone else.
It may be heavy handed, but using the power of the slashdot audience to troubleshoot or perhaps even resolve the issue by reaching the actual people responsible is an effective tool.
...and had no issues getting to http://www.021yy.org/. Shanghai office furniture recycling and Shanghai recycling of used office furniture used office furniture Jonway, here I come!
Comcast better not be doing this. It has to be illegal.
If someone asked me to "go check a website" and the site URL looked like some random malware host, I'd probably not choose his 25 cent task either. What is this guy smoking?
Have you looked at whether a faulty interaction with DNSSEC could be at fault?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Wish I had mod points, I'd moderate you "informative".
You would if you made more interesting remarks than this.
Wish I had mod points, I'd moderate you "insightful".
Turns out that for some reason, their DNS servers were making a query for the name of my nameservers as listed in the registrar database. When those failed, it dropped any caching of the address like a hot potato, thus resulting in very spotty name resolution. Using Google's DNS worked just fine, if a bit slower due to the lack of multi-hosting.
So basically, if the registrar has example.com's nameservers listed as foo.example.com = 10.1.1.1 and bar.example.com = 10.1.1.2, AT&T's DNS will query 10.1.1.1 to look for foo.example.com. If that DNS server lists itself as ns1.example.com, but does not resolve foo.example.com, AT&T's nameserver will think something is fishy and decide you don't exist at all.
This was a pain in the ass to figure out, but everything has been fine since I fixed that. I would still like to find a place where this behavior is documented, because I was only able to discover it by turning debug logging on for my nameserver. I also found out that someone in Germany had been using it as their primary DNS for who knows how long, so I shut off recursive searches from outside my LAN.
This was probably just a negative cache entry. Someone on Comcast (possibly you) probably tried to look up helpmatt.org before it was propagated to all the root servers, and 75.75.75.75 got a lookup failure and cached it. Negative caching is part of proper DNS operation and it can last a while. DNS is full of delays like this.
FYI... It's working just fine now.
root@atomrouter:~# host helpmatt.org 75.75.75.75
Using domain server:
Name: 75.75.75.75
Address: 75.75.75.75#53
Aliases:
helpmatt.org has address 192.155.89.14
helpmatt.org mail is handled by 20 alt1.aspmx.l.google.com.
helpmatt.org mail is handled by 30 aspmx3.googlemail.com.
helpmatt.org mail is handled by 30 aspmx2.googlemail.com.
helpmatt.org mail is handled by 20 alt2.aspmx.l.google.com.
helpmatt.org mail is handled by 10 aspmx.l.google.com.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
If you're running Windows, run the command IPCONFIG /FLUSHDNS in-between assigning static DNS entries on the NIC. Or, just reboot the bloody machine!
Wish I had mod points, I'd moderate you "informative".
You would if you made more interesting remarks than this.
Wish I had mod points, I'd moderate you "insightful".
I wish I had mod points, I'd moderate you "Underrated". Your comment has a je ne sais quoi.
I worked at an ISP that technically no longer exists due to merging multiple times. But when I worked there we had a recurring issue with the DNS servers and navy.gov. They had set their expiration really low, probably to help in moving the servers, and after a while something would happen to the DNS servers and they'd refuse to hand out the record. If it was a nobody site no one would have cared, but because it was the Navy it ended up causing some backlash. The issue was made worse because we had over a dozen servers across the country, and only some of them were affected on any given day. What's worse is the people in direct charge of the servers had no clue what was causing the problem and only knew that rebooting them would fix it. Ultimately the solution was to upgrade the DNS servers and go with a more centralized solution. It's much easier to set up when it's all behind one or two addresses instead of a dozen anyways. I still don't know why the servers refused to give back any credentials or even an error since I didn't directly administer any of them, but I accept they were probably just failing, and needed some serious repair or replace since we did go with the replace option. Comcast is probably in the same boat.
Hanlon's Razor: Never attribute to malice that which is adequately explained by stupidity.
People are often careless, lazy, stupid, or some combination thereof so someone may have fucked up a DNS server or 3 by accident. And, seeing as it works in some locations, I wouldn't be surprised if that was the case.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
I do PC support on the side. I had three customers who were having issues checking mail, where it would intermittently - but frequently - error out while checking mail. All three had contacted their ISP first, and been told that it was an issue with their computer (thus they paid ~$100 for a computer tech to fix the issue).
Telnet to the ISP's mailserver, and it randomly returns a "BAD MAILBOX" when checking mail. DEFINITELY not an issue with the client machine or mail client.
Talk to the ISP techs about it.
First response from ISP tech: Oh, it's your computer
Me: Actually it's not MY computer. I'm the tech hired by the owner to fix the computer. I'm a professional. I checked it and YOUR mailserver is returning errors
ISP Tech: Oh... well we're doing some upgrades on the mailservers lately so that's probably why
Me: My first client with this issue was 6 months ago. How long has this "upgrade" been going on.
ISP Tech: Oh... yeah about that long
Me: So when do you plan on having it complete
ISP Tech: uhhhhhn
Many ISP's/providers will LIE through their teeth and completely avoid dealing with or logging an issue. I've had similar issues with cellular corps (one where a whole region always got a busy when dialing any 1-8xx number), who claim "it's your phone. You're not using our provided phone? Too bad we can't help you"
Knowing that the ISP has an issue is useful knowledge for tech folk.
p.s. The internet ISP with mailserver issues was "Telus" in Canada, and the phone provider with 800 issues was "Fido" (that latter one happened twice).
Or maybe they (like you, like me) use Comcast with third-party DNS...
I have my home router issue OpenDNS as its default DNS servers, with OpenDNS set up to block various sites (quick-and-dirty web filtering for the kid, default web filtering for visitors, such as kid's friends,) and with Google's DNS as the manually-specified on my and my wife's machines.
So if I had been one of your Mechanical Turk participants, I would have said "Yes, i can get to it; I'm on Comcast."
Admittedly, 2 out of 6 seems high for such a scenario, but Turk participants aren't exactly likely to be technology noobs.
Fine by me.
Have gnu, will travel.
I use a small ISP in Canada called Teksavvy that runs on the Bell DSL network. I have static IPs and run my own recursive DNS server for internal use.
Last week in the middle of the day I suddenly couldn't access my employers website, email server, VPN, etc. I phoned the office and the admin remotely accessed a server in another city and confirmed that he could access these services over the Internet. I could access any other website I tried to access, so I phoned the ISP. The support people said that they could access the website even though I couldn't! After several hours it started working again. I suspect Bell had something to do with it.
In November 2013 Bell quietly launched their "relevant ads" program that is essentially a domestic surveillance system on their mobile network. I wonder if they're starting to roll this out to the rest of their network now.
Forgot to mention that it was not a DNS issue. I couldn't even access the services directly using an IP address.
Is that Bennett is an attention whore.
Comcast's DNS has been broken since 2002.
LOOK IT UP. It's like a ten second Google search to show that they've had exactly the same problem they've got now since 2002. There are hundreds of complaints online.
My company uses Comcast Business and our employees who have Comcast Home Internet service cannot resolve our public facing names, which are over ten years old and resolve everywhere else in the world. I have outstanding tickets with them, I have sent dozens of emails, I have called them several times. We've had the same IP block for around 20 years, I got these numbers from Jon Postel.
But Comcast does not respond. You can force their drones to take your complaint, but then they don't do anything. They don't call you back, they don't do anything.
Currently Comcast's DNS servers at 75.75.75.75 and 75.75.76.76 drop 20% to 50% of their traffic, when tested on our Comcast Business 60meg connection. Consistently. And they do not resolve any of our corporate names, ever.
And yes, Comcast support told us to use Google's DNS servers instead. They are purposely driving traffic to Google, to try to reduce the load on their own horribly broken DNS. This seems less likely to be malice than incompetence on a truly global scale....
Hi - Jason from Comcast's DNS team here. First off, we have a nifty website @ http://dns.comcast.net/ where you can check our cache and find a form to contact us directly. Let's break down the issues with www.021yy.org.
1 - Sub-optimal TTL: The DNS admin is not doing themselves any favors; the TTL for www.021yy.org seems to be set to 60 seconds. That will cause recursion every 60 seconds or less from US-based DNS servers to authoritative servers in China. I recommend a more industry standard TTL to enhance cacheability of these records and minimize global recursions at this frequency. I would suggest no less than 5 minutes (300 seconds in the DNS record) or even as much as 1 hour which is usually fine (3600).
2 - Auth servers seem to be in China? If you expect many users of www.021yy.org in the US, you may want to add at least one authoritative name server in the US so that when recursion does need to occur that it is faster than US-to-China transit time.
3 - Are the auth servers responsive? I get NXDOMAIN responses when asking several recursive servers, such as Google's.
Macintosh-3:~ jason$ dig @8.8.8.8 021yy.org ns
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 021yy.org ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 slashdot.org ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26387
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;slashdot.org. IN NS
;; ANSWER SECTION:
slashdot.org. 19088 IN NS ns2.p03.dynect.net.
slashdot.org. 19088 IN NS ns4.p03.dynect.net.
slashdot.org. 19088 IN NS ns1.p03.dynect.net.
slashdot.org. 19088 IN NS ns3.p03.dynect.net.
;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 11 17:42:38 2014
;; MSG SIZE rcvd: 116
In any case, we're flushing our cache right now just in case but I am not sure that will solve a deeper DNS issue with the authoritative DNS service for this domain.
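Added example, not part of any comment in this thread: a Python sketch of the comparison the thread keeps returning to, sending the same query to an ISP resolver and to a reference resolver and comparing response codes and answers. The function names and the constructed sample reply are assumptions made for this illustration.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a recursive (RD=1) query; qtype 1 = A, 2 = NS."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (status, [ttl, ...]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), ttls

def ask(server, name, qtype=1, timeout=3.0):
    """Send one UDP query; a timeout or malformed reply is NO_USABLE_REPLY."""
    query = build_query(name, qtype, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # kernel drops replies from other addresses
        try:
            s.send(query)
            reply = s.recv(4096)
            return parse_response(reply) if reply[:2] == query[:2] else ("BAD_ID", [])
        except (OSError, struct.error, IndexError):
            return "NO_USABLE_REPLY", []

def diagnose(isp, ref):
    """Compare (status, ttls) from the ISP resolver and a reference resolver."""
    ok = lambda r: r[0] == "NOERROR" and bool(r[1])
    if ok(isp) == ok(ref):
        return "both resolve" if ok(isp) else "fails on both: suspect the zone"
    return "resolver-specific: ISP=%s/%d reference=%s/%d" % (isp[0], len(isp[1]), ref[0], len(ref[1]))

def constructed_reply(name, rcode, ttls, qtype=2):
    """Constructed sample reply (not captured traffic); RDATA points at QNAME."""
    head = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ttls), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, t, 2) + b"\xc0\x0c" for t in ttls)
    return head + build_query(name, qtype)[12:] + rrs
```

On a live connection, `diagnose(ask("75.75.75.75", name, 2), ask("8.8.8.8", name, 2))` runs the comparison for one name. TTLs returned by a recursive resolver are remaining cache lifetimes, so they only give a lower bound on the TTL configured in the zone.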
Comcast's DNS is very fast, but it only answers 50 to 80 percent of actual queries, and it fails to resolve literally thousands of valid host names.
Speed, though, it's got lots of speed.
Good luck getting a complex issue like DNS resolved by them. Let me give you an example of my recent experience with Comcast/Xfinity's support.
One Saturday night I start having issues with my Internet service, since we already had plans and it was Saturday night, I just chalked it up to some maintenance they were performing and didn't stress about it. Well the next day the problem persisted and had actually gotten worse. (I was pinging the first hop outside of my home router and receiving response times in excess of 8 seconds and having consistent packet loss in the 25 percentage range.) So I called support and spent the next hour "troubleshooting with them", with no service scheduled- because they said their scheduler was down and that they would call me back. Needless to say, I never was called back.
After two more call backs on the subsequent days, that Monday they insisted the scheduler was still down and they couldn't send a technician without scheduling the appointment and once again never called me back, I finally was able to get a technician out to look at my location. The total time it took to get this was 4 days from the initial service degradation, for those of you keeping track.
The on-site technician showed up on the scheduled date, two days later. I demonstrated to him that I was having latency spikes in the second times, but he only cared that, at that time, I could stream movies. When I insisted that latency times in the seconds was not acceptable, he called someone from Comcast who insisted that he should use a different website to ping- never mind the fact that I was using their router for the ping test. He informed me that he had done all he could do and that if any further help was needed, he would need to schedule a follow-up to include his supervisor. He never did so.
That day, I called them again and said that my service was still degraded to the point of being unusable. I informed them that I had already been through all the troubleshooting steps and that resetting the modem would not fix my issue- as it had already been reset at least 10 times at this point. They then transferred me to someone that was supposed to be in level two support, but when I told him that latency to my house was terrible, he seemed not to care or know what I was even talking about.
Eventually that night, following a very negative review of the service I had received, I received a call from one of their account representatives. He never informed me what changed, but since then I've not had the same latency issues.
Honestly, the more I think about it, I would expect them to foul something like DNS up, considering the support I received for latency issues.
But of course that's what we do.
It's every slashdotter's god-given right to vent in huge volume and blow things out of proportion.
Honestly, I wouldn't be surprised that Comcast blocks some of it because it was hosted on a competitor's infrastructure.
Obviously you have a Comcast fetish and must do everything in your power to try and disprove any wrongdoing.
My hosts have been at the same addresses for over a decade, on fully portable IANA addresses, no NAT crap.
Comcast hasn't resolved them in years. They used to resolve, back around, oh, 2005 or so. And they still resolve just fine anywhere in the world but Comcast DNS. You can see us from sub-Saharan Africa, we've got RIPE-181 stuff in the RADB and everything, we can even sign our zones.
Perhaps you are the one who doesn't understand what he's talking about? Everyone actually in the business knows Comcast's DNS has been broken for years. They are grossly incompetent.
This is not news. Anyone who uses Comcast's DNS is a moron.
downforeveryoneorjustme.com is free and uses many servers in different geographic locations.
Alex P. Keaton ...?? ....
I've noticed that Chrome would directly reach out to 8.8.8.8 even though my home network has DNS servers defined, and 8.8.8.8 isn't part of it. Very curious...
Really, thanks OP for your pursuit of the truth here. This is part of the technical excellence that I came to expect of the Slashdot of the days of old. Good job.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Unlike the rest of you syrup-swilling fifth column canadian invaders in my fair USA, I do have mod points. You've all been moderated "Overrated" and I have no intention of apologizing.
Let me tell you a secret. Don't use Comcast DNS, you don't have to. Use Google's 8.8.8.8 and 8.8.4.4. I am on Comcast and don't have any problem like that. The setup is pretty simple, I have Comcast's Motorola modem and I have my own router with dd-wrt. IP addresses on the local network are served from the router (usual DHCP, same as any other router has) and I have specifically set Google's public DNS instead of Comcast.
You kind of need an SOA to be a proper domain, so it's not surprising that it works for some resolvers and not others.
The guy writes perl scripts and has never used "nslookup" before.
Only the State obtains its revenue by coercion. - Murray Rothbard
use something like OpenDNS or the aforementioned Google DNS at 8.8.8.8 or 4.4.4.4
if this is supposed to be a new economy, how come they still want my old fashioned money?
That last italicized bit was unnecessary. You already indicated you were American. :-/
Wish I had mod points, I'd moderate you "informative".
You would if you made more interesting remarks than this.
Wish I had mod points, I'd moderate you "insightful".
I wish I had mod points, I'd moderate you "Underrated". Your comment has a je ne sais quoi.
I do have mod points and I would have modded you Funny, but I posted instead!
Be seeing you...
Whoever runs downforeveryoneorjustme.com should upgrade it to truly see if it's down for EVERYONE by having connections with each ISP and start doing data about what sites are blocked by which ISPs. That's going to be a needed service it seems.
----------
Trying to fix or change something only guarantees and perpetuates its existence
So you'll have to pay more to get your internet. It sets precedent. You didn't pay so they are throttling your request to 'last'.
what, like "HOSTS" ? for windows? gee, yeah, if only there was such a file available...
Log into your Comcast, go to "Account Settings", "Internet security" then unclick "filter E-beggars".
Hey Slashdot, I think my website is being blocked on the DNS level by Comcast. It's at http://www.giveananonymouscowardsomemoney.com. Please put an article on the front page so people can crowdsource their opinion on whether or not it works on Comcast. I think the Paypal transaction is being blocked by Comcast when you send more than 100 dollars via the donate button. Please test that part of my website as well.
That would be another reason to ditch your ISP's DNS and use the community setup DNSCrypt. I mean at some point Comcast will notice you're not using their DNS and start modifying responses from other DNS servers. In order to prevent that you should encrypt DNS queries. Use http://dnscrypt.org/ Feel free to chat me up on the topic. I run one DNSCrypt server in Europe.
Just this past week I've had the same problem with the http://www.tzonedigital.com/ domain, which remained inaccessible if you use our ISP's (Telefonica) DNS servers (80.58.61.250 and 80.58.61.254). But using Google's DNS (8.8.8.8) servers it is accessible, tested with some others with random results.
Telefonica DNS administrators told me tzonedigital.com's DNS zone is misconfigured and directed me to http://www.intodns.com/tzonedi... and the problems it reports. From the misconfiguration and the fact that DNS servers are queried in a random order, you get non-deterministic errors.
Looks like http://www.intodns.com/021yy.o... is misconfigured too, so it well may be that the problem lies not with Comcast but with 021yy.org.
Just my 2c.
Your comment has a je ne sais quoi.
No, I am je ne sais quoi. His comment had none of me, I assure you.
Gentlemen! You can't fight in here, this is the war room!
Verizon Residential DSL in my area has at various times done redirected DNS, using a DNS server in Arkansas. I know this because it crapped out one day and was returning its own IP address and hostname for all queries, which let me research it (I forgot to record it for later reference, though). Verizon was redirecting all queries on port 53 to it (even those to Google's DNS on 8.8.8.8).
They either aren't doing it now, or have gotten better at it and I can't tell anymore.
I got around it at the time by getting DNS over a VPN from my office's DNS server. It was very annoying though. I can't imagine how ordinary people manage.
First, I'd like to know the domain registrars for the sites - are there a few, or many? If a few, that's a bigger problem.
Second, remember that you can always manually add another nameserver, like one of google's, to your resolv.conf, and fix it so that it's not rewritten (or automatically replace it every time you log into your computer).
Third, thanks for another reason, among many, to not ever want to switch to Comcast.
mark
I am a COMCAST Business Internet customer. I can verify that COMCAST's DNS is not resolving your Chinese furniture store FQDNS name. I was able to access it though on my SPRINT based iPhone. I changed my notebook's DNS to lookup using GOOGLE and now things work better. I have noticed over the last week or so that I have trouble that is new with a number of web sites. I was thinking it might have to do with Kaspersky Internet Security for the Mac. I haven't been able to research that yet. My thanks to the original poster for bringing this to our attention.
Over the years I have been both a Comcast and Time Warner Internet customer in way more than 3 different cities. Avoid them if possible. No fun paying $10 more for more bandwidth and not seeing your bandwidth increase. Thanks to DD-WRT you see your actual bandwidth in real time.
Everyone should learn how to access websites they deem critical via that website's IP address alone. It's simple enough if you know the IP address, which can be discovered via the commands nslookup, dig and traceroute (tracert for you Windows users). To learn more, google any of those commands and learn. Once you know the IP address, use this in your browser's Location Bar (some browser installations turn off the browser's location bar, but you can turn it back on...if not use a better browser):
http://xxx.xxx.xxx.xxx/ where xxx.xxx.xxx.xxx is the IP address of the website you want to reach.
If they (cable company) will not provide you with only a cable modem, go with another provider. You want it to be nothing but a simple modem. No Wifi, no firewall, no router. Then add your own firewall/router that you control 100%.
Since they are going to throttle your cable connection anyway, see if DSL is available. It will be cheaper per month also. Go with DSL if you cannot get FTTH. Funny how cable companies only offer you more when they are forced to.
If you must use cable:
Cable Modem (no Wifi, no DNS) + DD-WRT enabled firewall/router ~ is your best option.
The FCC used to define broadband as sustained bandwidth speeds above 768Kbps, that page has since been removed, wonder why? If a cable provider throttles service to below 768Kbps, at any time, should it be allowed to be called Broadband? I think NOT.
If your broadband is symmetrical, not an up to bandwidth lie, there is no business incentive to restrict, limit, throttle and reduce a customer's bandwidth perpetuating the scarcity myth lie related to Internet access. There are less than 30 FTTH communities in the USA where a residential customer can purchase symmetrical Internet bandwidth today. Thankfully more are being planned. Except in the 14 states where the Cable companies have gotten politicians to enact laws preventing competition and FTTH.
To learn more about nslookup, dig and configuring your DNS, see this Google Developer's web page. There are command examples on that page, enjoy.
You can escalate an issue to Comcast via the email address we_can_help (at) cable.comcast.com
http://dns.comcast.net/index.p...
apk kicked your lame troll asses again http://tech.slashdot.org/comments.pl?sid=4885825&cid=46474817
See subject-line: For the very reason you noted...
(Seeing as how you're rated "funny", again: FUNNY hosts would do the job nicely...)
APK
P.S.=> The BEST & EASIEST way to create a custom hosts file (that keeps your favorite sites you tell it to @ the TOP of the file for speed) that gives added security, speed, reliability, & even anonymity (vs. DNS request logs OR like what appears to be happening here possibly in DNSBL allowing you to reach the sites you like that are blocked in it)? Right here (with data from 12 reputable & reliable sites in the security community) APK Hosts File Engine 9.0++ 32/64-Bit: -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
Funny YOU always "Run, Forrest: RUN!!!" when I challenge you to disprove my points on hosts files value http://yro.slashdot.org/comments.pl?sid=4176879&cid=44789325 in added speed, security, reliability, & even anonymity added... isn't it? Not - you're nothing but a TROLLING WASTE OF LIFE (& you know it, I know it - heck, anyone reading with 1/2 a brain does too).
APK
P.S.=> Why don't you do everyone a favor, and do something USEFUL with your life, instead of being the worst form of life online: A bogus little troll, whom I have made utter mincemeat out of before? Proof of that's the link above, "Forrest" (where you RAN)... apk