Comcast Intercepts and Redirects Port 53 Traffic

Posted by kdawson
from the why-we-need-ipv6 dept.
An anonymous reader writes "An interesting (and profane) writeup of one frustrated user's discovery that Comcast is actually intercepting DNS requests bound for non-Comcast DNS servers and redirecting them to their own servers. I had obviously heard of the DNS hijacking for nonexistent domains, but I had no idea they'd actually prevent people from directly contacting their own DNS servers." If true, this is a pretty serious escalation in the Net Neutrality wars. Someone using Comcast, please replicate the simple experiment spelled out in the article and confirm or deny the truth of it. Also, it would be useful if someone using Comcast ran the ICSI Netalyzr and posted the resulting permalink in the comments.
  • Not happening to me (Score:5, Informative)

    by jimmyhat3939 (931746) on Tuesday June 09, 2009 @01:13PM (#28269017) Homepage

    I'm a Comcast user, and I run a DNS server for a few private domains that only I use. I have not experienced this, and I just verified that it's not currently happening. I'm in California if that matters.

    • by Shakrai (717556) on Tuesday June 09, 2009 @01:20PM (#28269131) Journal

      I'm a Comcast user, and I run a DNS server for a few private domains that only I use

      Are you running that and hoping that your dynamic IP address doesn't change, or do you have a business account with a fixed IP? If it's a business account then I would assume that they aren't redirecting those but could still be redirecting on consumer accounts.

      • I don't have Comcast (anymore) but when I was living in CT I was privileged (/s) enough to have them as my only choice. This was at the time when they first started filtering BT traffic; I never had an issue so it might be a subsection of their consumer base.

        Also, I have road runner now and I don't have a static IP. I just have a dyndns.org hostname I use coupled with their IP update tool that keeps my IP updated. they have free accounts as long as they stay updated. ie. deleted after 30 days without an
        • by Shakrai (717556)

          Also, I have road runner now and I don't have a static IP. I just have a dyndns.org hostname I use coupled with their IP update tool that keeps my IP updated. they have free accounts as long as they stay updated. ie. deleted after 30 days without an update but I get nice emails reminding me 5 days in advance. He might be doing the same?

          Not if he's using his nameserver as an authoritative nameserver for one or more domains. You can't list those by hostnames, you have to list them by IP address. That said, I don't know how Comcast works but my Roadrunner IP hasn't changed in over a year. That's one of the nice things about them vs. Verizon DSL, where it seems to change on an almost daily basis.

          • by alta (1263) on Tuesday June 09, 2009 @04:52PM (#28272197) Homepage Journal

            Comcast is using nearly off-the-shelf DHCP with really long expiry times. When you get an IP, you'll have it for months, and usually don't lose it until those months have passed AND you reboot your equipment and get a new IP.

            DSL on the other hand is using PPPoE (PPP over Ethernet). Every time it starts a new session it gets a new IP, completely independent of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly. Unlike a direct link, PPPoE must renegotiate every time there's a momentary signal loss, just like dialup would do.

            From what I've read, they use PPPoE because it's the easiest way to enable/disable users in real time via a RADIUS server. Comcast has to use more complicated methods to kill accounts (in some places, even send out a truck to put on a filter)

            • Re: (Score:3, Informative)

              by number11 (129686)

              DSL on the other hand is using PPPoE (PPP over ethernet.) Every time it starts a new session it gets a new IP, completely independant of what it had before. And from my experience with ATT/Bellsouth it's not daily, it's hourly.

              Depends on where you are. With Qwest (and a local third party ISP) I've had the same IP number since I got the service, maybe 10 years ago. That's regular consumer-grade (1.5M/1.0M) DSL. The reverse DNS lookup gives a name that has my ISP username embedded into it.

      • by EvilBudMan (588716) on Tuesday June 09, 2009 @01:47PM (#28269637) Journal

        Funny,

        Here are the results from a static IP:

        --Knoxville.hfc.comcastbusiness.net --

        --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
        The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
        The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

        There might be some other issues here:
        http://www.auditmypc.com/port/udp-port-53.asp [auditmypc.com]

      • Re: (Score:3, Informative)

        by falconwolf (725481)

        I'm a Comcast user, and I run a DNS server for a few private domains that only I use

        Are you running that and hoping that your dynamic IP address doesn't change or do you have a business account with a fixed IP?

        My access is through Comcast, though like TFA's writer I get it from Earthlink, and I have a static IP with a consumer not a business account.

        Falcon

    • by whoever57 (658626) on Tuesday June 09, 2009 @01:24PM (#28269215) Journal

      I just verified that it's not currently happening. I'm in California if that matters.

      Me too. I'm also in CA and it is not currently happening.

    • by CodeBuster (516420) on Tuesday June 09, 2009 @01:26PM (#28269251)
      Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server (i.e. forging the response packets so that they appear to come from your server) then the only way to tell would be to place a deliberately wrong IP entry for a well known address on your server (i.e. something that Comcast wouldn't know about) and then run the query again to see if you get the wrong result (no redirection or impersonation) OR if you get the expected result (redirection or impersonation). Also, they might only be forwarding queries that they don't recognize to your server so that any custom or unusual queries hit your server but stuff like google.com is answered by their server(s).
      • by jeffmeden (135043) on Tuesday June 09, 2009 @01:37PM (#28269473) Homepage Journal
        Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server (which is presumably above any such hijacking) and see if the request gets hijacked. Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?
        • by The Moof (859402) on Tuesday June 09, 2009 @02:06PM (#28269887)

          Isn't that the point of this outrage?

          More like intercepting traffic that isn't destined for Comcast as if it were. You're not attempting to contact Comcast in any way, but that's where the traffic is ending up.

          Let's say Comcast, for some reason, suddenly decides that your site should no longer be reachable (by name), they could start intercepting DNS requests for your site and returning domain not found. Or worse, redirecting you to a site they find more "suitable."

        • by darthservo (942083) on Tuesday June 09, 2009 @02:26PM (#28270209)

          Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com) against your server

          Thanks a lot. Now I'm going to get slashdotted.

        • by Zoxed (676559) on Tuesday June 09, 2009 @02:29PM (#28270261) Homepage

          > Or, more simply, query something you know doesn't exist (like asdfdsafdsafhdsds.com)

          1) Quickly registered non-existing domain mentioned on Slashdot and put up an ad-serving site.
          2) Wait for bored Slashdotters to try the link.
          3) Profit.

          Thanks Slashdot :-)

        • by Zetta Matrix (245803) on Tuesday June 09, 2009 @02:32PM (#28270321)

          Isn't that the point of this outrage? Getting typojacked when you try to go to a genuinely invalid URL?

          Actually, no. We've been outraged about that before. It's one thing if I use someone's server and it typojacks me due to a wildcard entry in the name tables. The alleged behavior we're discussing actually prevents* the user from using another nameserver outside of that ISP in order to sidestep the problem.
          * (well, makes more difficult, requiring tunneling or something like that)

          For quite awhile I've had the feeling that DNS will eventually be brokered through P2P/DHTs/etc with digitally signed payloads, and this type of behavior only makes that idea more appropriate.

      • by whoever57 (658626) on Tuesday June 09, 2009 @01:37PM (#28269481) Journal

        Are you certain? If they are redirecting the traffic in their network so that one of their DNS servers responds to the query as if it was your DNS server

        I'm certain. I sent a query to a DNS server that I control. I ran tcpdump on the DNS server and I could see the packets from my home IP address coming in with the query and the refusal going out (I asked the DNS server that I control to resolve yahoo.com, which it should refuse to do).

    • by EvilBudMan (588716) on Tuesday June 09, 2009 @01:38PM (#28269495) Journal

      They are blocking port 53 it appears here in Virginia.

      --UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy.
      The applet was unable to transmit an arbitrary request on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy or firewall intercepted and blocked the deliberately invalid request.
      The applet was unable to directly request a large DNS response. This suggests that a proxy or firewall is unable to handle large extended DNS requests or fragmented UDP traffic.--

      I don't know about them hijacking it though. I'm not sure what's causing it yet.

      Look this way for more info:
      |
      |
      |
        \
            \
            V

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Why are people suddenly so obsessed with pointing to the reply button?

    • Re: (Score:3, Informative)

      by chundo (587998)
      Works for me in Chicago. I'm guessing it's his broadband router that's doing this, intercepting port 53 traffic and forwarding to the DNS servers it got from DHCP.
    • by cprincipe (100684) on Tuesday June 09, 2009 @03:15PM (#28270899) Homepage

      This is retarded.

      I point my router's DNS to OpenDNS.org and everything works great. If I type a BS domain I get the OpenDNS search page.

      One idiot's Wordpress blog is enough to make it to the front page? I mean, I think Comcast is the devil incarnate, but there are plenty of legitimate reasons to hate them without making up BS stories.

    • Re: (Score:3, Informative)

      by sjames (1099)

      Same here. I routinely test work DNS servers from home (on Comcast). They include non-public domains that will not resolve anywhere else. Other zones may differ from what the authoritative nameserver would answer.

      They may be intercepting DNS somewhere, but not here in Atlanta.

  • Not happening here (Score:2, Informative)

    by jimmyhat3939 (931746)

    I have several domains I run on a private DNS server that I access from my house using Comcast. I haven't experienced this. I'm in California if it matters.

    I suppose users could tunnel DNS over some other port if they had to.

    • by Shakrai (717556) on Tuesday June 09, 2009 @01:18PM (#28269095) Journal

      I suppose users could tunnel DNS over some other port if they had to.

      I route all of my DNS requests through a VPN to the DNS server at my office. Not everybody has this luxury though. I wonder if OpenDNS would be inclined to set up a VPN solution for people stuck with an ISP as arrogant as Comcast?

    • by mcgrew (92797) on Tuesday June 09, 2009 @01:25PM (#28269229) Homepage Journal

      I'm wondering how this post ever made it to the slashdot front page. I haven't RTFM, but as it's from the domain comcastfuckingwithyourport53traffic.wordpress.com I don't see any reason to lend it credence.

      The comments to this story say a lot, almost as much as the domain the story links to. Somebody screwed up posting this.

      • I'm wondering how this post ever made it to the slashdot front page.

        kdawson hadn't met his daily quota for posting FUD articles yet?

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Somebody screwed up posting this.

        Posted by kdawson on 02:11 PM -- Tuesday June 09 2009

        Why am I not surprised.

  • How does this affect DNS with DNSSEC applied? Wouldn't there be a mismatch in the signing keys?
    • Re:DNSSEC? (Score:5, Informative)

      by ScytheBlade1 (772156) <scytheblade1&averageurl,com> on Tuesday June 09, 2009 @01:25PM (#28269233) Homepage Journal

      DNSSEC is validated at the resolver level. However, even if you run your own local DNS resolver, DNSSEC wouldn't come into play -- Comcast can simply strip the KEY/RRSIG records entirely before sending them to you -- leaving your resolver thinking that the zone has no DNSSEC records at all (at which point, they are blindly accepted as valid).

      I'd imagine that there is an option somewhere in bind to only accept signed records (and if not, there will be eventually I'm sure), but even if Comcast wasn't futzing with your dataz, you wouldn't have a functional internet.

      (I'm on comcast, and am not seeing this redirection. I also run a local DNS resolver.)

  • by Cpt_Kirks (37296) on Tuesday June 09, 2009 @01:18PM (#28269091)

    When Comcast took over from Time Warner here, I bailed.

    I mean, Time Warner is evil. AT&T (who I switched to), is evil.

    But Comcast is Motherfucking Sith Lord EVIL.

    Scary fucking eeeeevil. Nazi evil. RIAA evil.

     

  • by jjb3rd (1138577) on Tuesday June 09, 2009 @01:18PM (#28269093)
    I'm a comcast user and it works for me...perhaps his home network is the problem. A Linux user having a misconfigured network?!??! Oh wait this is Slashdot...nevermind.
  • My connection is comcast for biz-- go crazy- I took out my last subnet

    The ICSI Netalyzr Beta
    Introduction Analysis Results
    Result Summary
    74-92-106-XXX-Philadelphia.hfc.comcastbusiness.net / 74.92.106.XXX
    Recorded at 14:15 EDT (18:15 UTC) on Tue, June 09 2009. Permalink. Transcript.
    Noteworthy Events
    Minor Aberrations

    Certain protocols are blocked in outbound traffic
    Address-based Tests
    NAT detection: NAT Detected

    Your global IP address is 74.92.106.XXX while your local one is 192.168.15.XX. You are behind a NAT. Y

  • I use Sprint Mobile Broadband at home and the last time I checked (several months ago), they were still intercepting and redirecting port 53 traffic.

  • with comcast in NJ.

    Then again I don't get advertising page IPs in response to non-existent names either.

  • DNS-Based Filtering (Score:2, Interesting)

    by Bicx (1042846)
    So does this mean that my DNS-based filtering through OpenDNS would stop? If so, my kids could be stumbling onto porn, malware, and dangerous sites that I was trying to shield them from. Thanks Big Brother! That's just awesome. No, that's Comcastic!
  • Take a look at the packet loss on their Augusta, GA servers. Regularly, from 10 PM to 1 AM (or later), 50%+ packet loss.

    I know because a buddy's radio show keeps crapping out, and it goes through there. But when I rebroadcast the show as a test (and don't go through that server), the issues don't happen.

    But their L1 and L2 techs can't figure out the problem.

  • by macklin01 (760841) on Tuesday June 09, 2009 @01:27PM (#28269269) Homepage

    Here are the ICSI results [berkeley.edu]. Results are from a PC behind a bog-standard Linksys WRT-54g, for what it's worth.

    Not my field, but I see Direct TCP access to remote DNS servers (port 53) is allowed. I'll leave it to the networking experts to pick through the rest of the report.

    • errmm... (Score:3, Informative)

      by Tmack (593755)
      Most dns traffic uses UDP

      TCP is generally only used for excessively large requests or zone transfers

      Tm

  • Interesting side-note. Time Warner's DNS servers stopped working recently for my Playstation 3. I switched to OpenDNS and all is well, but does anyone have an idea what's going on here? I thought DNS was DNS.

  • If true, this is a pretty serious escalation in the Net Neutrality wars.

    It's not just an escalation in the NN wars (I didn't know we were fighting a war, anyway. I thought it was just a 'security detachment' or 'police action').

    This represents a fundamental shift in how the internet works. If you can't use your own DNS servers, or at least send requests to an outside DNS server, then the internet loses some of its ability to route around damage (again, using the convention that 'damage' includes shit lik

  • This practice effectively prohibits the use of alternative DNS roots, such as OpenNIC. In other words, it gives ICANN even stronger dominance over internet naming.

  • Comcast customer in Colorado, just outside of Boulder. Not happening here; I use OpenDNS and am definitely hitting their servers.

  • Netalyzer results (Score:3, Interesting)

    by MostAwesomeDude (980382) on Tuesday June 09, 2009 @01:30PM (#28269323) Homepage

    http://netalyzr.icsi.berkeley.edu/restore/id=ae8199f5-18807-f5eeee66-ce59-42a4-8803 [berkeley.edu]

    Note that my DNS servers are Level3 servers (4.2.2.2, 4.2.2.4) since they are much faster than Comcast DNS.

  • by whoever57 (658626) on Tuesday June 09, 2009 @01:31PM (#28269365) Journal
    Last time I had some spare time in an airport, I found that the T-Mobile hotspot allowed 53/UDP traffic out, so I was thinking of setting up openvpn on port 53 (instead of its usual 1194) in order to access my home machines (without a T-Mobile login). If Comcast intercepts this traffic, my evil plan won't work!
    • by Guanix (16477) on Tuesday June 09, 2009 @02:43PM (#28270469) Homepage

      Have you heard of IP over DNS? The DNStunnel software sends IP packets as TXT records over a real DNS, the client sends data in the request itself. Since these are real resolvable DNS records, proxying port 53 won't work. When I tried this software, I could only get a single stream over the tunnel, so I ran SSH over the DNStunnel and used ssh to forward a TCP port that I then ran OpenVPN on. This actually works, but it is very slow. And I can imagine that people would eventually find out because the wifi provider's DNS cache will fill up with IP data.

  • Here are my ICSI results [berkeley.edu].

    Direct UDP access to remote DNS servers (port 53) is allowed.
    Direct TCP access to remote DNS servers (port 53) is allowed.


    My office is just outside of Philadelphia, so southeastern PA, for regional results.
  • OpenDNS (Score:2, Interesting)

    by Clipless (1432977)

    A good friend of mine was using OpenDNS on Comcast and one day, without warning, his internet service was cut off.
    When he called the phone rep said that Comcast had disabled his internet because he was not using their DNS server and that if he wanted to have Comcast as a provider he had no choice but to use DNS servers provided by DHCP!

  • by Itninja (937614) on Tuesday June 09, 2009 @01:34PM (#28269435) Homepage
    Was the original poster a shill for some other ISP or what? An anonymous user submits a story decrying a great technical wrong by Comcast, that no one appears to be able to reproduce. So a little fact check action might be in order here. Up next, "toyotasuxors@ford.com says: Toyota tracking all US drivers with a device hidden in the glove box!"
  • Are you buying "Internet access" or something else? If you bought "Internet access" and you aren't getting it that's breach of contract. Odds are you are buying "partial Internet access as spelled out by the terms and conditions" which is probably not "Internet access."

    Are they advertising "Internet access" or something else? If they are advertising "Internet access" and not delivering, that's false advertising. Unfortunately, it takes either deep pockets or a friend in your friendly neighborhood Attorn

  • [machine]:~ [user]$ nslookup comcast.sucks.com testserv.mydomain.com
    ;; connection timed out; no servers could be reached

    This was tested on testserv.mydomain.com (doesn't exist) because I knew it wouldn't respond. I don't have an outside box to test it with, so while not 100% conclusive, according to this test I should still get a DNS response if Comcast is intercepting. ICSI Netalyzr shows the following:

    Basic UDP access is available.
    Direct UDP access to remote DNS servers (port 53) is allowed. The applet
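The three tests proposed in this thread (CodeBuster's planted wrong record, jeffmeden's bogus name against your own server, whoever57's query to a server you control, and the nslookup against a host with nothing listening on port 53 in the comment just above) share one shape: send a query straight to an address you control and compare what comes back with what that host must have sent. The script below, an added example rather than anything from the original post or from Netalyzr, does that with hand-built DNS packets so the probe cannot be influenced by the local stub resolver. The server addresses, the `example.net` zone and the planted address 192.0.2.99 are placeholders; `build_response` exists only to construct sample replies for offline checking:

```python
"""Added example: probe a given IP on UDP/53 and classify the reply against
what the server you control must have sent.

expectation is one of:
  "timeout"   the target runs no resolver at all, so any answer was forged in transit
  "nxdomain"  the target is your authoritative server and the name is bogus
  "<ip>"      the target is your server and you planted that deliberately wrong A record
"""
import os
import socket
import struct

NXDOMAIN = 3


def encode_name(name):
    """Presentation name -> wire format (length-prefixed labels, terminating root byte)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def skip_name(data, off):
    """Offset just past a wire-format name, handling 2-byte compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=None):
    """Minimal A query, RD set, random transaction id unless one is supplied."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, rcode=0, ips=()):
    """Constructed reply for offline testing only (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


def parse_response(data):
    """Transaction id, RCODE and the A-record answers of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        answers.append(socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else (rtype, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def classify(expectation, reply, txid):
    """Return (verdict, reason); verdict is clean, intercepted or inconclusive."""
    if reply is None:
        if expectation == "timeout":
            return "clean", "no answer from a host that runs no resolver"
        return "inconclusive", "no answer; check the server's own packet capture"
    r = parse_response(reply)
    if r["txid"] != txid:
        return "inconclusive", "transaction id mismatch, not a reply to our query"
    if expectation == "timeout":
        return "intercepted", "an answer arrived from a host that runs no resolver"
    if expectation == "nxdomain":
        if r["rcode"] == NXDOMAIN and not r["answers"]:
            return "clean", "bogus name correctly returned NXDOMAIN"
        return "intercepted", "bogus name resolved to %r" % (r["answers"],)
    if r["answers"] == [expectation]:
        return "clean", "planted record came back unchanged"
    return "intercepted", "planted record replaced by %r" % (r["answers"],)


def probe(server_ip, name, expectation, timeout=3.0):
    """Send one UDP query directly to server_ip:53 and classify what happens."""
    txid, packet = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (server_ip, 53))
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        reply = None
    finally:
        sock.close()
    return classify(expectation, reply, txid)


if __name__ == "__main__":
    # Placeholders: 192.0.2.10 is a host of yours with nothing on port 53; 192.0.2.20 is
    # your authoritative server for example.net carrying a planted A record for
    # planted.example.net that points at 192.0.2.99.
    print(probe("192.0.2.10", "www.example.com", "timeout"))
    print(probe("192.0.2.20", "no-such-name-a8f3.example.net", "nxdomain"))
    print(probe("192.0.2.20", "planted.example.net", "192.0.2.99"))
```

The "timeout" probe is the strongest of the three: a reply from an address with no listener can only have come from something in the path. The other two still need the server-side capture whoever57 describes to tell interception from a forwarding proxy that passes unknown names through, since a proxy that only answers names it recognises would pass both.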

  • Was mostly a couple years ago, but even still, I had to keep a note of alternative DNS servers just in case Comcast's went on a fritz. Crazy annoying, and try explaining it to laymen!

  • Official Response (Score:4, Informative)

    by ComcastBonnie (1449629) on Tuesday June 09, 2009 @01:40PM (#28269531)
    Hey guys, I just caught this on Twitter, and I can confirm that we do not and have not hijacked any DNS traffic in our network and certainly not to 3rd party resolvers. 'nuff said. I spoke with our DNS engineering folks, and they have confirmed. If you would like to contact me, I'm @ComcastBonnie on Twitter.
    • by rednip (186217) <{rednip} {at} {gmail.com}> on Tuesday June 09, 2009 @02:25PM (#28270179) Journal
      Wow it's nice to know that Comcast has both a twitter account and a brand new Slashdot account. Oh, it's most likely that you're an employee (maybe tech support), I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication? If so, I'd suggest a listing on the main corporate 'contacts' page, so that it'd be easy to verify it as 'official'. Also, the DNS team (or even the guy on duty) might not be complicit in the skulduggery, so your assessment might not be correct.
      • by fluxrad (125130) on Tuesday June 09, 2009 @02:47PM (#28270555) Homepage

        I'd watch what you call an 'Official Response' as many corporations have very strict rules about talking to the press, or making any binding claims to a general audience. Are you authorized for such communication?

        Yes she is. She's handled one of my responses before. Recently corporations have started hiring "social networking" types to answer questions on places like Twitter, Facebook et al. It would seem Slashdot is another one of these venues.

      • Re: (Score:3, Informative)

        by minerat (678240)
        Comcast has been using twitter for a while now, under the @ComcastCares account. Multiple Comcast employees monitor twitter streams for complaints and are empowered to take action to resolve issues. ComcastBonnie (as well as a few others) are authorized (cs? pr?) representatives for Comcast. Given that her twitter page says the same thing as her post, you can probably take it at face value.
    • by Linux_ho (205887) on Tuesday June 09, 2009 @03:55PM (#28271463) Homepage
      Even assuming you're a real Comcast representative, why should we believe anything any Comcast rep says, after witnessing the series of lies, stonewalling, and misdirection Comcast produced after being accused of interfering with BitTorrent traffic, and then again after being caught red-handed interfering with BitTorrent traffic?
  • by nweaver (113078) on Tuesday June 09, 2009 @01:42PM (#28269563) Homepage

    We have not seen any redirection issues with Comcast users' DNS settings.

    Questions on netalyzr itself will be answered in this thread.

  • by BaronHethorSamedi (970820) <thebaronsamedi@gmail.com> on Tuesday June 09, 2009 @01:43PM (#28269573)
    An anonymous reader submits a "story" linking to a random blog spouting off rumors about a nefarious scheme by Comcast to redirect port traffic. The "story" is then published under a headline asserting the rumor as fact, while the summary is actually a plea for the fact-checking on the story to be done by readers.

    News for nerds, indeed.
  • Test market? (Score:4, Interesting)

    by irving47 (73147) on Tuesday June 09, 2009 @02:01PM (#28269829) Homepage

    I don't see anyone else mentioning this, but it seems they could be using a particular area to test this "policy"
