NNSquad - Network Neutrality Squad
[ NNSquad ] [dave@farber.net: [IP] Comcast is f***g with DNS and reply from COMCAST]
Be sure to read both messages.

--Lauren--
NNSquad Moderator

----- Forwarded message from David Farber <dave@farber.net> -----

Date: Thu, 9 Dec 2010 17:44:05 -0500
From: David Farber <dave@farber.net>
Subject: [IP] Comcast is f***g with DNS and reply from COMCAST
Reply-To: dave@farber.net
To: ip <ip@listbox.com>

Begin forwarded message:

From: Karl Auerbach <karl@cavebear.com>
Date: December 9, 2010 5:25:09 PM EST
To: dave@farber.net
Subject: Comcast is f***g with DNS
Reply-To: karl@cavebear.com

(For IP if you wish)

Last night my DirecTV box went on the fritz. So I ran some tests.

It said "can not connect to the internet". That intrigued me.

So I set up some hubs (not switches) and Wiresharks to watch what was going on.

Lo and behold I see that my network provider, Comcast, is changing DNS responses so that all queries for seemingly any name end up pointing to a Comcast IP address on which is a Comcast web server that will promiscuously answer any web URL with an "Xfinity, Oops! Activation Incomplete" web page.

Of course this means that my DirecTV box went into the weeds when it went to what it expected to be its own web server and, instead, got Comcast's.

This hadn't affected the rest of my machines because I have my own DNS servers that don't fabricate answers.

I bet that if this isn't localized, this kind of non-neutral ISP (Comcast) behavior is causing a lot of support calls, and real $$ expended, on third parties, such as DirecTV.

--karl--

Begin forwarded message:

From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Date: December 9, 2010 5:36:33 PM EST
To: Dave Farber <dave@farber.net>, "Waz, Joe" <Joe_Waz@Comcast.com>, "karl@cavebear.com" <karl@cavebear.com>
Subject: Re: Comcast is f***g with DNS

Hi Karl – I assume you are referring to NXDOMAIN redirection?

If so, you may want to check out the following:

http://www.dnssec.comcast.net/faq.htm#faq7

What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?

* We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
* Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
* The production network DNSSEC servers do not have Comcast Domain Helper's DNS redirect functionality enabled.
* We recently updated our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this.

and

http://tools.ietf.org/html/draft-livingood-dns-redirect-03#section-4

"It is critically important that service providers understand that adoption of DNSSEC is technically incompatible with DNS redirect. As such, in order to properly implement DNSSEC and maintain a valid chain of trust, DNS redirect MUST NOT be used any longer."

If you are referring to something else, please tell me how I can help!

Regards
Jason

----- End forwarded message -----
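The behaviour Karl observed with Wireshark, and the NXDOMAIN redirection Jason names, can be checked from a client without a packet capture: ask a resolver for a name that cannot exist and see whether it answers NXDOMAIN or hands back an A record anyway. The following is an added example for this thread, not code from either correspondent or from Comcast. It builds plain DNS queries with the standard library, parses the response (including name-compression pointers), and classifies it; `build_response` only exists to construct offline sample responses, and the `192.0.2.10` address is a documentation-range placeholder standing in for whatever address a redirecting resolver would return. It does no DNSSEC validation; a validating stub with the DO bit set would reject a forged NOERROR answer outright, which is exactly the incompatibility the IETF draft describes.

```python
"""Detect NXDOMAIN redirection in plain (non-DNSSEC) DNS responses."""
import random
import socket
import string
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
QTYPE_A = 1
CLASS_IN = 1


def build_query(name, txid=0x1234):
    """Standard recursive A query for `name` (RD set, no EDNS, no DO bit)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, CLASS_IN)


def build_response(query, rcode, a_record=None, ttl=300):
    """Constructed sample response to `query` for offline testing only.
    With `a_record` set it mimics a redirecting resolver: NOERROR plus an
    A record (via a compression pointer to the question name)."""
    ancount = 1 if a_record else 0
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, ancount, 0, 0)
    msg = header + query[12:]                       # copy the question section
    if a_record:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
        msg += socket.inet_aton(a_record)
    return msg


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Return txid, rcode, question name and (name, type, rdata) answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                    # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "qname": qname, "answers": answers}


def classify(msg):
    """'NXDOMAIN' = honest negative answer; 'REDIRECTED' = NOERROR with an
    A record for a name that should not exist; 'OTHER' = anything else."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if r["rcode"] == RCODE_NOERROR and any(t == QTYPE_A for _n, t, _d in r["answers"]):
        return "REDIRECTED"
    return "OTHER"


def probe_resolver(resolver_ip, tld="invalid", timeout=3.0):
    """Live check: query a random, non-existent label and classify the reply.
    A resolver that returns 'REDIRECTED' here is fabricating answers."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
    txid = random.randrange(0, 65536)
    q = build_query(f"{label}.{tld}", txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if parse_response(data)["txid"] != txid:
        return "OTHER"                              # not a reply to our query
    return classify(data)


# Constructed samples (not real captures): an honest resolver and a redirecting one.
SAMPLE_QUERY = build_query("zq7x2m9k4p1c8v5b3n0a.invalid")
SAMPLE_HONEST = build_response(SAMPLE_QUERY, RCODE_NXDOMAIN)
SAMPLE_REDIRECTED = build_response(SAMPLE_QUERY, RCODE_NOERROR, "192.0.2.10")

if __name__ == "__main__":
    print("honest    :", classify(SAMPLE_HONEST))
    print("redirected:", classify(SAMPLE_REDIRECTED))
```

Running `probe_resolver("<your resolver IP>")` against a resolver that behaves as Karl describes returns `REDIRECTED` for a freshly generated random name; an honest resolver returns `NXDOMAIN`. Repeat with a couple of different TLDs, since some redirectors exempt reserved names.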