tor provided me first warning of corrupted ISP name servers

Scott Bennett bennett at cs.niu.edu
Sun Aug 24 15:47:26 UTC 2008


     Yesterday my tor server logged a message advising me of a name server
problem at the Comcast name servers whose addresses are given via DHCP to
my computer upon connection to the Comcast network:

Aug 23 17:11:32.227 [notice] Your DNS provider gave an answer for "y75smsh5mk7ggb.test", which is not supposed to exist.  Apparently they are hijacking DNS failures. Trying to correct for this.  We've noticed 1 possibly bad addresses so far.

     During the night and wee morning hours, I encountered other problems
that were due to bad data being returned by one or the other of the two
Comcast name servers that are assigned by DHCP, such as "connection rejected"
messages from PuTTY when the destination was given as a host+domainname, while
good connections resulted when the same destination was given as an IP address.
The two servers in question are at 68.87.64.140 and 68.87.66.135.  Feel free
to query them yourselves.  If they haven't been restarted, they will almost
certainly answer any request for an A RR with 68.87.64.132, an address on the
Comcast network.  I also tried making my test queries from a system at the
nearby university, which is not on Comcast's network, directing the test
queries to each of the corrupted name servers.  The results were the same.
     This morning tor has logged more messages, including a notice that it
has stopped being an exit due to the corrupted name servers. :-(

Aug 24 09:48:48.821 [notice] Your DNS provider has given "68.87.64.132" as an answer for 11 different invalid addresses. Apparently they are hijacking DNS failures. I'll try to correct for this by treating future occurrences of "68.87.64.132" as 'not found'.
Aug 24 09:49:18.828 [notice] Your DNS provider tried to redirect "www.google.com" to a junk address.  It has done this with 3 test addresses so far.  I'm going to stop being an exit node for now, since our DNS seems so broken.

     An attempt to deal with Comcast by phone was fruitless.  The customer
"service" "technical" support representative who took my call was not
competent to understand the evidence I provided him, told me that the only
DNS query tool that he was allowed to use did not provide any way to direct
the queries to specific name servers, and said he was required to follow
several pointless steps of an official procedure first, the next step of
which involved rebooting *my* computer, rather than finding someone there
who could check and confirm or refute the evidence I provided *unless*
his call center received similar complaints from a large number of users.
     I next tried to report the problem by email to dnsadmin at comcast.net,
the address listed in the comcast.net. SOA RR.  That report, which contained
all the necessary evidence to prove that the two name servers in question
were, in fact, dishing out bad data, bounced with an error message claiming
that the bounce was happening because the message was not sent by a Comcast
customer.  (That was false, of course, but I sent it from this account at
the university here, and mail filters aren't smart enough to handle such
things correctly.)
     Finally, I sent a note complaining about the bounce and including a
copy of the original message to ccs_arin at cable.comcast.com, which I got
from the WHOIS data base at whois.arin.net.  Thus far it hasn't bounced,
but thus far I have no evidence that anyone ever looks at messages sent
to that address.
     So.  If your tor server is on a Comcast link to the wider Internet,
check to make sure that those two DNS server addresses, 68.87.64.140 and
68.87.66.135, are not ones being used for any name resolution.
     Also, if anyone reading this knows of a way to get information in past
Comcast's peoplewall to the appropriate network and/or system administrator,
I would very much appreciate such person(s) letting me know how to do it.
     Thanks for any help or information you can provide.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
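The log lines quoted above describe a self-check worth having outside of tor as well: ask the configured resolver for random names under the reserved `.test` TLD (which can never exist), tally whatever addresses come back, treat an address that answers for several different invalid names as "not found", and then confirm that names known to exist are not being sent to that same address. The following is an added example that reconstructs that check; it is not code from the post or from the Tor project. The resolver is injected as a function so the check runs offline against a constructed table (RFC 5737 documentation address `192.0.2.10` for a made-up `www.example.com` entry); the only values taken from the post are the `68.87.64.132` address and the count of 11 probes. In real use the resolver function would wrap a DNS client pointed at the nameserver under test.

```python
import random
import string
from collections import Counter
from typing import Callable, Dict, List, Optional, Set

# A resolver takes a hostname and returns its A records, or None when the
# name does not exist (NXDOMAIN) or no answer is available. It is injected
# so the same check can run against a real nameserver or a constructed one.
Resolver = Callable[[str], Optional[List[str]]]


def random_test_name(rng: random.Random, length: int = 14) -> str:
    """Build a name under the reserved .test TLD (RFC 2606). It cannot exist,
    so any answer for it is evidence the resolver synthesises responses."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length)) + ".test"


def probe_nonexistent_names(resolve: Resolver, probes: int = 11, seed: int = 0) -> Counter:
    """Query names that must not exist and tally every address returned."""
    rng = random.Random(seed)
    hits: Counter = Counter()
    for _ in range(probes):
        answers = resolve(random_test_name(rng))
        if answers:
            hits.update(answers)
    return hits


def learn_junk_addresses(hits: Counter, threshold: int = 2) -> Set[str]:
    """An address returned for several distinct invalid names is the
    resolver's 'search page' address, not a real record."""
    return {addr for addr, count in hits.items() if count >= threshold}


def check_known_names(resolve: Resolver, known: List[str], junk: Set[str]) -> List[str]:
    """Names that certainly exist must not resolve to a learned junk address.
    Returns the names that were redirected."""
    redirected = []
    for name in known:
        answers = resolve(name) or []
        if any(addr in junk for addr in answers):
            redirected.append(name)
    return redirected


def filtered_resolver(resolve: Resolver, junk: Set[str]) -> Resolver:
    """Wrap a resolver so junk answers are reported as 'not found', which is
    the correction the log lines describe."""
    def wrapped(name: str) -> Optional[List[str]]:
        answers = resolve(name)
        if not answers:
            return None
        clean = [a for a in answers if a not in junk]
        return clean or None
    return wrapped


def audit_resolver(resolve: Resolver, known: List[str]) -> Dict[str, object]:
    """Run the whole check: probe, learn junk addresses, verify known names.
    'exit_safe' is False when a known name was redirected to a junk address."""
    hits = probe_nonexistent_names(resolve)
    junk = learn_junk_addresses(hits)
    redirected = check_known_names(resolve, known, junk)
    return {
        "bad_answers": sum(hits.values()),
        "junk_addresses": junk,
        "redirected": redirected,
        "exit_safe": not redirected,
    }


# --- Constructed resolvers so the check can be exercised offline ------------

# Constructed table: a hypothetical name mapped to an RFC 5737 test address.
CONSTRUCTED_TABLE = {"www.example.com": ["192.0.2.10"]}
HIJACK_ADDRESS = "68.87.64.132"  # the address reported in the post's log lines


def honest_resolver(name: str) -> Optional[List[str]]:
    """Returns records for known names and None (NXDOMAIN) for everything else."""
    return CONSTRUCTED_TABLE.get(name)


def hijacking_resolver(name: str) -> Optional[List[str]]:
    """Simulates the behaviour described in the post: every miss, including a
    well-known name this resolver does not know, is answered with one address."""
    return CONSTRUCTED_TABLE.get(name, [HIJACK_ADDRESS])


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("hijacking", hijacking_resolver)):
        print(label, audit_resolver(resolver, ["www.example.com", "www.google.com"]))
```

Against the hijacking resolver the audit reports 11 bad answers, learns `68.87.64.132` as the junk address, flags `www.google.com` as redirected and marks the resolver unsafe for exit use; against the honest one it learns nothing and passes. The threshold of two hits before an address is declared junk avoids reacting to a single stray wildcard record.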