Comcast DNS servers returning bogus information

Scott Bennett bennett at cs.niu.edu
Sun Aug 24 19:04:55 UTC 2008 

     On Sun, 24 Aug 2008 12:30:10 -0600 "Kasimir Gabert" <kasimir.g at gmail.com>
wrote:
>On Sun, Aug 24, 2008 at 12:23 PM, Scott Bennett <bennett at cs.niu.edu> wrote:
>>     On Sun, 24 Aug 2008 12:10:27 -0500 Drake Wilson <drake at begriffli.ch>
>> wrote:
>>>Quoth Scott Bennett <bennett at cs.niu.edu>, on 2008-08-24 12:03:13 -0500:
>>>>      The only problem is that that explanation doesn't explain why their
>>>> name servers give out the identically wrong information to computers
>>>> elsewhere on the Internet.
>>>
>>>Those name servers may only be shown by DHCP to users who are placed
>>>in this bogus state; other users may be directed to other nameservers.
>>
>>     Yes, I understood your point the first time.  The problem is that
>> that explanation doesn't cover the responses to queries coming from
>> elsewhere.
>>
>>>Possibly nobody should or would be querying those ones normally, and
>>>those ones (and only those ones) are configured to always respond that
>>>way.
>>>
>>     I guess I don't understand.  The name server data are supposed to
>> be accurate in order for the Internet to function properly.  I found that
>> the two servers in question respond with the same address for every A RR
>> that is requested, without regard to whether the name and domain should
>> resolve to a Comcast IP address, an NIU IP address, or a UW Madison IP
>> address.  Further, they both give out that same wrong IP address on the
>> Comcast net for each of those queries, and they give them out that way
>> without regard to the source address of the query.  If they didn't want
>> to respond to such queries, they should do that by either forwarding the
>> query to an appropriate server for the domain queried or returning a no
>> answer response.
>
>Hello Scott,
>
>I believe that you might have missed Drake's second explanation: that
>your DNS servers are the default bad servers for Comcast, and that
>when your DNS servers were delivered to your router via DHCP, the DNS
>servers changed from being the correct ones to being the incorrect
>ones.  Of course, this is only possible if you use DHCP (or something
>similar), and can easily be checked if you remember your previous DNS
>settings, or if this occurred after initiating a new DHCP session, or
>by asking a neighbor using Comcast what their DNS values are and
>assuming that they would be the same for that area.

     Okay, this is my fault, I guess.  I neglected to mention that when
Comcast was here last week to hook up a modem and get me started, I wrote
down on paper the contents of the resolv.conf file after the DHCP client
had done its thing.  The two name server addresses given by DHCP then
are the same two given by DHCP now.  There hasn't been a change.  The IP
address assigned to my computer is also unchanged since it was originally
connected.
>
>Hopefully this will clear things up!

     Ah, if only.  But no, and if I hadn't left the above info out of
the earlier messages, he probably wouldn't have suggested that there had
been a substitution.  My apologies to Drake and to all others concerned.
     Now, I suppose Comcast might somehow have altered routing tables
somewhere to misdirect traffic for those name server IP addresses to some
substitute server, but it might be difficult to do that in a way that would
be safe for the rest of their operations.
     Anyway, it looks like tor will not resume advertising exit service
until Comcast admits to itself, if not publicly, that those two name
servers are corrupted, shuts them down, deletes their cache files, and
restarts them.  If the bad data have spread to any more of their name
servers, then they'll need to do the same thing to those.
     Meanwhile my server still seems to be doing a reasonably good business
as a middleman, so I'm going to get some sleep.  Later I may investigate
using the web-based email account they set up for me to see whether the
hostadmin address in the comcast.net. SOA RR will accept mail from there
instead of bouncing it when it comes from an outside (i.e., non-Comcast)
address, a behavior that clearly should be policed by the NIC but just as
clearly isn't policed by anyone.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

More information about the tor-talk mailing list