Comcast Finishes DNSSEC Rollout
Network More Secure, DNS Redirection Goes Kaput
by Karl Bode 10:23AM Wednesday Jan 11 2012 Tipped by FFH5
Not only is Comcast taking the lead on IPv6 deployment, as we've noted in the past; it's also taking the lead on DNSSEC upgrades. With DNSSEC, domain owners cryptographically sign their zones and validating resolvers check those signatures, so a forged or tampered DNS answer is rejected instead of being cached and handed to users. That helps combat DNS cache "poisoning" and the phishing scams that depend on a poisoned answer (note that DNSSEC authenticates DNS data only; it doesn't encrypt queries, and it says nothing about the site at the resulting address). According to a new blog post, Comcast says it's the first large ISP to have completed DNSSEC deployment. Comcast's Jason Livingood, a Broadband Reports forum regular, has this to say about the accomplishment:
quote:
As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6.
One change (which you'll count as a positive if these services annoy you) is that Comcast has had to shut off its DNS redirection ads because they don't play nice with DNSSEC. DNS redirection, now adopted by most ISPs, sends users to an ad-laden search portal when they mistype or enter a nonexistent domain: the ISP's resolver swaps the "no such name" (NXDOMAIN) answer for a made-up address record pointing at the portal. Under DNSSEC that NXDOMAIN is itself a signed answer, and the substituted record carries no valid signature, so any validating client sees the redirect as bogus. Redirection was a way for a carrier to make additional revenue, but it sometimes came at the expense of breaking network diagnostic tools and other software that relies on an honest NXDOMAIN.


cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7

SOPA

Hope you can undo all those changes Comcast if/when SOPA is passed.
funny0

join:2010-12-22

Re: SOPA

said by cdru:

Hope you can undo all those changes Comcast if/when SOPA is passed.

No worries, they've got the FBI/HS/CIA working with them to screw anyone they want later on, and it's not about consumers, it's about control...

vpoko
Premium
join:2003-07-03
Boston, MA
Would SOPA disallow this?
miscDude

join:2005-03-24
Kissimmee, FL

Re: SOPA

said by vpoko:

Would SOPA disallow this?

SOPA's requirements for blocking domains and basically redirecting you to a "this domain has been seized" site (or blackhole) would by its very nature be an incorrect DNS resolution.

Since you are basically going to be intentionally poisoning the DNS server's response, it's from a technical standpoint no different than a 3rd party poisoning those DNS results for any other reason. For the exact same reason the ad-portal redirection doesn't play nice with DNSSEC, the court-ordered site blocking wouldn't play nice either.

(From DNSSEC's standpoint, it doesn't care if your motives are Additional ISP Revenue, Court Order, or some other scam/nefarious purpose. You are all doing the exact same thing and that is returning unvalidated and therefore incorrect DNS lookup results.)

So, while SOPA doesn't specifically call out and say "DNSSEC is not allowed", its requirement for each ISP to block a domain name from resolving would make it impossible to utilize DNSSEC while still meeting the requirements the law imposes on them.

vpoko
Premium
join:2003-07-03
Boston, MA

Re: SOPA

Couldn't they do it at the IP-routing level? Something like client makes a DNS request, gets the valid IP address as a reply, attempts to connect to the resolved IP address, ISP substitutes their own response instead of routing the request.

This is pretty off topic, but I'm surprised they want to implement SOPA at the domain level. People can and will learn to use IP addresses directly.

DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Re: SOPA

Well doing it at the IP level would be more difficult and would require that the IP be in the US

and then the Host might get mad that some of their valuable IP addresses are now unusable and claim damages

unlike IPs, domain names are not as few

PapaMidnight

join:2009-01-13
Baltimore, MD
Correct me if I'm wrong but doesn't IPv6 inherently defeat SOPA at the implementation level?
lestat99

join:2000-08-04
Piscataway, NJ

Re: SOPA

You are wrong. There is nothing in IPv6 which would prevent SOPA. If you are thinking about IPsec, IPsec is no different in IPv6 than in IPv4. Further, you aren't going to use IPsec when browsing the public internet.

FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5
said by miscDude:

So, while SOPA doesn't specifically call out and say "DNSSEC is not allowed", its requirement for each ISP to block a domain name from resolving would make it impossible to utilize DNSSEC while still meeting the requirements the law imposes on them.

It wouldn't prohibit DNSSEC. It would just mean that the ISP would be knowingly breaking the IEEE std and would generate confusing msgs to the customers.

»www.techdirt.com/articles/201201···ec.shtml
--
The nine most terrifying words in the English language are, I'm from the government and I'm here to help.
»www.politico.com/2012-election/

lestat99

join:2000-08-04
Piscataway, NJ

Re: SOPA

Nit pick. The IEEE doesn't have anything to do with DNS standards. You are thinking of the IETF.

NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro

You are mistaken about that. SOPA does not require that an ISP use DNS to block any specific sites, it only requires that they make an effort to block access to the site, and DNS filtering is only one way to do so.

You are probably basing your assumption on your own experiences with a local hosts file, or with a DNS blocking service such as OpenDNS, but that is not the only (or even the best) way to block access to selected sites.

The easiest way (and the way I do it on my network) is to directly block access by domain, hostname, and/or IP address of the specific sites. I have multiple resi/soho grade routers that can do that job (and certainly the enterprise grade routers used by ISPs can do it), while leaving the DNS results untouched.

Here is an example of blocking access to facebook while leaving the DNS results untouched:




C:\>nslookup www.facebook.com
Server:  dcs-srv.dcs-net
Address:  192.168.9.2

Non-authoritative answer:
Name:    www.facebook.com
Address:  66.220.158.47

FYI, since facebook uses load balancing, you may or may not get the same IP address if you do a dns query, but the IP address above is definitely one used by facebook.com, and yet access to facebook.com is blocked.

This blocking method works with embedded iframes as well as for entire sites:




So, as you can see, should Comcast (or any ISP) be required to block access to a given site, they would not really need to use corrupted DNS to do so.

--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower

cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7

Re: SOPA

said by NetFixer:

You are mistaken about that. SOPA does not require that an ISP use DNS to block any specific sites, it only requires that they make an effort to block access to the site, and DNS filtering is only one way to do so.

I had my bills mixed up. It's not SOPA that specifies it specifically, it's PIPA, specifically Section 3d2(a).

quote:
Section 3d-2(A) OPERATORS-
(i) IN GENERAL- An operator of a nonauthoritative domain name system server shall take the least burdensome technically feasible and reasonable measures designed to prevent the domain name described in the order from resolving to that domain name’s Internet protocol address, except that--
(I) such operator shall not be required--
(aa) other than as directed under this subparagraph, to modify its network, software, systems, or facilities;
(bb) to take any measures with respect to domain name lookups not performed by its own domain name server or domain name system servers located outside the United States; or
(cc) to continue to prevent access to a domain name to which access has been effectively disabled by other means; and
(II) nothing in this subparagraph shall affect the limitation on the liability of such an operator under section 512 of title 17, United States Code.
(ii) TEXT OF NOTICE- The Attorney General shall prescribe the text of the notice displayed to users or customers of an operator taking an action pursuant to this subparagraph. Such text shall specify that the action is being taken pursuant to a court order obtained by the Attorney General.

I bolded a few key words that pretty much explicitly refer to the DNS system in specific legalese. Now there are exceptions, and if the ISP has implemented or is implementing DNSSEC they would be exempt. It's just silly, though, that on one hand ISPs and the government are pushing to secure the DNS system, and on the other hand the content producers (and in some cases also ISPs) and government try to make ISPs specifically break that DNSSEC. And I'll guarantee that if/when SOPA and PIPA are passed, there will be a push to remove those exceptions.

The easiest way (and the way I do it on my network) is to directly block access by domain, hostname, and/or IP address of the specific sites. I have multiple resi/soho grade routers that can do that job (and certainly the enterprise grade routers used by ISPs can do it), while leaving the DNS results untouched.

How does your system filter against secure requests? Or if the blocked service changes IP? Or through a proxy?

It's a whack-a-mole problem that isn't going to be fixed by blocks or redirects without abuse and collateral damage along the way.

NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro

Re: SOPA

said by cdru:

How does your system filter against secure requests? Or if the blocked service changes IP? Or through a proxy?

My in-house blocking is primarily a simple defense against drive-by attacks in embedded iframes, and those are seldom encased in SSL. I have ways to block proxy usage, but I don't really have a need to do so since only adults use my network, and my blocks are primarily malware defenses rather than proactive content blocking (anyone who wants to watch porn or Oprah reruns is free to do so).

said by cdru:

It's a whack-a-mole problem that isn't going to be fixed by blocks or redirects without abuse and collateral damage along the way.

I agree 110% with that assessment. I never said that I approved of government mandated censoring, only that DNS mangling was not the only way to (attempt to) do it. The end result of prohibition, and the current "war on drugs" (the increased power of organized crime) should be enough proof that such prohibitions don't work, and have disastrous unintended results.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
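NetFixer's router blocks by hostname without touching DNS, and cdru asks how that copes with secure requests. As an added example (not NetFixer's router configuration, and not code from the original page), here is the matching logic such a name-based filter needs: for plaintext HTTP the name is in the Host header, while for HTTPS it is only visible in the cleartext TLS ClientHello's Server Name Indication. A client that omits SNI, or a connection made straight to an IP address, gives a name filter nothing to match, which is exactly the case where an IP block has to step in. The block list and the ClientHello builder are constructed for the demo.

```python
import struct
from typing import Optional, Tuple

# Constructed block list for the demo; NetFixer's real list is not on the page.
BLOCKED_HOSTS = {"facebook.com", "www.facebook.com"}


def host_from_http(payload: bytes) -> Optional[str]:
    """Hostname from the Host header of a plaintext HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:            # request line: "METHOD target HTTP/1.x"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":")[0].lower()     # drop an explicit :port
    return None


def sni_from_client_hello(payload: bytes) -> Optional[str]:
    """server_name from a TLS ClientHello's SNI extension, else None.
    The ClientHello is the only cleartext place a filter can read the name of an
    HTTPS site; a hello without SNI (or a truncated one) yields None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                       # client_version + random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                                 # extension type 0 = server_name
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                             # name_type host_name
                    return name.decode("ascii", "replace").lower()
        return None
    except (IndexError, struct.error):
        return None


def classify(payload: bytes) -> Tuple[Optional[str], bool]:
    """(hostname seen, blocked?) for the first client->server bytes of a flow."""
    host = sni_from_client_hello(payload) if payload[:1] == b"\x16" else host_from_http(payload)
    if host is None:
        return None, False                                 # nothing for a name filter to match on
    blocked = host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS)
    return host, blocked


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with an optional SNI extension (demo input)."""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"             # version, fixed "random", empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"               # one cipher suite
            + b"\x01\x00")                                      # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(classify(b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"))
    print(classify(build_client_hello("www.facebook.com")))
    print(classify(build_client_hello(None)))           # no SNI: the name filter is blind
```

The suffix match on the block list is what lets one entry cover the subdomains a site actually uses; the `(None, False)` result for a hello without SNI is the gap cdru is pointing at, and closing it means falling back to the IP-based block with all the shared-hosting collateral damage discussed further down the thread.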
miscDude

join:2005-03-24
Kissimmee, FL


said by cdru:

The easiest way (and the way I do it on my network) is to directly block access by domain, hostname, and/or IP address of the specific sites. I have multiple resi/soho grade routers that can do that job (and certainly the enterprise grade routers used by ISPs can do it), while leaving the DNS results untouched.

How does your system filter against secure requests? Or if the blocked service changes IP? Or through a proxy?

It's a whack-a-mole problem that isn't going to be fixed by blocks or redirects without abuse and collateral damage along the way.

Besides a whack-a-mole problem, you also run into a big issue with shared servers and/or CDN services.

If you block by IP and the site that is required to be blocked is located on a shared server, you could knock out several other perfectly legitimate sites. You are looking at a nightmare for hosting companies and products, because it's likely that a good number of sites that would be labeled "rogue" by these bills are ones that wouldn't be paying the premium pricing to be on a dedicated server. (Let's see.... do I spend $30/mo for a site that may be taken down for infringing links, or do I spend $300/mo for a site that may be taken down for infringing links?)

Then you have the sites that may actually use some form of CDN or cloud type service. Not only are you talking about a ton of different IP's the domain may be using located off different networks for load balancing and end user proximity purposes, but those IP's again may utilize a common gateway into a shared CDN site that then uses NAT or other means to direct your request to the specific servers within the farm that can serve your request.

IP-based filtering can also quickly lead to degraded network performance. Since you'd be talking about blocking several individual IPs (and not entire network blocks), it wouldn't take long for those blacklist configs to grow to a large size. Your ISP routers would then have a much larger config file that they would need to process each packet through. Yes, it may be doable on your home network or office network, but you also aren't going to be processing as many packets as the core routers used on ISP networks.

And that also doesn't touch upon the nightmare of maintaining those router configs. Most core network routers don't have their configs updated on a regular basis due to the potential for service interruptions. Imagine the nightmare for the larger ISPs in needing to constantly update every single router config on a regular basis (say weekly?) in order to keep their blacklist up to date. If they went with a more automated process such as broadcasting phony network routes, there is then a very real chance of a simple typo or oversight causing incorrect network advertisements being sent into the wild. (We've seen past incidents in other countries where sites like Google/Facebook/something big ended up being impacted because an incorrect network advertisement was sent upstream when those countries were attempting to implement their own internal blacklist.)
dj_eric

join:2004-11-19
Kennett Square, PA
said by NetFixer:

So, as you can see, should Comcast (or any ISP) be required to block access to a given site, they would not really need to use corrupted DNS to do so.

You are correct, but that would require Deep Packet Inspection of every packet going across the Internet, and this could even violate some privacy laws and legal requirements for some industries. (Remember the backlash from Comcast blocking BitTorrent.) The firewalls/snoopers are also very costly when looking at getting devices that can handle 10 Gbps connections at line rate. If you're interested in the price, I would give Sandvine or Narus a call and ask.

kapil
The Kapil

join:2000-04-26
Chicago, IL

Go Comcast

I think DNS security risks are overblown but in general one can never be too cautious about these things so kudos to Comcast for taking the lead on DNSSEC. That it resulted in shutting down the DNS redirection "feature" is also a plus.

Over the years, no one has had harsher words for this company 'round these parts than yours truly but ever since they hired good ol' @ComcastCares, they really do seem to have had a change of heart and of corporate culture.

@ComcastCares may be long gone but Comcast seems to be sticking by some of what he believed in. The service is still overpriced but customer service seems to be better and more responsive. The company is transparent when it comes to overages and usage limitations etc.

Don't get me wrong, Comcast still has a long way to go...but any progress is good, no?
--
»www.kapilville.com
funny0

join:2010-12-22

Re: Go Comcast

said by kapil:

I think DNS security risks are overblown but in general one can never be too cautious about these things so kudos to Comcast for taking the lead on DNSSEC. That it resulted in shutting down the DNS redirection "feature" is also a plus.

Over the years, no one has had harsher words for this company 'round these parts than yours truly but ever since they hired good ol' @ComcastCares, they really do seem to have had a change of heart and of corporate culture.

@ComcastCares may be long gone but Comcast seems to be sticking by some of what he believed in. The service is still overpriced but customer service seems to be better and more responsive. The company is transparent when it comes to overages and usage limitations etc.

Don't get me wrong, Comcast still has a long way to go...but any progress is good, no?

lol, change of heart? No. Look at what domain redirection can do: if, say, I had a DNS server, point them to me and then I can point the domains anywhere I want.... With that, any hosted Comcast domain has only the options to do what they want, NOT WHAT I WANT. I also think they don't allow home-based websites, if I'm not mistaken....
dj_eric

join:2004-11-19
Kennett Square, PA
said by kapil:

I think DNS security risks are overblown but in general one can never be too cautious about these things so kudos to Comcast for taking the lead on DNSSEC. That it resulted in shutting down the DNS redirection "feature" is also a plus.

It wasn't very long ago that a massive DNS cache poisoning scheme in Brazil went down. I do believe it was November of last year. Here's a ZDNet article on the issue:»www.zdnet.com/blog/security/mass···are/9780
funny0

join:2010-12-22

false title

THIS is more about them and their ability to control your domains. DOMAIN redirection is useful, especially if I have a few and want to point them to friends' servers, who may also once in a while move or go elsewhere; it takes my ability to do stuff away.

ON the poisoning front, sure, that is an issue, but they could do it a different way.... Anyhow, my 2 cents' worth from a home website owner who sees this as more about corporates trying to get more control.

ctg1701a
VIP
join:2008-08-07
Media, PA

Re: false title

said by funny0:

THIS is more about them and here ability to control your domains . DOMAIN redirection is useful especially if i have a few and want to point them to friends servers who may also once in a while move or go elsewhere it takes my ability to do stuff away.

ON the poisoning front sure that is an issue but they could do it a different way....anyhow my 2 cents worth form a home website owner that sees this more about corporates trying to get more control.

DNSSEC does not give any additional control at the caching server level of domains to ISPs; we in fact lose the ability to manipulate items like NXDOMAIN in those domains. It does give the domain owner more control to ensure that end users that use validating caching servers will get the correct response and not be redirected.

Thanks
Chris
Comcast

vpoko
Premium
join:2003-07-03
Boston, MA
How does this take away your control? Since you control the key used to sign the DNS record, you can point the domain anywhere you want. Someone else can't spoof your domain record, though.

Wait, you're not one of those irrationally paranoid or pessimistic people, are you?
Bill_F

join:2010-02-09
Huntsville, AL

Next time Comcast rolls out a DNS upgrade...

... You should go ahead and mention on the front page article that there will probably be an outage, especially for static IP customers.

»[Business] Business Class Down starting around 7-8AM?

Removing the ability to communicate is very effective security though. It doesn't really get any more secure than that. (except the tornadoes last year knocking the power offline to all of the CMTS systems in the county...)

NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro

Re: Next time Comcast rolls out a DNS upgrade...

said by Bill_F:

... You should go ahead and mention on the front page article that there will probably be an outage, especially for static IP customers.

»[Business] Business Class Down starting around 7-8AM?

Removing the ability to communicate is very effective security though. It doesn't really get any more secure than that. (except the tornadoes last year knocking the power offline to all of the CMTS systems in the county...)

said by Bill_F:

I can't access or ping any external IPs

I can empathize with your out-of-service problem, but exactly what did your outage have to do with Comcast's DNSSEC upgrades? Your own description of the outage symptoms (quoted above) pretty much ruled out DNS being the cause. Aside from that, Comcast has been using DNSSEC as the default for business class customers for quite some time (if as a business customer you were actually using Comcast's default servers, and not your own), and yesterday's public announcement would be entirely coincidental to any outage you experienced today (even if you had actually had a Comcast DNS outage).
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
rseiler

join:2001-11-01

Working?

I went to Comcast's FAQ and found this URL, which they say I should not be able to reach (my being on Comcast with the appropriate DNS of 75.75.75.75). I can always reach it. Why?
»www.dnssec-failed.org
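The article above describes validating resolvers, and the question just above asks why a deliberately broken test domain still resolves. Both come down to two bits in the DNS wire format, and the check is shown here as an added example that is not code from the original page or from Comcast: a client asks for DNSSEC data by sending an EDNS0 OPT record with the DO bit set, and a resolver that validated the answer marks it with the AD flag in the header; for a name whose signatures are bogus, a validating resolver returns SERVFAIL rather than an address, which is what makes the dnssec-failed.org test page unreachable. If you do get an address for that name, whatever actually answered your query did not validate it. The responses below are constructed so the demo runs offline; the only real server behaviour it relies on is the flag semantics.

```python
import struct
from typing import Optional, Tuple

OPT_RR_TYPE = 41         # EDNS0 OPT pseudo-record
DO_FLAG = 0x8000         # "DNSSEC OK" bit in the OPT record's flags field
AD_FLAG = 0x0020         # "Authenticated Data" bit in the DNS header flags
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def _encode_name(qname: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name at `pos` (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query for `qname` carrying an EDNS0 OPT record with the DO bit.
    Without DO a resolver strips RRSIGs; with it a validating resolver returns
    the signed data and sets AD on answers it verified."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD=1; 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags (DO), rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_RR_TYPE, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def do_bit_set(msg: bytes) -> bool:
    """True if the message carries an OPT record with DO set."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4                    # skip qtype + qclass
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_RR_TYPE:                          # for OPT, the TTL field holds the flags
            return bool(ttl & DO_FLAG)
    return False


def classify_response(msg: bytes) -> Tuple[str, bool]:
    """(rcode name, validated) for a resolver reply.
    NOERROR or NXDOMAIN with AD set: the resolver validated a signed answer.
    AD clear: the resolver did not validate, or the zone is unsigned.
    SERVFAIL: a validating resolver found the data bogus (dnssec-failed.org is
    broken on purpose), so the client never receives an address for the name."""
    _, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), bool(flags & AD_FLAG)


def build_response(query: bytes, rcode: int, ad: bool, answer_ip: Optional[str] = None) -> bytes:
    """Constructed resolver reply to `query` for the offline demo (no network used).
    A DNS-redirect resolver turns the NXDOMAIN for a typo into NOERROR plus an A
    record for its ad portal; it cannot honestly set AD on that, since no RRSIG
    covers the made-up record, and a downstream validator rejects it."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180 | (AD_FLAG if ad else 0) | rcode      # QR, RD, RA + rcode
    answer = b""
    if answer_ip is not None:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata  # name -> offset 12
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.dnssec-failed.org")
    print("query asks for DNSSEC data:", do_bit_set(q))
    print("validating resolver:", classify_response(build_response(q, 2, False)))
    print("non-validating resolver:", classify_response(build_response(q, 0, False, "192.0.2.10")))
```

Against a live resolver you would send `build_query(...)` over UDP port 53 and feed the reply to `classify_response`; `("SERVFAIL", False)` for dnssec-failed.org is the validating behaviour, and `("NOERROR", False)` with an address means the answering server skipped validation. The 192.0.2.10 address in the demo is documentation-range filler, not a real portal.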