Slashdot: News for Nerds

Crowdsourcing Confirms: Websites Inaccessible on Comcast

timothy posted about 5 months ago | from the have-your-friends-drop-the-dime-on-your-non-friends dept.

The Internet 349

Bennett Haselton writes with a bit of online detective work done with a little help from some (internet-distributed) friends: "A website that was temporarily inaccessible on my Comcast Internet connection (but accessible to my friends on other providers) led me to investigate further. Using a perl script, I found a sampling of websites that were inaccessible on Comcast (hostnames not resolving on DNS) but were working on other networks. Then I used Amazon Mechanical Turk to pay volunteers 25 cents apiece to check if they could access the website, and confirmed that (most) Comcast users were blocked from accessing it while users on other providers were not. The number of individual websites similarly inaccessible on Comcast could potentially be in the millions." Read on for the details.

My first clue came when a friend of mine set up the website http://www.helpmatt.org/ and asked her friends to donate. I said the website appeared to be down; they replied back that it was working fine for other people — and I narrowed it down to Comcast DNS servers not resolving the hostname www.helpmatt.org correctly. When I accessed the same website over my Frontier DSL connection, it worked. (I had recently signed up for Comcast cable Internet to save money over DSL, but I kept my DSL connection "just in case" something went wrong. At the time, I thought maybe I was being paranoid -- how hard could it be for a cable company to just run a straight Internet connection to my house and not screw anything up? Hollow laugh.)

I put out an informal survey to my Comcast-using friends, and a few of them said they couldn't access the website either. Still, I thought, this wasn't enough evidence that it was Comcast's fault; maybe the hostname was only resolving intermittently, and just by sheer coincidence it happened to be up when all of my non-Comcast-using friends tried it? I was about to do a more formal experiment, and recruit a larger sample of testers through Amazon Mechanical Turk to test whether the site was inaccessible to other Comcast users, when the problem spontaneously fixed itself and suddenly the website became accessible 100% of the time to everyone.

But, my curiosity had been piqued. Was there something wrong with Comcast's DNS servers -- whether deliberate or not -- that was causing other websites not to resolve correctly? I wrote a perl script to take a sample of websites -- part of the same list that I had used to find websites that were mis-blocked as 'pornography' by Smartfilter — and attempt to resolve them using both Comcast's main DNS server (75.75.75.75) and one of Google's public DNS servers (8.8.8.8). (You won't be able to do this experiment yourself unless you have a Comcast Internet connection, because while Google's DNS servers accept queries from anywhere, Comcast's DNS servers will refuse queries from any IP address not assigned to one of their customers.)

The script ran through a few hundred hostnames and flagged anything that failed to resolve on Comcast but resolved correctly on Google, although most of these were false positives caused by Comcast's DNS servers being temporarily unresponsive. But after running through the list of false-positives repeatedly, I found the first website that consistently failed to resolve on my Comcast Internet connection while resolving on Google: http://www.021yy.org/.

The website is for a second-hand furniture store in Shanghai; I have no idea what the domain "021yy.org" has to do with the business. (Perhaps the IP address that the domain name resolves to used to be occupied by a different website, and that IP address was inherited by the furniture store but the old hostname still points to it.) The hostname www.021yy.org resolves to the IP address 116.251.210.33 (for *ahem* non-Comcast users, that is), which according to the Asia Pacific Network Information Centre is part of a block of IP addresses assigned to a hosting company in Singapore. I'm not blocked from accessing the IP address of the website over Comcast; I can ping and send web requests to the IP address 116.251.210.33 with no problem. Only the hostname fails to resolve. (I can still access the site by using a VPN or a proxy server.)

So, I created a survey on Amazon Mechanical Turk, asking people three questions:

  1. Can you access the website http://www.021yy.org/?
  2. If you can't access the site, what error message does your browser give you?
  3. What provider are you using?

and offered 25 cents to every user who filled out the survey, up to a maximum of 50 people. Amazon Mechanical Turk, if you've never used it before, lets you create low-payment tasks and outsource them to a crowd of workers. Like any simple and powerful tool, it can be used for purposes that the original creators probably never imagined (presumably including this experiment), and someday I'd like to look into the most creative and bizarre things people have done with it. (Although, in this case, it seems like the site may not have done a great job of matching this task with available workers. Only 20 people filled out my survey in the 24 hours after I created it -- surely, out of all the available Mechanical Turk workers, there were more than 20 people who would have been interested in doing a simple website accessibility check for 25 cents?)

20 unique users filled out the survey and reported:

  • Out of the 14 non-Comcast users, 100% of them were able to access the site.
  • Out of 6 Comcast users, 4 of them were blocked from accessing the site, and reported errors symptomatic of DNS failures ("Oops! Google Chrome could not find www.021yy.org" or "Server not found. Firefox can't find the server at www.021yy.org").

Even with such a small sample, that's enough to conclude that it's not a coincidence. (The real question is how two out of those six Comcast users were able to access the site at all. Maybe they're in a region of the country that's assigned different DNS servers. If I did the survey again, I'd ask people to include where they were living.)

So Comcast users -- at least some of them, probably most of them -- are blocked from accessing certain websites, which are perfectly accessible to users on other providers. I "only" had to test a few hundred domain names before finding one that would consistently fail to resolve on Comcast while resolving successfully on other companies' nameservers. With hundreds of millions of distinct websites "out there," if the same proportion holds, that would suggest that there are about a million or more websites similarly affected. And that's not even counting all the other sites — like helpmatt.org, and also including some of the sites in my sample — which apparently resolve 100% of the time on other providers while sometimes failing to resolve on Comcast, but where the failure was not consistent enough to use them as a test case for the Mechanical Turk survey.

Unlike, say, the kerfuffle over Comcast threatening to de-prioritize content delivery from websites that don't pay them a fee, it's unlikely that Comcast is meddling with traffic intentionally here (especially since the sites' IP addresses are not blocked). It's more of a demonstration that if a company is sufficiently big and if it's sufficiently hard to prove that a problem is being caused on their end, the problem can exist for a long time without being solved. I called Comcast tech support after I discovered that sites were blocked on their network but not on other providers, and said that the problem really needed to be brought to the attention of the higher-ups, but tech support was adamant that it was impossible for a member of the public to reach anybody higher up than the call center.

Even if the number of affected sites is huge, at least it's only a small percentage of websites — I did have to run my script on a few hundred sites before I found one that appeared to be resolving on other DNS servers but not on Comcast. But that likely would have provided scant comfort to my friends who set up the helpmatt.org site, when they were urging people to visit the site and donate, and 25% of potential visitors were unable to reach the page. When it's your website, it's kind of a big deal.
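The resolver comparison described in the article, as an added Python example that is not the author's Perl script: it sends the same A query to a test resolver and a control resolver several times and separates consistent failures from the intermittent ones the article calls false positives. The status labels, the `classify` function and the five-round default are assumptions made for this example; the two resolver addresses are the ones named in the article.

```python
"""Compare how two recursive resolvers answer the same hostname (stdlib only)."""
import random
import socket
import struct
import sys

RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(hostname, txid):
    """Encode a recursive A/IN query for hostname with the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_status(packet, txid):
    """Reduce a DNS response to one status string.

    "OK" means NOERROR with at least one answer record, "NODATA" means
    NOERROR with an empty answer section; anything else is the RCODE name.
    """
    if len(packet) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or not a response
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode == 0:
        return "OK" if ancount else "NODATA"
    return RCODES.get(rcode, "RCODE%d" % rcode)


def query(hostname, server, timeout=3.0):
    """Send one UDP query to server:53; return its status, or "TIMEOUT"."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(hostname, txid), (server, 53))
            packet, _ = sock.recvfrom(4096)
        except OSError:  # socket.timeout is a subclass of OSError
            return "TIMEOUT"
    return parse_status(packet, txid)


def classify(hostname, test_server, control_server, rounds=5, resolve=query):
    """Repeat the comparison and label the hostname.

    CONSISTENT_FAIL: control always resolved, test resolver never did.
    INTERMITTENT:    control always resolved, test resolver failed sometimes
                     (the article's false positives, e.g. a slow resolver).
    SAME:            both resolvers always resolved the name.
    INCONCLUSIVE:    the control failed at least once, so the site or the
                     local network may be at fault rather than the resolver.
    """
    test, control = [], []
    for _ in range(rounds):
        test.append(resolve(hostname, test_server))
        control.append(resolve(hostname, control_server))
    if any(s != "OK" for s in control):
        label = "INCONCLUSIVE"
    elif all(s != "OK" for s in test):
        label = "CONSISTENT_FAIL"
    elif any(s != "OK" for s in test):
        label = "INTERMITTENT"
    else:
        label = "SAME"
    return label, test, control


if __name__ == "__main__":
    # Resolver addresses named in the article: Comcast and Google Public DNS.
    COMCAST, GOOGLE = "75.75.75.75", "8.8.8.8"
    if not sys.argv[1:]:
        # Offline demo on a constructed response header:
        # id 0x1234, QR+RD+RA set, RCODE 3 (NXDOMAIN), no answers.
        sample = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
        print("constructed sample ->", parse_status(sample, 0x1234))
    for host in sys.argv[1:]:
        label, test, control = classify(host, COMCAST, GOOGLE)
        print(host, label, "test=%s control=%s" % (test, control))
```

Recording the per-round status rather than a plain pass/fail keeps NXDOMAIN, REFUSED and timeouts apart, which matters because each points to a different cause.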

349 comments

frosty (-1, Offtopic)

Hognoxious (631665) | about 5 months ago | (#46456451)

Remember kids, never tell a cop anything unless your lawyer OKs it.

Oh no it's Bennett! (-1)

Anonymous Coward | about 5 months ago | (#46456453)

Oh no it's Bennett!

Stop (5, Insightful)

TheRealMindChild (743925) | about 5 months ago | (#46456467)

Stop using your ISP's DNS

Re:Stop (5, Insightful)

Anonymous Coward | about 5 months ago | (#46456537)

That's good for people who know how to change it, let alone know what DNS is. 99% of the population doesn't which means this does have ramifications for accessibility of a site. Though admittedly, it appears to be a decently small problem.

Quick change needed [Re:Stop] (2)

Geoffrey.landis (926948) | about 5 months ago | (#46456577)

Interesting. I don't always want to be messing with my DNS setting every time I get a 404 not found.

What is needed is a quick way to temporarily try using a different DNS, to see whether that's the problem.

Re:Quick change needed [Re:Stop] (1)

beatle42 (643102) | about 5 months ago | (#46456655)

Well, you could always try nslookup from a shell to see if it resolves with different servers

Re:Quick change needed [Re:Stop] (2)

beatle42 (643102) | about 5 months ago | (#46456675)

Oops, htmled myself, I mean nslookup [host] [server]

Re:Quick change needed [Re:Stop] (5, Informative)

PrimaryConsult (1546585) | about 5 months ago | (#46456833)

You can use downforeveryoneorjustme.com, though it will use its own DNS and routing so it will still require you to figure out which of those is the problem.

Re:Stop (1)

houstonbofh (602064) | about 5 months ago | (#46456615)

Totally agree here. Comcast has always had DNS problems, and I never recommend using them for DNS.

However, now that both Comcast and ATT are forcing you to use their router, and their router does not allow you to change DNS, this is much more of a problem.

Re:Stop (1)

geminidomino (614729) | about 5 months ago | (#46456695)

How so? Just about every modern OS (can't speak for OSX from experience, but I'll call it an educated guess) lets you set the computer's DNS instead of having it assigned via DHCP from the router.

Re:Stop (0)

Anonymous Coward | about 5 months ago | (#46456795)

How so? Just about every modern OS (can't speak for OSX from experience, but I'll call it an educated guess) lets you set the computer's DNS instead of having it assigned via DHCP from the router.

Which is great if you don't want to do any name resolution on computers in your home network.

Re:Stop (3, Funny)

lgw (121541) | about 5 months ago | (#46456875)

If only there were some file on your PC in which you could define IP-hostname pairs to avoid needing DNS for that handful of boxes. I'd name that file, but it would summon APK.

Re:Stop (1)

cbhacking (979169) | about 5 months ago | (#46456901)

Uh... you do know you can set multiple DNS servers, right? The OS will try them, in the order listed, until it gets a match or exhausts the list.

Re:Stop (5, Informative)

Anonymous Coward | about 5 months ago | (#46456893)

I wish kids with no experience would stop running their mouths. That is BS, and even you would understand it if you would think about it. On many of their routers, Comcast redirects port 53 to 75.75.75.75. It doesn't matter what DNS server you set the clients to because Comcast will transparently proxy to their server. As an example with our new IP block from Comcast that isn't yet set up on their DNS server to allow access:

$ nslookup aol.com 75.75.75.75
Server: 75.75.75.75
Address: 75.75.75.75#53

** server can't find aol.com: REFUSED

$ nslookup aol.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find aol.com: REFUSED

$ nslookup aol.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53

** server can't find aol.com: REFUSED

That shows they're intercepting traffic to both OpenDNS and Google's DNS. We're currently using a modem owned by Comcast, but last week when I swapped in an older modem for testing, I could use DNS on both OpenDNS and Google.
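A triage check over the nslookup output in the comment above, added here as an example and not code from the commenter: it parses each run and reports when resolvers run by unrelated operators return the same REFUSED as the ISP's own resolver, which is the pattern the comment attributes to port 53 redirection. The function names, the operator table and the second, constructed transcript (with a documentation-range address) are assumptions for this example.

```python
import re

# Operators of the three resolver addresses that appear in the comment.
OPERATORS = {
    "75.75.75.75": "Comcast",
    "8.8.8.8": "Google Public DNS",
    "208.67.222.222": "OpenDNS",
}

# The nslookup output from the comment, copied as posted.
TRANSCRIPT = """\
$ nslookup aol.com 75.75.75.75
Server: 75.75.75.75
Address: 75.75.75.75#53

** server can't find aol.com: REFUSED

$ nslookup aol.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find aol.com: REFUSED

$ nslookup aol.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53

** server can't find aol.com: REFUSED
"""

# Constructed contrast case: the ISP resolver refuses, the public ones answer.
# 192.0.2.10 is a documentation-range placeholder, not a real answer.
CONTROL = """\
$ nslookup aol.com 75.75.75.75
Server: 75.75.75.75
Address: 75.75.75.75#53

** server can't find aol.com: REFUSED

$ nslookup aol.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: aol.com
Address: 192.0.2.10

$ nslookup aol.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: aol.com
Address: 192.0.2.10
"""


def parse_nslookup(text):
    """Return [(server, name, status)] for each `nslookup name server` run.

    status is the failure code nslookup printed, or "OK" if it printed none.
    Runs without an explicit server argument are skipped.
    """
    runs = []
    for chunk in re.split(r"(?m)^\$ nslookup ", text)[1:]:
        args = re.match(r"(\S+)[ \t]+(\S+)", chunk)
        if not args:
            continue
        failed = re.search(r"\*\* server can't find \S+: (\w+)", chunk)
        runs.append((args.group(2), args.group(1), failed.group(1) if failed else "OK"))
    return runs


def interception_suspected(runs, isp="Comcast"):
    """True when at least two other operators' resolvers fail like the ISP's.

    Open public resolvers answer any client, so REFUSED from all of them,
    matching the ISP resolver's REFUSED, suggests one box answered each query.
    """
    by_operator = {OPERATORS.get(server, server): status for server, _name, status in runs}
    others = [status for op, status in by_operator.items() if op != isp]
    return (by_operator.get(isp) == "REFUSED"
            and len(others) >= 2
            and all(status == "REFUSED" for status in others))


if __name__ == "__main__":
    for label, text in (("comment transcript", TRANSCRIPT), ("constructed control", CONTROL)):
        runs = parse_nslookup(text)
        print(label, runs, "suspected:", interception_suspected(runs))
```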

Re:Stop (1)

WilliamGeorge (816305) | about 5 months ago | (#46456715)

Forcing you to use their router? Is this a Comcast-wide policy, or something local to your area? I have never used their router... and for that matter, I even use my own (owned, not rented) modem. I also have a different DNS set up, one that blocks a large amount of potentially objectionable websites (OpenDNS Family Shield).

Re:Stop (3, Interesting)

jythie (914043) | about 5 months ago | (#46456835)

Comcast bought up hundreds if not thousands of smaller local ISPs and cobbled their networks together, so hardware policies are highly dependent on where you are and what the history of the local connection is. Even if it is over broadband that Comcast laid down, the back end could be any number of fragments of previous companies.

Re:Stop (3, Informative)

ichthus (72442) | about 5 months ago | (#46456727)

However, now that both Comcast and ATT are forcing you to use their router...

Eh? I have Comcast and use my own cable modem and router. Whatchu talking 'bout, Willis?

Re:Stop (2)

TheGratefulNet (143330) | about 5 months ago | (#46456771)

comcast is not forcing the use of their router. I don't own their router, I bought mine at a store a year ago and it's been working fine the last year with my comcast 'blast' service (which does give me a pretty consistent 50meg down and 10meg up).

the router never needs dns, anyway. hosts need dns. and hosts can use any dns they want; you can break dhcp apart so that you get ip and netmask and default gw from them but you can ignore their 'suggested' dns resolver.

Re:Stop (5, Informative)

N_Piper (940061) | about 5 months ago | (#46456787)

Fun Fact: Comcast home networking support are trained to use 8.8.8.8 as part of the troubleshooting protocol.

Re:Stop (1)

jaymz666 (34050) | about 5 months ago | (#46456861)

I use my own modem and my own router on Comcast, what's this about them forcing you to use their router?

Re:Stop (3, Informative)

invictusvoyd (3546069) | about 5 months ago | (#46456825)

www.opendns.org 208.67.222.222 208.67.220.220

Fairly simple solution (0)

Foo2rama (755806) | about 5 months ago | (#46456477)

Do not use comcast DNS... just use googles.

https://developers.google.com/... [google.com]

Re:Fairly simple solution (4, Insightful)

Scutter (18425) | about 5 months ago | (#46456555)

That's not a solution, that's a workaround. The author is clearly trying to define the actual problem and make a supposition as to the cause, not just find a way to make the symptoms stop happening.

Re:Fairly simple solution (1)

ichthus (72442) | about 5 months ago | (#46456763)

Problem: Comcast's DNS servers suck.
Likely cause: They don't update often enough
Other possible cause: They choose to "block" specific sites.
Solution: Unless you can convince them to update their servers like everyone else, use a different name server.

Re: Fairly simple solution (1)

Anonymous Coward | about 5 months ago | (#46456885)

The article admits that some comcast users were able to resolve. It sounds more like their dns sucks, is overloaded, and their regional clusters aren't synching or updating properly.
The author also admits the ip's are not blocked but keeps saying comcast is "blocking". They aren't blocking they're just crap.

ISP's don't like to admit people can use third party DNS because doing so will bypass any CDN / Web caching they have running. They use cache servers to reduce edge bandwidth and cut down on latency for popular URL's. Some also redirect nxdomain lookups, which bugs some people so use a third party like google to avoid that.

Re:Fairly simple solution (-1)

Anonymous Coward | about 5 months ago | (#46456565)

or OpenDNS: http://www.opendns.com/opendns-ip-addresses/

Re:Fairly simple solution (4, Interesting)

EvanED (569694) | about 5 months ago | (#46456657)

OpenDNS hijacks NXDOMAIN failures, which is one of the big reasons to drop many ISP's DNS in the first place. I don't want to get into evaluation of motivation and such, but the effect is the same.

Re:Fairly simple solution (3, Funny)

hawguy (1600213) | about 5 months ago | (#46456571)

Do not use comcast DNS... just use googles.

https://developers.google.com/... [google.com]

Good idea -- otherwise, Google might miss out on some of your browsing activity if you're using another browser, use their DNS to make sure they can capture all of your activity.

Re:Fairly simple solution (1)

houstonbofh (602064) | about 5 months ago | (#46456625)

If you can. The new routers they are forcing you to use do not allow you to change DNS.

Re:Fairly simple solution (3, Informative)

Scutter (18425) | about 5 months ago | (#46456645)

You can set any DNS you want on your computer. You don't have to use the one handed out by the ISP's modem or router.

Re:Fairly simple solution (4, Informative)

jcwayne (995747) | about 5 months ago | (#46456831)

I don't know if this is an issue with Comcast, but there are ISPs who force all DNS traffic to use their servers. It was a constant frustration when I was stuck with Excede (a US satellite internet provider).

Re:Fairly simple solution (2)

nerdonamotorcycle (710980) | about 5 months ago | (#46456741)

I started Comcast service about a year ago, and supplied my own modem and router. They have not done anything like forcing me to use their internet hardware.

Maybe they are blocking China? (0)

Anonymous Coward | about 5 months ago | (#46456479)

Maybe Comcast is blocking China. Have you *asked* Comcast WTF is happening?

Ask Comcast? That's rich (3, Insightful)

caution live frogs (1196367) | about 5 months ago | (#46456597)

Last time I had to talk to anyone in the company I had to explain to the tech how DOCSIS modems worked. You will never get an individual from that company on the phone who knows enough to give you a real answer. Turnover is too high in call centers, and people who know the answer are not on support phone detail.

Well... (0)

Anonymous Coward | about 5 months ago | (#46456621)

I think he said he did in fact call them and ask for assistance.

Comcast's DNS has been spotty for a while (1)

Anonymous Coward | about 5 months ago | (#46456481)

My first step when reconfiguring a home router on Comcast is to put in Google's DNS servers. Comcast's have been flaky (non-responsive and/or erroneous) far too often.

Re:Comcast's DNS has been spotty for a while (1)

the eric conspiracy (20178) | about 5 months ago | (#46456521)

I do the same thing on Cablevision. In fact I run my own caching DNS server because I find having something in house improves performance of a number of pieces of software I use including spam filters.

ISP DNS servers quite often suck.

I'd tend to apply Hanlon's Razor to this situation.

Re:Comcast's DNS has been spotty for a while (2)

TechyImmigrant (175943) | about 5 months ago | (#46456549)

It's not just Comcast. No ISP I have used has ever run a reliable DNS service. 8.8.8.8, 8.8.4.4 is your friend.

Re:Comcast's DNS has been spotty for a while (1)

alen (225700) | about 5 months ago | (#46456613)

only downside is that some streaming services use your DNS IP for location info and decide where to stream content from. this might result in slow streaming speeds since the content might be coming from far away instead of a closer server

Re:Comcast's DNS has been spotty for a while (1)

TechyImmigrant (175943) | about 5 months ago | (#46456633)

Er no. They use my IP to determine my location. Who I consult to get their IP is none of their business.

Re:Comcast's DNS has been spotty for a while (2)

alen (225700) | about 5 months ago | (#46456749)

not akamai

there was an issue with itunes and google dns years ago. apple uses akamai for their CDN and people using google dns when they rented movies on apple tv would stream from 3000 miles away instead of a local copy because google's DNS IP's are virtual IP's and the true IP passed to who ever you are trying to access may be any server around the world

Re:Comcast's DNS has been spotty for a while (3, Interesting)

FuegoFuerte (247200) | about 5 months ago | (#46456907)

Actually, there are a few major GTM (Global Traffic Management) schemes that do use the IP address of your DNS server, rather than your actual IP. They basically abuse the DNS system with super-short TTLs and give a different response to the DNS query based on the IP of the downstream DNS server. So, if you use a DNS server located on the east coast of the US when you're on the west coast, you'll get an east coast server even if that service has a west coast datacenter available.

This is done primarily to free companies from the burden of having to design proper geolocation into their app/service, turning it into a more plug-n-play solution while breaking several of the finer points of DNS (like proper caching). This type of traffic management could easily be contributing to Comcast's DNS troubles, as it drastically increases load on the entire DNS infrastructure. Paul Vixie did a good detailed write-up about this type of traffic management a few years back. Unfortunately it's probably here to stay, and is used by some very major corporations and online services.

If you want the most reliable DNS service, and want to be directed to the closest servers for the services you use, your only real option is to run your own recursive name server. A simple caching name server isn't enough, and will curse you with many of the same problems you see from your upstream. Fortunately, recursive name servers are pretty simple to set up, in both the *nix and Windows worlds.

Re:Comcast's DNS has been spotty for a while (1)

bobbied (2522392) | about 5 months ago | (#46456877)

Um, no, not really. They might hand out their authoritative DNS records differently based on the perceived location of the DNS server making the query, but I think that they are going to decide the streaming location based upon the IP address making the request. They will have zero real insight into how or what DNS server converted the host name into an IP address.

The technique you describe to break up by geographic location based on DNS queries isn't very useful beyond segregation on some fairly large geographic areas, like a country or perhaps down to a state. Even then, it's not going to be all that useful because many of us are not using our ISP's DNS servers anyway.

Re:Comcast's DNS has been spotty for a while (1)

DaHat (247651) | about 5 months ago | (#46456765)

That assumes you put much trust in Google vs your ISP... I do not trust either.

Re:Comcast's DNS has been spotty for a while (1)

houghi (78078) | about 5 months ago | (#46456803)

It might be a like a bigger brother, but not really a friend. http://public-dns.tk/ [public-dns.tk] has a list of servers. Even many not from the US

Re:Comcast's DNS has been spotty for a while (0)

Anonymous Coward | about 5 months ago | (#46456599)

I had forgotten about this. About 3 years ago I got Comcast business class internet at home. I couldn't access Slashdot. At least, not the main page. I could get to subdomains, yro.slashdot.org, games.slashdot.org, etc. I didn't notice it much since I mostly browsed slashdot at work. Finally I decided to really look at it and realized my cable modem had grabbed Comcast DNS servers. I changed them to Google DNS servers and haven't had a problem since. This was really the only website I had an issue with, and the fact that subdomains were accessible makes me skeptical that it was simply an error.

DNSSEC? (0)

Anonymous Coward | about 5 months ago | (#46456493)

I'm wondering if DNSSEC played a role?

Doctor that hurts (0)

Anonymous Coward | about 5 months ago | (#46456497)

Don't use Comcast DNS servers.

So, don't use comcast DNS (0)

Anonymous Coward | about 5 months ago | (#46456507)

Nothing forces you to use Comcast DNS servers just because you use their internet service.

Re:So, don't use comcast DNS (1)

Pinkfud (781828) | about 5 months ago | (#46456733)

Yes, I recently installed a new router and just let it make its own connection. Soon I had DNS problems, which reminded me that I had switched to Google DNS on the old router for that very reason. A quick fix solved the problem. My ISP is Cox, not Comcast, but they also seem to have a very flaky DNS service.

Which is why I use OpenDNS, or Google, or (4, Informative)

jaymz666 (34050) | about 5 months ago | (#46456513)

I stopped using comcast DNS servers years ago, and have avoided many an "outage".
I remember several large DNS outages on comcast that I was completely unaware of for hours or days, until some mention came up.
I have been using OpenDNS mostly, but I fall back to the google DNS servers if something there flubs up

        208.67.222.222
        208.67.220.220

Remember these numbers

Re:Which is why I use OpenDNS, or Google, or (2)

AK Marc (707885) | about 5 months ago | (#46456639)

Bah, I've been using 198.6.1.3 since that was the main DNS server for the largest ISP on the planet (by volume of traffic, not subscribers). Unfortunately, MCI bought them out and went under, but the DNS server is still up.

oh no I dinndnt'!!! (0)

Anonymous Coward | about 5 months ago | (#46456897)

put everything in your HOSTS file, it's the only way to be sure...

Re:Which is why I use OpenDNS, or Google, or (1)

TubeSteak (669689) | about 5 months ago | (#46456865)

Is OpenDNS still doing re-directions and other weird stuff?
I haven't thought about them since the mess with google redirects in 2007 or 2008.

Re:Which is why I use OpenDNS, or Google, or (1)

jaymz666 (34050) | about 5 months ago | (#46456915)

If you create an account they don't do the redirects

www.021yy.org (2, Funny)

interkin3tic (1469267) | about 5 months ago | (#46456517)

Gasp! I can't access it through comcast? How ever will I buy office chairs in china without 021yy.org?!?! It's SO much better than those humps over at 022yy.org.

(In case the link gets slashdotted, it's a website for office furniture in Chinese. At least according to google translate.)

Re:www.021yy.org (1)

camperdave (969942) | about 5 months ago | (#46456857)

If Comcast is blocking that, then what's stopping them from blocking Hulu, Netflix, PirateBay, or any of its competitors or detractors?

I hate Comcast just as much but (3, Interesting)

krkhan (1071096) | about 5 months ago | (#46456519)

With hundreds of millions of distinct websites "out there," if the same proportion holds, that would suggest that there about a million or more websites similarly affected.

Why are you assuming that this scales linearly? Are you suggesting that this is a technical glitch? If the websites are blocked due to the nature of their content it most certainly won't scale in a linear fashion.

Re:I hate Comcast just as much but (1)

AK Marc (707885) | about 5 months ago | (#46456609)

They will scale in a linear fashion, so long as the initial ones were nearly random. If you find playboy.com and then try penthouse.com, and hustler.com, the results wouldn't scale linearly, as the test sites were very non-random. If you actually had a random list of sites on the Internet, and tried 10, there's no reason to assume that the next 1,000,000 wouldn't scale linearly.

Re:I hate Comcast just as much but (0)

Anonymous Coward | about 5 months ago | (#46456887)

You have a point. As long as the sampling is fairly non-biased, it "should" scale linearly. Nevertheless, the scaling factor (or slope coefficient, or whatever you want to call it) will be horribly estimated if you just have 1 data point.

In order to attempt to follow a statistically-sound methodology, the guy should have at least collected a handful of data points (i dunno... keep testing until he reaches four or five websites that are "blocked" by Comcast). Otherwise, he's doing the equivalent of performing a linear/affine regression with a _single_ data point (and forcing a zero intercept)... which is enough to make any statistician cringe.

Re:I hate Comcast just as much but (1)

duranaki (776224) | about 5 months ago | (#46456665)

Probably because he only had one data point? Since the example site was selling furniture, I doubt his argument was that the blocking was due to content restrictions. And what scale would *you* expect even if it was due to content? You sound very sure that there's no linear correlation, but we don't even know how he selected the domains he tried (random vs. alphabetic vs. ip order). He at least used the phrase "if the same proportion holds", while you assert that "certainly" wouldn't be the case. So I guess I'm more curious why you are so sure it can't be linear.

At the very least, I take from his argument that comcast doesn't do a good job with its DNS service (intermittent failures + missing records) and provides no recourse for small businesses who are being excluded for whatever reason from being easily reachable on the internet. I'm going to go on continuing to hate them, without the but.

Re:I hate Comcast just as much but (0)

Anonymous Coward | about 5 months ago | (#46456827)

Why are you assuming that this scales linearly? Are you suggesting that this is a technical glitch? If the websites are blocked due to the nature of their content it most certainly won't scale in a linear fashion.

Why would you assume that a furniture store in Shanghai would have enough US traffic that Comcrap would send them a pay-up-or-get-blocked threat?

They are probably using every RIAA/MPAA "copyright violating" website blocker available and they don't work all the time because they were incompetently applied.

Eh, science. (1)

Anonymous Coward | about 5 months ago | (#46456527)

Or maybe there's a problem with 021yy.org's authoritative nameservers - maybe only /some/ of them, and whichever algorithm Comcast uses to choose one is picking the bad ones. Or maybe there's a temporary general problem with Comcast's own nameservers - which were your control sites, to make sure those would work? Or maybe Mechanical Turk workers know what you're up to and are trolling you.

Re:Eh, science. (1)

hawguy (1600213) | about 5 months ago | (#46456653)

Or maybe there's a problem with 021yy.org's authoritative nameservers - maybe only /some/ of them, and whichever algorithm Comcast uses to choose one is picking the bad ones. Or maybe there's a temporary general problem with Comcast's own nameservers - which were your control sites, to make sure those would work? Or maybe Mechanical Turk workers know what you're up to and are trolling you.

The 022yy.org Nameserver configs look fine to me, repeated requests to both of their nameservers work fine, I checked a half dozen recursive nameservers at various ISP's and they all resolve the name, but Comcast still says NXDOMAIN.

Crappy Comcast (0)

Anonymous Coward | about 5 months ago | (#46456535)

Seems more likely that the Comcast users that succeeded in accessing the site are configured to use a different DNS resolver. Most likely OpenDNS.

Common problem (1)

gurps_npc (621217) | about 5 months ago | (#46456541)

I routinely come across websites that I can see, but for some reason my Verizon account refuses to stream the video for. I wait a day, and boom, they can stream again.

Companies develop issues all the time. Sometimes it is on the website end, sometimes on the ISP end.

Not much you can do about it.

SAY NO TO THE TWC TAKEOVER (0)

Joe_Dragon (2206452) | about 5 months ago | (#46456545)

comcrap does not need more power

Erm. Is the "DNS problem" a DNS problem? (0)

Anonymous Coward | about 5 months ago | (#46456551)

6.2% of queries will end in failure at 119.167.195.12 (f1g1ns1.dnspod.net) - failed to resolve ns1.booen.com due to 119.167.195.12 - query timed out

6.2% of queries will end in failure at 119.167.195.12 (f1g1ns1.dnspod.net) - failed to resolve ns2.booen.com due to 119.167.195.12 - query timed out

87.5% of queries will be returned by 42.120.49.143 (ns1.booen.com) - answer was not authoritative

www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33
www.021yy.org. 60 IN A 116.251.210.33

Re:Erm. Is the "DNS problem" a DNS problem? (2)

TheCarp (96830) | about 5 months ago | (#46456663)

That is interesting. When I read the article.... and I am ready to hate on comcast at any time, they are my provider for various reasons (including me being lazy yes) but I am not a huge fan of them.

That said, I couldn't help but think... that is an odd domain name, and it's not like it makes any sense that it would be blocked. It looks like the kind of randomly named domain a phisher might use, which makes me wonder... maybe this domain was blocked due to being part of some botnet or equivalent and then later became owned by the current owners? (not cleaning up things like that is hardly a new or unique issue)

Now I see your post and I think.... you may be on to something. I think that unless someone can find rhyme or reason for bans, then we should probably assume incompetence rather than malice. I mean, it's not like there is a pattern of blocking based on content or ownership, they are not even competitors of comcast unless they have some diversification plans that I wouldn't have ever expected.

This happens with other ISPs (2)

Zontar_Thing_From_Ve (949321) | about 5 months ago | (#46456567)

My ISP, who is not Comcast but another major American ISP, also blocks certain websites via DNS failures. Simply switching DNS to Google's DNS servers or FreeDNS resolved the problem.

When did DNS errors become "website down"? (2)

AK Marc (707885) | about 5 months ago | (#46456575)

So, if you do the DNS query from another provider's DNS, can you get to the website over Comcast? Seems like a basic troubleshooting step that was missed. At least not mentioned in the extended summary.

Re:When did DNS errors become "website down"? (1)

armanox (826486) | about 5 months ago | (#46456667)

Sure it was - and yes, he could get there.

The website is for a second-hand furniture store in Shanghai; I have no idea what the domain "021yy.org" has to do with the business. (Perhaps the IP address that the domain name resolves to used to be occupied by a different website, and that IP address was inherited by the furniture store but the old hostname still points to it.) The hostname www.021yy.org resolves to the IP address 116.251.210.33 (for *ahem* non-Comcast users, that is), which according to the Asia Pacific Network Information Centre is part of a block of IP addresses assigned to a hosting company in Singapore. I'm not blocked from accessing the IP address of the website over Comcast; I can ping and send web requests to the IP address 116.251.210.33 with no problem. Only the hostname fails to resolve. (I can still access the site by using a VPN or a proxy server.)

Old DNS cache? (2)

tomxor (2379126) | about 5 months ago | (#46456581)

if you do a compare between two DNS servers then you are bound to also come up with differences that show how outdated one server is compared to the other... There has to be many new domains registered / re-registered and associated / re-associated with a new IP every minute, if you run the script for long enough between two different snapshots you are bound to find one of these...

So my appropriately verbose question in response to your post is: how often do you think google and comcast update their DNS servers, and do you think they update at exactly the same time... I know ISPs like to filter stuff... just wondering if your method is sound.

For once, I doubt Comcast to be purely evil. (2)

astro (20275) | about 5 months ago | (#46456583)

DNS is a theoretically good system and one that we obviously all rely on every day. However, so many DNS implementations from the registrar level down to your cheap little wifi-router-all-in-one box that connects to your ISP are so totally broken. I think the way this is written is pretty trollish and should instead have focused on the wider question of how we can advance to where so many devices and programs that have to deal with name resolution will act more to-spec and consistently. Comcast should take some heat here for a partially broken DNS implementation, but without better evidence, I see no intentional evil in this particular story.

God (-1, Flamebait)

TempleOS (3394245) | about 5 months ago | (#46456589)

1739 zealously left Better filleth involved mistaken separated 64-6221541 prophecy enacteth sand vast envying commiserate faith feels attempt bulk recorded foreign disalloweth feverishness Africa horses Nevertheless dissent only createth rude In Simplicianus Trillion including goading wishes subversion Hierius GRATIAS vulgar killest earnestly imaginations innocence soothed centre For

Biz AND Residential connections (1)

Rene S. Hollan (1943) | about 5 months ago | (#46456593)

Hmm. I have BOTH Comcast residential and business class service. I wonder if the responses are different.

Use google's DNS (1)

bdsesq (515351) | about 5 months ago | (#46456623)

Just because you use comcast's pipes doesn't mean you have to use their DNS.
8.8.8.8 and 8.8.4.4 are the addresses to use for DNS

Re:Use google's DNS (1)

theArtificial (613980) | about 5 months ago | (#46456711)

I wrote a perl script to take a sample of websites -- part of the same list that I had used to find websites that were mis-blocked as 'pornography' by Smartfilter — and attempt to resolve them using both Comcast's main DNS server (75.75.75.75) and one of Google's public DNS servers (8.8.8.8). (You won't be able to do this experiment yourself unless you have a Comcast Internet connection, because while Google's DNS servers accept queries from anywhere, Comcast's DNS servers will refuse queries from any IP address not assigned to one of their customers.)

The script ran through a few hundred hostnames and flagged anything that failed to resolve on Comcast but resolved correctly on Google, although most of these were false positives caused by Comcast's DNS servers being temporarily unresponsive. But after running through the list of false-positives repeatedly, I found the first website that consistently failed to resolve on my Comcast Internet connection while resolving on Google: http://www.021yy.org/ [021yy.org].

Don't use DNS (1, Funny)

larry bagina (561269) | about 5 months ago | (#46456635)

Especially Comcast DNS. But Don't use DNS at all. The fact is you can skip DNS and use a /etc/hosts file. This isn't 1982 anymore, disks are huge and it only takes a couple hundred megabytes to host it. With a cron job to rsync it every hour you no longer need to worry about manually updating it either. (It's simple enough to pass the grandmother test!) For those rare cases where a name isn't in my hosts file, I just request the page using an email-to-web service.

Incompetence or malice? (1)

Max Threshold (540114) | about 5 months ago | (#46456659)

The majority of issues I have had with any cable company were related to their DNS being shitty. For some reason, cable companies don't know how to operate DNS.

So... (4, Interesting)

squiggleslash (241428) | about 5 months ago | (#46456677)

Let me understand this correctly. You found Comcast's DNS isn't perfect and doesn't resolve some names. It does not appear to be malicious in any way, as the two domains you find affected are a foreign furniture store, and your friend's brand new website. It's fairly obviously a bug.

So: you call Comcast Tech support, demand to talk to the Boss of Comcast, and then write a 10,000 word article (I didn't count) about it on Slashdot where you know 90% of the readers will take "Websites inaccessible on Comcast" as meaning "OUT OF CONTROL MEGACORP MONOPOLIST COMCAST IS CENSORING WEBSITES!!!"

This makes sense to you? This is what you do? Really? Really?

Just curious, but that time you got a duff cable modem and had to send it back, did you write a 60,000 word article on how Comcast has banned you from the Internet, and did you demand to speak to the PRESIDENT OF THE INTERNET? When it rained that one time and you attempted to tune in the cable TV, only to find many of your channels were inaccessible, did you write a 75,000 word article on how COMCAST IS DROPPING CHANNELS and did you call tech support demanding to talk to THE LORD HIGH RULER OF TV?

I think I've found an article where the discussion would be likely improved for once if the Betoddlers spammed it with anti-Beta comments.

SLA? (0)

Anonymous Coward | about 5 months ago | (#46456687)

It seems there should be a minimum acceptable SLA defined in law for ISPs.

One requirement would be to provide reliable name resolution without any DNS hijacking for ads and crap.

The other comments in this thread so far are all folks who are saying, well just use a different DNS provider/host your own. I do host my own, but I think it is crap that ordinary folks are abused by their ISPs like this.

(oh, and good for you for investigating this!)

Anecdote from 3/9 (0)

Anonymous Coward | about 5 months ago | (#46456689)

My kid couldn't reach www.turnitin.com to submit his homework the other night; tried from Mac and PC -- no go. He was in a panic. I flipped on the hotspot connection on my Verizon tablet, switched his PC's wireless connection over to it, and he hit turnitin with no problems.

Admittedly, I didn't think about DNS; I just figured I'd tried the "other pipe" we had available at that instant.

Re: Anecdote from 3/9 (1)

rlbgator (73682) | about 5 months ago | (#46456737)

...and I did not mean to post this anonymously. C'est moi.

DNS Benchmark (1)

bgarcia (33222) | about 5 months ago | (#46456707)

This sounds like a very poorly-configured DNS server. There are other server issues as well. Some are slow. Others like to return their own special pages when you mistype a domain name. I've been using DNS Benchmark [grc.com] to determine the best set of DNS servers to use for a home network. It's a neat tool that provides a lot of information succinctly - be sure to read the walkthrough [grc.com] to understand what it's showing you.

DNS flaky, Comcast incompetence, Comcast malice (1)

alispguru (72689) | about 5 months ago | (#46456709)

Those are the possibilities, in decreasing order of probability.

As much as I despise Comcast, they are unlikely to deliberately block random DNS lookups.

backwards... (1)

Connie_Lingus (317691) | about 5 months ago | (#46456725)

" Comcast threatening to de-prioritize content delivery from websites that don't pay them a fee,"

last i heard...wasn't Netflix *trying* to pay them a fee for better delivery?

i think it's an important distinction. with all the kerfuffle about net neutrality, shouldn't we make sure the players are well identified?

Details missing (1)

dysmal (3361085) | about 5 months ago | (#46456753)

No mention of how long this "experiment" ran. How long was it that these sites were inaccessible from Comcast? What types of sites are they? Who is their DNS through? This could easily have been a problem with a hosting service. As much as we all love hating on Comcast, a few more details would be helpful.

Re:Details missing (1)

kannibal_klown (531544) | about 5 months ago | (#46456815)

No mention of how long this "experiment" ran. How long was it that these sites were inaccessible from Comcast? What types of sites are they? Who is their DNS through?

This could easily have been a problem with a hosting service.

As much as we all love hating on Comcast, a few more details would be helpful.

Agreed.

Time length in particular: maybe it was a short-term Comcast glitch that just occurred for a few hours or even a few days. I would have the occasional short-term SNAFU with the Verizon FIOS DNS servers until I just decided to switch to Google's.

Then again, considering my past experience with Comcast and Verizon I wouldn't be surprised if this was a long-term issue. The problem is depending on who you get, it's a LONG time before you finally get routed to the correct person who actually knows more than "have you tried rebooting your router"

I see (0)

Anonymous Coward | about 5 months ago | (#46456757)

This sucks almost as bad as Slashdot Beta.

Two Possibilities (1)

FalleStar (847778) | about 5 months ago | (#46456759)

1) The author has managed to uncover a conspiracy by Comcast to hold the good people at http://021yy.org/ [021yy.org] down by denying the no doubt millions of potential customers that would be flocking to the domain otherwise. After all, that domain name rolls right off the tongue.

or

2) Comcast doesn't have an entry in its DNS servers for the site because it is a Chinese domain that looks like spam that no customer of theirs has tried to access before now.

Comcast's DNS servers might be caching the records (1)

Anonymous Coward | about 5 months ago | (#46456767)

Have you considered that Comcast's DNS servers are just caching the records and recent changes to these records are not being reflected correctly?

It sounds to me that Comcast's DNS servers are ignoring TTL values for A records. It's not unheard of for ISPs to do this. If these records are being "over-cached" by Comcast's DNS, then it would seem to the average Comcast user that site is being "blocked", when in fact they're just getting an outdated DNS record. If you run this test again, you'll most likely get completely opposite results, assuming the records have not changed again.

Also, if as a Comcast user you can access these sites while using Google's DNS servers, it's very misleading to declare that Comcast is "blocking" these sites. By your own description you are able to access these sites WHILE you are connected to the Internet through Comcast. The DNS servers you choose to use are NOT your Internet connection.

Works for me, Comcast Internet . (1)

IcyWolfy (514669) | about 5 months ago | (#46456777)

Works for me.
Comcast Internet, SF Bay Area, California.

Re:Works for me, Comcast Internet . (1)

Megahard (1053072) | about 5 months ago | (#46456879)

I have Comcast in Richmond, CA and can confirm the submitter's results:

> nslookup - 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> www.021yy.org
Non-authoritative answer:
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Name: www.021yy.org
Addresses: 116.251.210.33
                    116.251.210.33
                    116.251.210.33
                    116.251.210.33
                    116.251.210.33
                    116.251.210.33

> exit
> nslookup - 75.75.75.75
Default Server: cdns01.comcast.net
Address: 75.75.75.75

> www.021yy.org
*** cdns01.comcast.net can't find www.021yy.org: Server failed
Server: cdns01.comcast.net
Address: 75.75.75.75

Wrong . . . (1)

Kimomaru (2579489) | about 5 months ago | (#46456797)

Sorry, maybe you've skipped a salient point in the article, but the sites are not inaccessible. It seems plausible that there are some shenanigans going on the Comcast DNS, just switch to a public DNS server for heaven's sakes. This is a really dumb post, sorry.

Re:Wrong . . . (1)

MobyDisk (75490) | about 5 months ago | (#46456891)

Perhaps they should put a message on the web site saying that if you can't access it you should change... your DNS server... settings... Oh wait... no, that won't work.

You have to remember who granted monopolies... (0)

Anonymous Coward | about 5 months ago | (#46456799)

to Comcast. That is who actually control them. The Republicans have fought against competition for years, and Comcast must do what they are told to do, or the Republicans will take away their monopoly. They are ruled 100% by Republicans, and censorship like this is what all of those CONservatives do. They are the reason. You'll be more likely to get the block removed if you write a letter to your GOPper ruler than you will by contacting their minion Comcast.

Broken DNSSEC (0)

Anonymous Coward | about 5 months ago | (#46456817)

Comcast has DNSSEC-enabled resolvers. The problem lies with the websites/their NS.

http://dnssec-debugger.verisignlabs.com/www.helpmatt.org

Re:Broken DNSSEC (1)

MobyDisk (75490) | about 5 months ago | (#46456867)

Mod this up! Someone actually found the root cause which is what the submitter was looking for.
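Added example (not the submitter's perl script or any commenter's code): the resolver comparison discussed in this thread, extended to separate transient timeouts from consistent failures and to test the DNSSEC explanation by repeating the query with the CD (checking disabled) bit, the same check `dig +cd` performs. The function names and result strings are assumptions made for this example; the resolver addresses 75.75.75.75 and 8.8.8.8 are the ones quoted in the thread.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_RD = 0x0100  # recursion desired
FLAG_CD = 0x0010  # checking disabled: validating resolver skips DNSSEC checks

def build_query(name, qid, cd=False):
    """Encode an A-record query in RFC 1035 wire format."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_rcode(resp, qid):
    """Return the RCODE name, or None if the packet is short or not our reply."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid or not flags & 0x8000:  # ID mismatch or QR bit clear
        return None
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def ask(server, name, cd=False, timeout=3.0):
    """Send one UDP query; return an RCODE name or "TIMEOUT"."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))  # kernel drops datagrams from other peers
            s.send(build_query(name, qid, cd))
            return parse_rcode(s.recv(4096), qid) or "TIMEOUT"
        except OSError:
            return "TIMEOUT"

def classify(isp, isp_cd, reference):
    """Interpret repeated RCODEs: ISP resolver, ISP resolver with CD set, reference."""
    answered = [r for r in isp if r != "TIMEOUT"]
    if "NOERROR" not in reference:
        return "fails on reference too"
    if "NOERROR" in answered:
        return "resolves (failures were transient)"
    if not answered:
        return "resolver unresponsive, inconclusive"
    if set(answered) == {"SERVFAIL"} and "NOERROR" in isp_cd:
        return "SERVFAIL cleared by CD bit: DNSSEC validation failure"
    if set(answered) == {"NXDOMAIN"}:
        return "resolver reports NXDOMAIN"
    return "consistent failure, cause unclear"

def diagnose(name, isp="75.75.75.75", reference="8.8.8.8", tries=3):
    """Live check; needs network access and an address the ISP resolver serves."""
    return classify([ask(isp, name) for _ in range(tries)],
                    [ask(isp, name, cd=True) for _ in range(tries)],
                    [ask(reference, name) for _ in range(tries)])
```
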

Handy tool for testing your ISP's DNS (2)

Dusty (10872) | about 5 months ago | (#46456855)

What does Comcast's DNS look like when tested by namebench [google.com]?

Does it find the same problem?
