Netgate Discussion Forum

Comcast taking over DNS requests

DHCP and DNS
    • illeatthat last edited by

      I have an unbound DNS Resolver setup to reach out to Verisign public DNS servers.

      Once I set up the Verisign DNS and DNSSEC, I never checked to make sure I was actually using Verisign. I always assumed that I was on Verisign since DNSSEC was working and there are no leaks.
      I recently ran a tracepath and found that I am using Comcast servers for DNS, even though it is configured for Verisign.

      Any thoughts on what I've done wrong?

      Thanks!

      Attached is a screenshot of the General - DNS settings and the DNS Resolver settings.
      Also attached is a trace of showing that it is resolving at an IP address owned by Comcast.
      • johnpoz LAYER 8 Global Moderator last edited by

        "I recently ran a tracepath and found that I am using Comcast servers for DNS"

        How did that tell you that you were using Comcast for DNS?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        • illeatthat last edited by

          The first hop after my firewall is a Comcast IP address.

          • kpa last edited by

            So your ISP is Comcast? Well, it's kind of obvious why the first address in your traceroute/path belongs to Comcast ::)

            Just because you set your DNS forwarders to Verisign doesn't magically change the path taken by the outgoing traffic. If you have only the WAN connection from Comcast, then how else could the DNS traffic reach the Verisign forwarders?

            • johnpoz LAYER 8 Global Moderator last edited by

              As stated by kpa, wtf does that have to do with where your DNS requests are going?

              Why don't you just sniff your WAN traffic for your DNS queries and see where they go ;)

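One way to act on the "sniff your WAN traffic" advice above, as an added example that is not from the thread, from pfSense or from Unbound: capture port-53 traffic on the WAN interface with tcpdump, then tally the destination of every query and compare it against the forwarders configured under General Setup. This also makes kpa's traceroute point concrete: a query to a Verisign forwarder transits Comcast routers, but its destination address is still the forwarder, and that destination is what the capture shows. The capture lines are constructed tcpdump-style output, `em0` is an assumed interface name, the Verisign Public DNS addresses are taken from Verisign's public documentation rather than from the thread, and the "ISP resolver" addresses are RFC 5737/3849 documentation addresses, not real Comcast servers.

```python
"""
Summarise where outbound DNS queries on the pfSense WAN actually go.

Added example for this thread, not pfSense's, Unbound's or any poster's code.
Capture on the firewall first (em0 is an assumed name; use your WAN NIC):

    tcpdump -ni em0 -l 'udp port 53 or tcp port 53' > dns.txt

then feed the captured text lines to summarise_dns().  SAMPLE_CAPTURE below
is constructed tcpdump-style output, not a real capture.
"""
import re
from collections import Counter

# Standard "tcpdump -n" line shape:  <time> IP <src>.<sport> > <dst>.<dport>: ...
# IPv6 lines say "IP6" and still print the peer as host.port, so one regex serves both.
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)

# Forwarders the resolver is *supposed* to use.  The thread names Verisign; these
# are Verisign Public DNS addresses as publicly documented (an assumption for this
# example; substitute whatever General Setup lists on your own box).
CONFIGURED_FORWARDERS = {"64.6.64.6", "64.6.65.6"}

# Constructed sample: 203.0.113.10 is the WAN address, 198.51.100.53 and
# 2001:db8:ffff::53 stand in for an ISP resolver that should NOT be in use.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 203.0.113.10.41234 > 64.6.64.6.53: 1+ A? example.com. (29)",
    "12:00:01.000200 IP 64.6.64.6.53 > 203.0.113.10.41234: 1 1/0/0 A 192.0.2.1 (45)",
    "12:00:02.000001 IP 203.0.113.10.41235 > 64.6.65.6.53: 2+ AAAA? example.com. (29)",
    "12:00:03.000001 IP 203.0.113.10.41236 > 198.51.100.53.53: 3+ A? example.org. (29)",
    "12:00:04.000001 IP 203.0.113.10.41237 > 64.6.64.6.53: 4+ A? example.net. (29)",
    "12:00:05.000001 IP6 2001:db8::10.41238 > 2001:db8:ffff::53.53: 5+ A? example.com. (29)",
    "12:00:06.000001 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28",
]


def parse_line(line):
    """Return (dst_ip, dst_port) for a tcpdump IP/IP6 line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("dst"), int(m.group("dport"))


def summarise_dns(lines, forwarders=CONFIGURED_FORWARDERS):
    """Count DNS *queries* per destination and flag destinations not in `forwarders`.

    Only packets sent *to* port 53 are counted; replies come *from* port 53 and are
    skipped, so each query is counted once.  Returns a dict with
      'per_destination': Counter keyed by destination IP
      'unexpected'     : sorted list of destinations that are not configured forwarders
    """
    per_dst = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        dst, dport = parsed
        if dport == 53:
            per_dst[dst] += 1
    unexpected = sorted(d for d in per_dst if d not in forwarders)
    return {"per_destination": per_dst, "unexpected": unexpected}


def report(lines, forwarders=CONFIGURED_FORWARDERS):
    """Human-readable summary, one destination per line, leaks marked with '!!'."""
    result = summarise_dns(lines, forwarders)
    out = []
    for dst, n in result["per_destination"].most_common():
        flag = "   " if dst in forwarders else "!! "
        out.append(f"{flag}{dst:<24} {n} queries")
    if result["unexpected"]:
        out.append("queries went to non-configured resolvers: " + ", ".join(result["unexpected"]))
    else:
        out.append("all queries went to configured forwarders")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

If every destination in the real capture is a configured forwarder, the resolver is doing what General Setup says, whatever the traceroute hops look like. Queries to other addresses usually mean a client is bypassing the firewall's resolver, or a second forwarder (for example one learned from the ISP via DHCP on WAN) is still in play.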
              • illeatthat last edited by

                ahhh, well that was an oversight.

                So perhaps the traceroute does not show DNS resolution, only the connection to the end host.
                Is that right?

                If so, that would explain why my trace shows my IP connecting to a series of Comcast IP addresses before it ends at the destination without hitting any Verisign servers.

                Thanks!

                • kpa last edited by

                  Yes, traceroute is all about tracing the transit path (the chain of routers, in other words) a connection would take to a given destination address. If you want to trace DNS resolution you should learn how to use the dig(1) tool with its +trace option. A couple of starting points:

                  https://ns1.com/articles/using-dig-trace

                  https://superuser.com/questions/715632/how-does-dig-trace-actually-work

                  Do note that the default Unbound setup on pfSense doesn't allow "snooping" from anywhere and 'dig +trace' will not work out of the box. You'll have to add an ACL to the Unbound configuration that allows snooping from the localhost addresses 127.0.0.1 and ::1 (IPv6, if used).

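For the ACL kpa mentions, this is what the two localhost entries look like in Unbound's own configuration syntax (an added example, not kpa's configuration and not the file pfSense generates; where it lands in the pfSense GUI, the DNS Resolver "Custom options" box, is an assumption, and the rest of the generated configuration is left untouched). Unbound's `allow` action refuses non-recursive queries, and `dig +trace` sends exactly those (RD=0), which is why the stricter `allow_snoop` action is needed for the local addresses:

```conf
server:
    # pfSense already generates "allow" entries for the LAN networks.
    # allow_snoop additionally permits non-recursive (RD=0) lookups, which is
    # what dig +trace sends, and is granted here to the firewall itself only.
    access-control: 127.0.0.1/32 allow_snoop
    access-control: ::1/128 allow_snoop
```

Keep the snoop permission limited to loopback: cache-snooping lets a client ask whether a name is already cached, which is information about other users' lookups that LAN hosts have no need for.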
                  • johnpoz LAYER 8 Global Moderator last edited by

                    dig +trace will just confuse him more ;) since it will talk to the roots and not his Verizon DNS…

                    • kpa last edited by

                      Aah yeah, that's true, forgot that he is using Verisign forwarders…
