    Comcast taking over DNS requests

DHCP and DNS | 9 Posts 3 Posters 1.3k Views
illeatthat

I have an unbound DNS Resolver setup to reach out to Verisign public DNS servers.

Once I set up the Verisign DNS and DNSSEC, I never checked to make sure I was actually using Verisign. I always assumed that I was on Verisign since DNSSEC was working and there are no leaks.
I recently ran a tracepath and found that I am using Comcast servers for DNS, even though it is configured for Verisign.

Any thoughts on what I've done wrong?

Thanks!

Attached is a screenshot of the General - DNS settings and the DNS Resolver settings.
Also attached is a trace showing that it is resolving at an IP address owned by Comcast.

[Attachments: trace.png, DNS_General.png, DNS_Resolver.png]
johnpoz LAYER 8 Global Moderator

"I recently ran a tracepath and found that I am using Comcast servers for DNS"

How did that tell you that you were using comcast for dns?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
illeatthat

The first hop after my firewall is a Comcast IP address.
kpa

So your ISP is Comcast? Well it's kind of obvious why the first address in your traceroute/path belongs to Comcast ::)

Just because you set your DNS forwarders to Verisign doesn't magically change the path taken by the outgoing traffic. If you have only the WAN connection from Comcast, then how else could the DNS traffic reach the Verisign forwarders?
johnpoz LAYER 8 Global Moderator

As stated by kpa - wtf does that have to do where your dns requests are going?

Why don't you just sniff your wan traffic for your dns queries and see where they go ;)
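To act on the "sniff your wan traffic" suggestion, here is an added example (not from this thread or from pfSense) that parses raw IPv4/UDP DNS query packets, such as those exported from a WAN capture, and reports which resolver addresses the queries were actually sent to, flagging any that are not the configured forwarders. The forwarder addresses and the sample packets are constructed placeholders, not values from the thread.

```python
import ipaddress
import struct

# Hypothetical forwarder addresses (placeholders, not from the thread).
CONFIGURED_FORWARDERS = {"192.0.2.53", "192.0.2.54"}


def parse_qname(data, offset):
    """Decode an uncompressed DNS question name starting at offset."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def parse_dns_query(packet):
    """Return (dst_ip, qname) for an IPv4/UDP DNS query to port 53, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:                      # protocol field: not UDP
        return None
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    dns = packet[ihl + 8:]                   # skip the 8-byte UDP header
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if dst_port != 53 or flags & 0x8000 or qdcount == 0:
        return None                          # response (QR bit set) or no question
    return dst_ip, parse_qname(dns, 12)


def audit(packets, forwarders=CONFIGURED_FORWARDERS):
    """Group query names by the resolver they went to; flag resolvers outside the configured set."""
    seen = {}
    for pkt in packets:
        parsed = parse_dns_query(pkt)
        if parsed:
            seen.setdefault(parsed[0], []).append(parsed[1])
    return seen, {ip for ip in seen if ip not in forwarders}


def build_query(src, dst, qname):
    """Construct a minimal IPv4/UDP/DNS A query, used here as stand-in capture traffic."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp
```

Feed `audit()` the UDP/IP payloads from a real capture: an empty "unexpected" set means every query left the firewall toward a configured forwarder, regardless of which Comcast routers traceroute shows on the path.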
illeatthat

ahhh, well that was an oversight.

So perhaps the trace route does not show DNS resolution, only the connection to the end host.
Is that right?

If so, that would explain why my trace shows my IP connecting to a series of Comcast IP addresses before it ends at the destination without hitting any Verisign servers.

Thanks!
kpa

Yes, traceroute is all about tracing the transit path (the chain of routers, in other words) a connection would take to a given destination address. If you want to trace DNS resolution you should learn how to use the dig(1) tool with its +trace option. Couple of starting points:

https://ns1.com/articles/using-dig-trace

https://superuser.com/questions/715632/how-does-dig-trace-actually-work

Do note that the default Unbound set up on pfSense doesn't allow "snooping" from anywhere and 'dig +trace' will not work out of the box. You'll have to add an ACL to the Unbound configuration that allows snooping from localhost addresses 127.0.0.1 and ::1 (IPv6 if used).
johnpoz LAYER 8 Global Moderator

dig +trace will just confuse him more ;) Since it will talk to roots and not his verizon dns…
kpa

Aah yea that's true, forgot that he is using Verison forwarders…