Comcast taking over DNS requests

  • I have an unbound DNS Resolver setup to reach out to Verisign public DNS servers.

    Once I setup the Verisign DNS and DNSSEC, I never checked to make sure I was actually using Verisign.  I always assumed that I was on Verisign since DNSSEC was working and there are no leaks.
    I recently ran a tracepath and found that I am using Comcast servers for DNS, even though it is configured for Verisign.

    Any thoughts on what I've done wrong?


    Attached is a screenshot of the General - DNS settings and the DNS Resolver settings.
    Also attached is a trace of showing that it is resolving at an IP address owned by Comcast.

  • LAYER 8 Global Moderator

    "I recently ran a tracepath and found that I am using Comcast servers for DNS"

    How did that tell you were using comcast for dns?

  • The first hop after my firewall is a Comcast IP address.

  • So your ISP is Comcast? Well it's kind of obvious why the first address in your traceroute/path belongs to Comcast  ::)

    Just because you set your DNS forwarders to Verisign doesn't magically change the path taken by the outgoing traffic, if you have only the WAN connection from Comcast then how else could the DNS traffic reach the Verisign forwarders?

  • LAYER 8 Global Moderator

    As stated by kpa - wtf does that have to do where your dns requests are going?

    Why don't you just sniff your wan traffic for your dns queries and see where they go ;)

  • ahhh, well that was an oversight.

    So perhaps the trace route does not show DNS resolution, only the connection to the end host.
    Is that right?

    If so, that would explain why my trace shows my IP connecting to a series of Comcast IP address before it ends at the destination without hitting any Verisign servers.


  • Yes, traceroute is all about tracing the transit path (the chain of routers in other words) a connection would take to a given destination address. If you want to trace DNS resolution you should learn how to use the dig(1) tool with its +trace option. Couple of starting points:

    Do note that the default Unbound set up on pfSense doesn't allow "snooping" from anywhere and 'dig +trace' will not work out of the box. You'll have to add an ACL to the Unbound configuration that allows snooping from localhost addresses and ::1 (IPv6 if used).

  • LAYER 8 Global Moderator

    dig +trace will just confuse him more ;)  Since it will talk to roots and not his verizon dns…

  • Aah yea that's true, forgot that he is using Verison forwarders….

Log in to reply