Comcast DNS Redirection Launched In Trial Markets

An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."

malware

[sopssa]

Another great press release about how it will be helpful and a "service" for users, while the main purpose is just to gather extra advertisement revenue (while breaking internet standards). I mean, this is what malware do. Oh well, atleast these non-us ISP's dont do such dirty acts to their customers here. Time to voice your opinion maybe?

Who's providing a backdoor DNS service?

[argent]

Sounds like time to pick some semi-standard alternate port number and start setting up some alternate recursive DNS servers, something between alt.* and TOR.

The Sky isn't faling.

[TheRealJobe]

Before you go calling me a troll, just hear me out, this isn't that big of a deal. It doesnt redirect you to another 3rd party site owned by the NSA, it simply provides a web GUI that suggest sites on what the system thought you wanted to see. You dont have to go any sites you dont want to. The sky isnt falling.

Re:Who's providing a backdoor DNS service?

[644bd346996]

Why? It's not like Comcast is going to be intercepting all DNS traffic and routing it through their spammy DNS servers. Only the people who get their resolvers from DHCP (ie the people who don't know enough to care) will be affected.

Re:The Sky isn't faling.

[Anonymous Coward]

Don't you have a mass mail marketing webinar to attend somewhere? Get lost.

Re:So should...

[The End Of Days]

You can opt out, you know. It says so right in the summary.

Also please don't use "evil" to describe things that are merely inconvenient. It greatly diminishes the horror and suffering people have gone through at the hands of real, actual evil.

Keep trying till you succeed

[Lead Butthead]

When in doubt, keep trying. When rejected, keep trying. Enough people do this, it becomes the norm. Sad, but true.

Re:The Sky isn't faling.

[mdmkolbe]

Providing a nice GUI on a DNS lookup fail is the job of the web browser not the DNS server. DNS is infrastructure not user interface.

Re:malware

[jank1887]

modern corporate culture demands profit growth. not just continued profit, but growth of profits. how do you expect that to happen in a saturated market?

They shouldn't control it.

[Well-Fed Troll]

Why exactly does the ISP control DNS?
Given the shenanigans the ISPs and governmental authorities have been up to the last few years, I say we need to rethink TCP. You see, we've been assuming all along that ISPs are not malicious. We need to start assuming they are malicious. The new TCP protocol should only assume that all socket level data is sensitive and therefore must be encrypted as to both its contents AND its destination. This implies traffic shaping, onion routing and a public key based DNS

Re:So should...

[Anonymous Coward]

Real evil is like real beauty. Both are nothing more than opinion. Stop trying to make your emotions seem important.

Re:So should...

[Sir_Lewk]

No.

Knock this shit off and mods, wise the fuck up. Just because it has "open" in the name doesn't make it suddenly good and benevolent, They do the exact same fucking thing.

Anyone who's been on slashdot for more than a week or two probably has seen dozens of comments suggesting OpenDNS in cases like this, always modded up. Every single time people post corrections pointing out that they do the same thing. Does anyone ever listen?

Wise the fuck up

Re:malware

[MrMr]

Have the government outlaw your product?

Re:malware

[basementman]

How is this different from OpenDNS? OpenDNS shows ads if your page can't be found. That said I much prefer my ISPs ad free DNS service to OpenDNS.

I hate their tech support

[Anonymous Coward]

https://dns-opt-out.comcast.net/

That is where you go to opt out. I called tech support and no one even new what I was talking about until I directed them to their own announcement.

Re:The Sky isn't faling.

[SCHecklerX]

If a domain name does not exist, I want my systems to receive an error telling them so, not be redirected to a system that they were not expecting to be directed to.

Re:The Sky isn't faling.

[Tony Hoyle]

If you think it's OK to hijack DNS think about what happens if you mistype an email address, or what happens when your configured NTP server goes offline.

Re:malware

[Anonymous Coward]

OpenDNS redirects www.google.com, not google.com. Just in case somebody wants to verify it and finds that you're full of shit.

Re:I tried to circumvent this with OpenDNS...

[Anonymous Coward]

That's why I use the NoRedirect extension [mozilla.org] these days. Don't have to bother with the draconian (and often non-existent) opt-out policies, no matter whose network I'm using.

Re:I'm done. I'll be switching as soon as possible

[griffjon]

Me too.

Oh wait, Comcast doesn't have any competition for high-speed where I live.

Go go gadget free market!

Re:malware

[jtownatpunk.net]

Yeah, it's exactly the same thing. Except opendns is very clear about what they're doing and any computer or network using opendns must explicity configure their system to use the opends servers. Heck, I'm looking at an opendns redirect right now. It's hard to miss the big opendns logo. And the "Why am I here?" link. And the "did you mean" links. Yeah. Exactly the same "dirty trick".

I would find this acceptable if ...

[Skapare]

... in addition to their modem MAC based opt-out mechanism, they:

1. Provide alternative DNS cache servers that users can manually configure to bypass the redirection DNS cache servers. Support for this service can be limited to only informing the customer of the IP addresses of these DNS cache servers, such as on the tech support web page that tells customers how to opt-out. They do NOT have to support users on how to deploy this type of change.
2. Do NOT interfere with DNS queries sent to other DNS servers, whether with or without the recurse flag in the request. This is so that a user can run their own DNS cache server either on an internal network, or access a DNS cache server elsewhere on the internet (their own remote server, or a DNS caching/resolving service), without the need to set up a secure tunnel.
3. Do NOT interfere with any form of secure tunnel or other VLAN.
4. Do NOT intercept any UDP traffic, or TCP connections, or SCTP sessions, unless those are directed specifically to the provider's servers or services. For example the provider may offer HTTP caching services, media stream multipliers, IRC servers, etc., but must not affect users that want to bypass those services. ONE EXCEPTION: connections made to port 25 outside the provider's network SHOULD be intercepted unless the customer makes a "knowledgeable opt-out request" (for example, mentions "SMTP").
5. Do NOT do any other evil activity I don't have time to think about right now.

Anyone that knows what they are doing, or finds out via information from some source (the provider not being obligated to supply this information), should be able to use the internet exactly as it was originally intended.

Re:comcast and netflix

[Antique Geekmeister]

You are blatnatly mistaken, sir.

Because your DNS tells you what the real IP address is, and in many locations, that is not what this "redirect" DNS service will lead you to. That may be a much nearer, but more bandwidth expensive location than Comcast wants you to use, or may not go through their monitoring and proxies and load balancers and most importantly, their _streaming video choking_ services. Comcast has established their willingness to interfere with bandwidth intensive services such as Bittorrent via SYN packats and other abuses: there's no reason to expect that they will provide this service for their customer's advantage, but rather for their own to guide traffic to their desired services.