This is in response to the Slashdot article and the official blog post claiming that Comcast is transparently tinkering with TCP port 53 traffic.
Location: Mountain View, CA
Non-Comcast server: 72.20.106.4
Comcast connection: 98.248.46.159
There is an actual nameserver (BIND) running on 72.20.106.4 whose ACLs deny queries from non-permitted clients. The Comcast connection is not in the ACL, so the nameserver should politely return REFUSED no matter what is queried.
The Comcast connection is behind a router, so NAT is involved.
comcast# dig @72.20.106.4 comcast.sucks.com. a

; <<>> DiG 9.4.3-P2 <<>> @72.20.106.4 comcast.sucks.com. a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49471
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;comcast.sucks.com. IN A

;; Query time: 12 msec
;; SERVER: 72.20.106.4#53(72.20.106.4)
;; WHEN: Tue Jun 9 12:48:57 2009
;; MSG SIZE rcvd: 35
What the server saw:
server# tcpdump -v -p -i em0 -l -n -s 8192 "host 98.248.46.159 and not port 22 and not port 993"
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 8192 bytes
12:48:57.264897 IP (tos 0x20, ttl 54, id 48387, offset 0, flags [none], proto UDP (17), length 63) 98.248.46.159.52697 > 72.20.106.4.53: 49471+ A? comcast.sucks.com. (35)
12:48:57.265005 IP (tos 0x0, ttl 64, id 46332, offset 0, flags [none], proto UDP (17), length 63) 72.20.106.4.53 > 98.248.46.159.52697: 49471 Refused- 0/0/0 (35)
Now let’s try TCP:
comcast# dig @72.20.106.4 comcast.sucks.com. a +tcp

; <<>> DiG 9.4.3-P2 <<>> @72.20.106.4 comcast.sucks.com. a +tcp
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34286
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;comcast.sucks.com. IN A

;; Query time: 14 msec
;; SERVER: 72.20.106.4#53(72.20.106.4)
;; WHEN: Tue Jun 9 12:50:37 2009
;; MSG SIZE rcvd: 35
And what the server saw:
server# tcpdump -v -p -i em0 -l -n -s 8192 "host 98.248.46.159 and not port 22 and not port 993"
12:50:37.675402 IP (tos 0x20, ttl 54, id 50693, offset 0, flags [DF], proto TCP (6), length 60) 98.248.46.159.57521 > 72.20.106.4.53: S, cksum 0xe098 (correct), 1964159373:1964159373(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 662893746 0>
12:50:37.675443 IP (tos 0x0, ttl 64, id 48248, offset 0, flags [DF], proto TCP (6), length 60) 72.20.106.4.53 > 98.248.46.159.57521: S, cksum 0x9124 (correct), 1547364460:1547364460(0) ack 1964159374 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 2908314978 662893746>
12:50:37.689896 IP (tos 0x20, ttl 54, id 50696, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: ., cksum 0x9f5a (correct), ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>
12:50:37.689927 IP (tos 0x20, ttl 54, id 50697, offset 0, flags [DF], proto TCP (6), length 89) 98.248.46.159.57521 > 72.20.106.4.53: P, cksum 0x6f5a (correct), 1:38(37) ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>34286+ A? comcast.sucks.com. (35)
12:50:37.690104 IP (tos 0x0, ttl 64, id 48250, offset 0, flags [DF], proto TCP (6), length 89) 72.20.106.4.53 > 98.248.46.159.57521: P, cksum 0xef20 (correct), 1:38(37) ack 38 win 8326 <nop,nop,timestamp 2908314993 662893758>34286 Refused- 0/0/0 (35)
12:50:37.701886 IP (tos 0x20, ttl 54, id 50704, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: F, cksum 0x9ef1 (correct), 38:38(0) ack 38 win 8326 <nop,nop,timestamp 662893773 2908314993>
12:50:37.701905 IP (tos 0x0, ttl 64, id 48251, offset 0, flags [DF], proto TCP (6), length 52) 72.20.106.4.53 > 98.248.46.159.57521: ., cksum 0x9ee5 (correct), ack 39 win 8326 <nop,nop,timestamp 2908315005 662893773>
12:50:37.701938 IP (tos 0x0, ttl 64, id 48252, offset 0, flags [DF], proto TCP (6), length 52) 72.20.106.4.53 > 98.248.46.159.57521: F, cksum 0x9ee4 (correct), 38:38(0) ack 39 win 8326 <nop,nop,timestamp 2908315005 662893773>
12:50:37.713879 IP (tos 0x20, ttl 54, id 50706, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: ., cksum 0x9ed9 (correct), ack 39 win 8325 <nop,nop,timestamp 662893785 2908315005>
Finally, my ICSI results for those who care.
Conclusion: nothing is being modified here.
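As an added example (not code from the original post), here is the comparison the two captures above boil down to, in Python: build the 35-byte query dig sent (id 49471, RD set), frame it for TCP (the 37 bytes seen in the TCP capture), and check the reply against the query for an echoed transaction id, an unchanged question section, the expected REFUSED rcode, and no records the ACL-protected server would never have sent. Both replies are constructed here; 203.0.113.7 is a documentation placeholder.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
REFUSED = 5

def encode_qname(name):
    """'comcast.sucks.com.' -> b'\\x07comcast\\x05sucks\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype=1, qclass=1):
    """Recursion-desired query as dig sends it: 12-byte header (flags: rd) + question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", qtype, qclass)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def check_reply(query, reply, expected_rcode=REFUSED):
    """Return discrepancies between what was sent and what came back. Empty means the reply is
    the one an ACL-protected server produces on its own; anything listed is worth comparing
    against the server-side capture before blaming (or clearing) the path in between."""
    q, r = parse_header(query), parse_header(reply)
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction id %d != %d" % (r["id"], q["id"]))
    if not r["qr"]:
        problems.append("QR bit not set in reply")
    if reply[12:len(query)] != query[12:]:
        problems.append("question section differs from what was sent")
    if r["rcode"] != expected_rcode:
        problems.append("rcode %s, expected %s" % (RCODE_NAMES.get(r["rcode"], r["rcode"]), RCODE_NAMES[expected_rcode]))
    if r["ancount"] or r["nscount"] or r["arcount"]:
        problems.append("reply carries %d/%d/%d records" % (r["ancount"], r["nscount"], r["arcount"]))
    return problems

# Constructed wire messages matching the page's first exchange: id 49471, REFUSED, 35 bytes each way.
QUERY = build_query(49471, "comcast.sucks.com.")
REFUSED_REPLY = struct.pack("!HHHHHH", 49471, 0x8105, 1, 0, 0, 0) + QUERY[12:]  # flags qr rd, rcode 5

# Constructed reply of the kind an interposed resolver would substitute: NOERROR plus one A record
# pointing at 203.0.113.7 (a documentation address); check_reply flags both the rcode and the answer.
SPOOFED_REPLY = (struct.pack("!HHHHHH", 49471, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))
```

`check_reply(QUERY, REFUSED_REPLY)` returns an empty list, which is the situation the captures above show; run against a live reply, a non-empty list is the cue to pull the server-side tcpdump and compare ids and payloads packet by packet.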
2009/06/11 at 04:45
Thanks for this post. I made some adjustments