Comcast isn’t messing with my port 53 traffic…

This is in response to the Slashdot article and the official blog post claiming that Comcast is transparently tinkering with TCP port 53 traffic.

Location: Mountain View, CA
Non-Comcast server: 72.20.106.4
Comcast connection: 98.248.46.159

There is an actual nameserver (BIND) running on 72.20.106.4 whose ACLs deny queries from non-permitted clients. The Comcast connection is not in the ACL, so the nameserver should politely return REFUSED no matter what’s queried.

The Comcast connection is behind a router, so NAT is involved.

comcast# dig @72.20.106.4 comcast.sucks.com. a

; <<>> DiG 9.4.3-P2 <<>> @72.20.106.4 comcast.sucks.com. a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49471
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;comcast.sucks.com.             IN      A

;; Query time: 12 msec
;; SERVER: 72.20.106.4#53(72.20.106.4)
;; WHEN: Tue Jun  9 12:48:57 2009
;; MSG SIZE  rcvd: 35

What the server saw:

server# tcpdump -v -p -i em0 -l -n -s 8192 "host 98.248.46.159 and not port 22 and not port 993"
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 8192 bytes
12:48:57.264897 IP (tos 0x20, ttl 54, id 48387, offset 0, flags [none], proto UDP (17), length 63) 98.248.46.159.52697 > 72.20.106.4.53: 49471+ A? comcast.sucks.com. (35)
12:48:57.265005 IP (tos 0x0, ttl 64, id 46332, offset 0, flags [none], proto UDP (17), length 63) 72.20.106.4.53 > 98.248.46.159.52697: 49471 Refused- 0/0/0 (35)

Now let’s try TCP:

comcast# dig @72.20.106.4 comcast.sucks.com. a +tcp

; <<>> DiG 9.4.3-P2 <<>> @72.20.106.4 comcast.sucks.com. a +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34286
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;comcast.sucks.com.             IN      A

;; Query time: 14 msec
;; SERVER: 72.20.106.4#53(72.20.106.4)
;; WHEN: Tue Jun  9 12:50:37 2009
;; MSG SIZE  rcvd: 35

And what the server saw:

server# tcpdump -v -p -i em0 -l -n -s 8192 "host 98.248.46.159 and not port 22 and not port 993"
12:50:37.675402 IP (tos 0x20, ttl 54, id 50693, offset 0, flags [DF], proto TCP (6), length 60) 98.248.46.159.57521 > 72.20.106.4.53: S, cksum 0xe098 (correct), 1964159373:1964159373(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 662893746 0>
12:50:37.675443 IP (tos 0x0, ttl 64, id 48248, offset 0, flags [DF], proto TCP (6), length 60) 72.20.106.4.53 > 98.248.46.159.57521: S, cksum 0x9124 (correct), 1547364460:1547364460(0) ack 1964159374 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 2908314978 662893746>
12:50:37.689896 IP (tos 0x20, ttl 54, id 50696, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: ., cksum 0x9f5a (correct), ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>
12:50:37.689927 IP (tos 0x20, ttl 54, id 50697, offset 0, flags [DF], proto TCP (6), length 89) 98.248.46.159.57521 > 72.20.106.4.53: P, cksum 0x6f5a (correct), 1:38(37) ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>34286+ A? comcast.sucks.com. (35)
12:50:37.690104 IP (tos 0x0, ttl 64, id 48250, offset 0, flags [DF], proto TCP (6), length 89) 72.20.106.4.53 > 98.248.46.159.57521: P, cksum 0xef20 (correct), 1:38(37) ack 38 win 8326 <nop,nop,timestamp 2908314993 662893758>34286 Refused- 0/0/0 (35)
12:50:37.701886 IP (tos 0x20, ttl 54, id 50704, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: F, cksum 0x9ef1 (correct), 38:38(0) ack 38 win 8326 <nop,nop,timestamp 662893773 2908314993>
12:50:37.701905 IP (tos 0x0, ttl 64, id 48251, offset 0, flags [DF], proto TCP (6), length 52) 72.20.106.4.53 > 98.248.46.159.57521: ., cksum 0x9ee5 (correct), ack 39 win 8326 <nop,nop,timestamp 2908315005 662893773>
12:50:37.701938 IP (tos 0x0, ttl 64, id 48252, offset 0, flags [DF], proto TCP (6), length 52) 72.20.106.4.53 > 98.248.46.159.57521: F, cksum 0x9ee4 (correct), 38:38(0) ack 39 win 8326 <nop,nop,timestamp 2908315005 662893773>
12:50:37.713879 IP (tos 0x20, ttl 54, id 50706, offset 0, flags [DF], proto TCP (6), length 52) 98.248.46.159.57521 > 72.20.106.4.53: ., cksum 0x9ed9 (correct), ack 39 win 8325 <nop,nop,timestamp 662893785 2908315005>
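
The by-eye comparison above (dig's transaction ID and status against what tcpdump logged on the server) can be scripted. This is an added example, not part of the original post; the function names are hypothetical, the parser only covers the tcpdump -v -n line format shown here, and the sample lines are copied from the captures above.

```python
import re

DIG_HDR = re.compile(r"status: (\w+), id: (\d+)")
ENDPOINTS = re.compile(r"(\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:")
# tcpdump DNS summary: "<id><flags> <qtype>? <qname>" or "<id><flags> [Rcode] an/ns/ar"
DNS = re.compile(r"[ >](\d+)[+%*|$-]* (?:(\w+)\? (\S+)|(?:([A-Za-z]+)\S* )?\d+/\d+/\d+)")

def parse_capture(text):
    """Extract DNS messages (UDP or TCP) from `tcpdump -v -n` output lines."""
    msgs = []
    for line in text.splitlines():
        ep, dns = ENDPOINTS.search(line), DNS.search(line)
        if ep and dns:
            txid, qtype, qname, rcode = dns.groups()
            msgs.append({"src": ep.group(1), "dst": ep.group(2), "txid": int(txid),
                         "is_query": qtype is not None, "qname": qname,
                         "rcode": (rcode or "NOERROR").upper()})
    return msgs

def check_path(dig_out, capture, client_ip, server_ip):
    """List discrepancies between what dig reported and what the server logged."""
    status, txid = DIG_HDR.search(dig_out).groups()
    txid, msgs, problems = int(txid), parse_capture(capture), []
    queries = [m for m in msgs if m["is_query"] and m["dst"] == server_ip]
    replies = [m for m in msgs if not m["is_query"] and m["src"] == server_ip]
    if not queries:
        problems.append("query never reached the server")
    for q in queries:  # source ports are not compared: the client is behind NAT
        if q["src"] != client_ip:
            problems.append(f"query came from {q['src']}, not {client_ip}")
        if q["txid"] != txid:
            problems.append(f"server saw id {q['txid']}, dig sent {txid}")
    for r in replies:
        if r["txid"] == txid and r["rcode"] != status:
            problems.append(f"server sent {r['rcode']}, dig received {status}")
    if not any(r["txid"] == txid for r in replies):
        problems.append("dig got an answer the server never sent")
    return problems

CLIENT, SERVER = "98.248.46.159", "72.20.106.4"
# Lines copied from the captures on this page (dig header + DNS-bearing packets).
DIG_UDP = ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49471"
CAP_UDP = """12:48:57.264897 IP (tos 0x20, ttl 54, id 48387, offset 0, flags [none], proto UDP (17), length 63) 98.248.46.159.52697 > 72.20.106.4.53: 49471+ A? comcast.sucks.com. (35)
12:48:57.265005 IP (tos 0x0, ttl 64, id 46332, offset 0, flags [none], proto UDP (17), length 63) 72.20.106.4.53 > 98.248.46.159.52697: 49471 Refused- 0/0/0 (35)"""
DIG_TCP = ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34286"
CAP_TCP = """12:50:37.689927 IP (tos 0x20, ttl 54, id 50697, offset 0, flags [DF], proto TCP (6), length 89) 98.248.46.159.57521 > 72.20.106.4.53: P, cksum 0x6f5a (correct), 1:38(37) ack 1 win 8326 <nop,nop,timestamp 662893758 2908314978>34286+ A? comcast.sucks.com. (35)
12:50:37.690104 IP (tos 0x0, ttl 64, id 48250, offset 0, flags [DF], proto TCP (6), length 89) 72.20.106.4.53 > 98.248.46.159.57521: P, cksum 0xef20 (correct), 1:38(37) ack 38 win 8326 <nop,nop,timestamp 2908314993 662893758>34286 Refused- 0/0/0 (35)"""

print(check_path(DIG_UDP, CAP_UDP, CLIENT, SERVER), check_path(DIG_TCP, CAP_TCP, CLIENT, SERVER))
```

An empty list for both runs means the query arrived from the client's own address with the ID dig sent, and dig received the status the server actually returned.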

Finally, my ICSI results for those who care.

Conclusion: nothing being modified here.