

If You Use Comcast DNS Servers, You Cannot Read This (try with www.) - diego
http://diegobasch.com/if-you-use-comcast-dns-servers-you-cannot-rea

======
mooism2
_> I believe that OS makers should give people an option to choose among
several DNS servers during the installation process, and explain why._

And most people won't have any idea which is the correct answer, will pick one
at random or pick the default, and then spend the rest of the install process
worrying that they picked the wrong answer. Why would any OS maker want to
inflict that on their users?

~~~
diego
You already pick a ton of defaults when installing an OS (English keyboard,
whatever). Same as when downloading something from a random mirror. People
don't think twice about these things.

~~~
pavel_lishin
My mother has never once downloaded anything from a mirror.

On the other hand, she has also never installed an operating system.

Perhaps there should be an "advanced" step during install, which would be
skipped by default.

------
cypherpunks01
Cloudflare's DNS editor warns with this when CNAME'ing a bare domain:

        Root domain CNAME records are not allowed by the DNS specification.
        Older recursors and mail programs may not follow this CNAME.
        You may want to change this record to an A record if you plan to
        use it as a MX or SRV target.
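
A check for the rule behind that warning, added here as an example (it is not Cloudflare's or any DNS provider's code): it scans a constructed zone and flags a CNAME that shares its owner name with other records (RFC 1034 section 3.6.2), which at the apex is always the case because the SOA and NS records live there, and also flags an MX, NS or SRV whose target is an alias (RFC 2181 section 10.3, RFC 2782). The zone, host names and addresses are made up.

```python
"""Static check for CNAME misuse in a zone.  Illustrative example, not any
provider's code.  Records are plain (owner, type, data) tuples and the zone
below is constructed to mirror the setup discussed in the thread."""

from collections import defaultdict

# RFC 1034 3.6.2: if a CNAME is present at a node, no other data should be
# present.  RFC 2181 10.3 (MX, NS) and RFC 2782 (SRV): the target must be a
# host name, not an alias.
TARGET_TYPES = {"MX", "NS", "SRV"}


def _norm(name):
    return name.rstrip(".").lower()


def index_zone(records):
    """Group record data by owner name and type."""
    by_owner = defaultdict(lambda: defaultdict(list))
    for owner, rtype, data in records:
        by_owner[_norm(owner)][rtype.upper()].append(data)
    return by_owner


def check_zone(apex, records):
    """Return a list of human-readable findings (empty list means clean)."""
    apex = _norm(apex)
    by_owner = index_zone(records)
    findings = []
    cname_owners = {o for o, t in by_owner.items() if "CNAME" in t}

    # Rule 1: a CNAME owner may carry nothing else.  The apex always carries
    # SOA and NS, so an apex CNAME can never satisfy this.
    for owner in sorted(cname_owners):
        others = sorted(t for t in by_owner[owner] if t != "CNAME")
        if others:
            where = "zone apex" if owner == apex else owner
            findings.append(
                f"CNAME at {where} coexists with {', '.join(others)} "
                f"(RFC 1034 3.6.2 forbids other data at a CNAME node)")

    # Rule 2: MX/NS/SRV targets must not be aliases.  The host name is the
    # last whitespace-separated field of the record data.
    for owner, types in by_owner.items():
        for rtype in TARGET_TYPES & set(types):
            for data in types[rtype]:
                target = _norm(data.split()[-1])
                if target in cname_owners:
                    findings.append(
                        f"{rtype} at {owner} points at {target}, which is a "
                        f"CNAME (RFC 2181 10.3 / RFC 2782: target must not be an alias)")
    return findings


# Constructed zone: mail at a third party, apex CNAME'd to a web host.
BROKEN_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 aspmx.l.google.com."),
    ("example.com.", "CNAME", "app.example-host.net."),  # the mistake
    ("www.example.com.", "CNAME", "app.example-host.net."),
    ("ns1.example.com.", "A", "192.0.2.53"),
]

# Same zone with the apex CNAME replaced by an A record (assumed address).
FIXED_ZONE = [r for r in BROKEN_ZONE if r[:2] != ("example.com.", "CNAME")] + [
    ("example.com.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for finding in check_zone("example.com", BROKEN_ZONE):
        print("BROKEN:", finding)
    print("FIXED:", check_zone("example.com", FIXED_ZONE) or "no findings")
```

The first finding is the one that bites in this thread: a resolver that honours the alias has to ignore the MX and NS at the same name, one that honours the MX and NS has to ignore the alias, and one that follows the specification strictly can reject the node outright, so the result depends on which resolver you ask. The test below also exercises rule 2 with a constructed MX pointing at a CNAME.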

~~~
zred
I fell into this problem a while back with the domain I use for my mail.
Everything was set up nicely in Namecheap's DNS so that the MX records were
pointing at GMail and the root CNAME was pointing at my webhost. After a
couple days not getting mail, I figured out what the problem was.

Oddly enough, unlike the article, Comcast's DNS was working fine with my
domain on the root CNAME.

Most services like Heroku or Google's AppEngine (where you set up a CNAME for
your domain rather than an A record) recommend that you have your DNS provider
do a redirect to the "www." version. Namecheap's DNS will do this (a lot of
providers offer redirects in their DNS system, which isn't really DNS, but is a
simple value-add for them to provide).

~~~
sixcorners
[http://support.google.com/a/bin/answer.py?hl=en&answer=2...](http://support.google.com/a/bin/answer.py?hl=en&answer=2518373)

You don't have to use a DNS provider to do redirection with AppEngine.

------
dchest
You can't do CNAME with the root domain record. That is all.

~~~
diego
<http://pzxc.com/cname-on-domain-root-does-work> begs to differ.

~~~
dchest
The _reality_ begs to agree.

~~~
diego
Yeah, I give up. I just changed it.

------
masnick
You're right that using an A record isn't great because your hosting provider
loses the flexibility of being able to change IP addresses. This article
explains it really well: [https://devcenter.heroku.com/articles/avoiding-naked-domains...](https://devcenter.heroku.com/articles/avoiding-naked-domains-dns-arecords)

My solution is to use CloudFlare for my DNS (it's free, why not?) and use
their "page rules" feature to do a 301 (permanent) redirect from domain.com/*
to www.domain.com/$1.

You can see what happens if you run `curl -I maxmasnick.com`.

dnsimple.com (another DNS provider) also lets you add a "URL" record, which
also is a 301 redirect.

One should be careful with 301 redirects because they are cached locally and
thus quite permanent (see:
[http://www.jacquesmattheij.com/301+redirects+-+a+dangerous+o...](http://www.jacquesmattheij.com/301+redirects+-+a+dangerous+one+way+street)).
But in this case I think this is what you want.

------
samarudge
Why naturally jump to the conclusion that Comcast (who, while many will
criticize, probably know vaguely what they're doing) is broken before
researching /why/ it wasn't working? DNS isn't the most simple thing in the
world, and things like this can catch a lot of people out, particularly if
your DNS host doesn't tell you root level CNAMEs are not recommended, but
automatically assuming someone else must be doing something wrong, just
because you think it should be working, is frankly stupid. It's the sort of
thing I'd expect from TheDailyWTF or /r/talesfromtechsupport, not a reader of
Hacker News.

~~~
diego
I did research, what you're seeing is part of the research process :)

------
brokentone
Appreciate the discussion here. You all may have just solved an occasional and
annoying issue on my website. I'm a Dev at www.theblaze.com and we've had
varied reports over the past little while that the site is inaccessible on
Comcast. I use Comcast as well at home and I've noticed intermittent failures.
My first thought was DNSSEC errors like those that took NASA down a few months
back, but we don't use DNSSEC at all.

Just checked, and our root record is indeed CNAME'd.

One question though. Is there a single source to reference for the discussion
I'm starting with our host?

------
icebraining
_DNS in its current form is broken as well. It wasn't designed to be used by
the current internet. Furthermore, a particular ISP can decide to use its DNS
servers as a mechanism for censorship._

I think this is a little naive. Let's say you want to fix this, what could you
do? Well, you could sign the responses; that would prevent hijacking, but it
wouldn't stop the ISP from returning SERVFAIL, since the server could _really_
be unavailable.

Well, then you could use another DNS server, and encrypt the queries so that
the ISP has no idea what's being queried (and therefore can't do selective
censoring). But now you've replaced one single point of censorship with
another.

You could then send queries to multiple DNS servers simultaneously, so that no
single server can censor.

Now think of all the latency added by that system, and which is useless
because the ISP can wait for the DNS to resolve and then drop the HTTP request
to that host.

You could make the ISP a dumb pipe by using a VPN, but now you've gone back to
replacing an evil for another.

Eventually, to really fix the problem you'd need a Tor-like system with
anonymity, dynamic routing and hash-based addresses, but that's extremely
inefficient and completely overblown for the vast, vast majority of cases
unless you're in a dictatorship.

~~~
eurleif
>You could then send queries to multiple DNS servers simultaneously, so that
no single server can censor.

>Now think of all the latency added by that system

If you send the requests at the same time, the latency should be the same as
querying the slowest of the DNS servers individually (or the nth fastest
server, where n is the number required to establish a quorum, if you don't
require results from all the servers).
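
The quorum scheme in this exchange, as an added example that is not from the article or from any real resolver: every server is queried at once, and the function returns as soon as `quorum` answers agree, cancelling whatever is still outstanding, so the slow or uncooperative server sets no floor on latency. Real queries are replaced by simulated resolvers that sleep for a constructed delay and return a constructed answer (one of them stands in for an ISP resolver that would return SERVFAIL); server names, delays and addresses are made up.

```python
"""Quorum resolution across several resolvers.  Illustrative example, not a
real resolver: network queries are simulated with asyncio.sleep so that it
runs offline, and all delays and answers are constructed."""

import asyncio
import time
from collections import Counter


async def fake_resolver(name, server, delay, answer):
    """Stand-in for a DNS query to `server`: wait `delay` seconds, then answer."""
    await asyncio.sleep(delay)
    return server, answer


async def resolve_with_quorum(name, servers, quorum):
    """Query all servers concurrently and return (answer, responders) as soon
    as `quorum` identical answers have arrived.

    servers maps server name -> (delay_seconds, answer).  Latency is bounded
    by the quorum-th fastest server rather than by the slowest one; raises
    RuntimeError if no answer ever reaches the quorum.
    """
    tasks = [asyncio.create_task(fake_resolver(name, s, d, a))
             for s, (d, a) in servers.items()]
    votes = Counter()
    responders = {}
    try:
        for done in asyncio.as_completed(tasks):
            server, answer = await done
            responders[server] = answer
            votes[answer] += 1
            if votes[answer] >= quorum:
                return answer, responders
        raise RuntimeError(f"no answer reached quorum {quorum}: {responders}")
    finally:
        # Stop waiting on the slow or disagreeing servers.
        for t in tasks:
            t.cancel()


def run(servers, quorum=2, name="www.example.com"):
    """Resolve `name` with a quorum and report wall-clock latency."""
    start = time.monotonic()
    answer, responders = asyncio.run(resolve_with_quorum(name, servers, quorum))
    return answer, responders, time.monotonic() - start


# Constructed scenario: two independent resolvers agree quickly; a third,
# standing in for a censoring or broken ISP resolver, is slow and would
# answer SERVFAIL.  With quorum=2 it is never waited for.
SERVERS = {
    "resolver-a": (0.02, "192.0.2.10"),
    "resolver-b": (0.05, "192.0.2.10"),
    "isp-slow": (1.00, "SERVFAIL"),
}

if __name__ == "__main__":
    answer, responders, elapsed = run(SERVERS)
    print(answer, sorted(responders), f"{elapsed:.2f}s")
```

With `quorum=2` the call returns after the second-fastest server (about 0.05 s here) and `responders` never contains the slow one; with `quorum=3` the honest pair cannot outvote the SERVFAIL, so the call waits for everyone and then fails, which is the disagreement case the comment above is worried about.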

