Tell HN: Comcast/Xfinity is having a widespread DNS outage
65 points by Doches on June 17, 2023 | 39 comments
According to https://downdetector.com/status/xfinity/ and r/comcast, looks like Comcast/Xfinity is having a DNS outage. Anyone have any insight into what's going on over there?



I've got this list of public DNS servers I scraped together a while back.

I used it for benchmarking and checking propagation/filtering, but I haven't tested them for a while, so I can't say they're all still working.

  Google                8.8.8.8          8.8.4.4          https://developers.google.com/speed/public-dns/
  Quad9                 9.9.9.9          149.112.112.112  https://www.quad9.net/
  Cloudflare            1.1.1.1          1.0.0.1          https://1.1.1.1/dns/
  AdGuard DNS           94.140.14.14     94.140.15.15     https://adguard-dns.io/en/public-dns.html
  Control D             76.76.2.0        76.76.10.0       https://controld.com/free-dns/
  OpenDNS Home          208.67.222.222   208.67.220.220   https://www.opendns.com/
  CleanBrowsing         185.228.168.9    185.228.169.9    https://cleanbrowsing.org/filters/
  Alternate DNS         76.76.19.19      76.223.122.150   https://alternate-dns.com/
  DNS.WATCH             84.200.69.80     84.200.70.40     https://dns.watch/index
  Comodo Secure DNS     8.26.56.26       8.20.247.20      https://www.comodo.com/secure-dns/switch/
  CenturyLink (Level3)  205.171.3.66     205.171.202.166  https://www.centurylink.com/home/help/internet/dns.html
  CIRA Canadian Shield  149.112.121.10   149.112.122.10   https://www.cira.ca/cybersecurity-services/canadian-shield
  OpenNIC               138.197.140.189  137.220.55.93    https://www.opennic.org/
  Dyn                   216.146.35.35    216.146.36.36    https://help.dyn.com/internet-guide-setup/
  Yandex DNS            77.88.8.8        77.88.8.1        https://dns.yandex.com/
  Hurricane Electric    74.82.42.42                       https://dns.he.net/
  Neustar               64.6.64.6        64.6.65.6        https://www.publicdns.neustar/
  DNS for Family        94.130.180.225   78.47.64.161     https://dnsforfamily.com/
  FlashStart            185.236.104.104  185.236.105.105  https://flashstart.com/filtering-dns/
  Freenom World         80.80.80.80      80.80.81.81      https://www.freenom.world/en/index.html


Nice! Another alternative is to use a different protocol, i.e., instead of using DNS over 53/udp, use dnscrypt (ports 443 TCP/UDP) via something like dnscrypt-proxy. This has an additional benefit of not leaking your DNS queries to your ISP.


I'm actually enforcing encrypted DNS and blocking destination port 53 outbound on my firewall at home; that's why I couldn't re-run the script I was using to test the current availability and response times of all these.

(It wouldn't be a lot of work to run the tests from one of my cloud servers or disable the firewall rule temporarily, but I figured someone on HN might tell me which ones stopped working and spare me the effort.)


Do you need another list of servers for that or can you use the one above?


dnscrypt is a separate protocol so you'd need a different list of servers. But those are readily available and tagged with their filter (e.g. no malware or no adult domains) and privacy (e.g. no log, no edns-client-subnet, qname minimization) policies.

https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolver...

https://dnscrypt.info/public-servers/


Probably worth noting that:

1) Several of these, such as DNS for Family and (less obviously) Quad9, are filtered resolvers.

2) OpenNIC is an alternate root.



Would be nice to also include IPv6 variants for each.


I’m not a Comcast subscriber, but we first noticed this when a weirdly coordinated wave of our customers — first in Florida, then moving north up all the way through New England — started screaming into our support phones that our site was down and they were losing business as a result.

After last week’s AWS US-East-1 outage, this has not been a good couple of days to be dependent on someone else’s infrastructure, even something as fundamental as a customer’s ISP…


Was not just DNS. We are in South Florida and run internal DNS with next hops to 1.1.1.1 and 8.8.8.8. We had about 30% of sites not available even with DNS resolving. As of 1:00 EST all is working now.


You think this is bad - just wait until Google decides to retire 8.8.8.8!


There will still be Cloudflare’s 1.1.1.1.


Do Not Stress...


I couldn't get to Hacker News so was sad. But then when I couldn't get to Reddit I was happy. Go figure.


And oddly enough, I just canceled them today.

Hello, fiber. Goodbye unilaterally-decided bullshit data caps.


I was having an issue connecting to Netflix earlier, until I used VPN. I momentarily wondered if Comcast was going back to their old practices of sabotaging streaming services from 10 years ago. DownDetector said Netflix was down, other sites worked, it makes sense that Comcast is up to no good, right?

But I don't use Comcast DNS. Netflix would be the only site I visited which has a peering agreement with Comcast. It makes more sense that the route between Comcast and Netflix is broken, regardless of my local DNS lookups being unaffected, than malfeasance on Comcast's part. The route from Comcast to VPN to Netflix, on the other hand, is unaffected.


When comcast started redirecting my mistyped URLs to their own pages, I stopped using their DNS. No regrets.



I remember seeing that in the past (before switching to a different DNS). That should be illegal.


Yikes... do they still do that now or have they stopped?


Not for many years, but they have started trying to sell us a spyware 'security edge' appliance (which we've noped out of) that seems to break DNS for some people.
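Two things in this thread ask for the same small tool: the commenter above who wanted to re-test availability and response times of the resolver list, and the NXDOMAIN-redirection complaint here (an ISP resolver answering a typo with an A record for its own search page instead of NXDOMAIN). The following is an added example, not code from any commenter: it hand-builds a DNS query with the standard library only, parses the reply (including compressed names), reports RTT and RCODE, and flags a resolver as rewriting NXDOMAIN when a query for a random label that cannot exist comes back NOERROR with an address. The resolver names and IPs in RESOLVERS are taken from the list posted above; the random label under example.com is assumed not to exist. It speaks plain UDP/53, so it has to run from a host that is not blocking port 53 outbound.

```python
"""Hand-rolled DNS probe: build a query, parse the reply, time it, and
detect NXDOMAIN rewriting. Added example, standard library only."""
import random
import socket
import string
import struct
import time

# Assumed subset of the resolver list in the thread; RTTs are only
# measured when probe() is actually run against the network.
RESOLVERS = {"Google": "8.8.8.8", "Quad9": "9.9.9.9", "Cloudflare": "1.1.1.1"}

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_A = 1


def build_query(qname: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Encode a single-question query with RD set (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:            # compression pointer (2 bytes)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2            # the name ends after the first pointer
            off, jumped = ptr, True
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return the RCODE name and the A records found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                         # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": addrs, "truncated": bool(flags & 0x0200)}


def looks_hijacked(parsed: dict) -> bool:
    """For a name that cannot exist the honest answer is NXDOMAIN; NOERROR
    plus an A record means the resolver is rewriting NXDOMAIN."""
    return parsed["rcode"] == "NOERROR" and bool(parsed["answers"])


def random_nonexistent_name(suffix: str = "example.com") -> str:
    # Assumption: a 24-letter random label under example.com does not exist.
    label = "".join(random.choices(string.ascii_lowercase, k=24))
    return f"{label}.{suffix}"


def probe(resolver_ip: str, qname: str, timeout: float = 2.0) -> dict:
    """Send one query over UDP/53 and return the parsed reply plus RTT in ms."""
    txid = random.randrange(0, 0x10000)
    pkt = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(pkt, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
        rtt_ms = (time.perf_counter() - t0) * 1000
    result = parse_response(data, txid)
    result["rtt_ms"] = round(rtt_ms, 1)
    return result


if __name__ == "__main__":
    for name, ip in RESOLVERS.items():
        try:
            ok = probe(ip, "example.com")
            nx = probe(ip, random_nonexistent_name())
            print(f"{name:10} {ip:15} {ok['rtt_ms']:6.1f} ms {ok['rcode']} "
                  f"{ok['answers']} nxdomain-rewrite={'YES' if looks_hijacked(nx) else 'no'}")
        except (OSError, ValueError) as e:
            print(f"{name:10} {ip:15} FAILED: {e}")
```

Two caveats when reading the output: a filtered resolver (Quad9, the family filters in the list) legitimately returns NXDOMAIN or an empty answer for blocked names, which this check does not confuse with hijacking because it only looks at a name that should not exist anywhere; and the transaction-id check is the only integrity on plain UDP/53, so a mismatch is reported rather than silently accepted.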


Comcast is the only real option around here, and for years almost every time I had connection problems it ended up being their DNS. I've switched to 1.1.1.1 and haven't looked back.


I run a local white list cache, so when Comcast fails, I've got a big local cache, but I upstream to 1.1.1.1 and 8.8.8.8 and root-DNS if needed.


I know what a caching dns server is, but what's a whitelist cache?


Only resolves names that are allowed. Basically, a reject-list is too hard to maintain - a growing list every day! But a permit-list is small(er) and finite; easy to expand for a few hours/days when needed.

It keeps my home network much quieter; blocks nearly all bullshit (ads, malware, etc) and is easier to maintain.


So you only allow devices on your network to resolve domains on your predefined list? I'm surprised that that's easier to maintain than a reject-list, although I'll grant that it's safer.


Correct. And it's trivial to add a new name, if I need to; just lookup a special name to add the other name.
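The permit-list resolver described in the exchange above, as an added example that is none of the commenters' code: a policy object that forwards only names on a permanent allowlist (a permitted name covers its subdomains), refuses everything else before it ever reaches an upstream, and treats a lookup of `<name>.allow.home.arpa` as the "special name" that grants `<name>` for a limited time. The control suffix, the six-hour default grant and the injectable clock are assumptions for the example; the actual wire handling (receiving the query, forwarding to 1.1.1.1 / 8.8.8.8, synthesising the REFUSED reply) is left to whatever resolver this policy sits in front of.

```python
"""Permit-list DNS policy with a self-service 'add' name. Added example."""
import time

MAGIC_SUFFIX = "allow.home.arpa"     # assumed control name, not from the post
DEFAULT_GRANT_SECONDS = 6 * 3600     # temporary grants expire on their own


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case, so lookups compare cleanly."""
    return name.rstrip(".").lower()


class AllowlistPolicy:
    def __init__(self, permanent, clock=time.time):
        self.permanent = {normalize(n) for n in permanent}
        self.temporary = {}          # name -> expiry timestamp
        self.clock = clock           # injectable so expiry can be tested

    @staticmethod
    def _covers(allowed: str, qname: str) -> bool:
        # exact match or a subdomain; the dot boundary stops
        # 'notexample.org' from matching 'example.org'
        return qname == allowed or qname.endswith("." + allowed)

    def is_allowed(self, qname: str) -> bool:
        qname = normalize(qname)
        now = self.clock()
        self.temporary = {n: t for n, t in self.temporary.items() if t > now}
        return any(self._covers(a, qname)
                   for a in self.permanent | set(self.temporary))

    def grant(self, name: str, seconds: int = DEFAULT_GRANT_SECONDS) -> None:
        """Allow a name (and its subdomains) for a limited time."""
        self.temporary[normalize(name)] = self.clock() + seconds

    def decide(self, qname: str) -> str:
        """FORWARD to upstream, ADD (record a grant, answer locally), or REFUSE."""
        qname = normalize(qname)
        if qname.endswith("." + MAGIC_SUFFIX):
            target = qname[: -len(MAGIC_SUFFIX) - 1]
            if target:
                self.grant(target)
                return "ADD"
            return "REFUSE"
        return "FORWARD" if self.is_allowed(qname) else "REFUSE"
```

Worth keeping in mind: any client that can query the resolver can also hit the add name, so the grant channel is a convenience for the household, not a boundary against malware already on the LAN; restrict the control suffix to an admin host or VLAN if that matters. Time-limited grants are what keep the permit-list "small(er) and finite" as the commenter describes.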


Some routing issue, too: Neither 8.8.8.8 nor 1.1.1.1 solved things, though they both did... resolve things. So to speak. But turning on a VPN fixed everything immediately.


No idea, but the following sites were down for me: Fastmail, Github, Camunda.


PiHole + unbound here and I didn't even notice it. Which, after the week I've had with Comcast service, is very surprising.


8.8.8.8

0.0.0.0

Google or Cloudflare. Both have fewer outages (IME) than Comcast. It just depends on who you want to share your web history with. I've seen Comcast lose DNS in the past even though the underlying transport still worked. It's bad for someone not technically able to change their DNS settings.


> 0.0.0.0

did you mean 1.1.1.1?

https://en.wikipedia.org/wiki/0.0.0.0


Yes - Thanks!


> 0.0.0.0

1.1.1.1


Someone should buy 86.75.30.9 and make it a DNS server. Get 86.75.3.09 while you’re at it.


With the restriction the buyer must be named Jenny. [1]

[1] - https://www.youtube.com/watch?v=6WTdTwcmxyo [video][song stuck in my head]


I don't get the numeric reference? (oh, wait, I do now, thanks to the sibling post; didn't expect that in this context), but a French telecom owns those IPs (they're part of the same /12 allocation), I'm sure there's some way to convince them to let you borrow or buy the two /24s you'd need out of there.


It depends on the local node; mine is Chicago, IL, which has no issues.


Seems to be impacting Apple’s Private Relay service. Akamai issue?





