Transparent DNS Interception?
Comcast Business appears to be enforcing SOA lookups on all DNS requests, regardless of chosen lookup server.
This has two impacts: one is much easier to work with than the other and has a smaller effect; the other has a much bigger impact but is more difficult to diagnose.
Issue 1) I am preparing to move DNS service from one server to another. Part of the process involves checking all public records i.e. the "live" records, against the soon-to-be live records on the destination name server. I expect the results to be identical, but the problem is Comcast Business is redirecting all queries to the live name server, invalidating the tests.
I ended up creating a record on the destination host that does not exist on the live name server, to make testing easier. This is not the domain name I am trying to move; it was modified for these tests but is functionally identical. For this query:
dig @mimi.ns.cloudflare.com existsoncloudflareonly.prichardpartners.com TXT
The answer should be:
; <<>> DiG 9.10.6 <<>> @mimi.ns.cloudflare.com existsoncloudflareonly.prichardpartners.com TXT
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58741
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;existsoncloudflareonly.prichardpartners.com. IN TXT

;; ANSWER SECTION:
existsoncloudflareonly.prichardpartners.com. 300 IN TXT "This record not visible on ns10.dnsmadeeasy.com"

;; Query time: 124 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Tue Aug 02 14:02:45 PDT 2022
;; MSG SIZE rcvd: 132
When run on any Comcast Business connection, the answer is:
; <<>> DiG 9.10.6 <<>> @mimi.ns.cloudflare.com existsoncloudflareonly.prichardpartners.com TXT
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48983
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;existsoncloudflareonly.prichardpartners.com. IN TXT

;; AUTHORITY SECTION:
prichardpartners.com. 180 IN SOA ns10.dnsmadeeasy.com. dns.dnsmadeeasy.com. 2009010132 43200 3600 1209600 180

;; Query time: 26 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Tue Aug 02 14:00:11 PDT 2022
;; MSG SIZE rcvd: 129
I have tested from three networks not in the Comcast Business network (Linode, Hunter Communications fiber from EugNet, and a privacy VPN), and all return the first result. I have also tested from three completely separate networks, all in the Eugene, Oregon area, and all are affected by this issue. Each one has a unique Comcast Business account. In one case I connected a machine directly to the Comcast Gateway, cleared DNS caches, and ran the tests with identical results (i.e. not a firewall config issue).
Issue 2 is that this SOA enforcement - or whatever transparent modifications are taking place - causes some domain lookups to fail, and if a dig with +trace is used, the message ";; BAD (HORIZONTAL) REFERRAL" will eventually show up. However, I would prefer not to focus on this one as it primarily occurs when both name servers use the same IP as the apache host. This causes major issues including many sites not loading at all if accessed - exclusively - from Comcast Business networks.
Please note my main name servers are 188.8.131.52 (Google public DNS) and 184.108.40.206 (Cloudflare public DNS). By using "dig @server" (from the basic query of "dig @server name type"), these requests should bypass those two addresses and return results from the requested server. Instead, Comcast Business is modifying these requests to return results from the SOA as indicated by the whois lookup for the domain. I have tried using many other name servers with identical results; the interception is on port 53. I have not tested UDP vs TCP, or port 853, to a degree that I can assert anything right now. Xfinity users do not appear to be affected.
This basic modification of DNS is causing harm to my own use, and the use of other business clients and their clients.
I can provide many more examples but would prefer to use DMs with Comcast Business reps (just for additional examples, everything else can happen publicly.) I welcome all additional info.
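A stdlib-only way to automate the check described in this post, added here as an example and not part of the original post: it sends the query straight to the named server and classifies the reply by the AA/RA flags and the presence of an SOA in the authority section, the two signatures that differ between the dig outputs above. The transaction id, the TXT payload and the two sample replies are constructed for illustration.

```python
import socket
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def skip_name(msg, off):
    # Walk the labels; a compression pointer (top two bits set) ends the name after two bytes.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    _txid, flags, qd, an, ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, sections = 12, []
    for _ in range(qd): off = skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    for count in (an, ns):  # RR types present in the ANSWER and AUTHORITY sections
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), "answer": sections[0], "authority": sections[1]}

def classify(parsed):
    if parsed["aa"] and parsed["answer"]:
        return "authoritative"  # the server we addressed answered for itself (AA set, record present)
    if not parsed["aa"] and parsed["ra"] and 6 in parsed["authority"]:  # 6 = SOA
        return "intercepted"  # a recursive resolver's negative answer, as in the post's second dig output
    return "inconclusive"

def check(server, name, qtype=16, timeout=3.0):
    # Live UDP/53 probe equivalent to "dig @server name type" (RD set like dig); aim it at the destination name server.
    query = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        return classify(parse_response(sock.recv(4096)))

def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
# Constructed sample replies shaped like the two dig outputs in the post (not captured traffic).
QNAME = "existsoncloudflareonly.prichardpartners.com"
QUESTION = encode_name(QNAME) + struct.pack(">HH", 16, 1)
AUTHORITATIVE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0) + QUESTION + rr(QNAME, 16, 300, b"\x02ok")
SOA_RDATA = encode_name("ns10.dnsmadeeasy.com") + encode_name("dns.dnsmadeeasy.com") + struct.pack(">IIIII", 2009010132, 43200, 3600, 1209600, 180)
INTERCEPTED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0) + QUESTION + rr("prichardpartners.com", 6, 180, SOA_RDATA)
```

Running `check("mimi.ns.cloudflare.com", QNAME)` from an unaffected and an affected connection should return "authoritative" and "intercepted" respectively; an "inconclusive" result (for example SERVFAIL or an empty reply) means the probe itself needs a look before drawing conclusions.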