Tom, Thank you for this! It is very interesting that the behavior is intermittent. A friend of mine who tested it this weekend saw correct answers on IPv6 and incorrect answers on IPv4.
Kenneth On Tue, Apr 23, 2024 at 2:56 PM Tom Beecher <beec...@beecher.cc> wrote: > Validin, made an interesting observation on this. I am also a Spectrum > residential customer, none of their equipment, run my own DNS server > (pihole). > > My DHCP Assigned DNS servers are > > 2001:1998:f00:1::1 > 2001:1998:f00:2::1 > > bash-3.2$ dig -x 2001:1998:f00:1::1 +short > dns-cac-lb-01.rr.com. > bash-3.2$ dig -x 2001:1998:f00:2::1 +short > dns-cac-lb-02.rr.com. > bash-3.2$ > > > bash-3.2$ dig dns-cac-lb-01.rr.com +short > 209.18.47.61 > bash-3.2$ dig dns-cac-lb-02.rr.com +short > 209.18.47.62 > bash-3.2$ > > bash-3.2$ dig @209.18.47.61 validin.com +short > 157.245.112.183 > 137.184.54.107 > bash-3.2$ dig @209.18.47.62 validin.com +short > 157.245.112.183 > 137.184.54.107 > bash-3.2$ > > bash-3.2$ dig @2001:1998:f00:1::1 validin.com +short > 127.0.0.54 > bash-3.2$ > > bash-3.2$ dig @2001:1998:f00:2::1 validin.com +short > 127.0.0.54 > bash-3.2$ > > Same servers on V4 were returning correct info, but on V6 were not. > > However, a few minutes later : > > bash-3.2$ dig @2001:1998:f00:1::1 validin.com +short > 157.245.112.183 > 137.184.54.107 > bash-3.2$ dig @2001:1998:f00:2::1 validin.com +short > 157.245.112.183 > 137.184.54.107 > bash-3.2$ > > Deltas : > > bash-3.2$ dig @2001:1998:f00:1::1 validin.com > > ; <<>> DiG 9.10.6 <<>> @2001:1998:f00:1::1 validin.com > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42329 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;validin.com. IN A > > ;; ANSWER SECTION: > validin.com. 60 IN A 127.0.0.54 > > ;; Query time: 37 msec > ;; SERVER: 2001:1998:f00:1::1#53(2001:1998:f00:1::1) > ;; WHEN: Tue Apr 23 13:50:03 EDT 2024 > ;; MSG SIZE rcvd: 45 > > bash-3.2$ > > bash-3.2$ dig @2001:1998:f00:1::1 validin.com > > ; <<>> DiG 9.10.6 <<>> @2001:1998:f00:1::1 validin.com > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9667 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 512 > ;; QUESTION SECTION: > ;validin.com. IN A > > ;; ANSWER SECTION: > validin.com. 600 IN A 157.245.112.183 > validin.com. 600 IN A 137.184.54.107 > > ;; Query time: 157 msec > ;; SERVER: 2001:1998:f00:1::1#53(2001:1998:f00:1::1) > ;; WHEN: Tue Apr 23 14:19:20 EDT 2024 > ;; MSG SIZE rcvd: 72 > > bash-3.2$ > > Seems like quite possibly they are intermittently caching bunk data from > something. > > > On Tue, Apr 23, 2024 at 1:39 PM Validin Axon <a...@validin.com> wrote: > >> Hi Jason, >> >> > I suspect what’s happened is an incorrect assumption that DNS is even >> the issue here. Because you mentioned Spectrum Shield, I suspect it is not. >> >> I appreciate the response and links. However, I've been told repeatedly >> by Spectrum that they're not blocking with Spectrum Shield. Despite these >> assurances, I've filled out a removal request through their published >> removal process several times, and the response I received stated that >> we're not being blocked. This check agrees with that: >> https://www.spectrum.net/support/forms/verify_url_security >> >> "Security Shield Is Not Blocking This Site >> The URL provided is not being blocked by Spectrum Security Shield >> The URL you entered should be accessible." >> >> Further, checking Spectrum DNS servers on the Spectrum network show that >> my company's main domain and all subdomains resolve to 127.0.0.54. So, if >> CujoAI/Spectrum Shield are not using DNS query responses to control access, >> then it's not CujoAI/Spectrum Shield that is responsible for the incorrect >> DNS response. Using a different recursive resolve, I can resolve our >> domains just fine. I can also resolve other domains that point to the same >> IPs as the sinkholed domain just fine. However, many people use the >> Spectrum default DNS servers and cannot access my website because of this. >> >> > You should contact Charter/Spectrum to have them investigate what their >> system might be blocking this content. >> >> I have tried, for months, including spending many hours on chat and phone >> support, to reach someone within Spectrum support who is capable of both >> understanding and directing me to someone who can fix the problem, but it >> hasn't happened yet. I've asked to talk to someone on the DNS team and was >> given a flat "No." I've posted here hoping that someone in the >> ISP-connected world knows SOMEONE at Spectrum, Akamai, or whichever company >> is actually responsible for the Spectrum DNS servers who can provide a >> remediation path. >> >> Regards, >> >> Kenneth >> >> On Tue, Apr 23, 2024 at 12:59 PM 'Livingood, Jason' via axon < >> a...@validin.com> wrote: >> >>> > However, there's no correction process for Spectrum's DNS sinkhole >>> >>> > But back to the topic: someone mentioned to me that Spectrum may not >>> be the direct providers for the DNS services they provide to their >>> customers. If anyone knows anything about how I might discover and reach >>> out to the people responsible, please let me know. >>> >>> >>> >>> I suspect what’s happened is an incorrect assumption that DNS is even >>> the issue here. Because you mentioned Spectrum Shield, I suspect it is not. >>> >>> Spectrum Shield ( >>> https://www.spectrum.com/resources/internet-wifi/benefits-of-spectrum-security-shield) >>> is a customer-managed security protection service built into their gateways >>> (I assume you can turn it off). The malware and content detection engine >>> behind that is very likely run by CujoAI (https://cujo.com/) and it >>> does not use DNS query/response exchanges as the control mechanism (in part >>> to counter-act DNS-changing malware or malware using its own DoH channel >>> for example). >>> >>> You should contact Charter/Spectrum to have them investigate what their >>> system might be blocking this content. >>> >>> Comcast (where I work) runs a similar system ( >>> https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security) >>> and maintains a site to report these sorts of issues ( >>> https://www.xfinity.com/support/articles/report-blocked-website). >>> >>> Jason >>> >>> >>> >>> >>> >>> >>> >>> >>> >>
