ignatz53 (Visitor)

Thursday, July 27th, 2023 3:08 PM

Closed

DNS Hijacking Redux, June/July 2023

I am in the middle of over 6 weeks of a struggle with Comcast's "Security Edge" and DNS hijacking. This has cost my client business and too many billable hours--and I've donated *far* too many unbillable hours, since it's unfair for my client to have to pay to fix this--and it's costing this client, and possibly others, business. I've collected detailed information on the problem, and am now deciding what is the best next step. (And the problem STILL isn't resolved for my client.)

In short, Security Edge is enabled by default these days. It hijacks DNS requests to third-parties selected by Comcast. It's unclear exactly what they do with all that information--most speculation is that it's to at the least collect it for pushing adverts, possibly sold, and likely to build traffic pattern data--but what is clear is that this is in violation of Internet standards. But all that aside, it's what's done when "Security Edge" decides that a domain is, in its estimation, compromised that is intolerable.

If this happens, DNS is redirected. Internet queries on the domain don't go to its nameservers; instead, the selected "security vendor" returns false DNS results. The real domain IP address(es) are not returned--instead, it's a redirect to a cryptic and unhelpful "notification page", with no resolution options. But much worse, other queries--such as NS, or (worst) MX records--simply fail. This means if someone tries to send E-Mail to that domain, they just fail. And there is no meaningful resolution procedure for the affected domain. Meanwhile, potential new customers, confronted with a failure to send E-Mail (such as queries for business), simply move on to other businesses.

The problem is there is no accountability or responsibility at any step in the entire process; everyone is a third party, and claims THEY aren't responsible.

How does this work? Essentially, I've identified two major vendors Comcast has selected to implement Security Edge--NetActuate and Cisco OpenDNS. I can't speak to Cisco--my clients are being affected by NetActuate--and they may do their checks differently, but the probability exists that they're no better.

NetActuate uses virustotal.com to check the reputation of a domain on every request. This is an aggregator that currently checks 90 different "security vendors", such as (and in this case, especially) Antiy-AVL and AutoShun. If **any one** of these returns a result other than whatever virustotal.com determines qualifies as "Clean", the entire domain's DNS is blocked as described. 89 of the 90 security vendors may return "Clean"; that one will block everything.

But the problem is that nobody is responsible for correcting this. Comcast, if contacted, tells you they're not responsible; it's NetActuate. NetActuate, if contacted, tells you they're not responsible; it's virustotal.com. And virustotal.com--well, you guessed it. They're not responsible; the customer is supposed to contact any reporting security vendor themselves to reconcile issues. For many, that can be done; but there are some that either are unresponsive, or even if they respond and tell you they've cleared the problem, still show up from virustotal.com as not "Clean".

Comcast will tell you that you can just turn off Security Edge from your Comcast Business site login. This isn't true; you have to get tech support to fully deactivate it. And experience now shows that it periodically is automatically re-enabled. But even if you CAN disable it for *your* account, this doesn't solve the problem; anyone ELSE who is a Comcast customer, and assigned by Comcast to NetActuate, will still be blocked.

Virustotal.com IS responsible for which security vendors it decides to query. They are absolutely unresponsive when a bad vendor is reported, and have not been willing to investigate or remove them from its check list.

And at this point, after two weeks of work, I was able to get responses from all problematic security vendors (EVERY one was a false positive), and they did clear the issue. Except for two. Antiy-AVL is a Chinese company, and didn't respond for almost 3 weeks. They finally did respond, agreed it was false, and said it cleared. It went away--for a week. Then returned; in a subsequent E-Mail dialog, they confirmed it should be cleared--but it's not.

AutoShun is a more complex problem--it's been taken over by RiskAnalytics. Who also--finally, after a call to *sales*, claimed they confirmed there was no problem and it should be cleared. virustotal.com has never stopped reporting problems from them.

I started fighting this battle over six weeks ago. It is ongoing as I write this. A very helpful second-tier Comcast support person is still working with me, but even he is now frustrated and stymied. Meanwhile, the client is almost certainly losing business, and cannot use their legitimate domain for self-hosted services. They are still paying me for my work on this--but only about 10% of the actual hours, since I can't in good conscience bill them for Comcast's bad business decisions. I have dedicated far too many unbillable hours fighting this.

Three things are clear from all this--first, anyone using Comcast Business should check their own status. You can verify your DNS is hijacked by going to dnsleaktest.com. Check your rating at virustotal.com. Secondly, Comcast must re-evaluate its relationship with NetActuate and implement real and meaningful requirements for accountability and reconciliation for all third-party vendors down the line; this means not just NetActuate, but virustotal.com and individual security vendors used by them. And the biggest--ISPs do not have the right to hijack DNS. This may result in a complaint to the FCC. I'm still weighing my options on that.
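As an added example (not code from the original post, from Comcast, NetActuate or any other party named above): a small Python check that sends A, NS and MX queries through two resolvers, one on the path under test and one the operator trusts, and flags the pattern the post describes, an A answer that points somewhere else while NS and MX answers vanish. The resolver addresses are left to the caller, and the domain `example.test` and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15}  # RFC 1035 type codes used below

def build_query(name, qtype, txid=0x1234):
    """Minimal RFC 1035 query: one question, RD bit set, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE[qtype], 1)

def skip_name(data, off):  # step over a (possibly compressed) name
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(data):
    """Return rcode, answer count and the first A-record IP (if any)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off, ip = 12, None
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and ip is None:
            ip = socket.inet_ntoa(data[off:off + 4])
        off += rdlen
    return {"rcode": flags & 0x0F, "answers": an, "ip": ip}

def query_live(server, name, qtype, timeout=2.0):
    """One UDP query to server:53; use it to fill the dicts classify() compares."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_response(s.recvfrom(4096)[0])

def classify(reference, observed):
    """Flag the post's pattern: A points elsewhere while NS/MX answers vanish."""
    findings = [f"{t} answers suppressed" for t in ("NS", "MX")
                if reference[t]["answers"] > 0 and observed[t]["answers"] == 0]
    if reference["A"]["ip"] and observed["A"]["ip"] and observed["A"]["ip"] != reference["A"]["ip"]:
        findings.append("A record differs from reference")
    return findings

# Constructed sample reply (not real traffic): NOERROR, one compressed-name A answer 192.0.2.1
SAMPLE_RESPONSE = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
```

To run it live, call `query_live()` for each of A, NS and MX against the local resolver and against a resolver you trust, then pass the two result dicts to `classify()`; a non-empty result is worth investigating before assuming the domain itself is broken.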

Problem Solver, 2 years ago

Well, it's fallout with a business account on Xfinity that requires the business account to use their equipment with their firmware.  It's the same with their consumer gear, only in that case, you do have a "bridge mode" option and more flexibility with DNS and 3rd party equipment.  I don't know if  "bridge mode" is supported on a business account or not, or if the traffic would get hijacked anyway, plus nothing screams security like outsourced 3rd party vendor firmware guy.  I would hope the client is using some gear other than Xfinity's too.

Other issues are with their network rejecting source traffic from locations it doesn't like.  The ole "My Website is Blocked", or "My Customer Can't Email Me From Their ISP". 

But you are really talking about two problems.  Local outbound vs hosted traffic.

Local outbound mitigation perhaps?  Persistent encrypted tunneling via the method of your choice, and hijacking traffic back to a hosted rack space/VPS/ or "other" under your direct control.  There are a variety of methods that may work depending on the situation.  Then you control the routing, and even a DNS server itself if you want to run one.  Pull and cache from whoever you want at that point.  Your mileage may vary and you'll also need some fail-over.

But then, what's the point of hosting locally if you are running the data remote anyway?

Also, is the server farm you select using some other type of management software?  Well....there may be another story there too.  Buyer beware.  Large cloud providers are often not a wise option, and quite a few cloud providers make the known compromised lists.  Check their IP blocks.  As far as hosting multiple public facing services in general goes, I'd look at a lot of options because there are quite a few out there.

Expert, 2 years ago

@ignatz53 

You are posting this in the residential area of the forums.  As this is related to business it needs to be posted in the Business forums.

https://forums.businesshelp.comcast.com/

I am closing this to further replies.
