Comcast DNS Issues XB6 XFI gateway
To start with, I'm a Resident Engineer who works directly with Internet service providers' network security teams. Please bear in mind that asking things like "restart the modem" and "make sure you are wired vs wireless" are entirely unnecessary (looking at you Comcast support).... as I have made a career in troubleshooting network connectivity and security issues and have gone through the process multiple times.
As I have been in the network security industry for years, I was using my own 3rd party modem with Comcast and had little to no issues at all for years. Fast forward to the present, when the local headend started enforcing removal of modems supporting older DOCSIS standards. OK, that's fine with me, I am all about modernizing infrastructure, especially under the premise that speeds will increase, so sure, let's give the older modems the boot. What options did I have? At this point, due to time and workload, I didn't have time to reconfigure my home network with another Comcast-approved 3rd party modem, so I opted for the simple answer and wanted to see what all the "buzz" was about with the XB6 xFi Advanced Gateway; at least I would get my home network back up and going with minimal effort. Moving forward, we received the device, installed it with minimal effort and were back up and running, but then we had odd issues.
- IoT devices such as the smart home thermostat would no longer stay connected to the cloud services
- Chromebook would not work at all
- Nvidia Shield intermittent internet access issues
- Intermittent access to any and all websites (frequency 3-5 times a day for 5-10 minutes or even longer time periods) with the browser error: “ERR_NAME_NOT_RESOLVED”
So finally, after a few months of consistent DNS issues and having a little time to look into this, I began troubleshooting. Before I explain my troubleshooting steps, let me go over some of the main pillars of networking, so those without the knowledge understand the workflow/process of being able to reach their favorite websites.
Edumacation from yours truly:
When you are on your laptop/PC/mobile device and you open a browser and try to visit your favorite website, there are a lot of gears turning under the hood. Let's start with IP addressing. Every publicly accessible server on the internet has a public IP address. IP addresses can be used as sources or destinations. Think of how you send mail to a relative: the source is your home address, the destination is your relative's home address, and the post office is responsible for picking up your mail and delivering it to your relative's home address. Imagine that the post office is the internet service provider (Xfinity), who picks up your "mail" (packets) from your xFi gateway and determines how to get it to the destination IP (where the server lives). That's great and all, and it is really a convoluted process, because you could spend a career explaining how a service provider connects you to your favorite servers.
But there's another pillar of networking that needs to be taken into consideration, called DNS.
When you compose a letter and send it to your relative, you already know the destination address (or look it up in your space age Rolodex). But for your computer, it is unlikely it has said Rolodex with the IP addresses of every server on the internet stored for every site. So your computer relies on talking to what's called a DNS server (the internet Rolodex). When your computer boots, or you connect via WiFi, your computer makes a request to the xFi gateway asking for a (local) IP address and for DNS servers your computer can talk to, to resolve the name of the website you are visiting to an IP address.
Great, so how does this all apply to the Comcast XB6 xFi gateway?
Well, when your PC connects and gets its local IP and DNS servers assigned from the XB6, you will have Comcast's DNS servers (188.8.131.52 and 184.108.40.206), but wait, it also provides IPv6 DNS servers as well (2001:558:feed::1 and 2001:558:feed::2). Well, we haven't talked about IPv6, so let's back up a bit. When the internet was created, IPv4 was the standard used for IP addresses and assignment, but there was a limited number of public IPv4 addresses that could be assigned, so smart people created IPv6, which has many more IP addresses to use. Great, now that that's covered, what does it mean for my PC?
Well, when you go to a website, your PC will prefer to use the IPv6 DNS server to resolve the website to an IP address so you can compose your packet (mail), due to the PC's order of precedence in the networking stack: IPv6 is preferred over IPv4 if available. This is great, we are using IPv6, but unfortunately, for some unknown reason, throughout the day IPv6 DNS queries from your PC through the xFi gateway to Comcast's DNS server get dropped every once in a while. OK, well, that should be fine, right? We still have an IPv4 DNS server we can talk to as well, right?
Well, in my case my PC can't talk to the Comcast DNS servers (220.127.116.11 and 18.104.22.168) through the xFi gateway. This means I can't translate a website name to an IP address, so I get the error in my web browser: “ERR_NAME_NOT_RESOLVED”, which means I can't compose the packets to send to the server because I don't know the server's IP address.
Disclaimer Note: this "edumacation" is overly simplified, but the basic principles are what make the internet today, and I don't have a lot of time to fully go into the depth of how this works from beginning to end 🙂
Now on to Troubleshooting:
Well, let's not discuss the hours on a Comcast support call, 5 resets of the modem, re-provisioning, measuring of the transmit and receive levels of the xFi gateway to the headend, disabling of the Advanced Security settings and the inability to get transferred from the Residential Support center to an informed network engineer that really makes the network work, not to mention being transferred between 10+ representatives to repeat the same processes and still no contact or representative to hold accountable for a subpar internet connection, also a promise from the support manager to call me back which has not happened at the scheduled time.... /end rant
Firstly, we have to rule out the customer's (my) network, PC, and xFi settings, right?
- Check on your PC (Windows/Linux/Mac/Android/Chromebook) to see if you are getting an IP address and DNS servers from the xFi gateway. If not, talk to a support tech; they should be able to help you with these basic settings. To check, you can use the commands below:
Windows
ipconfig /all
Linux (Ubuntu 18.04)
nmcli device show
- See if you can route to the Comcast-provided DNS server; if yes, move on. Note that being able to ping and route to it only tells you that routing works; it doesn't mean there isn't some firewall in the xFi gateway rate limiting or dropping your DNS queries.
- Clear your local DNS cache to ensure you're not using something that was stored locally on your machine:
Windows (run Windows terminal as administrator)
ipconfig /flushdns
Linux
sudo systemd-resolve --flush-caches
- Do a direct DNS query to Comcast's IPv4 DNS server, and if you see timeouts, that's a problem. In my case I can't make one successful DNS query to the Comcast IPv4 DNS server at all (this is persistent):
Windows
nslookup google.com 22.214.171.124
Linux
dig google.com @126.96.36.199
- Do a direct DNS query to Comcast's IPv6 DNS servers and see if you have timeouts as well (in my case it works "most" of the time but fails intermittently every day, 3-5 times, for sometimes lengthy periods):
Windows
nslookup google.com 2001:558:feed::1
Linux
dig google.com @2001:558:feed::1
- If the Comcast DNS servers are unresponsive, try configuring some 3rd party external DNS servers on your local PC, like Google's 188.8.131.52, and try steps 4 and 5 again, replacing 184.108.40.206 with 220.127.116.11. You should be able to use 3rd party DNS servers if you so choose, because Comcast's "Broadband disclosure" states:
"Comcast does not block or otherwise prevent end user access to lawful content, applications, services, or non-harmful devices. Comcast does engage in reasonable network management practices described below and in our Network Management Information Center."
Note that the only caveat they have is that they will rate limit the number of transactions made to COMCAST DNS servers; they should not block anything to 3rd party DNS servers like Google:
"We limit the number of login, SMTP, DNS, and DHCP transactions per second (at levels far above “normal” rates) that customers can send to our servers in order to protect them from Denial of Service (DoS) attacks."
Yet somehow my DNS queries to Google are not returning a response (hermmm, XB6 intercept/drop/redirect to Comcast servers? I can't find a Comcast support representative with enough knowledge on the XB6 to figure this out). Additionally, colleagues of mine that have 3rd party modems are free to use whatever 3rd party DNS server they want with no issues on Xfinity's network; I just happen to be the only one of us using the XB6.
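To make the direct-query steps above repeatable (and to tell "never answers" apart from "answers most of the time"), here is an added Python 3 script that is not part of the original post. It hand-builds a DNS query, sends it straight to each resolver address you pass on the command line (IPv4 or IPv6, e.g. the ones ipconfig /all or nmcli device show reported plus a 3rd party one), and tallies replies versus timeouts over several attempts; the resolver addresses, query name and attempt count are assumptions you supply.

```python
import random, socket, struct, sys, time

def build_query(name, qtype=1):
    """Build a minimal DNS query (recursion desired; A record by default)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_reply(txid, data):
    """Return {'rcode', 'answers'} if data is a response matching txid, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or not a response
        return None
    return {"rcode": flags & 0x000F, "answers": an}

def probe(server, name="google.com", attempts=5, timeout=2.0):
    """Send `attempts` queries straight to `server` (IPv4 or IPv6) and tally outcomes."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    r = {"server": server, "ok": 0, "timeout": 0, "bad": 0}
    for _ in range(attempts):
        txid, pkt = build_query(name)
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(pkt, (server, 53))
                data, _ = s.recvfrom(512)
            except OSError:  # socket.timeout is an OSError subclass
                r["timeout"] += 1
                continue
        reply = parse_reply(txid, data)
        if reply and reply["rcode"] == 0 and reply["answers"] > 0:
            r["ok"] += 1
        else:  # reply arrived but was malformed, NXDOMAIN/SERVFAIL, or empty
            r["bad"] += 1
    return r

def verdict(r):  # map a tally onto the three cases the post describes
    if r["ok"] == 0:
        return "persistent failure"
    if r["timeout"] or r["bad"]:
        return "intermittent loss"
    return "healthy"

if __name__ == "__main__":
    for srv in sys.argv[1:]:  # resolver addresses are assumed; pass the ones your gateway handed out
        res = probe(srv)
        print(f"{srv}: {verdict(res)} (ok={res['ok']} timeout={res['timeout']} bad={res['bad']})")
```

Run it a few times across the day; a resolver that reports "persistent failure" while a 3rd party one on the same gateway is "healthy" points at the path to that resolver rather than at your PC.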
At this point you should be talking to Comcast, but I don't know what department will actually take you seriously and get an informed support representative to assist.
For @Comcast_Support see Incident CR930002267, please find me someone that will troubleshoot the issue and be accountable instead of calling in and playing the support shuffle game.
For the rest of you that are experiencing these issues and are just trying to get by in your day and have run into this issue, post your experience and whether or not you were able to get anyone to resolve these issues for you, or your detailed workarounds that have worked for you.