Visitor (3 Messages)
Resolving DNS pointing to private ip addresses
I am unable to resolve DNS pointing to private EKS endpoints. Yes, VPNs are involved, and if I configure my system to route `eks.amazonaws.com` DNS requests over the VPN to a non-Comcast DNS server it works. However, I feel it's pretty bad behavior to selectively resolve DNS if that's what's going on here.
I've called and was told someone would call me back, but they never did. Hoping there might be some resolution to this or at least confirmation that what I'm seeing is how Comcast operates.
While trying to troubleshoot I've set up some public DNS entries that point to private IPs (192.168.1.x) and found that Comcast's DNS servers (75.75.75.75, 75.75.76.76) will not resolve those hosts for me. But hosts pointing to public IPs on the same domain DO resolve properly. This leads me to believe that Comcast is filtering DNS requests that return private IP addresses.
I can fix this problem entirely by setting the modem to bridge mode and using my own router/DNS. Unfortunately, when doing that it's limiting my internet connection speed because the WAN port is only 1 Gbps. If I buy my own cable modem then I don't get the unlimited data.
I need to be able to resolve these addresses for work. Has anyone else experienced a problem like this?
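As an added example (not from this thread or any poster), a small Python parser that decodes the answer section of a DNS response and flags A records that fall in RFC 1918 space, so the same query sent to two resolvers can be compared byte-for-byte; the sample response for host1.example.com is constructed inline.

```python
# Added example: parse DNS wire-format answers and flag RFC 1918 A records.
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: 2-byte offset into msg
            if not jumped:
                end = off + 2                 # caller resumes right after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_records(msg):
    """Return [(name, ip)] for every A record in the answer section of a DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # TYPE A, IPv4 address
            out.append((name, str(ipaddress.IPv4Address(rdata))))
    return out

def private_answers(msg):
    """A records in RFC 1918 space: the ones a rebinding-protecting resolver would withhold."""
    return [(n, ip) for n, ip in parse_a_records(msg)
            if any(ipaddress.ip_address(ip) in net for net in RFC1918)]

# Constructed response: host1.example.com A 192.168.1.10 and A 203.0.113.5 (TTL 3600, names compressed)
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
          b"\x05host1\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\xa8\x01\x0a"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x05")
```

To reproduce the comparison described above, send the same query over UDP to 75.75.75.75 and to the VPN-side resolver and feed each raw reply to private_answers; a resolver that strips RFC 1918 answers returns the public record only.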
flatlander3 (Problem Solver, 1.5K Messages) · 2 years ago
192.168.0.0/16 is a private class C range, so if you're expecting anyone's DNS servers to resolve a domain to them, they won't.
You can troubleshoot DNS entries and propagation with 3rd-party sites like dnscheck or dnschecker, or tools like dig and nslookup to query public servers directly. You can set up a local resolver to handle your local traffic, but that does not propagate anywhere else, if that is what you were trying to do.
BruceW (Gold Problem Solver, 26.3K Messages) · 2 years ago
Please see https://en.wikipedia.org/wiki/Private_network, especially this statement:
Please be aware that there are 2 kinds of responses in this Forum: Replies and Comments. When you Comment on a post by scrolling down to "Comment on this post here...", I am notified of your response. But if you select Reply, I am NOT notified and may not be aware of your response.
user_2d936a (Visitor, 3 Messages) · 2 years ago
I appreciate both your responses. However, I am not trying to route private addresses, and a DNS server should return whatever IP address is configured for that A record regardless of whether it's a private IP address or not.
If I set host1.example.com A 192.168.1.10 and then look up that address via DNS it should (and will) return the 192 address. These are public domains with legitimate NS records pointing to authoritative DNS servers.
I understand that I cannot route that address over the internet and I am not trying to do that.
These private IP addresses are routable from/within my home network via a VPN. My problem is Comcast has decided not to resolve those host entries and it appears it's because they are private IPs -- I am able to reproduce this by creating host entries with public IP addresses and others with private IP addresses. All public IP A records are returned from Comcast DNS servers, but the A records pointing to reserved IP ranges are not being returned.
This is not normal DNS behavior.
While returning RFC 1918 addresses from public DNS servers might not be a best practice, it is 100% possible.
Unfortunately, since Comcast does not allow you to modify DNS settings on their equipment (and actively intercepts all DNS queries via their equipment) I wasn't able to easily use my own DNS server unless I use bridge mode on the modem.
So, for now, that's what I've done. I'm back to using bridge mode with an internal resolver. It's unfortunate that Comcast would do something like this. It affects my ability to work (can't access private EKS clusters due to DNS resolution failures). Can't use my own modem without losing unlimited data. :-/
BruceW (Gold Problem Solver, 26.3K Messages) · 2 years ago
https://www.xfinity.com/support/articles/exp-unlimited-data says:
Prices from https://www.xfinity.com/learn/internet-service/xfi-complete.
flatlander3 (Problem Solver, 1.5K Messages) · 2 years ago
I guess I don't understand the point of adding unroutable to an SOA record.
You could just run unbound or ISC's BIND, and use that as a primary on your local clients' network config for resolving. Benefit from your own cache too. You can also push whatever DNS servers and routes you want from the VPN server side. Then Xfinity isn't even involved and whoever connects via VPN gets your CNAMEs. The DNS server or unbound server could exist on either side of the VPN.
user_2d936a (Visitor, 3 Messages) · 2 years ago
@flatlander, I'm not doing anything with SOA records. The domains I am having issues with have valid SOAs. I'm talking strictly about A records.
Basically, what I wanted to do is this: https://dns-lookup.com/192.168.1.1.nip.io (the A record pointing to 192.168.1.1). The domain and IP address are examples for privacy reasons -- don't read anything into them.
Comcast messing with DNS requests and results is what I don't understand. I should be able to query a DNS server and get the response _from that server_!
As far as VPNs go, I need to be able to connect to many different accounts and clusters. I can use a secondary VPN to bypass this behavior, but then I need to do that from each device I use and tbh it's just annoying and created entirely by Comcast trying to save bandwidth/spy/whatever their reasoning is for hijacking DNS requests made through their device.
I called support hoping it was something I could disable upon request, but was not able to get that done.
So, I'm back to having two devices running 24/7, but I am able to resolve DNS like the internet gods intended.