If you have many devices and/or guests coming, then it is not feasible to set every device manually to a fixed DNS. Has Comcast acknowledged the problem officially at this stage?
I can also rule out a device vulnerability as I have seen it on: iOS, Android, Chromebooks, PCs, MacOS...
They seem to want to refer to their "security assurance department at 1-888-565-4329" every single time and typically respond that they are not responsible for what is going on on your computer.
I have verified that the DNS settings are coming from the router... now I cannot prove 100% for sure if it might be because of a cross-site scripting vulnerability or if there is an external attack that changes the router settings - or if they have a wrong default when rebooting (as some suggested), but it is definitely a vulnerability on the router side and no firmware update is available.
Several chat representatives offered meanwhile to send an XB6 router that would not have the problem - but Comcast's distribution logistics are extraordinarily stubborn and will refuse to send it to customers who are not on the 400MB/1GB tier yet. Their adherence to process trumps common sense and customer service. And they conflate saying "we cannot" with what it actually means: "we as an organization choose not to" help.
Finally, someone else with a brain chimes in... You hit the nail dead on the head with the wrong default when the modem reboots. You can confirm this on a brand new freshly installed OS by rebooting the modem and PC at the same time. Because Windows retains the DNS servers in the registry, they get stored, and this is what most malware programs pick up, despite it not actually being malware; it is just a retained setting. It is still necessary to delete it, since Windows is dumb and will revert to using it whenever it feels like it. My workaround (as previously posted) is to set the DNS servers manually in an external router. This will prevent the utopia.net from hitting the client devices, since they are always getting the DNS from the external router, and the external router is manually set to Google DNS.
I also experienced the annoying BS about the XB6... PROMISED that a technician would bring me one... but same story when he arrived... "you must have the gig service"
@Robgage wrote: This exact issue happened to me also. I was able to fix it by changing the user name and password of the gateway and then by changing the wireless name and passwords of both the 2.4 and 5 networks. I did this last night and have had no issues since. I hope this helps. By the way, this is not a Comcast issue and is another way that the gateway can be hacked into due to not changing the generic username and password on the device.
I assure you that the username, password, ssid, and the password are all changed as soon as the modem is reset or a new one is obtained on my end.
Still amused that this thread keeps getting marked as resolved or best answers chosen.
For those looking for "resolution" here is my best attempt at providing you as much detail as I can from various sources.
What we know:
This is a known (by customers at least) issue with the Comcast XB3 series and potentially some other Cisco and Technicolor models.
This appears to be an issue within the firmware of the modem itself, where the "default" DNS is "utopia.net" while the modem is loading and connecting to Comcast.
I suspect this is the case because whoever created the firmware needed to enter "something" as a default and was likely thinking "haha, utopia.net, that'll never exist".
Someone smart figured this out and actually created the domain utopia.net, which, may I add, looks as suspicious as ever.
This issue seems to be 100% reproducible by rebooting the modem and PC at the same time (confirmed on multiple PCs).
This will create at least one registry entry for "utopia" on every machine that is powered on when this issue occurs.
Search the registry for the word utopia and if it matches utopia.net, DELETE IT.
If you do not delete it, the machine WILL revert to it randomly, upon reboots, or whenever it desires.
This gives an illusion that this issue is happening more frequently than it really is.
This appears NOT to be related to any particular virus or malware infection on the PC.
Some antivirus/anti-malware software WILL detect the aforementioned registry key as a virus. While this registry key itself is NOT a virus, it does relate to other malware.
This DNS will be handed out to ANY device connected on your network. PCs and Macs are prone to retaining this entry.
My OS X repair days have come to a minimum; I cannot remember how to clear a previous DNS entry from OS X, but I suspect it is somewhere in the network manager.
Is my information compromised?
Keep in mind, these points aren't going to be things that an "average" person just "does". It would require someone with an amount of IT knowledge to successfully pull most of these things off.
While it is unlikely that this particular issue actually steals any information from you or your computer, it is possible for the owner of this domain to detect incoming connections coming from your machine which may give away your IP address and potentially allow a remote hacker to later compromise your system if you have open ports on your network.
It could redirect you to other malicious sites or search results that may contain questionable content. These sites are typically the sites you will get the infection from, not the DNS server.
Packets could get snooped and the contents revealed, although this form of hacking is getting substantially harder with advanced encryption algorithms.
Use general internet common sense.
Do not enter a username, password, or any other personal information anywhere online while your DNS shows up as utopia.net
Don't use the same passwords everywhere, especially for banking & health, for the aforementioned bullet could allow one person to take control of your entire digital life.
How can you resolve this?
Buy your own external router
Disable the WiFi on the Comcast gateway, including opting out of the Public WiFi Hotspot via your Comcast account page
Set the firewall for IPv4 and IPv6 to "none/disabled"
Place the Comcast gateway in bridged mode. The gateway should automatically reboot.
Disconnect ALL ethernet cables from the gateway while it reboots (independent issue, just trust me)
Wait for the gateway to fully bootup, including the telephony portion.
Confirm that your telephone works (if subscribed)
Connect the ethernet cable from your router to an ethernet port on the back of the gateway.
Reports indicate that port 4 will not work as it is reserved for "Xfinity Home Security"
Other reports indicate that port 1 will not work either (random?)
Try port 2 for best luck
Power up the external router and wait a few minutes for it to establish a connection
Plug your wired devices into the new router and/or pair with a WiFi device
Configure new wireless router
Look for a subsection labeled DNS
DISABLE automatic DNS assignment
This disables getting the DNS server from the Comcast gateway, which as we know passes out utopia.net
Manually enter Comcast's DNS servers, which are in the beginning of this thread
*Optionally use Google DNS instead - known to provide faster response times*
If available, enable the option that allows the router to hand out these DNS entries to each PC instead of passing through the gateway's
This will further prevent the PC from otherwise reverting in very rare cases
If this option isn't available, you will likely be fine. This is just a second layer.
I hope the information contained in this post is helpful and if so, please click the Kudos button. I'm just a normal everyday IT guy trying to help everyone who has likely spent countless days searching the internet for a resolution to this. I am in no way related to Comcast and the information contained above is to be used at your sole discretion. I know some will complain that they shouldn't need to buy an external device to prevent an issue with the firmware, to which I 100% agree wholeheartedly. I am offering a right-now solution versus waiting an undetermined amount of time for a firmware fix to be applied, tested, and deployed for this issue, which could take weeks, months, or even more than a year to roll out widespread.
I've read all the other threads regarding this and still no resolution. Tech visited residence and no resolution.
I had the Cisco DPC3941T "XB3" in bridge mode for the last year using my own router. When there were (unknowingly at the time) widespread outages last month across the entire US, I thought maybe my connection issues were due to the router's age, so I eliminated it from the equation. This did not resolve the issues I was having with connectivity, and actually inadvertently introduced this utopia.net hijack. The modem now would randomly reboot, on various occasions just drop connections, and upon rebooting all PCs would have a connection-specific DNS suffix of utopia.net. The only way to get rid of this is to factory reset the modem, which must be done by pinhole since accessing 10.0.0.1 is either non-responsive or the password was also hijacked. This behavior, as well as other concerns, is also confirmed by other users here:
Adding to this, this happens on every single device in my house (2-6 PCs, 3-4 phones). 100% without a doubt my PCs are NOT infected. This happens on machines with a clean install. After this incident occurs, an entry for utopia.net gets created in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\ that must be deleted or PCs will continue to try and connect here. This is what most antivirus scanners pick up as an "infection".
After dealing with this issue for a while, I finally swapped this version at a local center for another "XB3", a TG1682, which is the Arris-sourced version. On the very first power up, utopia.net was present. Perform a hard reset, remove the utopia.net entries from the PC, wait the boring 15 minutes for this thing to reboot, and finally I'm back online. I call Comcast tech support to request a new, different model modem, such as the XB6. The tech did what he could, but was unable to order an XB6 modem for me, but did schedule a tech to come out the next day, promising that the tech would bring me a new modem. I use the internet for the day, all devices turned off at bed time, wake up in the morning and it again is hijacked. Factory reset yet again, and remove the registry entries. A little while later, the tech arrives, and I show him the picture of what's going on and he informs me he's not seen this issue with any other customers at this time (which is fine, there aren't a lot of customers with my level of tech savvy that bring these issues to light). He asks around some of his co-workers for assistance, but again, being in a small area, and not a lot of people bringing these issues to light, no luck on a solution. I am then told that I cannot get an XB6 because it's not available in my area yet. Bummer. We agreed that replacing the modem was pointless, since all that he had available were equivalent (XB3) models and we know this issue happened on 2 modems already. The tech is great, he's been to my residence on various occasions and does a wonderful job -- no complaints to him. My concern comes in that many people in my area may also be experiencing this issue, or unknowingly using their computers in this state and sending their info through some hijacking sites.
I am able to bypass this issue by putting the modem in bridge mode (which, might I add, is quite a pain in the butt on these devices to get the public IP to pass through), and using an external router with Google DNS configured. I have also manually edited the hosts files on all of my machines to loop back any traffic to utopia.net to 127.0.0.1, just to prevent anything from my side from actually going out to this bogus website.
I believe that this issue may be more widespread than expected, and I also believe that anyone who uses the device in bridge mode, OR uses an external router with custom DNS entries, OR manually sets their DNS servers on their PC may be affected by this issue, but they are bypassing it the same way I was unknowingly (prior to finding this). I am looking for a resolution from anyone who has the ability to provide one. I believe the issue is within the firmware itself for these units; perhaps the "default" DNS suffix written in the firmware is "utopia.net" because someone thought it would be funny to write a random URL in the firmware for a default, and someone smart enough to figure this out actually created the domain to hijack all these modems. There is undoubtedly a security issue here that NEEDS to be resolved. I would be more than willing to troubleshoot with anyone who wishes.
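The two posts above describe the same client-side cleanup by hand: search the registry for the utopia.net entry (the NLA cache path is the one quoted in the last post), delete it, loop the name back in the hosts file, and stop the PC from accepting whatever DNS the gateway hands out. The script below is an added example that does those steps on a Windows client; it is not code from any poster in this thread or from Comcast. It assumes Windows 8.1/10 or later (the DnsClient and NetAdapter modules), an elevated PowerShell session, and that the cached entry lives under the registry key the last post names. The script name, the parameter names and the Google DNS default are the example's own choices, and the DNS servers are only pinned when you pass -PinDns.

```powershell
<#
  Clear-UtopiaSuffix.ps1 (example script written for this thread, not from any poster)
  Reports and removes the utopia.net leftovers on a Windows client.
  Assumes Windows 8.1/10+ and an elevated session. $Suffix, $DnsServers and
  the script name are this example's own choices; $NlaCache is the registry
  path quoted in the thread.
  Usage:  .\Clear-UtopiaSuffix.ps1            (report and clean)
          .\Clear-UtopiaSuffix.ps1 -PinDns    (also pin DNS servers on the NICs)
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]   $Suffix     = 'utopia.net',
    [switch]   $PinDns,
    [string[]] $DnsServers = @('8.8.8.8', '8.8.4.4')   # Google DNS, as used in the thread
)

$NlaCache  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet'
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$findings  = 0

# 1. Detect: adapters that currently carry the suffix (what "ipconfig /all" shows
#    as "Connection-specific DNS Suffix") or that learned it into their search list.
foreach ($c in Get-DnsClient) {
    if ($c.ConnectionSpecificSuffix -eq $Suffix -or $c.ConnectionSpecificSuffixSearchList -contains $Suffix) {
        Write-Warning "Interface '$($c.InterfaceAlias)' is using DNS suffix $Suffix"
        $findings++
    }
}

# 2. Detect and remove: the NLA cache entry that survives reboots and that AV
#    products flag. It may be a subkey named after the suffix or a value under
#    the Intranet key, so both are checked.
if (Test-Path $NlaCache) {
    Get-ChildItem -Path $NlaCache | Where-Object { $_.PSChildName -like "*$Suffix*" } | ForEach-Object {
        Write-Warning "Removing NLA cache subkey $($_.Name)"
        Remove-Item -Path $_.PSPath -Recurse -Force
        $findings++
    }
    $key = Get-Item -Path $NlaCache
    foreach ($name in $key.GetValueNames()) {
        if ($name -like "*$Suffix*") {
            Write-Warning "Removing NLA cache value '$name'"
            Remove-ItemProperty -Path $NlaCache -Name $name
            $findings++
        }
    }
}

# 3. Sinkhole: resolve the name to loopback locally, as one poster did by hand,
#    so nothing on this machine reaches the domain even if the suffix comes back.
#    Idempotent: only appends when no such line exists. Note a hosts entry covers
#    the exact name only, not subdomains of it.
$pattern = '^\s*127\.0\.0\.1\s+' + [regex]::Escape($Suffix) + '(\s|$)'
if (-not (Select-String -Path $HostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $HostsFile -Value "127.0.0.1`t$Suffix`t# sinkhole added by Clear-UtopiaSuffix.ps1"
    Write-Output "Added loopback entry for $Suffix to $HostsFile"
}

# 4. Optional: pin DNS servers on every connected adapter so the client stops
#    accepting the gateway's DHCP-supplied DNS (the client-side equivalent of the
#    router setting in the walkthrough). Reversible with
#    Set-DnsClientServerAddress -InterfaceIndex <n> -ResetServerAddresses.
if ($PinDns) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $DnsServers
        Write-Output "Pinned DNS on '$($_.Name)' to $($DnsServers -join ', ')"
    }
}

# 5. Drop cached answers so the change takes effect without a reboot.
Clear-DnsClientCache

if ($findings -eq 0) { Write-Output "No $Suffix traces found." }
else { Write-Output "$findings finding(s) handled; re-run after the next gateway reboot to confirm it stays clean." }
```

This only cleans the client; it does nothing about the gateway handing the suffix out in the first place, so the bridge-mode-plus-own-router fix in the walkthrough above still applies, and the detection in step 1 is the quick way to tell whether a machine has picked the suffix up again after the gateway reboots.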