It's always DNS; or: why I closed my Comcast Business account

Warning: this post consists of a lot of grumbling and not much technical merit.

I don’t usually make blog posts just to complain. However, today is different. I’m getting a new roof installed and this means I had to temporarily disconnect the coax that brings internet service into my house, due to the way the cable is routed across it. I was hoping this would be minimally disruptive, because I pay Comcast Business $210/mo for a level of service that includes a backup LTE modem.

As you can assume from the fact that I’m writing this post, it was disruptive anyway.

Comcast’s “Connection Pro” LTE modem sits on the AT&T network and in the past has behaved pretty well. However, for the past day it has been doing something weird. I cannot get to many websites, all failing with PR_END_OF_FILE_ERROR in Firefox.

So far, I have found that behavior on the following sites:

Upon further investigation, I discovered that these all resolve to the same IP.

;; ANSWER SECTION:
aws.amazon.com.         0       IN      A       192.73.252.25
aws.amazon.com.         0       IN      A       192.73.252.18
;; ANSWER SECTION:
bestbuy.com.            0       IN      A       192.73.252.18
bestbuy.com.            0       IN      A       192.73.252.25
;; ANSWER SECTION:
ebay.com.               0       IN      A       192.73.252.25
ebay.com.               0       IN      A       192.73.252.18
;; ANSWER SECTION:
mozilla.org.            0       IN      A       192.73.252.25
mozilla.org.            0       IN      A       192.73.252.18
;; ANSWER SECTION:
newegg.com.             0       IN      A       192.73.252.18
newegg.com.             0       IN      A       192.73.252.25

And no, this should not be the case.

This isn’t just the behavior of some default resolver that was gifted to me in DHCP - I have hardcoded an upstream.

It doesn’t matter which upstream resolver I use; the DNS requests are intercepted and I get the same bogus reply:

; <<>> DiG 9.16.1-Ubuntu <<>> store.ui.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7391
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;store.ui.com.                  IN      A

;; ANSWER SECTION:
store.ui.com.           0       IN      A       192.73.252.25
store.ui.com.           0       IN      A       192.73.252.18

;; Query time: 116 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Sep 27 11:00:40 MDT 2023
;; MSG SIZE  rcvd: 73

; <<>> DiG 9.16.1-Ubuntu <<>> store.ui.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1691
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;store.ui.com.                  IN      A

;; ANSWER SECTION:
store.ui.com.           0       IN      A       192.73.252.18
store.ui.com.           0       IN      A       192.73.252.25

;; Query time: 69 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Sep 27 11:00:43 MDT 2023
;; MSG SIZE  rcvd: 73
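The check above was done by eye: many unrelated names, queried through different upstreams, all come back as the same two addresses with a TTL of 0. The script below is an added example (not from the original post) that automates that heuristic over dig-style ANSWER SECTION text; the sample input is constructed, reusing the two addresses quoted above plus a documentation address as a control, and the two-label domain collapse is a simplification in place of the Public Suffix List.

```python
import re
from collections import defaultdict

# Constructed sample in dig's ANSWER SECTION layout. 192.73.252.18/.25 are the
# addresses quoted in the post; 203.0.113.10 is a documentation address standing
# in for an ordinary, un-intercepted answer.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
aws.amazon.com.         0       IN      A       192.73.252.25
aws.amazon.com.         0       IN      A       192.73.252.18
;; ANSWER SECTION:
bestbuy.com.            0       IN      A       192.73.252.18
bestbuy.com.            0       IN      A       192.73.252.25
;; ANSWER SECTION:
store.ui.com.           0       IN      A       192.73.252.25
store.ui.com.           0       IN      A       192.73.252.18
;; ANSWER SECTION:
example.org.            3600    IN      A       203.0.113.10
"""

A_RECORD_RE = re.compile(
    r"^(?P<name>[\w.-]+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s*$",
    re.MULTILINE,
)

def parse_a_records(text):
    """Return (owner name, ttl, address) for every A record in dig-style output."""
    return [(m["name"].rstrip("."), int(m["ttl"]), m["ip"]) for m in A_RECORD_RE.finditer(text)]

def registrable_domain(name):
    """Keep the last two labels so aws.amazon.com and amazon.com count as one site.
    Simplification: a real tool would consult the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def shared_answer_sets(records, min_domains=3):
    """Group names by their complete A-record set; return (addresses, domains, max TTL)
    for sets shared by at least `min_domains` unrelated registrable domains. CDNs
    share addresses too, so a hit is a lead to investigate, not proof of tampering."""
    answers, ttls = defaultdict(set), defaultdict(int)
    for name, ttl, ip in records:
        answers[name].add(ip)
        ttls[name] = max(ttls[name], ttl)
    by_set, ttl_by_set = defaultdict(set), defaultdict(int)
    for name, ips in answers.items():
        key = frozenset(ips)
        by_set[key].add(registrable_domain(name))
        ttl_by_set[key] = max(ttl_by_set[key], ttls[name])
    return sorted((sorted(ips), sorted(doms), ttl_by_set[ips])
                  for ips, doms in by_set.items() if len(doms) >= min_domains)
```

Running `shared_answer_sets(parse_a_records(SAMPLE_DIG_OUTPUT))` reports the three unrelated sites that collapse onto the two shared addresses at TTL 0, while the control answer is left alone.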

Let’s find out who they belong to.

25.252.73.192.in-addr.arpa. 14400 IN    PTR     pxy02-nsjc-c2szps.001.prd.c2szps.spscld.net.
Domain Name: SPSCLD.NET
Registry Domain ID: 2551237048_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2022-04-11T16:44:25Z
Creation Date: 2020-08-06T17:43:40Z
Registry Expiry Date: 2024-08-06T17:43:40Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2086851750

MarkMonitor appears to offer some kind of network security service. Further digging reveals that they provide the product that Comcast calls “SecurityEdge.” I explicitly turned this off on my DOCSIS modem on day one. I cannot configure the LTE modem myself, so I have to contact support to have it disabled.

Frankly, I find it unacceptable that my ISP is attempting to intercept traffic to these sites, and has enabled this feature without my consent. It would be different if it were blocking known malware or abuse sites, but there is no reason for intercepting these. The fact that this behavior changed on its own is alarming.

I have lost all trust in Comcast and have given the required 30 day notice to close my account. I have to pay a $770 penalty to break my contract. I will be finding another ISP.

It is not just this sketchy behavior making me do this, either. Before I diagnosed the issue myself, both chat and phone support techs said there was no way to help me. Only after this investigation was I able to call again and tell them exactly how to fix it.

I also recall an interaction I had with support about a year ago, when my internet was going out daily for hours at a time. Upon complaining about this, they stated:

We don’t cause outages, we fix them.

Right.