Warning: this post consists of a lot of grumbling and not much technical merit.
I don’t usually make blog posts just to complain. However today is different. I’m getting a new roof installed and this means I had to temporarily disconnect the coax that brings internet service into my house, due to the way the cable is routed across it. I was hoping this would be minimally disruptive, because I pay Comcast Business $210/mo for a level of service that includes a backup LTE modem.
As you can assume from the fact that I’m writing this post, it was disruptive anyway.
Comcast’s “Connection Pro” LTE modem sits on the AT&T network and in the past has behaved pretty well. However, for the past day it has been doing something weird. I cannot get to many websites, all failing with
So far, I have found that behavior on the following sites:
Upon further investigation, I discovered that these all resolve to the same IP.
;; ANSWER SECTION:
aws.amazon.com. 0 IN A 220.127.116.11
aws.amazon.com. 0 IN A 18.104.22.168

;; ANSWER SECTION:
bestbuy.com. 0 IN A 22.214.171.124
bestbuy.com. 0 IN A 126.96.36.199

;; ANSWER SECTION:
ebay.com. 0 IN A 188.8.131.52
ebay.com. 0 IN A 184.108.40.206

;; ANSWER SECTION:
mozilla.org. 0 IN A 220.127.116.11
mozilla.org. 0 IN A 18.104.22.168

;; ANSWER SECTION:
newegg.com. 0 IN A 22.214.171.124
newegg.com. 0 IN A 126.96.36.199
And no, this should not be the case.
This isn’t just the behavior of some default resolver that was gifted to me in DHCP - I have hardcoded an upstream.
It doesn’t matter what upstream resolver I use, the DNS requests are intercepted and I get the same bogus reply:
; <<>> DiG 9.16.1-Ubuntu <<>> store.ui.com @188.8.131.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7391
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;store.ui.com. IN A

;; ANSWER SECTION:
store.ui.com. 0 IN A 184.108.40.206
store.ui.com. 0 IN A 220.127.116.11

;; Query time: 116 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: Wed Sep 27 11:00:40 MDT 2023
;; MSG SIZE rcvd: 73

; <<>> DiG 9.16.1-Ubuntu <<>> store.ui.com @126.96.36.199
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1691
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;store.ui.com. IN A

;; ANSWER SECTION:
store.ui.com. 0 IN A 188.8.131.52
store.ui.com. 0 IN A 184.108.40.206

;; Query time: 69 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Wed Sep 27 11:00:43 MDT 2023
;; MSG SIZE rcvd: 73
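The two listings above show the three things worth checking for when you suspect a middlebox is answering DNS on your behalf: unrelated names all resolving to the same pair of addresses, a TTL of 0 on every intercepted answer (so nothing ever caches it and every lookup goes back through the interceptor), and the same answer coming back no matter which upstream resolver the query was addressed to. The script below is an added example, not code from the post; it parses dig-style ANSWER SECTION text and reports those indicators. The sample outputs are constructed for the example using RFC 5737 documentation addresses, not the post's real addresses, and the resolver labels 192.0.2.53 and 192.0.2.54 are placeholders for two distinct upstreams.

```python
"""Offline checker for the DNS-interception symptoms described in the post.

Indicators, each derived from dig-style ANSWER SECTION text:
  1. unrelated names sharing the exact same A-record set,
  2. answers with TTL 0 (never cached, so every lookup hits the interceptor),
  3. a suspicious name that answers identically from more than one upstream,
     which points at the network path rather than at one bad resolver.
"""
import re
from collections import defaultdict

# One dig A-record line, e.g. "store.ui.com. 0 IN A 198.51.100.7"
ANSWER_RE = re.compile(
    r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M
)

# Constructed samples (upstream resolver queried, dig output). Addresses are
# documentation ranges, not the post's; the "proxy pair" 198.51.100.7/.8
# stands in for the interceptor's front ends.
SAMPLES = [
    ("192.0.2.53", ";; ANSWER SECTION:\n"
                   "aws.amazon.com. 0 IN A 198.51.100.7\n"
                   "aws.amazon.com. 0 IN A 198.51.100.8\n"),
    ("192.0.2.53", ";; ANSWER SECTION:\n"
                   "bestbuy.com. 0 IN A 198.51.100.7\n"
                   "bestbuy.com. 0 IN A 198.51.100.8\n"),
    ("192.0.2.53", ";; ANSWER SECTION:\n"
                   "ebay.com. 0 IN A 198.51.100.7\n"
                   "ebay.com. 0 IN A 198.51.100.8\n"),
    # The same name asked of two different upstreams, with a full dig header
    # in front so the parser is exercised on the noise lines too.
    ("192.0.2.53", "; <<>> DiG 9.16.1-Ubuntu <<>> store.ui.com @192.0.2.53\n"
                   ";; QUESTION SECTION:\n;store.ui.com. IN A\n\n"
                   ";; ANSWER SECTION:\n"
                   "store.ui.com. 0 IN A 198.51.100.7\n"
                   "store.ui.com. 0 IN A 198.51.100.8\n"),
    ("192.0.2.54", ";; ANSWER SECTION:\n"
                   "store.ui.com. 0 IN A 198.51.100.7\n"
                   "store.ui.com. 0 IN A 198.51.100.8\n"),
    # A healthy control: its own address, a real TTL, same from both upstreams.
    ("192.0.2.53", ";; ANSWER SECTION:\nexample.com. 3600 IN A 203.0.113.10\n"),
    ("192.0.2.54", ";; ANSWER SECTION:\nexample.com. 3598 IN A 203.0.113.10\n"),
]


def parse_answers(dig_text):
    """Return [(name, ttl, address), ...] for the A records in one dig output."""
    return [(name, int(ttl), addr) for name, ttl, addr in ANSWER_RE.findall(dig_text)]


def analyze(samples):
    """Run the three indicators over (upstream, dig_output) pairs; return a report."""
    by_name = defaultdict(list)  # name -> [(upstream, ttl, addr), ...]
    for upstream, text in samples:
        for name, ttl, addr in parse_answers(text):
            by_name[name].append((upstream, ttl, addr))

    # Indicator 1: group names by their complete A-record set; unrelated names
    # landing on one identical set is the post's "all resolve to the same IP".
    by_addrset = defaultdict(set)
    for name, recs in by_name.items():
        by_addrset[frozenset(addr for _, _, addr in recs)].add(name)
    shared = [names for names in by_addrset.values() if len(names) > 1]

    # Indicator 2: TTL 0 answers, as in every intercepted record in the post.
    zero_ttl = {name for name, recs in by_name.items()
                if any(ttl == 0 for _, ttl, _ in recs)}

    suspicious = zero_ttl | {n for names in shared for n in names}

    # Indicator 3: a suspicious name answered from two or more distinct
    # upstreams means the interception is on the path, not in one resolver.
    upstream_agnostic = {name for name in suspicious
                         if len({u for u, _, _ in by_name[name]}) > 1}

    return {
        "shared_answer_sets": sorted(tuple(sorted(names)) for names in shared),
        "zero_ttl": sorted(zero_ttl),
        "upstream_agnostic": sorted(upstream_agnostic),
        "clean": sorted(set(by_name) - suspicious),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLES).items():
        print(f"{key}: {value}")
```

In practice you would feed it the saved output of `dig <name> @<resolver>` for a handful of unrelated names against two or three upstreams; a control name with a normal TTL that resolves to its own address, as example.com does here, is what lets you tell a real interception from an ordinary CDN sharing addresses across customers.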
Let’s find out who they belong to.
22.214.171.124.in-addr.arpa. 14400 IN PTR pxy02-nsjc-c2szps.001.prd.c2szps.spscld.net.
Domain Name: SPSCLD.NET
Registry Domain ID: 2551237048_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2022-04-11T16:44:25Z
Creation Date: 2020-08-06T17:43:40Z
Registry Expiry Date: 2024-08-06T17:43:40Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplain[email protected]
Registrar Abuse Contact Phone: +1.2086851750
MarkMonitor appears to offer some kind of network security service. Further digging reveals that they provide the product that Comcast calls “SecurityEdge.” I explicitly turned this off on my DOCSIS modem on day one. I cannot configure the LTE modem myself, so I have to contact support to have it disabled.
Frankly, I find it unacceptable that my ISP is attempting to intercept traffic to these sites, and has enabled this feature without my consent. It would be different if it were blocking known malware or abuse sites, but there is no reason for intercepting these. The fact that this behavior changed on its own is alarming.
I have lost all trust in Comcast and have given the required 30 day notice to close my account. I have to pay a $770 penalty to break my contract. I will be finding another ISP.
It is not just this sketchy behavior making me do this, either. Before I diagnosed the issue myself, both chat and phone support techs said there was no way to help me. Only after this investigation was I able to call again and tell them exactly how to fix it.
I also recall an interaction I had with support about a year ago, when my internet was going out daily for hours at a time. Upon complaining about this, they stated:
We don’t cause outages, we fix them.