Spectrum, Recursive dns and interception of root authoritative DNS

Hey all. I was wondering, since we're all in Worcester or surrounding and dealing with Spectrum as an ISP, if you've run into the same thing I have in the last few months.
I used to, as you'll see soon, run unbound as a recursive DNS server in my home network to cache and limit external DNS queries; it was the forwarder behind Pihole. It worked great for a very long time.
But a few months ago, my internet went down, and it turned out to be non-cached DNS queries starting to fail. I realized from the logs that unbound was getting errors reaching out to DNS servers and disabled it until I could investigate, instead forwarding to Cloudflare temporarily.
Now that I have had time to research and investigate, I have found that at least SOMETHING is intercepting my queries to authoritative DNS servers when I reset unbound, and it throws away the response because they aren't "AA" status responses, and it never caches the root DNS and therefore won't resolve anything.
I come to find out the "authoritative" servers are responding with a status of RA, which means it's not the actual authoritative service, when I query manually (dig @198.41.0.4 . NS +norecurse) an actual authoritative, and that this is most likely a change Spectrum has made. Has anybody else run into this? Is it actually Spectrum? I guess I haven't dug far enough yet to see if it may be a firmware update to my router, UDM PRO, yet. Still working on that, but thought I'd ask this group first before I dig into that and save myself the time and go straight to ISP workarounds.
Thanks in advance! Looking forward to our next meeting!!
Steve
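The manual check Steve describes (a non-recursive `. NS` query sent straight to a root server, then looking at whether the reply carries AA or RA) can be scripted so it is repeatable and can be run from a cron job or a monitoring host. The following is an added example written for this thread, not code from the original post or from unbound: it builds the query in DNS wire format with the RD bit clear (what `dig +norecurse` sends), decodes the header flags of the reply, and labels a reply with AA set and RA clear as coming from the root server itself, and a reply with RA set as coming from a recursive resolver answering in the root server's place, which is the reasoning in the post. The root server address 198.41.0.4 is the one from the post; the two sample replies at the bottom are constructed for the example, not captured traffic, and `probe()` needs network access to do anything useful.

```python
"""Check whether replies to a non-recursive root query come from the root
server itself or from a transparent interceptor on the path.

A real root server answers `. NS` with AA (authoritative answer) set and
RA (recursion available) clear. A recursive resolver answering in its
place sets RA and, for the root zone, does not set AA.
"""
import socket
import struct

ROOT_SERVER = "198.41.0.4"  # a.root-servers.net, the address used in the post
QTYPE_NS = 2
QCLASS_IN = 1


def build_query(qname: str, qtype: int = QTYPE_NS, txid: int = 0x1234) -> bytes:
    """Build a DNS query with the RD bit clear (what `dig +norecurse` sends)."""
    flags = 0x0000  # QR=0, OPCODE=QUERY, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    # Wire-format name: length-prefixed labels ending with a zero byte.
    # The root "." has no labels, so it is just the terminating zero.
    labels = [l for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header: flag bits and section counts."""
    if len(resp) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response (not a query)
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr: dict) -> str:
    """Label a reply to `. NS +norecurse` that was sent to a root server address."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["aa"] and not hdr["ra"]:
        return "authoritative"       # what a root server returns
    if hdr["ra"]:
        return "intercepted"         # a recursive resolver answered instead
    return "unexpected"


def probe(server: str = ROOT_SERVER, timeout: float = 3.0) -> str:
    """Send the query over UDP and classify the reply (needs network access)."""
    query = build_query(".")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234:
        raise ValueError("transaction id mismatch; ignoring reply")
    return classify(hdr)


# Constructed sample replies (header plus the echoed question section), not
# captured traffic: one shaped like a genuine root answer (QR+AA, 13 NS
# records), one shaped like a recursive resolver answering in its place (QR+RA).
QUESTION = build_query(".")[12:]
GENUINE_ROOT_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 13, 0, 0) + QUESTION
INTERCEPTED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 13, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_ROOT_REPLY), ("intercepted", INTERCEPTED_REPLY)):
        print(f"{label:12s} -> {classify(parse_header(sample))}")
    try:
        print(f"live probe of {ROOT_SERVER} -> {probe()}")
    except OSError as exc:
        print(f"live probe failed: {exc}")
```

Running `probe()` from behind the modem and again from a host outside the ISP (a VPS, a phone on cellular) is the quickest way to tell whether the RA replies come from the path or from the local router, since only the on-path case changes between the two runs. The flag test is a heuristic: it reproduces what the thread observes (RA set, AA clear) rather than proving who answered, so treat "intercepted" as a prompt to capture the traffic, not as a verdict.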

I've long since decided to avoid using my ISP's DNS and went to running PiHole with the upstream DNS being 8.8.8.8 and 1.1.1.1
Tim.
On Sun, Aug 24, 2025, 12:01 PM steve--- via WLUG <wlug@lists.wlug.org> wrote:
_______________________________________________ WLUG mailing list -- wlug@lists.wlug.org To unsubscribe send an email to wlug-leave@lists.wlug.org Create Account: https://wlug.mailman3.com/accounts/signup/ Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/ Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/5AWI26...

Tim Keller via WLUG <wlug@lists.wlug.org> writes:
Other than the hack value of doing it yourself, is there a specific reason that you avoid ISP DNS?
-- Keith

Privacy. I don't want one org, source, company knowing EVERY DNS query I make from my house and therefore every company, site, organization, service, …, etc. that I use. If I have a recursive DNS server that doesn't go to one DNS forwarder like Spectrum, Google, Cloudflare, etc., but instead caches the root entries locally on initial startup for .com, .net, .biz, .org, etc., and then caches as I go the next level down, nobody ever knows when and what I query but once, and then that's just the next level of the recursion, which is auto-refreshed when the cache TTL runs out. So I keep as much of my digital data away from prying eyes as possible. As the IETF says in their specs, passive monitoring is an attack, and reasonable measures should be taken to reduce or eliminate it.
Steve Thibault
On Aug 26, 2025, at 3:55 PM, Keith Wright via WLUG <wlug@lists.wlug.org> wrote:

Did you turn off any "security" features Spectrum has on the cable modem/gateway and put it into transparent bridging mode and use your own router?
On Tue, Aug 26, 2025 at 04:02:17PM -0400, steve--- via WLUG wrote:

Got my own router. So I have just a 3rd party modem I own that's not a Spectrum device, just a DOCSIS 3.1 device compatible with Spectrum. But no, I haven't set any transparent/bridge settings. That's actually a good idea to check. I always think of the modem as invisible infrastructure, but worth a look. Thanks!
Steve Thibault
On Aug 26, 2025, at 4:41 PM, Chuck Anderson <cra@fea.st> wrote:

ISPs figured out a long time ago they could harvest and sell your DNS query information. Sure, because of HTTPS they can't see what your Google queries are, but they can deduce the results..
Just looking at my PiHole logs is pretty enlightening.. It's clear I was just about to go on vacation in Maine, before that I was researching places in the Berkshires, before that I was on a whole bunch of EV review sites. That's just filtering for stuff from this machine and my phone. If I turn the filter off and see all the queries, you can quickly figure out there are people into Dr. Who, Star Trek, Anime. Using Spotify and Discord and Facebook and Instagram and Tumblr and Reddit.
Things like DNS over HTTPS and DNSSEC help, but just to stop MITM stuff.. if the ISP is running the DNS server, they can see the queries.. Now, maybe Cloudflare or Google is doing the same thing, but have far less of an understanding of who I am.. vs.. Verizon..
We can have a bigger conversation about what Google knows about you..
Tim.
On Tue, Aug 26, 2025 at 3:55 PM Keith Wright <kwright@keithdiane.us> wrote:
--
I am leery of the allegiances of any politician who refers to their constituents as "consumers".

If you're ever bored with using the Google recursors, give the Oracle recursors a try - 216.146.35.35 & 216.146.36.36
Source: I work on OCI's DNS service that maintains the recursors.
On Tue, Aug 26, 2025 at 7:51 PM Tim Keller via WLUG <wlug@lists.wlug.org> wrote:

Might also be worth looking at Quad9's offering if you don't want to funnel your traffic to Google or Cloudflare. More info here: https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/...
-------- Original Message --------
On 8/26/25 8:30 PM, Jared Greenwald via WLUG wrote:
participants (6)
- Chuck Anderson
- eroc1990
- Jared Greenwald
- Keith Wright
- steve@patternsoft.net
- Tim Keller