Can you provide a link that doesn't work? I'm using the new DNS, and have no problems. http://www.noaa.gov and http://noaa.gov both work fine. I am in the Chicago area, so maybe it's an issue with only certain servers? With the new Anycast, you never know just where it's going. You could try doing a tracerout/tracert to 75.75.75.75 to see where yours is going.

I didn't see this thread when I posted about a similar problem this morning.

As I read additional threads, I see customers saying that Comcast's DNS servers fail for fcc.gov, noaa.gov, weather.gov, nasa.gov.

Someone posted that they fail for all of the .eu domain!

andyross wrote:
> Can you provide a link that doesn't work?

Please see my thread.  Using 75.75.75.75, for _days_ the following have failed:

www.wrh.noaa.gov
sat.wrh.noaa.gov
www.weather.gov
www.nasa.gov

On the Broadband Reports forums, there were posts by Comcast people that it seemed to be an issue with a server in California. Based on your one link, it seems to be in Utah?

If it's still not working, try doing a tracerout to 75.75.75.75 and see where it goes. To do the traceroute with Windows:

Open up a command prompt

Type: tracert 75.75.75.75

It will step through each router on the way. About the next-to-last will roughly tell where your DNS is being sent to.

I'm in northen California.

tracert to 75.75.75.75 says:
 Pleasanton, CA
 S.F.
 San Jose
 then cdns01.comcast.net

Real irony here.  Another thread says to use www.dnssec-failed.org and www.dnsviz.net to troubleshoot DNS problems.

And I can't get to them either!

I specifically request that a Comcast employee in this forum help resolve this problem.

Would someone outside of California please try to get to the four websites I mentioned in message #3 and see if you can access them?  And run a traceroute/tracert to 75.75.75.75 to see where your DNS server is.

Thanks.

---

401 wrote:

I'm in northen California.

 

tracert to 75.75.75.75 says:
 Pleasanton, CA
 S.F.
 San Jose
 then cdns01.comcast.net

 

The servers in MA are also having trouble. You can (usually) see it when you check a problem domain at http://dns.comcast.net/dig-tool.php .

 

Real irony here.  Another thread says to use www.dnssec-failed.org and www.dnsviz.net to troubleshoot DNS problems.

 

It's even more ironic than you think! The authoritative DNS servers for the dnssec-failed.org domain are Comcast servers. The DNSSEC servers in MA and CA sometimes can't even get answers from Comcast's own servers. Interestingly, the cache-check page mentioned above doesn't do any checking when you enter the dnssec-failed.org domain; so maybe this particular problem isn't limited to MA and CA.

 

We're aware of a DNSSEC-related issue and are working with vendors to fix it. In the meantime, we put in place a workaround on the DNSSEC servers that should have resolved this. If you are still having issues, please post the results of a dig here so we can investigate.

---

jlivingood wrote:

We're aware of a DNSSEC-related issue and are working with vendors to fix it. In the meantime, we put in place a workaround on the DNSSEC servers that should have resolved this. If you are still having issues, please post the results of a dig here so we can investigate.

---

The cache check page is still showing problems with the servers in CA and MA. I'm in MA. For the record:

dig @75.75.75.75 ftc.gov

; <<>> DiG 9.3.1 <<>> @75.75.75.75 ftc.gov
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

>dig @75.75.75.75 b.usadotgov.net

; <<>> DiG 9.3.1 <<>> @75.75.75.75 b.usadotgov.net
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

In these cases 75.75.75.75 isn't sending back any response at all.

Then there's:

>dig @75.75.75.75 www.dnssec-failed.org

; <<>> DiG 9.3.1 <<>> @75.75.75.75 www.dnssec-failed.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

It is working for most other domains, though.

---

steve-baker wrote:

It's even more ironic than you think! The authoritative DNS servers for the dnssec-failed.org domain are Comcast servers. The DNSSEC servers in MA and CA sometimes can't even get answers from Comcast's own servers.

 

 

---

Actually, that's not ironic, it's expected. Caching and authoritative servers should be totally independent of each other. If the caching servers have a bug affecting DNSSEC in general, there's no reason why it shouldn't affect them when they try to access domains hosted by Comcast's auth servers.

But perhaps you could say that it's ironic that it's expected. Or maybe that it's unexpected that it's expected.

---

Barmar wrote:

 

---

steve-baker wrote:

It's even more ironic than you think! The authoritative DNS servers for the dnssec-failed.org domain are Comcast servers. The DNSSEC servers in MA and CA sometimes can't even get answers from Comcast's own servers.

 

 

---

 

Actually, that's not ironic, it's expected. Caching and authoritative servers should be totally independent of each other. If the caching servers have a bug affecting DNSSEC in general, there's no reason why it shouldn't affect them when they try to access domains hosted by Comcast's auth servers.

 

But perhaps you could say that it's ironic that it's expected. Or maybe that it's unexpected that it's expected.

---

Nope, there's lots of irony there. Let's not forget "Another thread says to use www.dnssec-failed.org and www.dnsviz.net to troubleshoot DNS problems." Trying to troubleshoot DNS problems via a domain that's mired in the problem is ironic.

In Atlanta. Can't get to NOAA or Paypal for days. Tracert on 75.75.75.75 routes to a server in Atlanta.

Comcast.net DNS is failing for me here in Seattle for some specific domains, but working for the ones listed above.

My DNS servers: 

Failing domains:

  - waol.org

  - angel.spscc.edu

Authoritative servers for these are hosted by the WA State Board for Community and Technical Colleges, in Olympia, WA.  DNS for these domains was tested and found working via EasyDNS and over AT&T and T-Mobile wireless connections.

Most domains hosted here are working on Comcast but a few are not.

Working:

  - sbctc.edu

  - www.cis.ctc.edu

  - noaa.gov

  - paypal.com

  - www.nasa.gov

   ...

paypal and noaa working again in ATL

---

pkreemer wrote:

Comcast.net DNS is failing for me here in Seattle for some specific domains, but working for the ones listed above.

 

My DNS servers: 

  68.87.69.150  cns.beaverton.or.bverton.comcast.net

  68.87.85.102  cns.cmc.co.denver.comcast.net

 

 

 

Failing domains:

  - waol.org

  - angel.spscc.edu

 

Authoritative servers for these are hosted by the WA State Board for Community and Technical Colleges, in Olympia, WA.  DNS for these domains was tested and found working via EasyDNS and over AT&T and T-Mobile wireless connections.

 

---

The problem in this case is at the other end. Angel.spscc.edu has a CNAME of angel.waol.org, so the problem with those domains is the same problem. The authoritative servers for waol.org are listed as:

ctc.ctc.edu.
ml-dns.ctc.edu.
quasar.ctc.edu.

The parent servers for the .edu domain don't have the IP addresses of those servers, so a lookup has to find those addresses. The authoritative servers for the ctc.edu domain are:

ruler.wa-k20.net.
apple.wa-k20.net.
dns3.ctc.edu.
dns4.ctc.edu.

Those servers listed immediately above don't have the addresses of the authoritative servers listed for the waol.org domain. EG:

"dig @ruler.wa-k20.net ctc.ctc.edu

...
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, ..."

ANSWER: 0 ... no answer for the IP address of ctc.ctc.edu, and so no DNS server to query to find the info about the waol.org domain.

Other servers might have waol.org info cached from queries made before the waol.org DNS situation got discombobulated. Checking at some open DNS servers is showing some stuff that I can't quite figure out, but I think the bottom line is that they have the addresses of

ctc.ctc.edu.
ml-dns.ctc.edu.
quasar.ctc.edu.

cached.

Steve, thanks very much for sorting through that!  And explaining it clearly.  I passed your description on to the networking staff here.

Paul

Hi, to report back on this: our IT staff had cutover to new DNS servers but hadn't updated them in the domain registration. That was fixed a couple of hours ago, and now I'm waiting for Comcast to pick up the change. 

Whois now lists these (correct) DNS servers for waol.org:

dns3.ctc.edu.
dns4.ctc.edu.

Thanks again for the help-

Paul

Delegations from the .ORG servers have 1-day TTLs. So it could take up to a day for some of the Comcast nameservers to pick up the change. Different servers will pick it up at different times, depending on when they last cached the old NS records.

---

pkreemer wrote:

Hi, to report back on this: our IT staff had cutover to new DNS servers but hadn't updated them in the domain registration. That was fixed a couple of hours ago, and now I'm waiting for Comcast to pick up the change. 

 

Thanks for the update.

 

 

Whois now lists these (correct) DNS servers for waol.org:

 

dns3.ctc.edu.
dns4.ctc.edu.

Those NS records have a TTL of zero. Is that really how they wanted to set it up?

 

 

Thanks again for the help-

 

You're welcome!

 

I think I have a better DNS connection now after making some changes in the window setup for DNS.

My router is using the Comcast DNS as part of the DHCP; the computer is setup to use the router as the DNS server even if the router cannot be set as the gateway in win7 (claims it did but erases it).

In the win7 tcp/ip, I have the router as the primary DNS & an OpenDNS as the secondary DNS.  Then in the "advanced" DNS page, I added the router as the 1st DNS & then 2 OpenDNS servers as the 2nd & 3rd DNS servers.  I think that it's working as I wanted, Comcast DNS 1st & if not there, then OpenDNS.  Haven't tried Google servers as didn't know about them until now but will stick to my method.

On occassion, I do get the "helper" page with the OpenDNS headers which I believe that my DNS listing did pass thru the Comcast DNS as not found but dropped down to the OpenDNS for a check & the OpenDNS server also did a "not found" & so returned their "helper" page instead of the Comcast page.

Nice little tool;

http://www.grc.com/dns/benchmark.htm