Comcast/Xfinity Encrypted DNS

dave14305

Part of the Furniture
For those of us subscribing to Comcast Xfinity internet service, I came to learn today of their encrypted DNS initiatives. Namely, they are beta testing DoH and DoT resolvers.

DoH: https://doh.xfinity.com/dns-query
DoT: dot.xfinity.com

Ref: https://indico.dns-oarc.net/event/3...6/1172/crowe-doh-dot-dnsoarc31_compressed.pdf

Now the big question might be why would you ever want to rely on your ISP DNS? Usually you want to protect your data from their snooping eyes. But reading the linked slides above, they seem to have the right intentions and are facing the concerns over centralized DNS versus CDN content.
 
> why would you ever want to rely on your ISP DNS?

For proper geo-localisation by CDNs, and also to benefit from the CDN/Google/Netflix/etc... caches that most large ISPs install on their network borders.

I've always used my ISP DNS here, except for while testing DoT.
 
> For proper geo-localisation by CDNs, and also to benefit from the CDN/Google/Netflix/etc... caches that most large ISPs install on their network borders.
>
> I've always used my ISP DNS here, except for while testing DoT.
RMerlin, can you still use a VPN with my ISP (Comcast) DNS and/or is it not recommended?
 
> RMerlin, can you still use a VPN with my ISP (Comcast) DNS and/or is it not recommended?

Depends on your VPN provider. Some will block port 53 traffic except to servers they explicitly support, to "protect against accidental DNS leakage".

They should normally all allow DoT however, as I doubt any of them is blocking port 853. You need to configure the client to ignore the DNS settings pushed by them, though.
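The two transports named in the first post, and the port 53 versus port 853 distinction in the reply above, worked through as an added example (this is not code from the thread, from Comcast, or from any of the posters). It encodes a DNS query in wire format, frames it the way DoT expects (the two-byte length prefix used for DNS over TCP, RFC 7858) and the way DoH expects (an HTTP POST with media type application/dns-message, RFC 8484), and decodes the answer. The parser runs offline against a constructed response; the two live functions assume doh.xfinity.com and dot.xfinity.com are reachable (the post calls the service a beta, so they may not be), and the 192.0.2.1 in the sample answer is a documentation address, not a real lookup result.

```python
"""DNS wire format plus DoT (RFC 7858) and DoH (RFC 8484) transports.
Pure helpers are testable offline; query_dot/query_doh do live lookups."""
import socket
import ssl
import struct
import urllib.request

DOT_SERVER = "dot.xfinity.com"                   # endpoint named in the thread
DOH_URL = "https://doh.xfinity.com/dns-query"    # endpoint named in the thread


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """RFC 1035 query: header with RD set and one question, then QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # class IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, resume = [], False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                resume = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return id, rcode and the answer section as (name, type, ttl, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        out["answers"].append((name, rtype, ttl, value))
    return out


def dot_frame(query: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name: str, server: str = DOT_SERVER, port: int = 853) -> dict:
    """Live DoT lookup; the default context validates the chain and the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(dot_frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_response(_recv_exact(tls, length))


def doh_request(query: bytes, url: str = DOH_URL) -> urllib.request.Request:
    """RFC 8484 POST: body is the raw DNS message, media type application/dns-message."""
    return urllib.request.Request(url, data=query, method="POST",
                                  headers={"Content-Type": "application/dns-message",
                                           "Accept": "application/dns-message"})


def query_doh(name: str, url: str = DOH_URL) -> dict:
    """Live DoH lookup; txid 0 as RFC 8484 section 4.1 recommends for cacheability."""
    with urllib.request.urlopen(doh_request(build_query(name, txid=0), url), timeout=5) as resp:
        return parse_response(resp.read())


# Constructed response, not a capture: example.com A 192.0.2.1, TTL 300, name via pointer 0xC00C.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print("offline parse:", parse_response(SAMPLE_RESPONSE))
    for label, fn in (("DoT", query_dot), ("DoH", query_doh)):
        try:
            print(label, fn("example.com")["answers"])
        except OSError as exc:                   # URLError is an OSError subclass
            print(label, "failed:", exc)
```

Because the TLS context checks the certificate against the name passed as server_hostname, a VPN or gateway that intercepts port 853 fails the handshake instead of silently answering, so a failure here tells you something. If the VPN client itself overrides the resolver, OpenVPN clients (2.4 and later) can drop the pushed setting with `pull-filter ignore "dhcp-option DNS"`; that is an assumption about the reader's client, not something the post states.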
 
In my observations Comcast's engineering side is a complete 180 from corporate.
 
> For those of us subscribing to Comcast Xfinity internet service, I came to learn today of their encrypted DNS initiatives. Namely, they are beta testing DoH and DoT resolvers.
>
> DoH: https://doh.xfinity.com/dns-query
> DoT: dot.xfinity.com
>
> Ref: https://indico.dns-oarc.net/event/3...6/1172/crowe-doh-dot-dnsoarc31_compressed.pdf
>
> Now the big question might be why would you ever want to rely on your ISP DNS? Usually you want to protect your data from their snooping eyes. But reading the linked slides above, they seem to have the right intentions and are facing the concerns over centralized DNS versus CDN content.
Though they have this, my question isn't about Comcast but is specific to the server, relative to the security and reliability it provides (if any).
 
> Though they have this, my question isn't about Comcast but is specific to the server, relative to the security and reliability it provides (if any).
The fact that a major US ISP is working on encrypted DNS is interesting to me. Whether they'll get it right and roll it out will be another question. Maybe they will integrate stubby into all their WiFi Gateway modems?

But most Privacy-focused people still won’t want to trust their ISP with their lookup data, IMO.
 
> The fact that a major US ISP is working on encrypted DNS is interesting to me. Whether they'll get it right and roll it out will be another question. Maybe they will integrate stubby into all their WiFi Gateway modems?
>
> But most Privacy-focused people still won't want to trust their ISP with their lookup data, IMO.
I just don't understand saying this; all traffic goes through your ISP. The ISP can just have the firewalls log all packets, their source and destination; everything is going over their networks.

Encrypting DNS does much of nothing to hide what you do from your ISP.
 
> I just don't understand saying this; all traffic goes through your ISP. The ISP can just have the firewalls log all packets, their source and destination; everything is going over their networks.
>
> Encrypting DNS does much of nothing to hide what you do from your ISP.
I was thinking more in terms of tracking and marketing, not true stealth. But your point is taken. We choose to get in bed with our ISPs, if we have the luxury of ISP choices where we live.
 
> I was thinking more in terms of tracking and marketing, not true stealth. But your point is taken. We choose to get in bed with our ISPs, if we have the luxury of ISP choices where we live.
If I just wanted to track, I can do that by looking at the firewall again. You are right: if you don't trust your ISP and have a choice, then you should switch or use a VPN. Now that is assuming you trust your VPN provider.

Just wanted to add that using Google or Cloudflare as your DNS provider really is now giving your provider access to all of your data that they didn't have before. I just don't understand why people want to do this.

My ISP already has everything; by switching DNS providers I am really not gaining anything, and they are really not losing anything at all (my ISP, that is).
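The point argued over the last few posts, shown concretely as an added example (not code from the thread or from any poster): with the lookup encrypted, an on-path observer such as the ISP still sees the destination address of every connection, and for ordinary TLS it also gets the hostname in clear from the server_name (SNI) extension of the ClientHello. The posts only mention source and destination logging; the SNI part is added here because it is what a flow log on the path would actually record. The ClientHello bytes are constructed for the example, not captured, and the addresses are RFC 5737 documentation addresses.

```python
"""What a passive tap learns from a TLS connection's first packet, DNS aside:
destination IP:port and, absent Encrypted Client Hello, the SNI hostname."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI extension
    (test input built for this example, not a capture)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, random (fixed for the example)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None when the
    bytes are not a ClientHello, are truncated, or carry no server_name."""
    try:
        if record[0] != 0x16:                                    # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                        # not ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                             # client_version + random
        off += 1 + body[off]                                     # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]     # cipher_suites
        off += 1 + body[off]                                     # compression_methods
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[off:off + 4])
            off += 4
            data = body[off:off + ext_size]
            off += ext_size
            if ext_type != 0x0000:
                continue
            pos = 2                                              # skip ServerNameList length
            while pos + 3 <= len(data):
                name_type = data[pos]
                name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                pos += 3
                if name_type == 0:                               # host_name
                    return data[pos:pos + name_len].decode("ascii", "replace")
                pos += name_len
        return None
    except (IndexError, struct.error):                           # truncated or malformed
        return None


def observer_view(src_ip: str, dst_ip: str, dst_port: int, first_payload: bytes) -> dict:
    """Fields a tap at the ISP edge can record from the first client packet of a
    TCP connection, without ever seeing a DNS query."""
    return {"src": src_ip, "dst": f"{dst_ip}:{dst_port}", "sni": extract_sni(first_payload)}


if __name__ == "__main__":
    # Constructed flows: a web visit, and the DoT session on port 853 that resolved it.
    # Note the second one names the resolver too, so the observer also learns which
    # encrypted-DNS service is in use.
    for flow in (("192.0.2.10", "198.51.100.7", 443, build_client_hello("www.example.com")),
                 ("192.0.2.10", "203.0.113.53", 853, build_client_hello("dot.xfinity.com"))):
        print(observer_view(*flow))
```

Encrypted Client Hello is the extension meant to close the SNI gap, but it needs the client, the server and a DNS-published key to all cooperate; until that is deployed end to end, the parser above recovers the name from the first packet regardless of how the lookup travelled.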
 
