What's new

Comcast/Xfinity Encrypted DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

dave14305

Part of the Furniture
For those of us subscribing to Comcast Xfinity internet service, I came to learn today of their encrypted DNS initiatives. Namely, they are beta testing DoH and DoT resolvers.

DoH: https://doh.xfinity.com/dns-query
DoT: dot.xfinity.com

Ref: https://indico.dns-oarc.net/event/3...6/1172/crowe-doh-dot-dnsoarc31_compressed.pdf

Now the big question might be why would you ever want to rely on your ISP DNS? Usually you want to protect your data from their snooping eyes. But reading the linked slides above, they seem to have the right intentions and facing the concerns over centralized DNS versus CDN content.
 
why would you ever want to rely on your ISP DNS?

For proper geo-localisation by CDNs, and also to benefit from the CDN/Google/Netflix/etc... caches that most large ISPs install on their network borders.

I've always used my ISP DNS here, except for while testing DoT.
 
For proper geo-localisation by CDNs, and also to benefit from the CDN/Google/Netflix/etc... caches that most large ISPs install on their network borders.

I've always used my ISP DNS here, except for while testing DoT.
RMerlin, can you still use VPN with my ISP (comcast) DNS and /or is it not recommended?
 
Last edited:
RMerlin, can you still use VPN with my ISP (comcast) DNS and /or is it not recommended?

Depends on your VPN provider. Some will block port 53 traffic except to servers they explicitly support, to "protect against accidental DNS leakage".

They should normally all allow DOT however, as I doubt any of them is blocking port 853. Need to configure the client to ignore the DNS settings pushed by them however.
 
In my observations Comcast's engineering side is a complete 180 from corporate.
 
For those of us subscribing to Comcast Xfinity internet service, I came to learn today of their encrypted DNS initiatives. Namely, they are beta testing DoH and DoT resolvers.

DoH: https://doh.xfinity.com/dns-query
DoT: dot.xfinity.com

Ref: https://indico.dns-oarc.net/event/3...6/1172/crowe-doh-dot-dnsoarc31_compressed.pdf

Now the big question might be why would you ever want to rely on your ISP DNS? Usually you want to protect your data from their snooping eyes. But reading the linked slides above, they seem to have the right intentions and facing the concerns over centralized DNS versus CDN content.
Though they have this ,my question isn't about comcast but is specific to the server relative to the security and reliability it provides (if any).
 
Though they have this ,my question isn't about comcast but is specific to the server relative to the security and reliability it provides (if any).
The fact that a major US ISP is working on encrypted DNS is interesting to me. If they’ll get it right and roll it out will be another question. Maybe they will integrate stubby into all their WiFi Gateway modems?

But most Privacy-focused people still won’t want to trust their ISP with their lookup data, IMO.
 
The fact that a major US ISP is working on encrypted DNS is interesting to me. If they’ll get it right and roll it out will be another question. Maybe they will integrate stubby into all their WiFi Gateway modems?

But most Privacy-focused people still won’t want to trust their ISP with their lookup data, IMO.
I just don't understand saying this, all traffic goes through you ISP. The ISP can just have the firewalls log all packets there source and destination everything is going over there networks.

Encrypting dns does much of nothing to hide what you do from your isp.
 
I just don't understand saying this, all traffic goes through you ISP. The ISP can just have the firewalls log all packets there source and destination everything is going over there networks.

Encrypting dns does much of nothing to hide what you do from your isp.
I was thinking more in terms of tracking and marketing, not true stealth. But your point is taken. We choose to get in bed with our ISPs, if we have the luxury of ISP choices where we live.
 
I was thinking more in terms of tracking and marketing, not true stealth. But your point is taken. We choose to get in bed with our ISPs, if we have the luxury of ISP choices where we live.
If i just wanted to track, i can do that looking the firewall again. You are right, if you don't trust your ISP and have a choice then you should switch or use a VPN. Now that is assuming you trust your VPN provider.

Just wanted to add that using Google or Cloud flare as your DNS provider really is now giving your provider access to all of you data that they didn't have before. I just don't understand why people want to do this.

My ISP already has everything, by switching DNS providers i am really not gaining anything, and they are really not loosing anything at all. (my ISP that is)
 
Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top