If You Use Comcast DNS Servers, You Cannot Read This

[Edit: I changed the CNAME record for the root domain to an A record pointing to the Posterous IP address (this currently seems to fix the problem). However, I don’t like that solution because if Posterous changes its IP address then everything breaks. Also, I feel a bit stupid, but I’ll leave this post up because it may be useful to someone else.]

A few months ago I decided to point diegobasch.com to my Posterous blog, which used to be located at dbasch.posterous.com. As instructed by Posterous, I changed my Namecheap DNS settings to look like this:


I use Google’s DNS servers, and I’ve never had a problem accessing my blog on Posterous. I went ahead merrily and kept dumping my thoughts, dry humor and sometimes vitriol into my blog. In the months since, I had a few blog posts that went somewhat viral on Twitter and Hacker News. Interestingly, I received many comments from people telling me “your blog is down” or “I’d love to read your posts but I cannot access your site.”

At first I thought it might be temporary glitches on the part of Posterous or Namecheap, but I confirmed independently with both that everything works as it should.

Yesterday I asked Twitter to help me diagnose the problem. It turns out that the problem seems to be with Comcast, and perhaps other ISPs. Says @cavorite:

@dbasch It seems that the problem is with Comcast’s DNS servers, “dig @ diegobasch.com” yields SERVFAIL.

I started researching Comcast DNS servers on my own. 

Diegos-MacBook-Air-2:~ dbasch$ nslookup – cdns02.comcast.net
;; Got SERVFAIL reply from, trying next server
;; connection timed out; no servers could be reached

Diegos-MacBook-Air-2:~ dbasch$ nslookup –

** server can’t find diegobasch.com: NXDOMAIN

Interestingly, www.diegobasch.com works just fine:

Non-authoritative answer:


If you read this post, you’ll see many people complaining that Comcast seems to hijack requests for non-existent domains to show whatever it wants. However, I changed my domain months ago. Comcast should have taken notice by now.

Two conclusions:

1) Comcast DNS servers are broken.
2) DNS in its current form is broken as well. It wasn’t designed to be used by the current internet. Furthermore, a particular ISP can decide to use its DNS servers as a mechanism for censorship.

I believe that OS makers should give people an option to choose among several DNS servers during the installation process, and explain why.

5 thoughts on “If You Use Comcast DNS Servers, You Cannot Read This”

  1. This is no conspiracy. The problem is that this domain has misconfigured DNS. Its root domain record is a CNAME. This is not allowed and is a broken configuration. Some DNS servers and libraries support it anyway, but Comcast is doing nothing wrong by sticking to the spec.

  2. You’re right that using an A record isn’t great because your hosting provider loses the flexibility of being able to change IP addresses. This article explains it really well: https://devcenter.heroku.com/articles/avoiding-naked-domains-dns-arecords My solution is to use CloudFlare for my DNS (it’s free, why not?) and use their “page rules” feature to do a 301 (permanent) redirect from domain.com/* to http://www.domain.com/$1. You can see what happens if you run `curl -I maxmasnick.com`. dnsimple.com (another DNS provider) also lets you add a “URL” record, which also is a 301 redirect. One should be careful with 301 redirects because they are cached locally and thus quite permanent (see: http://www.jacquesmattheij.com/301+redirects+-+a+dangerous+one+way+street). But in this case I think this is what you want.
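To make the point in comment 1 concrete, here is an added example (not code from the post or from any commenter) that checks a zone's record set for the apex-CNAME conflict: RFC 1034 §3.6.2 and RFC 2181 §10.1 forbid any other record at a name that holds a CNAME, and the apex always holds SOA and NS, so a root-domain CNAME can never be valid. The zone data below is constructed with example.com and a documentation-range IP, not the real diegobasch.com records.

```python
"""Detect the apex-CNAME misconfiguration that makes strict resolvers SERVFAIL.

Rule: if a CNAME RR exists at a name, no other RR may exist there. The apex must
carry SOA and NS, so a CNAME at the apex always conflicts. Lenient resolvers
tolerate it, strict ones refuse, which produces "works for me" reports.
"""
from collections import defaultdict

# Constructed sample zone resembling the post's broken setup (placeholder values,
# not the real diegobasch.com records).
BROKEN_ZONE = [
    ("example.com.",     "SOA",   "ns1.dns-host.invalid. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.",     "NS",    "ns1.dns-host.invalid."),
    ("example.com.",     "NS",    "ns2.dns-host.invalid."),
    ("example.com.",     "CNAME", "blog-host.invalid."),   # the root-domain CNAME
    ("www.example.com.", "CNAME", "blog-host.invalid."),
]

# The author's workaround from the edit note: A record at the apex, CNAME on www only.
FIXED_ZONE = [
    ("example.com.",     "SOA",   "ns1.dns-host.invalid. hostmaster.example.com. 2 3600 900 604800 300"),
    ("example.com.",     "NS",    "ns1.dns-host.invalid."),
    ("example.com.",     "NS",    "ns2.dns-host.invalid."),
    ("example.com.",     "A",     "192.0.2.10"),           # placeholder from 192.0.2.0/24
    ("www.example.com.", "CNAME", "blog-host.invalid."),
]

def find_cname_conflicts(zone):
    """Return {owner_name: sorted other RR types} for every name that carries a
    CNAME alongside other records. An empty dict means the zone passes."""
    types_by_name = defaultdict(set)
    for name, rtype, _rdata in zone:
        types_by_name[name.lower()].add(rtype.upper())
    return {
        name: sorted(types - {"CNAME"})
        for name, types in types_by_name.items()
        if "CNAME" in types and len(types) > 1
    }

def apex_has_cname(zone, apex):
    """True if the apex itself carries a CNAME, which is always a conflict."""
    apex = apex.lower()
    return any(n.lower() == apex and t.upper() == "CNAME" for n, t, _ in zone)

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, find_cname_conflicts(zone), apex_has_cname(zone, "example.com."))
```

Running it reports the apex conflict (CNAME next to NS and SOA) for the broken zone and nothing for the fixed one; the www CNAME is fine in both because that name holds no other records.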

