Oauth.xfinity.com

Hi,

I’m unable to access oauth.xfinity.com. dig returns different results depending on the server (75.75.75.75 is Comcast, which is my ISP). I tried 1.1.1.1/purge-cache/ but that didn’t help.

Thoughts? Thanks.

Tim

$ dig @75.75.75.75 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @75.75.75.75 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13933
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;oauth.xfinity.com.             IN      A

;; ANSWER SECTION:
oauth.xfinity.com.      3538    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    3       IN      A       96.114.156.145

;; Query time: 9 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue Jan 08 08:08:07 MST 2019
;; MSG SIZE  rcvd: 84

$ dig @1.1.1.1 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @1.1.1.1 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19061
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;oauth.xfinity.com.             IN      A

;; ANSWER SECTION:
oauth.xfinity.com.      6346    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    9       IN      A       68.87.29.197

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jan 08 08:16:47 MST 2019
;; MSG SIZE  rcvd: 84

The three authoritative nameservers for g.xfinity.com return 68.87.29.197 for oauth.g.xfinity.com, so it seems your ISP’s nameserver returns an incorrect value.


Any idea why Google can return the correct value?

$ dig @8.8.8.8 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10045
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;oauth.xfinity.com.             IN      A

;; ANSWER SECTION:
oauth.xfinity.com.      309     IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    29      IN      A       96.114.156.145

;; Query time: 44 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 10 15:07:31 MST 2019
;; MSG SIZE  rcvd: 84

That’s still not the correct value, at least if we may believe the domain’s authoritative nameservers :wink:

I agree that Comcast, to no one’s surprise, can’t manage DNS servers. I’m just wondering why Google resolves oauth.g.xfinity.com to 96.114.156.145 just like 75.75.75.75 yet the “authoritative” servers don’t? I’m way out of my league on this.

Either there is something cached, but assuming that has been going on for several days I’d be tempted to rule out caching. Another possibility could be that one of the intermediate nameservers feels the urge to “adopt” that entry.

I just ran the query against 8.8.8.8 however and did get the 68 address. Could you try again?

Yikes, Google (8.8.8.8) is now returning the “correct” value. Any ideas on how to encourage Comcast to fix this?

$ dig @8.8.8.8 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11988
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;oauth.xfinity.com.             IN      A

;; ANSWER SECTION:
oauth.xfinity.com.      6008    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    7       IN      A       68.87.29.197

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 10 15:32:21 MST 2019
;; MSG SIZE  rcvd: 84

$ dig @75.75.75.75 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @75.75.75.75 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60514
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;oauth.xfinity.com.             IN      A

;; ANSWER SECTION:
oauth.xfinity.com.      3244    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    16      IN      A       96.114.156.145

;; Query time: 12 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Thu Jan 10 15:32:43 MST 2019
;; MSG SIZE  rcvd: 84

Convince an ISP to do something? Better buy a lottery ticket :slight_smile:

Not to abuse this thread…but why does 1.1.1.1 provide different answers? In the first case I’m using a VPN that I believe terminates in Australia and in the second case my normal Comcast residential connection.

$ dig @1.1.1.1 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @1.1.1.1 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44611
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;oauth.xfinity.com.		IN	A

;; ANSWER SECTION:
oauth.xfinity.com.	7050	IN	CNAME	oauth.g.xfinity.com.
oauth.g.xfinity.com.	14	IN	A	96.114.156.145

;; Query time: 30 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 10 16:15:39 MST 2019
;; MSG SIZE  rcvd: 84


$ dig @1.1.1.1 oauth.xfinity.com

; <<>> DiG 9.10.3-P4-Debian <<>> @1.1.1.1 oauth.xfinity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8327
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;oauth.xfinity.com.             IN      A

;; ANSWER SECTION:
oauth.xfinity.com.      858     IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    30      IN      A       68.87.29.197

;; Query time: 31 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 10 16:15:26 MST 2019
;; MSG SIZE  rcvd: 84

To be fair, Google pulled the same off earlier. But I agree, that shouldn’t happen, though I somewhat suspect neither Cloudflare nor Google is at fault here but something upstream returns “random” values.

Still not sure where it would get the 96 address from though :man_shrugging:

@mnordhoff

Given the CNAME to oauth.g.xfinity.com (where the g causes a delegation to different name servers that might do geo-location on client IP addresses (or in the case of Google and OpenDNS, EDNS client subnet)), and the fact that Xfinity is a Comcast service, it would not surprise me if the Oauth service for clients with IP addresses on Comcast networks is provided separately from off-network clients.

In that case, it would be quite possible that you might get IP addresses for better-provisioned Oauth servers from Comcast’s own resolvers, from Google and OpenDNS, which send EDNS client subnet, or from an iterative, rather than forwarding, resolver running on your own computers on a Comcast network. Non-ECS providing public DNS like Cloudflare, Quad9, and others, might return IP addresses that are under-provisioned. Alternately, the different Oauth servers might only work with clients having Comcast-internal or external IP addresses, and getting the IP address from the wrong set from your DNS could break things.

I think only Comcast knows for sure how this all works, and although you all are saying they don’t know how to manage DNS, I think the problem may be that they are being too clever by half. You might want to open an issue with them, though, as it is likely only they could provide an authoritative answer as to why it doesn’t work (no point hoping for a solution to the problem, though).
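One way to triage transcripts like the ones in this thread, as an added example that is not part of any poster's reply: parse the answer and SERVER lines from saved dig output, group resolvers by the address they returned, and flag any resolver whose answer changed between runs. Short A-record TTLs in a delegated zone, together with answers that vary by resolver, fit the geo-location/EDNS client subnet explanation above better than a stale cache; the function names and the 60-second TTL threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Answer and SERVER lines trimmed from four of the dig transcripts in this thread.
SAMPLE = """\
oauth.xfinity.com.      3538    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    3       IN      A       96.114.156.145
;; SERVER: 75.75.75.75#53(75.75.75.75)
oauth.xfinity.com.      6346    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    9       IN      A       68.87.29.197
;; SERVER: 1.1.1.1#53(1.1.1.1)
oauth.xfinity.com.      309     IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    29      IN      A       96.114.156.145
;; SERVER: 8.8.8.8#53(8.8.8.8)
oauth.xfinity.com.      6008    IN      CNAME   oauth.g.xfinity.com.
oauth.g.xfinity.com.    7       IN      A       68.87.29.197
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")
SERVER = re.compile(r"^;; SERVER: (\S+?)#")

def parse_dig(text):
    """Return one dict per dig response: resolver, final A records, lowest A TTL."""
    out, pending = [], []
    for line in text.splitlines():
        m, s = RR.match(line.strip()), SERVER.match(line.strip())
        if m:
            pending.append((m.group(3), int(m.group(2)), m.group(4)))
        elif s and pending:  # the SERVER line closes the response it belongs to
            a = [(val, ttl) for typ, ttl, val in pending if typ == "A"]
            out.append({"resolver": s.group(1),
                        "addrs": tuple(sorted(ip for ip, _ in a)),
                        "min_ttl": min((ttl for _, ttl in a), default=None)})
            pending = []
    return out

def summarize(responses, short_ttl=60):  # 60 s threshold is an assumption
    """Group resolvers by answer; list resolvers that returned more than one answer."""
    by_addr, seen = defaultdict(set), defaultdict(set)
    for r in responses:
        by_addr[r["addrs"]].add(r["resolver"])
        seen[r["resolver"]].add(r["addrs"])
    return {
        "divergent": len(by_addr) > 1,
        "by_addr": {k: sorted(v) for k, v in by_addr.items()},
        "flapping": sorted(res for res, s in seen.items() if len(s) > 1),
        "short_ttl": all(r["min_ttl"] is not None and r["min_ttl"] <= short_ttl
                         for r in responses),
    }
```

Run `summarize(parse_dig(...))` over transcripts collected from each network path you care about (ISP resolver, public resolvers, VPN) before concluding that any single resolver is returning a wrong record.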