Welcome to Comcast DNS

We have noticed that certain Netgear routers with older firmware are performing DNS queries for the names of Netgear NTP servers at a rapid rate, which we initially thought was a DDOS attack on our DNS recursive resolvers.  This seems to occur when a cable modem is reset. The router firmware bug can cause a single router to query at rates of thousands per second (millions per day) and impact that customer’s experience by flooding their connection until the router is reset. The DNS records being queried are: time-a.netgear.com, time-b.netgear.com, time-c.netgear.com

Netgear has confirmed the firmware bug and recommends the end users update their device’s firmware to the latest build for the impacted devices. The following links provide specific instructions on upgrading:

WNDR4500: http://support.netgear.com/product/wndr4500
WNR3500Lv2: http://support.netgear.com/product/wnr3500lv2

If anyone needs help upgrading or has additional questions, they can contact Netgear directly at (888)NETGEAR. They are aware of the issue and ready to assist customers.

The domain bncr.fi.cr is currently failing DNSSEC validation. This is because several RRSIG records in the domain are invalid, including www.bncr.fi.cr. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/www.bncr.fi.cr/UX_OqQ/dnssec/.

The domain vsp.virginia.gov is currently failing DNSSEC validation. This is because DNSKEYs are expired. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/vsp.virginia.gov/UWb1Yg/dnssec/.

The domain energystar.gov is currently failing DNSSEC validation. This is because the domain has a published DS record that does not match any DNSKEY record. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/energystar.gov/UWbUKg/dnssec/.

The domain bncr.fi.cr is currently failing DNSSEC validation. This is because the RRSIG and DNSKEY do not validate records in the domain. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/bncr.fi.cr/UWbGQA/dnssec/.

Check out this video interview on Negative Trust Anchors "NTAs" for domains failing DNSSEC validation: http://www.youtube.com/watch?v=AattVxfFmNo

The domain sangitacpatelmd.com is currently failing DNSSEC validation. This is because the domain has published DS records, but no DNSKEY or RRSIG records. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/sangitacpatelmd.com/UUrU2Q/dnssec/.

The domain teamtony.org is currently failing DNSSEC validation. This is because the domain has published DS records, but no DNSKEY or RRSIG records. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/teamtony.org/UUoL3A/dnssec/.

The domain eeoc.gov has been failing DNSSEC validation. This was because the RRSIGs covering the domain records had expired. The domain owners corrected the issue and informed us. We have flushed our cache for these records to speed resolution. The DNSViz report at the time of this failure can be found at http://dnsviz.net/d/eeoc.gov/UUidFg/dnssec/.

The domain coffeecupmonument.com is currently failing DNSSEC validation. This is because there are published DS records, but no corresponding DNSKEY records. The domain owners have been contacted and made aware of the issue. The DNSViz report of this failure can be found at http://dnsviz.net/d/coffeecupmonument.com/UT3dOQ/dnssec/.