We get around the brain-damage by having our router grab all DNS requests and convert them to DoT or DoH using dnsdist. That probably won't work if you're hosting a DNS server on your cable connection though.

Call the normal support number and have them disable the "Security Edge" service. The "best" they can apparently offer is that it'll stay disabled until your modem gets a firmware upgrade or is factory reset. Then you'll have to call back in and disable it again.

Just be prepared that they're going to tell you it'll cost more for providing less service. Security Edge is horrible? Disabling it costs more. Don't need a phone number so Comcast can pad their numbers to the FCC? It'll cost you more. Same with not needing cable TV for your business. It costs you more because Comcast can't use you as a bargaining chip when negotiating with other media companies.

-A

On Sun Sep 24, 2023, 05:05 AM GMT, Al Whaley wrote:
I am looking for a senior contact at Comcast. 

I have been trying to assist someone with a business connection that runs a server farm.  Recently the business cable modem started to short-stop port 53 for UDP and TCP.  Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled.  Sadly, the proxy is stupid and a) ignores the intended destination address, and b) drops things it doesn’t know about, including any AXFR / IXFR and other more esoteric traffic, normal for DNS server installations, but not used by the public.  The DNS servers are not able to do work, e.g. act as secondaries.

I know others in the same configuration with servers that have been lucky and not had this ‘feature’ activated, but I have found several references on forums where people have been caught by this and unsuccessful in reaching anyone in management, so it is a known problem.

Comcast doesn’t allow customer supplied DOCSIS modems with multiple fixed IPs.  Other avenues exhausted as well.

I’m hoping someone at Comcast can disable this.  Attempts to go through customer service… well we all know where that ends up.  Escalations just don’t go to anyone technical or interested.

regards
Al Whaley
Sunnyside Computing, Inc.