I am looking for a senior contact at Comcast. I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled. Sadly, the proxy is stupid and a) ignores the intended destination address, and b) drops things it doesn’t know about, including any AXFR / IXFR and other more esoteric traffic, normal for DNS server installations, but not used by the public. The DNS servers are not able to do work, e.g. act as secondaries. I know others in the same configuration with servers that have been lucky and not had this ‘feature’ activated, but I have found several references on forums where people have been caught by this and unsuccessful in reaching anyone in management, so it is a known problem. Comcast doesn’t allow customer supplied DOCSIS modems with multiple fixed IPs. Other avenues exhausted as well. I’m hoping someone at Comcast can disable this. Attempts to go through customer service… well we all know where that ends up. Escalations just don’t go to anyone technical or interested. regards Al Whaley Sunnyside Computing, Inc.
We get around the brain-damage by having our router grab all DNS requests and convert them to DoT or DoH using dnsdist. That probably won't work if you're hosting a DNS server on your cable connection though. Call the normal support number and have them disable the "Security Edge" service. The "best" they can apparently offer is that it'll stay disabled until your modem gets a firmware upgrade or is factory reset. Then you'll have to call back in and disable it again. Just be prepared that they're going to tell you it'll cost more for providing less service. Security Edge is horrible? Disabling it costs more. Don't need a phone number so Comcast can pad their numbers to the FCC? It'll cost you more. Same with not needing cable TV for your business. It costs you more because Comcast can't use you as a bargaining chip when negotiating with other media companies. -A On Sun Sep 24, 2023, 05:05 AM GMT, Al Whaley <mailto:awnanog@sunnyside.com> wrote:
I am looking for a senior contact at Comcast.
I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled. Sadly, the proxy is stupid and a) ignores the intended destination address, and b) drops things it doesn’t know about, including any AXFR / IXFR and other more esoteric traffic, normal for DNS server installations, but not used by the public. The DNS servers are not able to do work, e.g. act as secondaries.
I know others in the same configuration with servers that have been lucky and not had this ‘feature’ activated, but I have found several references on forums where people have been caught by this and unsuccessful in reaching anyone in management, so it is a known problem.
Comcast doesn’t allow customer supplied DOCSIS modems with multiple fixed IPs. Other avenues exhausted as well.
I’m hoping someone at Comcast can disable this. Attempts to go through customer service… well we all know where that ends up. Escalations just don’t go to anyone technical or interested.
regards Al Whaley Sunnyside Computing, Inc.
I've been down this road many times before. You need to find your local account manager/sales rep and ask them to remove the coding from the account. This may result in losing the bundle price, so pair it with a different service like Comcast Connection Pro or something like that. Should keep it from coming back vs calling support over and over. If you don't have a local account manager ping me off list and I can try getting you in touch with someone I know. Good luck. - Patch On Sun, Sep 24, 2023, 9:37 AM Aaron de Bruyn via NANOG <nanog@nanog.org> wrote:
We get around the brain-damage by having our router grab all DNS requests and convert them to DoT or DoH using dnsdist. That probably won't work if you're hosting a DNS server on your cable connection though.
Call the normal support number and have them disable the "Security Edge" service. The "best" they can apparently offer is that it'll stay disabled until your modem gets a firmware upgrade or is factory reset. Then you'll have to call back in and disable it again.
Just be prepared that they're going to tell you it'll cost more for providing less service. Security Edge is horrible? Disabling it costs more. Don't need a phone number so Comcast can pad their numbers to the FCC? It'll cost you more. Same with not needing cable TV for your business. It costs you more because Comcast can't use you as a bargaining chip when negotiating with other media companies.
-A
On Sun Sep 24, 2023, 05:05 AM GMT, Al Whaley <awnanog@sunnyside.com> wrote:
I am looking for a senior contact at Comcast.
I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled. Sadly, the proxy is stupid and a) ignores the intended destination address, and b) drops things it doesn’t know about, including any AXFR / IXFR and other more esoteric traffic, normal for DNS server installations, but not used by the public. The DNS servers are not able to do work, e.g. act as secondaries.
I know others in the same configuration with servers that have been lucky and not had this ‘feature’ activated, but I have found several references on forums where people have been caught by this and unsuccessful in reaching anyone in management, so it is a known problem.
Comcast doesn’t allow customer supplied DOCSIS modems with multiple fixed IPs. Other avenues exhausted as well.
I’m hoping someone at Comcast can disable this. Attempts to go through customer service… well we all know where that ends up. Escalations just don’t go to anyone technical or interested.
regards Al Whaley Sunnyside Computing, Inc.
I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled.
Sounds like the person you helped turned on Security Edge. They can turn it off too at https://business.comcast.com/support/article/internet/securityedge-manage-se.... Jason
It's a fraud tactic as far as I'm concerned, they markup internet only into the hundreds of dollars a month, but if you bundle with security edge it's very affordable, except after 12-36 months now it is even more expensive than if you had just let them screw you initially. On Mon, Sep 25, 2023, 6:16 AM Livingood, Jason via NANOG <nanog@nanog.org> wrote:
*> *I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled.
Sounds like the person you helped turned on Security Edge. They can turn it off too at https://business.comcast.com/support/article/internet/securityedge-manage-se....
Jason
participants (5)
-
Aaron de Bruyn
-
Al Whaley
-
Evan Moyer
-
Livingood, Jason
-
TJ Trout