Skip to content
GaelMartinez's profile

Contributor

 • 

21 Messages

Tue, Dec 24, 2019 10:00 PM

transparent dns proxying started after a modem swap ...

Today my gateway was replaced with a 

 
Model:CGA4131COM
Vendor:Technicolor
Hardware Revision:2.1
 
running the following firmware...
 
eMTA & DOCSIS Software Version:CM DOCSIS Application - Prod_17.20_d31 & MTA Application - Prod_17.2
Software Image Name:CGA4131COM_3.1p24s1_PROD_sey
Advanced Services:CGA4131COM
Packet Cable:2.0
 
I have static ips and run a dns server slave and mail server, the dns zones stopped downloading right after the swap... looking at the errors, the SOA of my zones were incorrect...
When trying the following tests, I was surprised to see that any random ip could be used as a dns server and was responding to dns queries implying that some kind of transparent dns proxy was occuring... 
 
root@infra:/etc/bind# nslookup www.comcast.com 1.2.3.4
Server:         1.2.3.4
Address:        1.2.3.4#53

Non-authoritative answer:
www.comcast.com canonical name = www.comcast.com.edgekey.net.
www.comcast.com.edgekey.net     canonical name = e523.dscb.akamaiedge.net.
Name:   e523.dscb.akamaiedge.net
Address: 23.45.1.143

root@infra:/etc/bind# nslookup www.comcast.com 4.5.6.7
Server:         4.5.6.7
Address:        4.5.6.7#53

Non-authoritative answer:
www.comcast.com canonical name = www.comcast.com.edgekey.net.
www.comcast.com.edgekey.net     canonical name = e523.dscb.akamaiedge.net.
Name:   e523.dscb.akamaiedge.net
Address: 23.45.1.143

root@infra:/etc/bind# nslookup www.comcast.com 9.8.7.6
Server:         9.8.7.6
Address:        9.8.7.6#53

Non-authoritative answer:
www.comcast.com canonical name = www.comcast.com.edgekey.net.
www.comcast.com.edgekey.net     canonical name = e523.dscb.akamaiedge.net.
Name:   e523.dscb.akamaiedge.net
Address: 23.45.1.143
As it was not happening before, I'm assuming that it is a weird behavior from the gateway... it is configured in pass thru, firewall is disabled, wan dhcp is disabled, all rules are off... Is that a bug ? Am I missing some obvious button to disable that dreadful transparent proxying ?
 
 
 
 

Responses

Visitor

 • 

2 Messages

10 months ago

When I requested a speed upgrade to our Comcast Business account, I begged them not to include SecurityEdge, but they couldn't split it off. Several days ago the speed upgrage went beautifully, but at 3 am this morning Comcast apparently downloaded new modem firmware (I still can't login) and flipped on SecurityEdge. Our local DNS was rendered next to useless until I figured out what was going on and temporarily switched it to forwarding mode. Which by the way exposed a terrible performance latency that SecurityEdge causes in its less-than-transparently proxying (more like a man-in-the-middle DoS attack).

 

The Comcast CSRs were nice, and I eventually ran into one who agreed with me that SecurityEdge had to go. They escalated it up a tier and within a few hours it was disabled for the account. One I restored the original DNS config, everything worked perfectly. Comcast - please at least make SecurityEdge optional, or better yet, throw it back into the sewage.

Official Employee

 • 

508 Messages

10 months ago

Thank you so much for taking the time to reach out to us through our business forums regarding the security edge services. I very much appreciate your patience and greatly apologize for the delay in our response. I know how important the services are to your business and we want to do all that we can to assist.I would love to assist getting the security Edge services disabled for you. Can you please reach out through private message with your first and last name, full business service address and account number or phone number? 

Contributor

 • 

21 Messages

10 months ago

Hello Michelle, was your reponse for me ? I would still love to have that Edge service disabled as it is still blocking me from handling my secondary dns and blocks me from monitoring my other dns servers on the internet ... was told that I would have to pay more to get my service back and working as it was before due to the contract promotion... 

Official Employee

 • 

508 Messages

10 months ago

Yes, that response was for you. I would love to dig further into your promotion and see what options we have to get that service removed for you. Can you please provide the requested account information through private message and we can get to the bottom of this for you. 

Contributor

 • 

21 Messages

10 months ago

Hello Michelle,

 

Getting the following message when trying to send you an email

 

Screen Shot 2020-04-22 at 8.14.16 PM.png

 

I did send you all my info on 4/15 regarding my issue with disneyplus/bamgrid and unreliable location.. I will try again to send you a private message tomorrow if the system let me... 

Official Employee

 • 

508 Messages

10 months ago

Thanks for reaching out again. I am sorry to hear that you are having an issue sending me a private message. I am going to send you one directly and you should be able to respond to that as well without issue. 

Occasional Visitor

 • 

5 Messages

10 months ago

Hi, Gael.

 

Baed upon the symptoms that you are describing, I suspect that I have become a victim of the same problem.

 

I upgraded my business service yesterday morning and since doing so all of my local DNS servers have been rendered useless.  I am unable to resolve any external addresses for which my servers are not authoritative and see about a dozen FORMERR messages logged every 12 seconds or so in syslog.

 

Assuming that this is the same issue that you're experiencing, has there been any resolution yet?

 

Chris  

Official Employee

 • 

508 Messages

10 months ago

Thanks so much for taking the time to reach out to us regarding your internet connection issues. I very much appreciate your patience and greatly apologize for the delay in our response. I know how important the services are to your business and we want to do all that we can to assist. I would love to get to the bottom of the DNS proxy issues. Can you please reach out through private message with your first and last name, business service address and account number or phone number? 

Contributor

 • 

21 Messages

10 months ago


@n0uk wrote:

Hi, Gael.

 

Baed upon the symptoms that you are describing, I suspect that I have become a victim of the same problem.

 

I upgraded my business service yesterday morning and since doing so all of my local DNS servers have been rendered useless.  I am unable to resolve any external addresses for which my servers are not authoritative and see about a dozen FORMERR messages logged every 12 seconds or so in syslog.

 

Assuming that this is the same issue that you're experiencing, has there been any resolution yet?

 

Chris  


No Chris, as usual the case looped and went nowhere... I was sent back to a team to disable the 

Security Edge, then that team prefered to send me back to the loyalty line that I tried already without success in the past as the Security Edge feature is part of the "promotion bundle I have" (note here: never i was told that this thing even when turned off was still breaking DNS)... the fix I was provided at the time was dropping the promotion and paying more ... to get the service back as before... 

 

Official Employee

 • 

133 Messages

10 months ago

Hi there! Thanks so much for reaching out. You've absolutely reached the right place, and are in good hands. I will own this Issue for you and ensure that I provide the best help I can today. If I can look into this for you further, I'd like to see if I can troubleshoot this for you. Can you please send me a private note with the last four of the account number and/or last statement balance, your full name, phone number, and service address including city, state, and zip code? 

Official Employee

 • 

255 Messages

10 months ago

I appreciate your detailed reply. I apologize you are having trouble with your DNS servers. Let me take a closer look at your service in greater detail. Do you currently have any online access? 

Contributor

 • 

21 Messages

10 months ago

 


@Comcast_Robert wrote:

Hi there! Thanks so much for reaching out. You've absolutely reached the right place, and are in good hands. I will own this Issue for you and ensure that I provide the best help I can today. If I can look into this for you further, I'd like to see if I can troubleshoot this for you. Can you please send me a private note with the last four of the account number and/or last statement balance, your full name, phone number, and service address including city, state, and zip code? 


 

Hello Robert, I do not know if you were answering to Chris or myself...

 

In case, my info is 

 

GM-HOSTING LLC
(account-specific information removed for the security of the account)
(account information removed)
(account information removed)
(account information removed)
 

Contributor

 • 

21 Messages

9 months ago

Hey Chris, 

 

did you ever get a fix from comcast for that issue ? I did figure out a work around that I can share with you in private to go around that awful $@#$@#$ of transparent proxying on port 53 outbound...  

Occasional Visitor

 • 

8 Messages

8 months ago

Gael, can you share that solution here?  I've just his the same darn issue and have yet to call and try and get it fixed, but it's crippling our ability to do anything.  I hate it, and want SecurityEdge gone - it is not something I wanted, just something they threw at me.  I'm also renting hardware which can't work with my IP ranges and is useless to me.  I am not impressed with this "upgrade".

 

Official Employee

 • 

255 Messages

8 months ago

Hello, thanks for sharing your message and this experience. I am sorry you have had service trouble while having Security Edge. The last thing we want is for this service to cause this type of frustration. Are you able to send a private message so I can locate your account? I should be able to work with our business contacts to disable the feature and I will review all possibilities with you.