Mailing List Archive

Comcast contact sought
I am looking for a senior contact at Comcast.

I have been trying to assist someone with a business connection that
runs a server farm.  Recently the business cable modem started to
short-stop port 53 for UDP and TCP.  Apparently, a transparent DNS proxy
somehow got activated and all outbound traffic to any IPv4 or IPv6
address is intercepted and handled by the modem – or not handled. 
Sadly, the proxy is stupid and a) ignores the intended destination
address, and b) drops things it doesn’t know about, including any AXFR /
IXFR and other more esoteric traffic, normal for DNS server
installations, but not used by the public.  The DNS servers are not able
to do work, e.g. act as secondaries.

I know others in the same configuration with servers that have been
lucky and not had this ‘feature’ activated, but I have found several
references on forums where people have been caught by this and
unsuccessful in reaching anyone in management, so it is a known problem.

Comcast doesn’t allow customer supplied DOCSIS modems with multiple
fixed IPs.  Other avenues exhausted as well.

I’m hoping someone at Comcast can disable this.  Attempts to go through
customer service… well we all know where that ends up. Escalations just
don’t go to anyone technical or interested.

regards
Al Whaley
Sunnyside Computing, Inc.
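A check for the failure mode Al describes, added here as an example (not code from the thread, from Sunnyside Computing or from Comcast): a small probe that tells you whether port 53 is being intercepted regardless of destination, and whether AXFR over TCP is dropped rather than answered. It assumes that 192.0.2.1 (TEST-NET-1, RFC 5737) is never routed on the public Internet and so can never legitimately answer a DNS query; the zone name and primary address for the AXFR check are supplied on the command line and are hypothetical.

```python
"""Probe for a transparent DNS proxy on port 53 (added example, not from the thread).

Run from a host behind the suspect modem:
 1. UDP interception: query an address that can never legitimately answer
    (192.0.2.1, TEST-NET-1).  Any DNS reply means a device in the path is
    answering on behalf of every destination, i.e. the query was intercepted.
 2. TCP AXFR: send a zone transfer to the zone's real primary.  A real server
    transfers or REFUSES; a proxy that drops what it does not understand
    yields a timeout or a closed socket instead.
"""
import random
import socket
import struct
import sys

INTERCEPT_PROBE_IP = "192.0.2.1"  # assumption: TEST-NET-1, must never answer DNS
QTYPE_A, QTYPE_AXFR = 1, 252
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, then 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """Return (txid, wire) for a single-question IN query with RD set."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(wire):
    """Return the 12-byte DNS header as a dict, or None if the message is too short."""
    if len(wire) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_udp(txid, reply):
    """Verdict for the interception probe; reply is raw bytes or None on timeout."""
    if reply is None:
        return "no-answer"        # expected when nothing intercepts port 53
    hdr = parse_header(reply)
    if hdr is None or not hdr["qr"]:
        return "garbage"
    if hdr["id"] != txid:
        return "mismatched-id"    # something answered, but not our query
    return "intercepted"          # an unroutable address "answered": a proxy did


def classify_axfr(txid, reply):
    """Verdict for the AXFR probe; reply is the first TCP message or None."""
    if reply is None:
        return "dropped"          # timeout, reset, or closed without an answer
    hdr = parse_header(reply)
    if hdr is None or not hdr["qr"] or hdr["id"] != txid:
        return "garbage"
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"          # server reached; transfer not allowed for us
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "transferred"
    return "rcode-%d" % hdr["rcode"]


def udp_send(wire, ip, timeout=2.0):
    """Send one datagram to ip:53; return the reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (ip, 53))
        try:
            return s.recv(4096)
        except OSError:
            return None


def tcp_send(wire, ip, timeout=5.0):
    """Send one length-prefixed message to ip:53 over TCP; return the first reply or None."""
    try:
        with socket.create_connection((ip, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(wire)) + wire)
            prefix = s.recv(2)
            if len(prefix) < 2:
                return None       # peer closed without answering
            (n,) = struct.unpack("!H", prefix)
            buf = b""
            while len(buf) < n:
                chunk = s.recv(n - len(buf))
                if not chunk:
                    return None
                buf += chunk
            return buf
    except OSError:               # timeout, connection refused, reset
        return None


if __name__ == "__main__":
    txid, wire = build_query("example.com", QTYPE_A)
    print("port 53 interception:", classify_udp(txid, udp_send(wire, INTERCEPT_PROBE_IP)))
    if len(sys.argv) == 3:        # usage: probe.py ZONE PRIMARY_IP (hypothetical inputs)
        zone, primary = sys.argv[1], sys.argv[2]
        txid, wire = build_query(zone, QTYPE_AXFR)
        print("AXFR to %s:" % primary, classify_axfr(txid, tcp_send(wire, primary)))
```

Run the script once from the affected site and once from a link you trust; "intercepted" on the first probe and "dropped" on the AXFR probe from the cable side only is the signature of the proxy behaviour described above. A "mismatched-id" result is also evidence of interception, just by something that does not even echo the transaction ID.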
Re: Comcast contact sought [ In reply to ]
We get around the brain-damage by having our router grab all DNS requests and convert them to DoT or DoH using dnsdist. That probably won't work if you're hosting a DNS server on your cable connection though.

Call the normal support number and have them disable the "Security Edge" service. The "best" they can apparently offer is that it'll stay disabled until your modem gets a firmware upgrade or is factory reset. Then you'll have to call back in and disable it again.

Just be prepared that they're going to tell you it'll cost more for providing less service. Security Edge is horrible? Disabling it costs more. Don't need a phone number so Comcast can pad their numbers to the FCC? It'll cost you more. Same with not needing cable TV for your business. It costs you more because Comcast can't use you as a bargaining chip when negotiating with other media companies.

-A

On Sun Sep 24, 2023, 05:05 AM GMT, Al Whaley <awnanog@sunnyside.com> wrote:
> I am looking for a senior contact at Comcast.
>
> I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled. Sadly, the proxy is stupid and a) ignores the intended destination address, and b) drops things it doesn’t know about, including any AXFR / IXFR and other more esoteric traffic, normal for DNS server installations, but not used by the public. The DNS servers are not able to do work, e.g. act as secondaries.
>
> I know others in the same configuration with servers that have been lucky and not had this ‘feature’ activated, but I have found several references on forums where people have been caught by this and unsuccessful in reaching anyone in management, so it is a known problem.
>
> Comcast doesn’t allow customer supplied DOCSIS modems with multiple fixed IPs. Other avenues exhausted as well.
>
> I’m hoping someone at Comcast can disable this. Attempts to go through customer service… well we all know where that ends up. Escalations just don’t go to anyone technical or interested.
>
> regards
> Al Whaley
> Sunnyside Computing, Inc.
Re: Comcast contact sought [ In reply to ]
I've been down this road many times before. You need to find your local
account manager/sales rep and ask them to remove the coding from the
account. This may result in losing the bundle price, so pair it with a
different service like Comcast Connection Pro or something like that.
Should keep it from coming back vs calling support over and over. If you
don't have a local account manager ping me off list and I can try getting
you in touch with someone I know. Good luck.

- Patch

On Sun, Sep 24, 2023, 9:37 AM Aaron de Bruyn via NANOG <nanog@nanog.org>
wrote:

> We get around the brain-damage by having our router grab all DNS requests
> and convert them to DoT or DoH using dnsdist. That probably won't work if
> you're hosting a DNS server on your cable connection though.
>
> Call the normal support number and have them disable the "Security Edge"
> service. The "best" they can apparently offer is that it'll stay disabled
> until your modem gets a firmware upgrade or is factory reset. Then you'll
> have to call back in and disable it again.
>
> Just be prepared that they're going to tell you it'll cost more for
> providing less service. Security Edge is horrible? Disabling it costs more.
> Don't need a phone number so Comcast can pad their numbers to the FCC?
> It'll cost you more. Same with not needing cable TV for your business. It
> costs you more because Comcast can't use you as a bargaining chip when
> negotiating with other media companies.
>
> -A
>
> On Sun Sep 24, 2023, 05:05 AM GMT, Al Whaley <awnanog@sunnyside.com>
> wrote:
>
> I am looking for a senior contact at Comcast.
>
> I have been trying to assist someone with a business connection that runs
> a server farm. Recently the business cable modem started to short-stop
> port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got
> activated and all outbound traffic to any IPv4 or IPv6 address is
> intercepted and handled by the modem – or not handled. Sadly, the proxy is
> stupid and a) ignores the intended destination address, and b) drops things
> it doesn’t know about, including any AXFR / IXFR and other more esoteric
> traffic, normal for DNS server installations, but not used by the public.
> The DNS servers are not able to do work, e.g. act as secondaries.
>
> I know others in the same configuration with servers that have been lucky
> and not had this ‘feature’ activated, but I have found several references
> on forums where people have been caught by this and unsuccessful in
> reaching anyone in management, so it is a known problem.
>
> Comcast doesn’t allow customer supplied DOCSIS modems with multiple fixed
> IPs. Other avenues exhausted as well.
>
> I’m hoping someone at Comcast can disable this. Attempts to go through
> customer service… well we all know where that ends up. Escalations just
> don’t go to anyone technical or interested.
>
> regards
> Al Whaley
> Sunnyside Computing, Inc.
Re: Comcast contact sought [ In reply to ]
> I have been trying to assist someone with a business connection that runs a server farm. Recently the business cable modem started to short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy somehow got activated and all outbound traffic to any IPv4 or IPv6 address is intercepted and handled by the modem – or not handled.

Sounds like the person you helped turned on Security Edge. They can turn it off too at https://business.comcast.com/support/article/internet/securityedge-manage-settings.

Jason
Re: Comcast contact sought [ In reply to ]
It's a fraud tactic as far as I'm concerned: they mark up internet-only into
the hundreds of dollars a month, but if you bundle with Security Edge it's
very affordable, except after 12-36 months it is even more expensive
than if you had just let them screw you initially.

On Mon, Sep 25, 2023, 6:16 AM Livingood, Jason via NANOG <nanog@nanog.org>
wrote:

> > I have been trying to assist someone with a business connection that
> > runs a server farm. Recently the business cable modem started to
> > short-stop port 53 for UDP and TCP. Apparently, a transparent DNS proxy
> > somehow got activated and all outbound traffic to any IPv4 or IPv6 address
> > is intercepted and handled by the modem – or not handled.
>
> Sounds like the person you helped turned on Security Edge. They can turn
> it off too at
> https://business.comcast.com/support/article/internet/securityedge-manage-settings.
>
> Jason