Rick, Michael, Fine with balug-admin, though I confess when I'm just on my phone I can't as easily send from the right email address, which is why you saw me keep deleting the email list from my To: list.
I confess as well I have been away a few days and not following things as closely as I should but this morning I have tested both of your systems to see if port 53 is blocked and I cannot find that port 53 is blocked at all. I tested by doing simple dig commands @your-nameservers. I assume that's sufficient.
A quick note on SecurityEdgeTM. I did not, on my site, go to the settings for SecurityEdgeTM - instead I stayed on the main business.comcast.com page and disabled the entire product. I suspect that is more effective, but I admit I'm not reading your posts as thoroughly as I should. Specifically, I go to page "https://business.comcast.com/connectivity/internetdashboard/?index" (when logged in) and in the lower left, there's a gear symbol next to the status of SecurityEdge, and clicking on that gives me a pop-up side panel where I can disable the entire product. The product seems at least partly geared to protecting the world from me, not me from the world, and blocks me doing things. Sad, lame, poorly though out product IMHO.
I also did try this command: dig -p 5353 @96.86.170.229 balug.org and had no trouble at all with it.
Specifically all these commands gave exactly the full normal output one would expect and were extremely fast: 1087 2024/06/04 06:54:07 dig a linuxmafia.com 1088 2024/06/04 06:54:17 dig a balug.org 1089 2024/06/04 06:55:54 dig @linuxmafia.com. a linuxmafia.com. 1090 2024/06/04 06:56:43 host ns0.sunnyside.com. 1091 2024/06/04 06:57:26 dig a balug.org 1092 2024/06/04 06:57:30 dig ns balug.org 1093 2024/06/04 06:58:53 dig ns balug.org @96.86.170.229 1094 2024/06/04 07:04:48 dig -p 5353 @96.86.170.229 balug.org
Al
al@post:/z/dns$ dig a linuxmafia.com
; <<>> DiG 9.16.6 <<>> a linuxmafia.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40024 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1472 ; COOKIE: f11d131e6875657301000000665f1c7f041c0db84eb094fe (good) ;; QUESTION SECTION: ;linuxmafia.com. IN A
;; ANSWER SECTION: linuxmafia.com. 36679 IN A 96.95.217.99
;; Query time: 0 msec ;; SERVER: 192.147.248.10#53(192.147.248.10) ;; WHEN: Tue Jun 04 06:54:07 PDT 2024 ;; MSG SIZE rcvd: 87
al@post:/z/dns$ dig a balug.org
; <<>> DiG 9.16.6 <<>> a balug.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11417 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1472 ; COOKIE: b482118c217e285d01000000665f1c898bbff5b5edb3d896 (good) ;; QUESTION SECTION: ;balug.org. IN A
;; ANSWER SECTION: balug.org. 9722 IN A 96.86.170.229
;; Query time: 0 msec ;; SERVER: 192.147.248.10#53(192.147.248.10) ;; WHEN: Tue Jun 04 06:54:17 PDT 2024 ;; MSG SIZE rcvd: 82
al@post:/z/dns$ dig @linuxmafia.com. a linuxmafia.com.
; <<>> DiG 9.16.6 <<>> @linuxmafia.com. a linuxmafia.com. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43273 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 3 ;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;linuxmafia.com. IN A
;; ANSWER SECTION: linuxmafia.com. 86400 IN A 96.95.217.99
;; AUTHORITY SECTION: linuxmafia.com. 86400 IN NS ns0.sunnyside.com. linuxmafia.com. 86400 IN NS ns3.linuxmafia.com. linuxmafia.com. 86400 IN NS ns.tx.primate.net. linuxmafia.com. 86400 IN NS ns1.linuxmafia.com. linuxmafia.com. 86400 IN NS ns.primate.net.
;; ADDITIONAL SECTION: ns1.linuxmafia.com. 86400 IN A 96.95.217.99 ns3.linuxmafia.com. 86400 IN A 107.204.234.170
;; Query time: 23 msec ;; SERVER: 96.95.217.99#53(96.95.217.99) ;; WHEN: Tue Jun 04 06:55:54 PDT 2024 ;; MSG SIZE rcvd: 203
al@post:/z/dns$ dig ^C al@post:/z/dns$ host ns0.sunnyside.com. ns0.sunnyside.com has address 99.43.100.202 ns0.sunnyside.com has IPv6 address 2600:1700:45a:e520:8099:43:100:ca al@post:/z/dns$ dig a balug.org
; <<>> DiG 9.16.6 <<>> a balug.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64776 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1472 ; COOKIE: e211ccbbe58795cd01000000665f1d46cd1e1ed08173e4ee (good) ;; QUESTION SECTION: ;balug.org. IN A
;; ANSWER SECTION: balug.org. 9533 IN A 96.86.170.229
;; Query time: 0 msec ;; SERVER: 192.147.248.10#53(192.147.248.10) ;; WHEN: Tue Jun 04 06:57:26 PDT 2024 ;; MSG SIZE rcvd: 82
al@post:/z/dns$ dig ns balug.org
; <<>> DiG 9.16.6 <<>> ns balug.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35169 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1472 ; COOKIE: 1c7d712b366d870601000000665f1d4a2859210ac56d69f9 (good) ;; QUESTION SECTION: ;balug.org. IN NS
;; ANSWER SECTION: balug.org. 245 IN NS nsx.sunnyside.com. balug.org. 245 IN NS nsy.sunnysidex.com. balug.org. 245 IN NS ns0.balug.org. balug.org. 245 IN NS ns1.linuxmafia.com.
;; ADDITIONAL SECTION: ns1.linuxmafia.com. 41793 IN A 96.95.217.99 nsx.sunnyside.com. 39875 IN A 50.242.105.52 nsy.sunnysidex.com. 39875 IN A 50.18.139.240 ns0.balug.org. 245 IN A 96.86.170.229 nsx.sunnyside.com. 39875 IN AAAA 2603:3024:180d:f100:50:242:105:34 nsy.sunnysidex.com. 39875 IN AAAA 2600:1f1c:528:c500:5e0b:8a37:6598:356c ns0.balug.org. 246 IN AAAA 2001:470:1f05:19e::2
;; Query time: 0 msec ;; SERVER: 192.147.248.10#53(192.147.248.10) ;; WHEN: Tue Jun 04 06:57:30 PDT 2024 ;; MSG SIZE rcvd: 327
al@post:/z/dns$ dig ns balug.org @96.86.170.229
; <<>> DiG 9.16.6 <<>> ns balug.org @96.86.170.229 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18557 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 8e52861009e139f9e08c9083665f1d9dd0fd488facdb9e1b (good) ;; QUESTION SECTION: ;balug.org. IN NS
;; ANSWER SECTION: balug.org. 3600 IN NS nsx.sunnyside.com. balug.org. 3600 IN NS ns0.balug.org. balug.org. 3600 IN NS nsy.sunnysidex.com. balug.org. 3600 IN NS ns1.linuxmafia.com.
;; ADDITIONAL SECTION: ns0.balug.org. 3600 IN A 96.86.170.229 ns0.balug.org. 3600 IN AAAA 2001:470:1f05:19e::2
;; Query time: 19 msec ;; SERVER: 96.86.170.229#53(96.86.170.229) ;; WHEN: Tue Jun 04 06:58:53 PDT 2024 ;; MSG SIZE rcvd: 217
al@post:/z/dns$ dig -p 5353 @96.86.170.229 balug.org
; <<>> DiG 9.16.6 <<>> -p 5353 @96.86.170.229 balug.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19989 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3 ;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 7721edc894b4f780e65714a2665f1f00f62318d534f67494 (good) ;; QUESTION SECTION: ;balug.org. IN A
;; ANSWER SECTION: balug.org. 86400 IN A 96.86.170.229
;; AUTHORITY SECTION: balug.org. 3600 IN NS ns1.linuxmafia.com. balug.org. 3600 IN NS nsx.sunnyside.com. balug.org. 3600 IN NS ns0.balug.org. balug.org. 3600 IN NS nsy.sunnysidex.com.
;; ADDITIONAL SECTION: ns0.balug.org. 3600 IN A 96.86.170.229 ns0.balug.org. 3600 IN AAAA 2001:470:1f05:19e::2
;; Query time: 23 msec ;; SERVER: 96.86.170.229#5353(96.86.170.229) ;; WHEN: Tue Jun 04 07:04:48 PDT 2024 ;; MSG SIZE rcvd: 233
On 6/3/2024 09:36, Rick Moen wrote:
Quoting Al Whaley (aw009@sunnyside.com):
That security edge feature is no longer optional on Comcast business accounts. However you can log into your Comcast business website portal as yourself and look at your options and very quickly turn security edge off.
Guys, I've moved this back to balug-admin, because I like the record that keeps, and we're not talking about anything that dannot be public. Is that alright?
Good idea about that accursed SecurityEdge "feature". I've now disabled that blasted thing in the Comcast Business account to the extent they permit, I think?
Initial login takes me to https://business.comcast.com/account/dashboard/accounts/689906011127102015Co... where I see Subscribed Services described as "Business Internet Essential 150 Mbps / 25 Mbps" and below that "SecurityEdgeTM", which is a link, following which goes to https://securityedge.comcast.com/#home , showing tab Dashboard, which has nothing adjustable, but move on to tab Settings, page https://securityedge.comcast.com/#settings/profiles . Here, "Web Filters" had a predefined "protection level" of "Light", but one can select "None", which I did.
Scrolling down the page, everything settable is Off, except that section Internet Security has "Malware & Phishing Protection" set to "On", which slide control is greyed out (unchangeable). Subtitle is "Keeps user from compromising the network or their personal data if they accidentally or intentionally access infected web [sic] pages or click on phishing emails." Select Save at the page bottom to implement.
Slide control "Web Filters" at the top of the page now shows Off.
The other tabs, "Block & Allow Lists", "Block Page Construction", "Domain Lookup", and "Scheduled Reports" don't appear to have anything useful for my purposes.
Orange banner at the very top of the page now says: "Web Filter Protection is now off. To safeguarg your network, Malware, Phishing, and Botnet Protection remains on. Learn More [link]."
Following link goes to https://securityedge.comcast.com/#help/turning-web-filters-on-and-off , which is a long documentation page including justifying preventing turning that part off:
Malware, phishing and botnet traffic is generated by malicious software. Protection against this traffic is critical. This is why we do not recommend disabling the Malware and Phishing setting for any user profile. The setting remains enabled even if you turn off Web Filters.
Also notable:
To turn Web Filters on or off, log in to Comcast Business SecurityEdge. On the top right of any page, click the Web Filters toggle switch: from On to Off to deactivate the Protection Level, Block & Allow Lists and Off-Hours Internet Schedule, or from Off to On to activate them. The ^^^ change is applied immediately. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Noting that final sentence, I now attempt another smoke test, to see if the problem is gone:
$ dig -p 5353 @96.86.170.229 balug.org ;; connection timed out; no servers could be reached $
Nope.
Noting Al's wording "look at your options and very quickly turn security edge off", I try to see if there's another entry point into the account to do so. What about "My Account" over on the far side of the navbar for https://business.comcast.com/account/account-details/689906011127102015Comca... ?
I see: SUBSCRIBED SERVICES: Business Internet - SecurityEdge
Clicking "Business Internt" takes me to https://business.comcast.com/connectivity/internetdashboard/ , Where Item SECURITYEDGEtm Cybersecurity is shown as "Disabled".
At some point, I tried toggling the "Web Filters" toggle from the Off to the On position, and then back to Off. This resulted in my losing connectivity to my server for a few minutes, getting Network Unreachable on my ssh reconnection. I infer that the "modem" device was resetting.
I continute to get... $ dig -p 5353 @96.86.170.229 balug.org ;; connection timed out; no servers could be reached $
Al, Michael, am I missing a trick, here?