[BALUG-Admin] Comcast Business apparently blocking 5353 UDP Re: linuxmafia.com "retry limit exceeded"
Al
awbalug@sunnyside.com
Tue Jun 4 14:26:43 UTC 2024
Rick, Michael,
Fine with balug-admin, though I confess when I'm just on my phone I
can't as easily send from the right email address, which is why you saw
me keep deleting the email list from my To: list.
I confess as well I have been away a few days and not following things
as closely as I should but this morning I have tested both of your
systems to see if port 53 is blocked and I cannot find that port 53 is
blocked at all. I tested by doing simple dig commands
@your-nameservers. I assume that's sufficient.
A quick note on SecurityEdgeTM. I did not, on my site, go to the
settings for SecurityEdgeTM - instead I stayed on the main
business.comcast.com page and disabled the entire product. I suspect
that is more effective, but I admit I'm not reading your posts as
thoroughly as I should.
Specifically, I go to page
"https://business.comcast.com/connectivity/internetdashboard/?index"
(when logged in) and in the lower left, there's a gear symbol next to
the status of SecurityEdge, and clicking on that gives me a pop-up side
panel where I can disable the entire product. The product seems at
least partly geared to protecting the world from me, not me from the
world, and blocks me doing things. Sad, lame, poorly though out product
IMHO.
I also did try this command:
dig -p 5353 @96.86.170.229 balug.org
and had no trouble at all with it.
Specifically all these commands gave exactly the full normal output one
would expect and were extremely fast:
1087 2024/06/04 06:54:07 dig a linuxmafia.com
1088 2024/06/04 06:54:17 dig a balug.org
1089 2024/06/04 06:55:54 dig @linuxmafia.com. a linuxmafia.com.
1090 2024/06/04 06:56:43 host ns0.sunnyside.com.
1091 2024/06/04 06:57:26 dig a balug.org
1092 2024/06/04 06:57:30 dig ns balug.org
1093 2024/06/04 06:58:53 dig ns balug.org @96.86.170.229
1094 2024/06/04 07:04:48 dig -p 5353 @96.86.170.229 balug.org
Al
al@post:/z/dns$ dig a linuxmafia.com
; <<>> DiG 9.16.6 <<>> a linuxmafia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40024
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; COOKIE: f11d131e6875657301000000665f1c7f041c0db84eb094fe (good)
;; QUESTION SECTION:
;linuxmafia.com. IN A
;; ANSWER SECTION:
linuxmafia.com. 36679 IN A 96.95.217.99
;; Query time: 0 msec
;; SERVER: 192.147.248.10#53(192.147.248.10)
;; WHEN: Tue Jun 04 06:54:07 PDT 2024
;; MSG SIZE rcvd: 87
al@post:/z/dns$ dig a balug.org
; <<>> DiG 9.16.6 <<>> a balug.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11417
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; COOKIE: b482118c217e285d01000000665f1c898bbff5b5edb3d896 (good)
;; QUESTION SECTION:
;balug.org. IN A
;; ANSWER SECTION:
balug.org. 9722 IN A 96.86.170.229
;; Query time: 0 msec
;; SERVER: 192.147.248.10#53(192.147.248.10)
;; WHEN: Tue Jun 04 06:54:17 PDT 2024
;; MSG SIZE rcvd: 82
al@post:/z/dns$ dig @linuxmafia.com. a linuxmafia.com.
; <<>> DiG 9.16.6 <<>> @linuxmafia.com. a linuxmafia.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43273
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;linuxmafia.com. IN A
;; ANSWER SECTION:
linuxmafia.com. 86400 IN A 96.95.217.99
;; AUTHORITY SECTION:
linuxmafia.com. 86400 IN NS ns0.sunnyside.com.
linuxmafia.com. 86400 IN NS ns3.linuxmafia.com.
linuxmafia.com. 86400 IN NS ns.tx.primate.net.
linuxmafia.com. 86400 IN NS ns1.linuxmafia.com.
linuxmafia.com. 86400 IN NS ns.primate.net.
;; ADDITIONAL SECTION:
ns1.linuxmafia.com. 86400 IN A 96.95.217.99
ns3.linuxmafia.com. 86400 IN A 107.204.234.170
;; Query time: 23 msec
;; SERVER: 96.95.217.99#53(96.95.217.99)
;; WHEN: Tue Jun 04 06:55:54 PDT 2024
;; MSG SIZE rcvd: 203
al@post:/z/dns$ dig ^C
al@post:/z/dns$ host ns0.sunnyside.com.
ns0.sunnyside.com has address 99.43.100.202
ns0.sunnyside.com has IPv6 address 2600:1700:45a:e520:8099:43:100:ca
al@post:/z/dns$ dig a balug.org
; <<>> DiG 9.16.6 <<>> a balug.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64776
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; COOKIE: e211ccbbe58795cd01000000665f1d46cd1e1ed08173e4ee (good)
;; QUESTION SECTION:
;balug.org. IN A
;; ANSWER SECTION:
balug.org. 9533 IN A 96.86.170.229
;; Query time: 0 msec
;; SERVER: 192.147.248.10#53(192.147.248.10)
;; WHEN: Tue Jun 04 06:57:26 PDT 2024
;; MSG SIZE rcvd: 82
al@post:/z/dns$ dig ns balug.org
; <<>> DiG 9.16.6 <<>> ns balug.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35169
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; COOKIE: 1c7d712b366d870601000000665f1d4a2859210ac56d69f9 (good)
;; QUESTION SECTION:
;balug.org. IN NS
;; ANSWER SECTION:
balug.org. 245 IN NS nsx.sunnyside.com.
balug.org. 245 IN NS nsy.sunnysidex.com.
balug.org. 245 IN NS ns0.balug.org.
balug.org. 245 IN NS ns1.linuxmafia.com.
;; ADDITIONAL SECTION:
ns1.linuxmafia.com. 41793 IN A 96.95.217.99
nsx.sunnyside.com. 39875 IN A 50.242.105.52
nsy.sunnysidex.com. 39875 IN A 50.18.139.240
ns0.balug.org. 245 IN A 96.86.170.229
nsx.sunnyside.com. 39875 IN AAAA
2603:3024:180d:f100:50:242:105:34
nsy.sunnysidex.com. 39875 IN AAAA
2600:1f1c:528:c500:5e0b:8a37:6598:356c
ns0.balug.org. 246 IN AAAA 2001:470:1f05:19e::2
;; Query time: 0 msec
;; SERVER: 192.147.248.10#53(192.147.248.10)
;; WHEN: Tue Jun 04 06:57:30 PDT 2024
;; MSG SIZE rcvd: 327
al@post:/z/dns$ dig ns balug.org @96.86.170.229
; <<>> DiG 9.16.6 <<>> ns balug.org @96.86.170.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18557
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8e52861009e139f9e08c9083665f1d9dd0fd488facdb9e1b (good)
;; QUESTION SECTION:
;balug.org. IN NS
;; ANSWER SECTION:
balug.org. 3600 IN NS nsx.sunnyside.com.
balug.org. 3600 IN NS ns0.balug.org.
balug.org. 3600 IN NS nsy.sunnysidex.com.
balug.org. 3600 IN NS ns1.linuxmafia.com.
;; ADDITIONAL SECTION:
ns0.balug.org. 3600 IN A 96.86.170.229
ns0.balug.org. 3600 IN AAAA 2001:470:1f05:19e::2
;; Query time: 19 msec
;; SERVER: 96.86.170.229#53(96.86.170.229)
;; WHEN: Tue Jun 04 06:58:53 PDT 2024
;; MSG SIZE rcvd: 217
al@post:/z/dns$ dig -p 5353 @96.86.170.229 balug.org
; <<>> DiG 9.16.6 <<>> -p 5353 @96.86.170.229 balug.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19989
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7721edc894b4f780e65714a2665f1f00f62318d534f67494 (good)
;; QUESTION SECTION:
;balug.org. IN A
;; ANSWER SECTION:
balug.org. 86400 IN A 96.86.170.229
;; AUTHORITY SECTION:
balug.org. 3600 IN NS ns1.linuxmafia.com.
balug.org. 3600 IN NS nsx.sunnyside.com.
balug.org. 3600 IN NS ns0.balug.org.
balug.org. 3600 IN NS nsy.sunnysidex.com.
;; ADDITIONAL SECTION:
ns0.balug.org. 3600 IN A 96.86.170.229
ns0.balug.org. 3600 IN AAAA 2001:470:1f05:19e::2
;; Query time: 23 msec
;; SERVER: 96.86.170.229#5353(96.86.170.229)
;; WHEN: Tue Jun 04 07:04:48 PDT 2024
;; MSG SIZE rcvd: 233
On 6/3/2024 09:36, Rick Moen wrote:
> Quoting Al Whaley (aw009@sunnyside.com):
>
>> That security edge feature is no longer optional on Comcast business
>> accounts. However you can log into your Comcast business website
>> portal as yourself and look at your options and very quickly turn
>> security edge off.
> Guys, I've moved this back to balug-admin, because I like the record
> that keeps, and we're not talking about anything that dannot be public.
> Is that alright?
>
> Good idea about that accursed SecurityEdge "feature". I've now disabled
> that blasted thing in the Comcast Business account to the extent they
> permit, I think?
>
> Initial login takes me to
> https://business.comcast.com/account/dashboard/accounts/689906011127102015Comcast.IMS
> where I see Subscribed Services described as "Business Internet
> Essential 150 Mbps / 25 Mbps" and below that "SecurityEdgeTM", which is
> a link, following which goes to https://securityedge.comcast.com/#home ,
> showing tab Dashboard, which has nothing adjustable, but move on to tab
> Settings, page https://securityedge.comcast.com/#settings/profiles .
> Here, "Web Filters" had a predefined "protection level" of "Light", but
> one can select "None", which I did.
>
> Scrolling down the page, everything settable is Off, except that section
> Internet Security has "Malware & Phishing Protection" set to "On", which
> slide control is greyed out (unchangeable). Subtitle is "Keeps user
> from compromising the network or their personal data if they
> accidentally or intentionally access infected web [sic] pages or click
> on phishing emails." Select Save at the page bottom to implement.
>
> Slide control "Web Filters" at the top of the page now shows Off.
>
> The other tabs, "Block & Allow Lists", "Block Page Construction",
> "Domain Lookup", and "Scheduled Reports" don't appear to have anything
> useful for my purposes.
>
> Orange banner at the very top of the page now says: "Web Filter
> Protection is now off. To safeguarg your network, Malware, Phishing,
> and Botnet Protection remains on. Learn More [link]."
>
> Following link goes to
> https://securityedge.comcast.com/#help/turning-web-filters-on-and-off ,
> which is a long documentation page including justifying preventing
> turning that part off:
>
> Malware, phishing and botnet traffic is generated by malicious
> software. Protection against this traffic is critical. This is why we do
> not recommend disabling the Malware and Phishing setting for any user
> profile. The setting remains enabled even if you turn off Web Filters.
>
> Also notable:
>
> To turn Web Filters on or off, log in to Comcast Business SecurityEdge.
> On the top right of any page, click the Web Filters toggle switch: from
> On to Off to deactivate the Protection Level, Block & Allow Lists and
> Off-Hours Internet Schedule, or from Off to On to activate them. The
> ^^^
> change is applied immediately.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Noting that final sentence, I now attempt another smoke test, to see if
> the problem is gone:
>
> $ dig -p 5353 @96.86.170.229 balug.org
> ;; connection timed out; no servers could be reached
> $
>
> Nope.
>
> Noting Al's wording "look at your options and very quickly turn
> security edge off", I try to see if there's another entry point into the
> account to do so. What about "My Account" over on the far side of the
> navbar for
> https://business.comcast.com/account/account-details/689906011127102015Comcast.IMS
> ?
>
> I see:
> SUBSCRIBED SERVICES:
> Business Internet
> - SecurityEdge
>
> Clicking "Business Internt" takes me to
> https://business.comcast.com/connectivity/internetdashboard/ , Where
> Item
> SECURITYEDGEtm
> Cybersecurity
> is shown as "Disabled".
>
> At some point, I tried toggling the "Web Filters" toggle from the Off to
> the On position, and then back to Off. This resulted in my losing
> connectivity to my server for a few minutes, getting Network Unreachable
> on my ssh reconnection. I infer that the "modem" device was resetting.
>
> I continute to get...
> $ dig -p 5353 @96.86.170.229 balug.org
> ;; connection timed out; no servers could be reached
> $
>
> Al, Michael, am I missing a trick, here?
>
More information about the BALUG-Admin
mailing list