HawkXP71
Posted October 15, 2021

7 minutes ago, cayars said:

> I had to think for a bit but I remember this now. Referred back to my notes on it, I have an entry: "Xfinity SecureEdge for Business transparently intercepts Port 53 DNS and breaks DNSSEC"
>
> I believe I found this initially on Reddit but didn't save the link. Below is from a couple of posts organized as one entry in my electronic notes.
>
> You can turn this off yourself in case you ever need to or can reconfigure it here: https://business.comcast.com/help-and-support/internet/securityedge-portal-access
>
> Background info on config and getting reports on security if you want it: https://business.comcast.com/help-and-support/internet/securityedge-manage-settings/
>
> The problem is a bit wacky but probably because queries to root name servers over https were returning IP addresses. But that's not possible. But if you switch to using DNS over TLS and redirecting to 1.1.1.1 / 1.0.0.1 the issue would go away and you would get back expected results like:
>
> [root@web ~]# dig google.com @198.41.0.4 +trace
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
> ;; global options: +cmd
> . 600 IN NS i.root-servers.net.
> . 600 IN NS j.root-servers.net.
> . 600 IN NS k.root-servers.net.
> . 600 IN NS l.root-servers.net.
> . 600 IN NS m.root-servers.net.
> . 600 IN NS b.root-servers.net.
> . 600 IN NS c.root-servers.net.
> . 600 IN NS d.root-servers.net.
> . 600 IN NS e.root-servers.net.
> . 600 IN NS f.root-servers.net.
> . 600 IN NS g.root-servers.net.
> . 600 IN NS h.root-servers.net.
> . 600 IN NS a.root-servers.net.
> . 600 IN RRSIG NS 8 0 518400 20200331050000 20200318040000 33853 etc
>
> That right there shows something is goofy and mucking things up.
>
> Basically, if your system requires and validates DNSSEC it completely breaks the network as you found out! So just in case it gets turned back on you have a link that should allow you to turn it back off.
>
> You could also set up DNS over TLS or similar to fix the issue as well so keep that in your back pocket.

Great! I appreciate the info
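An added example, not part of the thread: one check a defender can run on dig output like the one quoted in the post above is to compare each record's served TTL with the Original TTL field of the RRSIG that covers it. The heuristic is this example's assumption (a server answering as the zone's authority serves the zone TTL, so a different value suggests the answer came from an intermediary; ordinary caching resolvers also lower TTLs), and `ttl_mismatches` is a hypothetical helper name.

```python
import re

# Lines taken from the dig output quoted in the post above; only two of the
# NS records are kept, and the RRSIG line is cut short there by its author.
SAMPLE = """\
;; global options: +cmd
. 600 IN NS i.root-servers.net.
. 600 IN NS a.root-servers.net.
. 600 IN RRSIG NS 8 0 518400 20200331050000 20200318040000 33853 etc
"""

# owner, TTL, class IN, type, rdata (dig separates fields with tabs or spaces)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def ttl_mismatches(dig_text):
    """Return [(owner, rrtype, served_ttl, original_ttl)] for every record set
    whose served TTL differs from the Original TTL in its covering RRSIG."""
    served = {}    # (owner, type) -> set of TTLs seen on the records
    original = {}  # (owner, covered type) -> Original TTL from the RRSIG
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if not m:  # comment lines (';'), blanks, anything unparsable
            continue
        owner, ttl, rrtype, rdata = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if rrtype == "RRSIG":
            # RRSIG rdata order: type-covered algorithm labels original-ttl ...
            fields = rdata.split()
            if len(fields) >= 4 and fields[3].isdigit():
                original[(owner, fields[0])] = int(fields[3])
        else:
            served.setdefault((owner, rrtype), set()).add(ttl)
    findings = []
    for key, orig_ttl in sorted(original.items()):
        for ttl in sorted(served.get(key, ())):
            if ttl != orig_ttl:
                findings.append((key[0], key[1], ttl, orig_ttl))
    return findings


if __name__ == "__main__":
    for owner, rrtype, ttl, orig in ttl_mismatches(SAMPLE):
        print(f"{owner} {rrtype}: served TTL {ttl}, signed Original TTL {orig}")
```

Record sets without a covering RRSIG in the input are not reported, so run it on output captured with DNSSEC records included, as in the trace above.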