Recently getting a bunch of "no stream available" on previews



HawkXP71
7 minutes ago, cayars said:

I had to think for a bit, but I remember this now. Referring back to my notes on it, I have an entry:
"Xfinity SecureEdge for Business transparently intercepts Port 53 DNS and breaks DNSSEC"

I believe I found this initially on Reddit but didn't save the link. Below is from a couple of posts organized as one entry in my electronic notes.

You can turn this off yourself in case you ever need to or can reconfigure it here:
https://business.comcast.com/help-and-support/internet/securityedge-portal-access

Background info on config and getting reports on security if you want it.
https://business.comcast.com/help-and-support/internet/securityedge-manage-settings/

The problem is a bit wacky but probably because queries to root name servers over https were returning IP addresses. But that's not possible.
But if you switch to using DNS over TLS and redirecting to 1.1.1.1 / 1.0.0.1 the issue would go away and you would get back expected results like:


[root@web ~]# dig google.com @198.41.0.4 +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
;; global options: +cmd
.			600	IN	NS	i.root-servers.net.
.			600	IN	NS	j.root-servers.net.
.			600	IN	NS	k.root-servers.net.
.			600	IN	NS	l.root-servers.net.
.			600	IN	NS	m.root-servers.net.
.			600	IN	NS	b.root-servers.net.
.			600	IN	NS	c.root-servers.net.
.			600	IN	NS	d.root-servers.net.
.			600	IN	NS	e.root-servers.net.
.			600	IN	NS	f.root-servers.net.
.			600	IN	NS	g.root-servers.net.
.			600	IN	NS	h.root-servers.net.
.			600	IN	NS	a.root-servers.net.
.			600	IN	RRSIG	NS 8 0 518400 20200331050000 20200318040000 33853
etc

That right there shows something is goofy and mucking things up.
Basically, if your system requires and validates DNSSEC it completely breaks the network as you found out!

So just in case it gets turned back on, you have a link that should allow you to turn it back off. You could also set up DNS over TLS or similar to fix the issue as well, so keep that in your back pocket.

Great! I appreciate the info

  • Like 1
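
One way to check a dig answer for signs that something other than the queried server replied, as an added example that is not part of the thread: an authoritative server returns the zone's full TTL, which is also recorded in the RRSIG "Original TTL" field, so a lower TTL on a query sent straight to a root server suggests a cache or middlebox answered. The function names and the DIRECT sample are constructed for illustration; QUOTED reuses lines from the trace in the post.

```python
# Added example: flag dig answers whose TTL is below the RRSIG "Original TTL".
# Heuristic only: a lower TTL is normal from a recursive resolver, but not from
# an authoritative server queried directly (as with @198.41.0.4 in the post).

# QUOTED: lines taken from the trace in the post. DIRECT: constructed contrast.
QUOTED = """\
.\t\t\t600\tIN\tNS\ti.root-servers.net.
.\t\t\t600\tIN\tNS\ta.root-servers.net.
.\t\t\t600\tIN\tRRSIG\tNS 8 0 518400 20200331050000 20200318040000 33853
"""
DIRECT = """\
.\t\t\t518400\tIN\tNS\ta.root-servers.net.
.\t\t\t518400\tIN\tRRSIG\tNS 8 0 518400 20200331050000 20200318040000 33853
"""

def parse(text):
    """Return (records, rrsigs). records: list of (name, ttl, rtype).
    rrsigs: {(name, covered_type): original_ttl} read from RRSIG rdata."""
    records, rrsigs = [], {}
    for line in text.splitlines():
        f = line.split()
        # Skip blanks, dig comment lines (";"), and anything without a numeric TTL.
        if len(f) < 5 or line.startswith(";") or not f[1].isdigit():
            continue
        name, ttl, rtype = f[0], int(f[1]), f[3]
        if rtype == "RRSIG":
            # RRSIG rdata order: type covered, algorithm, labels, original TTL, ...
            if len(f) >= 8 and f[7].isdigit():
                rrsigs[(name, f[4])] = int(f[7])
        else:
            records.append((name, ttl, rtype))
    return records, rrsigs

def ttl_mismatches(text):
    """Return sorted (name, rtype, seen_ttl, original_ttl) where seen < original."""
    records, rrsigs = parse(text)
    hits = set()
    for name, ttl, rtype in records:
        original = rrsigs.get((name, rtype))
        if original is not None and ttl < original:
            hits.add((name, rtype, ttl, original))
    return sorted(hits)

if __name__ == "__main__":
    for label, sample in (("quoted", QUOTED), ("direct", DIRECT)):
        hits = ttl_mismatches(sample)
        print(label, "possible intermediary" if hits else "TTLs match", hits)
```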