Take 2. Sent from the wrong email address!

Greg

On Sat, 12 Feb 2022 at 08:01, Greg Choules <gregchou...@googlemail.com>
wrote:

> > "...to use a traditional VPN solution such as DNSSEC ..."
> DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or
> whichever port you choose - see the manuals and KB articles for how to
> configure non-standard ports. DNSSEC adds extra records to provide checks
> that answers are genuine.
>
> > "P.S. My guess is that this so-called "security" service is no such thing,
> > or at least it's not the only thing.  They are probably harvesting DNS
> > lookups to sell as marketing data, or at least that would be my first guess."
> I would try to establish exactly what Comcast's Security Service is
> actually doing first, or if this is even the real problem. Run some manual
> tests between the machines inside and the machines outside to establish
> whether port number is the problem. e.g. use "dig -p"
>
> Thanks, Greg
>
>
> On Fri, 11 Feb 2022 at 16:30, Jakob Bohm via bind-users <
> bind-users@lists.isc.org> wrote:
>
>> On 2022-02-11 16:20, Tim Daneliuk via bind-users wrote:
>> >
>> > After some months of poking around, we are now certain that our
>> > so-called "Business" service from Comcast is compromising our DNS
>> > servers because of their execrable "Security Edge" garbage.  (They are
>> > willing to remove this 'service' only if we are willing to incur a
>> > higher monthly recurring fee.)
>> >
>> > Our master is in the wild and works fine, but the slave is behind the
>> > compromised Comcast pipe.  The effect of having Security Edge in place
>> > is that the slave cannot get updates from the master and is also unable
>> > to resolve anything outside our own zone.   Comcast is apparently
>> > hijacking all port 53 requests and doing unspeakable things with them.
>> >
>> > Is there a way to have these servers work as usual, listening to
>> > resolution requests on port 53, but have the slave update AND forward
>> > requests to the master over a non-standard port, so as to work around
>> > the Comcast madness?
>> >
>> > TIA,
>> > Tim
>> >
>> > P.S. My guess is that this so-called "security" service is no such
>> > thing, or at least it's not the only thing.  They are probably
>> > harvesting DNS lookups to sell as marketing data, or at least that
>> > would be my first guess.
>> If bind cannot be configured to avoid a port blocking or filtering 3rd
>> party filter between two of your own servers, the obvious solution is
>> to use a traditional VPN solution such as DNSSEC or OpenVPN to encrypt
>> all traffic between the two servers.  That should pass through any ISP
>> filters that don't block work-from-home VPNs.
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
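An added example, not part of the thread and not code from ISC or any of the posters: a small POSIX shell helper for the manual test Greg suggests, running `dig -p` against the master on port 53 and on an alternative port from the slave's side and classifying each transcript so the two runs can be compared. The master address 203.0.113.10, the port 5353 and the zone example.net are assumed placeholders (RFC 5737 documentation space), and the three dig transcripts embedded below are constructed by hand so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): probe whether the path to a
# server passes DNS on port 53 versus an alternative port, and classify the dig
# output so the two results can be put side by side. Hosts, ports and the zone
# are placeholders; the sample transcripts further down are constructed.

# classify_dig_output: read one dig transcript on stdin and print one token:
#   timeout        - no reply at all (filtered or black-holed)
#   <STATUS>:aa    - a reply with the authoritative-answer (aa) flag set
#   <STATUS>:noaa  - a reply without aa, e.g. some resolver answering in
#                    place of the authoritative server you addressed
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo timeout
            return 0 ;;
    esac
    # RCODE from the header line: "opcode: QUERY, status: NOERROR, id: ..."
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # aa flag from the flags line: ";; flags: qr aa rd; QUERY: ..."
    if printf '%s\n' "$out" | grep -q '^;; flags:.* aa[ ;]'; then
        aa=aa
    else
        aa=noaa
    fi
    echo "${status:-unknown}:$aa"
}

# probe SERVER PORT ZONE: ask SERVER on PORT for the SOA of ZONE with recursion
# disabled. The assumption behind the aa check is that the real authoritative
# server sets aa for its own zone, while a resolver intercepting the query and
# answering from cache normally does not.
probe() {
    dig +norecurse +time=2 +tries=1 -p "$2" "@$1" "$3" SOA 2>&1 | classify_dig_output
}

# compare_ports SERVER ALTPORT ZONE: probe on 53 and on ALTPORT and print both.
compare_ports() {
    printf '53=%s alt=%s\n' "$(probe "$1" 53 "$3")" "$(probe "$1" "$2" "$3")"
}

# Constructed transcripts (not captured from a real network) for offline checks.
SAMPLE_AUTH='; <<>> DiG 9.16.1 <<>> +norecurse -p 5353 @203.0.113.10 example.net SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 203.0.113.10#5353(203.0.113.10)'

SAMPLE_INTERCEPTED='; <<>> DiG 9.16.1 <<>> +norecurse @203.0.113.10 example.net SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 203.0.113.10#53(203.0.113.10)'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# self_check: run the classifier over the three constructed transcripts,
# one result per line, in the order authoritative / intercepted / timeout.
self_check() {
    printf '%s\n' "$SAMPLE_AUTH" | classify_dig_output
    printf '%s\n' "$SAMPLE_INTERCEPTED" | classify_dig_output
    printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output
}

# Typical use from the slave's network:
#   compare_ports 203.0.113.10 5353 example.net
```

Reading the result: `53=timeout alt=NOERROR:aa` says port 53 is being dropped while the alternative port reaches the master; `53=NOERROR:noaa alt=NOERROR:aa` says something on the path is answering port 53 queries in the master's name. If the alternative port works, the BIND statements that take a `port` argument are the ones to change: `listen-on port N` on the master, `primaries { addr port N; }` (`masters` in older releases) in the slave's zone statement for transfers, `also-notify { addr port N; }` on the master so NOTIFY reaches the slave, and `forwarders { addr port N; }` if the slave is to forward through the master. Run the probe before changing any of them; the ISP filter may also apply to UDP source ports or to the alternative port, and only the test shows that.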
