Re: Bind: Standard Ports And Non Standard Ports

2022-02-17 Thread Jakob Bohm via bind-users

On 2022-02-12 09:01, Greg Choules wrote:

> > "...to use a traditional VPN solution such as DNSSEC ..."
> DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53,
> or whichever port you choose - see the manuals and KB articles for how
> to configure non-standard ports. DNSSEC adds extra records to provide
> checks that answers are genuine.


Oops, typo, I meant IPSEC.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind: Standard Ports And Non Standard Ports

2022-02-12 Thread Greg Choules via bind-users
Take 2. Sent from the wrong email address!

Greg

On Sat, 12 Feb 2022 at 08:01, Greg Choules wrote:

> > "...to use a traditional VPN solution such as DNSSEC ..."
> DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or
> whichever port you choose - see the manuals and KB articles for how to
> configure non-standard ports. DNSSEC adds extra records to provide checks
> that answers are genuine.
>
> > "P.S. My guess is that this so-called "security" service is no such thing,
> > or at least it's not the only thing.  They are probably harvesting DNS
> > lookups to sell as marketing data, or at least that would be my first guess."
> I would try to establish exactly what Comcast's Security Service is
> actually doing first, or if this is even the real problem. Run some manual
> tests between the machines inside and the machines outside to establish
> whether port number is the problem. e.g. use "dig -p"
>
> Thanks, Greg
>
>
> On Fri, 11 Feb 2022 at 16:30, Jakob Bohm via bind-users <
> bind-users@lists.isc.org> wrote:
>
>> On 2022-02-11 16:20, Tim Daneliuk via bind-users wrote:
>> >
>> > After some months of poking around, we are now certain that our
>> > so-called "Business" service from Comcast is compromising our DNS
>> > servers because of their execrable "Security Edge" garbage.  (They are
>> > willing to remove this 'service' only if we are willing to incur a
>> > higher monthly recurring fee.)
>> >
>> > Our master is in the wild and works fine, but the slave is behind the
>> > compromised Comcast pipe.  The effect of having Security Edge in place
>> > is that the slave cannot get updates from the master and is also unable
>> > to resolve anything outside our own zone.  Comcast is apparently
>> > hijacking all port 53 requests and doing unspeakable things with them.
>> >
>> > Is there a way to have these servers work as usual, listening to
>> > resolution requests on port 53, but have the slave update AND forward
>> > requests to the master over a non-standard port, so as to work around
>> > the Comcast madness?
>> >
>> > TIA,
>> > Tim
>> >
>> > P.S. My guess is that this so-called "security" service is no such
>> > thing, or at least it's not the only thing.  They are probably
>> > harvesting DNS lookups to sell as marketing data, or at least that
>> > would be my first guess.
>> If bind cannot be configured to avoid a port blocking or filtering 3rd
>> party filter between two of your own servers, the obvious solution is
>> to use a traditional VPN solution such as DNSSEC or OpenVPN to encrypt
>> all traffic between the two servers.  That should pass through any ISP
>> filters that don't block work-from-home VPNs.
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>


Re: Bind: Standard Ports And Non Standard Ports

2022-02-11 Thread Warren Kumari
On Fri, Feb 11, 2022 at 10:21 AM Tim Daneliuk via bind-users <
bind-users@lists.isc.org> wrote:

>
> After some months of poking around, we are now certain that our so-called
> "Business" service from Comcast is compromising our DNS servers because of
> their execrable "Security Edge" garbage.  (They are willing to remove this
> 'service' only if we are willing to incur a higher monthly recurring fee.)
>
>
According to "the Internet" (aka, some random reddit thread), there is a
way to disable this:
https://www.reddit.com/r/networking/comments/fl0ujm/xfinity_secureedge_for_business_transparently/

It did not *look* like this required changing service / a higher fee, but
...

W


> Our master is in the wild and works fine, but the slave is behind the
> compromised Comcast pipe.  The effect of having Security Edge in place is
> that the slave cannot get updates from the master and is also unable to
> resolve anything outside our own zone.  Comcast is apparently hijacking all
> port 53 requests and doing unspeakable things with them.
>
> Is there a way to have these servers work as usual, listening to resolution
> requests on port 53, but have the slave update AND forward requests to the
> master over a non-standard port, so as to work around the Comcast madness?
>
> TIA,
> Tim
>
> P.S. My guess is that this so-called "security" service is no such thing,
> or at least it's not the only thing.  They are probably harvesting DNS
> lookups to sell as marketing data, or at least that would be my first guess.


-- 
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra


Re: Bind: Standard Ports And Non Standard Ports

2022-02-11 Thread Ted Mittelstaedt
I have Comcast Business with 2 name servers behind it and 50 or so
domain names hosted on them.  No problems at all.  Never heard of
Security Edge.

We could have a discussion on your setup and compare notes but your
problems have nothing to do with port 53 filtering in the Comcast
network, IMHO.

Ted

On 2/11/2022 7:20 AM, Tim Daneliuk via bind-users wrote:
>
> After some months of poking around, we are now certain that our
> so-called "Business" service from Comcast is compromising our DNS
> servers because of their execrable "Security Edge" garbage.  (They are
> willing to remove this 'service' only if we are willing to incur a
> higher monthly recurring fee.)
>
> Our master is in the wild and works fine, but the slave is behind the
> compromised Comcast pipe.  The effect of having Security Edge in place
> is that the slave cannot get updates from the master and is also unable
> to resolve anything outside our own zone.  Comcast is apparently
> hijacking all port 53 requests and doing unspeakable things with them.
>
> Is there a way to have these servers work as usual, listening to
> resolution requests on port 53, but have the slave update AND forward
> requests to the master over a non-standard port, so as to work around
> the Comcast madness?
>
> TIA,
> Tim
>
> P.S. My guess is that this so-called "security" service is no such
> thing, or at least it's not the only thing.  They are probably
> harvesting DNS lookups to sell as marketing data, or at least that
> would be my first guess.



Re: Bind: Standard Ports And Non Standard Ports

2022-02-11 Thread Ondřej Surý
Yes, look for the “port” configuration option in the documentation:
https://bind9.readthedocs.io/en/v9_16_25/

You can configure the upstream to listen on a non-standard port and the
downstream to use it. We use this internally in the system tests.

As a side note, please separate the technical questions and the rants.
Experience shows that sticking to the technical questions leads to a more
pleasant experience on the mailing list. Thanks.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 11. 2. 2022, at 16:21, Tim Daneliuk via bind-users wrote:
> 
> 
> After some months of poking around, we are now certain that our so-called
> "Business" service from Comcast is compromising our DNS servers because of
> their execrable "Security Edge" garbage.  (They are willing to remove this
> 'service' only if we are willing to incur a higher monthly recurring fee.)
> 
> Our master is in the wild and works fine, but the slave is behind the
> compromised Comcast pipe.  The effect of having Security Edge in place is
> that the slave cannot get updates from the master and is also unable to
> resolve anything outside our own zone.  Comcast is apparently hijacking all
> port 53 requests and doing unspeakable things with them.
> 
> Is there a way to have these servers work as usual, listening to resolution
> requests on port 53, but have the slave update AND forward requests to the
> master over a non-standard port, so as to work around the Comcast madness?
> 
> TIA,
> Tim
> 
> P.S. My guess is that this so-called "security" service is no such thing,
> or at least it's not the only thing.  They are probably harvesting DNS
> lookups to sell as marketing data, or at least that would be my first guess.
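Ondřej's pointer to the "port" option and Greg's "dig -p" test, worked through as an added example. The two named.conf fragments below are not from this thread, from ISC's documentation or from any poster; they show one way to make the secondary pull zone transfers from, and forward off-zone queries to, the primary on a non-standard port while both servers keep answering clients on 53. The addresses 192.0.2.1 (primary) and 198.51.100.2 (secondary), port 5353 and the zone example.com are assumptions chosen for illustration.

```conf
// Added example (not from the thread or ISC's docs).
// Assumed values: primary 192.0.2.1, secondary 198.51.100.2, port 5353,
// zone example.com. Keywords follow the BIND 9.16 ARM linked above
// ("type primary"/"type secondary"/"primaries"; older releases spell
// them "type master"/"type slave"/"masters").

// ---------- named.conf on the primary (the server "in the wild") ----------
options {
    // Keep serving ordinary clients on 53 ...
    listen-on port 53 { any; };
    // ... and additionally on the port the secondary will use. Zone
    // transfers (AXFR/IXFR over TCP) and forwarded queries both arrive here.
    listen-on port 5353 { any; };
    // The secondary forwards its off-zone lookups here, so recursion must be
    // allowed for it (and for local clients, if this box is also their resolver).
    recursion yes;
    allow-recursion { 198.51.100.2; localnets; };
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    // Only the secondary may pull the zone.
    allow-transfer { 198.51.100.2; };
    // NOTIFY only the explicit list, on the alternate port; a NOTIFY sent to
    // the NS record on port 53 would run into the same filter.
    notify explicit;
    also-notify { 198.51.100.2 port 5353; };
};

// ---------- named.conf on the secondary (behind the filtered link) ----------
options {
    listen-on port 53 { any; };
    // Accept the primary's NOTIFY on the alternate port.
    listen-on port 5353 { any; };
    recursion yes;
    allow-recursion { localnets; };
    // Everything outside our own zones goes to the primary on 5353 instead of
    // leaving on port 53. Local authoritative zones still answer locally.
    forwarders { 192.0.2.1 port 5353; };
    forward only;
};

zone "example.com" {
    type secondary;
    file "example.com.secondary";
    // SOA refresh checks and AXFR/IXFR go to the primary's alternate port.
    primaries { 192.0.2.1 port 5353; };
    // Only the primary may trigger a refresh by NOTIFY.
    allow-notify { 192.0.2.1; };
};
```

After reloading both servers, the check Greg suggests is a manual query from the secondary host on each port, e.g. `dig -p 5353 @192.0.2.1 example.com SOA` against `dig -p 53 @192.0.2.1 example.com SOA`: if the serial and the SERVER line in the two answers differ, the port-53 path is being intercepted and the alternate port is getting through. Note that this only changes the port; the transfers and forwarded queries are still plain DNS, which is why Jakob's VPN suggestion is the alternative if the alternate port is filtered as well.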


Re: Bind: Standard Ports And Non Standard Ports

2022-02-11 Thread Jakob Bohm via bind-users

On 2022-02-11 16:20, Tim Daneliuk via bind-users wrote:
>
> After some months of poking around, we are now certain that our
> so-called "Business" service from Comcast is compromising our DNS
> servers because of their execrable "Security Edge" garbage.  (They are
> willing to remove this 'service' only if we are willing to incur a
> higher monthly recurring fee.)
>
> Our master is in the wild and works fine, but the slave is behind the
> compromised Comcast pipe.  The effect of having Security Edge in place
> is that the slave cannot get updates from the master and is also unable
> to resolve anything outside our own zone.  Comcast is apparently
> hijacking all port 53 requests and doing unspeakable things with them.
>
> Is there a way to have these servers work as usual, listening to
> resolution requests on port 53, but have the slave update AND forward
> requests to the master over a non-standard port, so as to work around
> the Comcast madness?
>
> TIA,
> Tim
>
> P.S. My guess is that this so-called "security" service is no such
> thing, or at least it's not the only thing.  They are probably
> harvesting DNS lookups to sell as marketing data, or at least that
> would be my first guess.

If bind cannot be configured to avoid a port blocking or filtering 3rd
party filter between two of your own servers, the obvious solution is
to use a traditional VPN solution such as DNSSEC or OpenVPN to encrypt
all traffic between the two servers.  That should pass through any ISP
filters that don't block work-from-home VPNs.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
