[sf-lug] Resolved: DNS issues again because of Comcast Business SecurityEdge
Michael Paoli
michael.paoli at berkeley.edu
Fri Jan 9 09:00:14 PST 2026
As of:
Jan 8 10:01:56 local time
the issue was resolved.
More details for those that may be interested:
The work-arounds implemented for these zones:
sf-lug.org
sf-lug.com
sflug.com
sf-lug.net
sflug.net
sflug.org
e.9.1.0.5.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
balug.org
berkeleylug.com
mpaoli.net
savingthedolph.in
Have been left in place, and will probably remain (and be added)
for any zones/domains where I'm primary control of primary,
and [ns1.]linuxmafia.com. is a secondary, and so long as
Xfinity / Comcast [Business] are in the picture between The Internet
and [ns1.]linuxmafia.com. and SecurityEdge may possibly become an
issue yet again (this most recent was the 3rd time it's majorly
screwed up DNS over the past several years).
Leaving/having the work-around in place has no significant downsides,
and allows those to continue to function whether or not SecurityEdge
is in the way and otherwise breaking things.
For the curious, the work-around has the primaries also listening
on port 5353 of the Internet routable IPv4 IPs,
and [ns1.]linuxmafia.com. using those, with port 5353
as the first primary to try for zone transfers,
and with fallback to the default of port 53.
[ns1.]linuxmafia.com. is, at this time, still IPv4 only for
any Internet routable IP addresses that are or would be routable.
On Thu, Jan 8, 2026 at 9:36 AM Michael Paoli <michael.paoli at berkeley.edu> wrote:
>
> FYI, as of
> Jan 7 06:09:55 local time
> have workaround in place, so though the issue is still present,
> workaround is in place and most* domains are no longer having issues.
> *at least those I generally attend to, including the LUG domains
> of SF-LUG, BALUG, BerkeleyLUG
> Also,
> linuxmafia.com (and thus SF-LUG list) was never significantly impacted.
>
> Work to fix the actual issue is ongoing, Rick has lead on that,
> ball has been in Comcast Business's court for a while now.
>
> On Tue, Jan 6, 2026 at 11:44 PM Michael Paoli
> <michael.paoli at berkeley.edu> wrote:
> >
> > This is at least the 3rd time Comcast Business has screwed it up.
> > Their SecurityEdge [mis-]"feature" screws up and
> > interferes with DNS. It basically commandeers all UDP and TCP
> > outbound port 53 traffic (and totally fails with IPv6 TCP).
> >
> > This is again currently impacting ns1.linuxmafia.com,
> > which is on Comcast Business, and SecurityEdge has become enabled
> > yet again, and is yet again breaking things.
> > Though ns1.linuxmafia.com. (authoritative for sf-lug.org. and quite a number
> > of additional domains, including also balug.org.) still answers queries and
> > can generally respond, it can no longer get updates (AXFR and IXFR fail,
> > because SecurityEdge).
> >
> > As of the latest, Rick is very much on top of the issue, and has been since
> > fairly early this morning local time. Looking over logs on that host,
> > the problem was apparently not yet present at (local times):
> > Jan 5 15:53:47
> > but problem was present by:
> > Jan 5 16:02:59
> > and possibly as early as or slightly earlier than:
> > Jan 5 15:56:22
> > and at least at the time I'm typing this, the problem is still
> > currently ongoing.
> > Bit of references on the earlier (and can follow the trails from there):
> > http://linuxmafia.com/pipermail/sf-lug/2023q3/015928.html
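
Added example, not part of the original message and not the list admins' own tooling: a check to run from the secondary's network that sends the same SOA query over TCP to a primary on port 5353 and on port 53 and compares the answers. The function names, the 192.0.2.1 / example.org placeholders, and the use of the AA flag plus serial as the comparison are assumptions made for this sketch.

```python
import socket
import struct

def build_soa_query(zone, txid=0x5353):
    """Wire-format SOA query for zone, recursion not requested."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", 6, 1)

def skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at off."""
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)    # pointer is 2 bytes, root label is 1

def parse_soa(msg):
    """(aa_flag, serial) from a response; serial is None if no SOA answer."""
    _, flags, qd, an = struct.unpack("!4H", msg[:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        off += 10
        if rtype == 6:                     # SOA rdata: MNAME, RNAME, then SERIAL
            p = skip_name(msg, skip_name(msg, off))
            return bool(flags & 0x0400), struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    return bool(flags & 0x0400), None

def query_tcp(server, port, zone, timeout=5.0):
    """SOA over TCP to server:port; None when the exchange fails."""
    q = build_soa_query(zone)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)   # 2-byte length prefix for DNS over TCP
            f = s.makefile("rb")
            return parse_soa(f.read(struct.unpack("!H", f.read(2))[0]))
    except (OSError, struct.error, IndexError):
        return None

def port53_suspect(on_5353, on_53):
    """True when port 5353 gets an authoritative answer that port 53 does not match."""
    return bool(on_5353 and on_5353[0] and on_53 != on_5353)

if __name__ == "__main__":
    # 192.0.2.1 and example.org are documentation placeholders, not a real primary or zone.
    a, b = (query_tcp("192.0.2.1", p, "example.org") for p in (5353, 53))
    print("5353:", a, "53:", b, "suspect:", port53_suspect(a, b))
```

A result of `suspect: True` only says that port 53 traffic is not reaching the primary unaltered; a failed connection on both ports returns `False` because there is nothing to compare against.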