
Visitor

 • 

7 Messages

Wednesday, May 4th, 2022 5:13 PM

Closed

advanced security

Comcast has recently begun blocking an IBM subdomain: dhe.ibm.com. I spent 2 hours on the phone with support last night. No joy. It acts like a DNS problem, but I wondered if Advanced Security might be blocking it. So I went to turn it off and I can't see how. When I get to the Advanced Security tab, there are no options to turn it on or off. All it says is "You're protected." and "No action needed."

How do I turn Advanced Security off to see if that's what's blocking the subdomain?

Thanks.

Gold Problem Solver

 • 

26.3K Messages

3 years ago

... How do I turn Advanced Security off ...

Please see https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security#mcetoc_1fj3kht6b1, "Disabling Advanced Security".

You might also have a look at https://www.google.com/search?q=dhe.ibm.com . None of the DNS servers I tried returned an IP address for "dhe.ibm.com". The hostname appears to be incomplete.

(edited)

Visitor

 • 

7 Messages

@BruceW​ Thanks for the reply.

I was able to find the Advanced Security using the app and have turned it off. Thanks for the pointer. I was going in through the website from my computer, which is very different.

 

You're right it's incomplete -- that's the base address of the subdomain.   An example of one that should work is public.dhe.ibm.com.  There's no content there, but it should bring up notifications that, well, there's no content there. 

Thank you.  I'll let you know here if this worked.

Visitor

 • 

7 Messages

@BruceW​ Nope.  Turning off Advanced Security didn't help.  

Support has been, well, unhelpful.  They turned it off and turned it back on about 5 times.  After that, they decided that it worked for them, so everything was fine.  They did send me a new modem, which I will install, but don't expect it to help.

When I try to hit public.dhe.ibm.com from a browser (any browser, I've tried 3), I get a DNS_PROBE_FINISHED_NXDOMAIN message. If I go into a CMD window and try to look up that address at the Comcast DNS (nslookup public.dhe.ibm.com 75.75.75.75) I get a timeout. If I try the free Google DNS (nslookup public.dhe.ibm.com 8.8.8.8) it works. (Nobody I talked to seemed to know what a DNS was.)

I'm getting tired of going to Starbucks two or three times a week to download products and fixes that I need for work.  If I can't get this fixed, I'm going to have to drop Comcast.  Any help would be appreciated.

Thanks

Gold Problem Solver

 • 

26.3K Messages

3 years ago

... If I go into a CMD window and try to look up that address at the Comcast DNS (nslookup public.dhe.ibm.com 75.75.75.75) I get a timeout. ...

Running that command on my Comcast Internet service with a retail modem and router (not rental equipment) I get:

C>nslookup public.dhe.ibm.com 75.75.75.75
Server:  cdns01.comcast.net
Address:  75.75.75.75
Non-authoritative answer:
Name:    dispby-112.boulder.ibm.com
Address:  170.225.15.112
Aliases:  public.dhe.ibm.com

Http references to "public.dhe.ibm.com" redirect to "www.ibm.com/support". Why not just use that URL instead?

Problem Solver

 • 

1.5K Messages

@BruceW​ 

That's a weird one. I poked at it a bit too. Google 8.8.8.8 knows the CNAME, but Cloudflare 1.1.1.1/1.0.0.1 does not. Then all of a sudden, after bombing out a few times, Xfinity knew it so now it's cached.

# dig @75.75.75.75 -t AAAA public.dhe.ibm.com

public.dhe.ibm.com      canonical name = dispby-112.boulder.ibm.com.

I'm not sure what the RFC issue is.  Perhaps a 'gray area' RFC implementation is but something is messed up and you're not supposed to run dns checks on someone else's stuff.  I'll let Xfinity and IBM fight over that one.

I know for a fact a name server I'm running on another provider isn't exactly 100% RFC and it works, so Xfinity isn't strictly enforcing everything, so I don't know what to say, other than your advice for hitting it with www.ibm.com/support is spot on. Everyone including OpenDNS seems to agree that works.

Gold Problem Solver

 • 

26.3K Messages

3 years ago

... Here's a real-life example ...

That works for me. What happens exactly when you try to access that link?

Please be aware that there are 2 kinds of responses in this Forum: Replies and Comments. When you Comment on a post by scrolling down to "Comment on this post here...", I am notified of your response. But if you select Reply, I am NOT notified and may not be aware of your response.

(edited)

Visitor

 • 

7 Messages

@BruceW​ So I guess I can't paste a picture here.  This is what Chrome tells me (Note the DNS message)

https://ak-delivery04-mul.dhe.ibm.com/sdfdl/v2/sar/CM/WS/09w1z/1/Xa.2/Xb.jusyLTSp44S02bbB6_rtzScjSWqGmcd6jAVj9-w1NDc0LBUwGBstPrE7RAQ/Xc.CM/WS/09w1z/1/wlp-featureRepo-21.0.0.8.zip/Xd./Xf.LPR.D1vk/Xg.11756186/Xi.habanero/XY.habanero/XZ.U9353VmIDFtPcf5QdivTqLRqEGwMUUJ-/wlp-featureRepo-21.0.0.8.zip

This site can’t be reached

Check if there is a typo in ak-delivery04-mul.dhe.ibm.com.

  • If spelling is correct, try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN
Here's what's happening during the DNS lookup;

C:\Users\myuser>  nslookup ak-delivery04-mul.dhe.ibm.com 8.8.8.8   (Google)
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    e1740.d.akamaiedge.net
Address:  23.61.125.206
Aliases:  ak-delivery04-mul.dhe.ibm.com
          ak-delivery04-mul.dhe.ibm.com.edgekey.net


C:\Users\myuser> nslookup ak-delivery04-mul.dhe.ibm.com 75.75.75.75  (Comcast)
Server:  cdns01.comcast.net
Address:  75.75.75.75

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to cdns01.comcast.net timed-out

Thanks

Administrator

 • 

671 Messages

Hey there @user_3a989e

 

I've been keeping an eye on the thread since it was opened, I saw that @EG and @BruceW were helping out already, so didn't want to step on their toes, haha. We can definitely take a peek at the device itself of course, though we are a bit limited to what internal changes we can make to customers' gateways here. This type of scenario would usually go up to the folks in the advanced repair teams, which we can open a service request for. It can take 24-72 hours for them to follow up, depending on how busy their queue is.

I am an Official Xfinity Employee.
Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Please, mark a reply as the Accepted Answer.

Gold Problem Solver

 • 

26.3K Messages

3 years ago

... DNS_PROBE_FINISHED_NXDOMAIN  ...

The site works for me in Chrome, and I get this nslookup result consistently:

C>nslookup ak-delivery04-mul.dhe.ibm.com 75.75.75.75
Server:  cdns01.comcast.net
Address:  75.75.75.75
Non-authoritative answer:
Name:    e1740.d.akamaiedge.net
Address:  104.99.54.72
Aliases:  ak-delivery04-mul.dhe.ibm.com
          ak-delivery04-mul.dhe.ibm.com.edgekey.net

Please post any responses as Comments instead of Replies. As noted above, I am notified when Comments are posted, but not when Replies are posted.

Problem Solver

 • 

1.5K Messages

3 years ago

How about just for a temporary test, try disabling ipv6 on windows for your network connection?  https://adamtheautomator.com/disable-ipv6/

Others have said manually setting DNS servers on your windows network connection using an Xfinity gateway  has no effect, but if you can nslookup and query an alternate, I'm not sure if that's entirely true.  I use 3rd party stuff.  Nothing to test with.  Just for kicks, have you tried plugging in google for primary and secondary DNS?  (Manually specify servers, maybe even still use Xfinity for a 3rd and 4th name server?) -- then reboot or disable/enable the connection?

I also think actually being able to store your gateway settings offsite, and being able to manipulate them with an app is a horrid idea (phone app especially horrid), but when you changed the advanced security option, did you try a real power cycle? (pull plug, give it 10-15 seconds to discharge). I don't know if the settings actually change in real time when you change them on the app, or if you need to power-cycle to reload them.

Expert

 • 

110K Messages

3 years ago

@flatlander3 

FWIW. The default DNS server settings can not be changed in the Comcast rented gateway devices.

Problem Solver

 • 

1.5K Messages

@EG​  Yes, I'm aware of that.

There are however other knobs to turn on a device connected to it.  Are all of the DNS requests hijacked?  That's not clear if you can perform a dig or nslookup directly to another name server, but as far as troubleshooting goes, it's a knob to turn.   There aren't many user facing ones.  So is IPV6 on a device.  Even after all of these years, I do see problems with libraries and buggy IPV6 implementations along with inconsistent UDP behavior.

Expert

 • 

110K Messages

@flatlander3​ 

The gateways also no longer act as DNS relays / forwarders, so even changing the settings in the individual network clients will have no effect. Comcast has taken over.....  

I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Please mark an Accepted Answer!

Visitor

 • 

7 Messages

@flatlander3 I'm not sure hijacked is the correct word, but yes this is the only subdomain I'm aware of that I can't get to. IBM has something like 72 subdomains. I use several of them every day and all have worked. My working theory is that one of the physical servers at 75.75.75.75 has a busted cache. I don't know how they're doing the routing at that IP, but maybe I'm always getting the bad server because of the identity of the last hop I'm taking before I get there (dns-sw02.area4.il.chicago.comcast.net [68.86.188.78]). Google's last hop is 142.251.60.23. It bounces around Comcast servers for a while (6), but eventually escapes.

No, I have not recycled since I turned off Advanced Security.  Hard to believe that it puts anything on my gateway (and a tad scary as well), but it's worth a shot.

I'll try the ipv6 and also see if I can do something in my Windows setting that will let me get past that DNS.  @EG's post doesn't make me optimistic, but you never know.

Are there any Comcast employees on here interested in saving a customer?  I suspect this is going to have to be diagnosed from the inside out.

Thanks guys.

Visitor

 • 

7 Messages

@flatlander3 @EG  @BruceW  -- Got it!  

netsh interface ip set dns name="myadaptername" static 8.8.8.8

                                       10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 174877303
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-99-FF-B4-6C-6A-77-43-E3-BF
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       8.8.8.8

I was able to hit public.dhe.ibm.com and also the ak-delivery04-mul.dhe.ibm.com.

I presume I will have to do that every time I reboot, but that's not a big deal now that I know what to do.

Next question -- are there risks to what I just did? Should I leave it alone except for whenever I want to download from IBM?

@XfinityBrie -- thanks for jumping in. I'm still convinced there's a problem at your end. Would you want to open an Advanced Support ticket for it?

Thanks for the help everybody.
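
Added example, not part of the original thread or any poster's code: the resolver-by-resolver comparison done above with nslookup, as a small Python probe that sends the same query to each server and separates a silent resolver (TIMEOUT) from one that answers NXDOMAIN or returns records. The function names are illustrative; the hostname and resolver addresses are the ones quoted in the thread.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=None):
    """Encode a recursive DNS query (qtype 1 = A, 28 = AAAA)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response, txid):
    """Map a raw reply to ANSWER / NODATA / an RCODE name / MALFORMED."""
    if len(response) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode:
        return RCODES.get(rcode, f"RCODE{rcode}")
    return "ANSWER" if ancount else "NODATA"

def probe(name, server, timeout=2.0, qtype=1):
    """Send one UDP query; a resolver that never replies is a TIMEOUT."""
    txid = random.getrandbits(16)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype, txid), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
        except OSError:
            return "UNREACHABLE"
    return classify(data, txid)

def compare(name, servers, **kw):
    """Return {server: outcome} so resolvers can be compared side by side."""
    return {srv: probe(name, srv, **kw) for srv in servers}

if __name__ == "__main__":
    # Hostname and resolver addresses are the ones quoted in the thread.
    for srv, result in compare("public.dhe.ibm.com",
                               ["75.75.75.75", "8.8.8.8", "1.1.1.1"]).items():
        print(f"{srv:<12} {result}")
```

Running it several times, and with qtype=28 for AAAA, shows whether one resolver fails consistently or only intermittently for a given record type.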


