DNS from LAN to router: "server failed"

[vrapp]

If I nslookup static.digital.business.comcast.com from a LAN computer using router's DNS, the result is "server failed"
If I do the same using external DNS used by the router (75.75.75.75), it works. If I nslookup it from the router itself, at the page "network tools", it works.
How to troubleshoot this problem?

 

[dave14305]

Same happened to me. It's because DNSSEC is enabled and this name gets a BOGUS DS reply.

10:07:34 dnsmasq[8568]: 31072 192.168.1.245/63783 query[A] static.digital.business.comcast.com.home.lan from 192.168.1.245
10:07:34 dnsmasq[8568]: 31072 192.168.1.245/63783 config static.digital.business.comcast.com.home.lan is NXDOMAIN
10:07:34 dnsmasq[8568]: 31073 192.168.1.245/63784 query[AAAA] static.digital.business.comcast.com.home.lan from 192.168.1.245
10:07:34 dnsmasq[8568]: 31073 192.168.1.245/63784 config static.digital.business.comcast.com.home.lan is NXDOMAIN
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 query[A] static.digital.business.comcast.com from 192.168.1.245
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 forwarded static.digital.business.comcast.com to 149.112.112.11
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 forwarded static.digital.business.comcast.com to 9.9.9.11
10:07:34 dnsmasq[8568]: * 192.168.1.245/63785 dnssec-query[DS] business.comcast.com to 9.9.9.11
10:07:34 dnsmasq[8568]: Insecure DS reply received for dscx.akamaiedge.net, check domain configuration and upstream DNS server DNSSEC support
10:07:34 dnsmasq[8568]: * 192.168.1.245/63785 reply business.comcast.com is BOGUS DS
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 validation static.digital.business.comcast.com is BOGUS
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 reply static.digital.business.comcast.com is 52.85.79.14
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 reply static.digital.business.comcast.com is 52.85.79.24
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 reply static.digital.business.comcast.com is 52.85.79.67
10:07:34 dnsmasq[8568]: 31074 192.168.1.245/63785 reply static.digital.business.comcast.com is 52.85.79.40

 

[vrapp]

Thanks! So - is the problem in the router, in the dns server, or in Comcast somewhere?

 

[dave14305]

Thanks! So - is the problem in the router, in the dns server, or in Comcast somewhere?

The root of the problem is Comcast's own configuration for its business domain. You can work around it by disabling DNSSEC if it's important enough to you, or disabe Strict validation of DNSSEC on the WAN page. There might be some other DNSMASQ trickery possible, but I'm not sure what it would be.

 

[vrapp]

I sent this to our Comcast Business rep and asked to forward to the parties competent enough to address it, but the reaction was not very promising - try another browser, delete cookies, and so on.