XDNoc and Comcast/AT&T (Resolved) Investigating / Notice
2 days

Comcast (AT&T) Business service SecureEdge is currently hijacking DNS requests, causing some users to receive HTTPS/HTTP errors when they click on links processed by ExchangeDefender. Unfortunately the Business SecureEdge is not a managed service so if it's enabled on your router/account you're going to run into issues. You can disable it from the Comcast Business web site but please read about the issues others are encountering in trying to turn this service off.

Call Comcast Business Support at (800)391-3000 and request to "remove Security Edge from my account and router/modem." Once the service is removed from your account, the errors and issues should go away.

Technical Details

Comcast is hijacking DNS lookups (this is done regardless of whether you use their DNS servers or public 8.8.8.8 or 1.1.1.1) and effectively blocking all lookups of the domain. Here is what a normal lookup for d.xdref.com looks like:

C:\>nslookup d.xdref.com 8.8.8.8

Server: dns.google

Address: 8.8.8.8


Non-authoritative answer:

Name: d.xdref.com

Address: 72.29.121.220


C:\>nslookup d.xdref.com

Server: UnKnown

Address: 192.168.1.50


Non-authoritative answer:

Name: d.xdref.com

Address: 72.29.121.220


Note that regardless of whether you use local or public DNS, the correct IP is returned as 72.29.121.220.

But if you have Comcast SecurityEdge, your request will be redirected:

C:\>nslookup d.xdref.com 8.8.8.8

Server: dns.google

Address: 8.8.8.8


Non-authoritative answer:

Name: d.xdref.com

Addresses: 2607:f740:e::16

          2607:f740:e::ad

          199.38.182.52

          199.38.182.75

Note that even though we're using Google's public DNS in both scenarios, Comcast redirects those lookups to their blocking proxy. That you can't manage or control aside from disabling and removing it from your account. We hope this helps, it's not a service we encounter a lot.