APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

An unusual DNS issue


2013/07/01

A customer forwarded a screen shot to me. It was a vanilla "This page cannot be displayed" message from Internet Explorer, but the accompanying text pleaded "Whitelist or allowed URL groups are not working. Need help quickly if possible.. Note last name.. That's the name on my paycheck.".

Ahh, the "that's the name on my paycheck" problem. I'm sure most of us know that one well. These problems tend to get bumped up the priority list, don't they?

However, I wasn't quite sure how to respond. The first sentence about "Whitelist not working" implied that he thought this was a Kerio Control firewall issue. However, Control wouldn't cause that IE message. Control would either put up a big red "Accessed Denied" message or optionally redirect the user somewhere else (usually a customer supplied page that explains why certain things are blocked).



Oh, it could be a firewall issue, but I suspected the the reason was more basic. I asked him to do a traceroute: if the problem truly was Control, the traceroute would not get beyond his firewall. Sure enough, when he tried it, it got 12 hops out and then failed:

traceroute fails

However, when I tried traceroute from my own machine, it completed. Obviously the site itself was functional and I could access it with my browser also. I asked my customer if his boss had used the site recently; he didn't know but implied that he likely had. Ordinarily, that's as much help as I would be able to offer: there was something misbehaving between his site and the other. He might be able to get around it by setting his bosses machine to temporarily use a proxy somewhere that he could reach, but other than that, there's nothing I could do about it.

Except that I happened to notice that the "www" host resolved to a completely different address than the bare url. One had a 72. IP and the other began with 216. I had actually accessed it at the 216 address, not the 72. I couldn't get to the .72 address, but my customer could - we had exactly the opposite issue!

With that in mind, I suggested he try putting the 72. address in Control's DNS host table. Control will resolve from its hosts file before asking Internet DNS servers, so if he put the www site in there with that address, Control would answer with that and not ask anywhere else.

Of course, this is a bit of a crapshoot. The two sites may not be identical - they might be in transition from one to the other and updates may be only happening in one place. It's also true that what works today might not work tomorrow, especially if they are in transition. There are other plausible and implausible scenarios: these folks might be victims of DNS poisoning and the 216. site might be a trojan site - or vice versa.

Nevertheless, perhaps driven by that spectre of an unsigned paycheck, my customer tried that and it seemed to work. He did have another question for me, though, which was "How do I explain this to my (non-technical) boss?"

That I do not have an answer for.



Got something to add? Send me email.





(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> An unusual DNS issue




Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Anthony Lawrence



Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





Keeping URIs so that they will still be around in 2, 20 or 200 or even 2000 years is clearly not as simple as it sounds ... However, all over the Web, webmasters are making decisions which will make it really difficult for themselves in the future. (Tim Berners-Lee)

Try not to become a man of success, but rather try to become a man of value. (Albert Einstein)







This post tagged: