An unusual DNS issue
A customer forwarded a screen shot to me. It was a vanilla "This page cannot be displayed" message from Internet Explorer, but the accompanying text pleaded "Whitelist or allowed URL groups are not working. Need help quickly if possible.. Note last name.. That's the name on my paycheck.".
Ahh, the "that's the name on my paycheck" problem. I'm sure most of us know that one well. These problems tend to get bumped up the priority list, don't they?
However, I wasn't quite sure how to respond. The first sentence about "Whitelist not working" implied that he thought this was a Kerio Control firewall issue. However, Control wouldn't cause that IE message. Control would either put up a big red "Access Denied" message or optionally redirect the user somewhere else (usually a customer-supplied page that explains why certain things are blocked).
Oh, it could be a firewall issue, but I suspected the reason was more basic. I asked him to do a traceroute: if the problem truly was Control, the traceroute would not get beyond his firewall. Sure enough, when he tried it, it got 12 hops out and then failed:
However, when I tried traceroute from my own machine, it completed. Obviously the site itself was functional and I could access it with my browser also. I asked my customer if his boss had used the site recently; he didn't know but implied that he likely had. Ordinarily, that's as much help as I would be able to offer: there was something misbehaving between his site and the other. He might be able to get around it by setting his boss's machine to temporarily use a proxy somewhere that he could reach, but other than that, there's nothing I could do about it.
Except that I happened to notice that the "www" host resolved to a completely different address than the bare URL. One had a 72. IP and the other began with 216. I had actually accessed it at the 216 address, not the 72. I couldn't get to the 72. address, but my customer could - we had exactly the opposite issue!
With that in mind, I suggested he try putting the 72. address in Control's DNS host table. Control will resolve from its hosts file before asking Internet DNS servers, so if he put the www site in there with that address, Control would answer with that and not ask anywhere else.
Of course, this is a bit of a crapshoot. The two sites may not be identical - they might be in transition from one to the other and updates may be only happening in one place. It's also true that what works today might not work tomorrow, especially if they are in transition. There are other plausible and implausible scenarios: these folks might be victims of DNS poisoning and the 216. site might be a trojan site - or vice versa.
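The comparison that exposed the problem can be scripted. The following is an added example, not part of the original article: it resolves the bare domain and its "www" host, flags the case where the two share no address, and checks which addresses answer from the machine it runs on. The function names, port 80 and the sample addresses are assumptions made for illustration.

```python
import socket

def resolve_ipv4(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def tcp_reachable(ip, port=80, timeout=3.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def compare_names(domain, resolve=resolve_ipv4, probe=tcp_reachable):
    """Compare the bare domain with its www host, as in the case above."""
    bare, www = resolve(domain), resolve("www." + domain)
    reach = {ip: probe(ip) for ip in sorted(bare | www)}
    return {
        "bare": sorted(bare),
        "www": sorted(www),
        # True when both names resolve but share no address at all.
        "split": bool(bare and www and bare.isdisjoint(www)),
        "reachable": reach,
        # Addresses that answer from this vantage point: the only
        # candidates worth considering for a hosts-table entry.
        "pin_candidates": [ip for ip, ok in reach.items() if ok],
    }

if __name__ == "__main__":
    # Constructed sample data (documentation addresses, not the real site).
    fake_dns = {"example.test": {"192.0.2.10"},
                "www.example.test": {"198.51.100.20"}}
    fake_up = {"192.0.2.10": True, "198.51.100.20": False}
    report = compare_names("example.test",
                           resolve=lambda n: fake_dns.get(n, set()),
                           probe=lambda ip: fake_up[ip])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reachability depends on where the script runs, and it says nothing about whether the two addresses serve the same content or whether either one is legitimate.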
Nevertheless, perhaps driven by that spectre of an unsigned paycheck, my customer tried that and it seemed to work. He did have another question for me, though, which was "How do I explain this to my (non-technical) boss?"
That I do not have an answer for.