Cannot access certain websites

[Guest]

Server 2003 SP1 standard
Internet Explorer 6.0
Snap Gear lite 2 plus router


Hi. I see I'm not the only one with this problem. On our server or on any PC
in the domain we cannot access:

www.ebay.ie - page goes to
http://sea.search.msn.co.uk/dnserror.aspx?FORM=DNSAS&q=www.ebay.ie

www.corkcitylibrary.ie - we get

Access forbidden!

You don't have permission to access the requested directory. There is either
no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.

Error 403
www.corkcitylibrary.ie
Thu Apr 12 12:19:20 2007
Apache

www.corkcity.ie - same as ebay.ie, page redirected to
http://sea.search.msn.co.uk/dnserror.aspx?FORM=DNSAS&q=www.corkcity.ie

We can access ebay.com and ebay.co.uk, corkcitylibrary.com but not the
catalog on corkcitylibrary.com which links to libcat.corkcity.ie, we get
"page cannot be displayed"

Also nslookups of the problem domains using our ISPs (BT) dns servers result
in dns timeouts. BT have assured us that there is no problem at their end and
at this point I have no reason to disbelieve them.

I've researched this problem quite a bit and will be trying the following
this afternoon:

1) reboot router and test.
2) assuming 1 didn't work, replace the snapgear router to see if it's
anything to do with MTU settings/faulty router (reaching here a bit, I know).
Can't find an option to adjust the MTU size in the router management page or
in the config files
3)download and run tcp/ip optimizer
4)run winsock repair utility as there have been quite a few antivirus
removal tools run on the server by the previous IT admin.

Is there anything else I can try to solve this problem? Is there anything in
what I've posted that could isolate if its a dns problem or router? My
suspicions are the router as this problem affects all machines on the domain
and the default gateway is the ip of our router.

Thanks in advance

 

[Robert Aldwinckle]

(cross-post added to Server Networking)

Server 2003 SP1 standard
Internet Explorer 6.0
Snap Gear lite 2 plus router


Hi. I see I'm not the only one with this problem. On our server or on any PC
in the domain we cannot access:

www.ebay.ie - page goes to
http://sea.search.msn.co.uk/dnserror.aspx?FORM=DNSAS&q=www.ebay.ie

In case it is your DNS you can try to cache that site's lookup.
E.g. switch to a cmd windows and enter:

ping -n 1 www.ebay.ie

That site apparently doesn't allow ICMP which ping is based on
so press Ctrl-c as soon as the lookup is done:

E.g. you'll see:

<example>

Pinging hp-intl-other.ebay.com [66.135.208.98] with 32 bytes of data:

Control-C
^C
</example>

Notice that the address name being pinged is not the same name as
the one that you issue? That's because the name you are using is an
alias for a canonical name:

<nslookup>
Name: hp-intl-other.ebay.com
Addresses: 66.135.192.91, 66.135.192.93, 66.135.208.98, 66.135.208.99
Aliases: www.ebay.ie
</nslookup>

In order to fully cache the lookup that you want to do, you need to cache
the lookup for the canonical name too. Otherwise the only thing cached
is the fact that it is an alias.

<example>
F:\>ping -n 1 hp-intl-other.ebay.com

Pinging hp-intl-other.ebay.com [66.135.192.93] with 32 bytes of data:

Control-C
^C
</example>

Now if you do an ipconfig /displaydns you can find (e.g. right-click, Find, Up)
both a CNAME-record for the alias and an A-record for the canonical name.
Then you would have "Time To Live" seconds to let IE do cached lookups.
So, assuming that your DNS was the problem, you could then have a better
chance at getting a connection with IE.

<displaydns>
www.ebay.ie
----------------------------------------
Record Name . . . . . : www.ebay.ie
Record Type . . . . . : 5
Time To Live . . . . : 260
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : hp-intl-other.ebay.com


Record Name . . . . . : hp-intl-other.ebay.com
Record Type . . . . . : 1
Time To Live . . . . : 3154
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 66.135.208.98

www.corkcitylibrary.ie - we get

Access forbidden!

You don't have permission to access the requested directory. There is either
no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.

Error 403
www.corkcitylibrary.ie
Thu Apr 12 12:19:20 2007
Apache

That's not unusual if you are just trying to open at the the root directory.

Hmm... are you sure even that there is an HTTP public port open there?

F:\>telnet www.corkcitylibary.ie 80
Connecting To www.corkcitylibary.ie...Could not open connection to the host, on port 80: Connect failed

www.corkcity.ie - same as ebay.ie, page redirected to
http://sea.search.msn.co.uk/dnserror.aspx?FORM=DNSAS&q=www.corkcity.ie

How did you get the second? It's the canonical name for the first.

<nslookup>
Non-authoritative answer:
Name: www.corkcity.ie
Address: 217.75.0.177
Aliases: www.corkcitylibrary.ie

We can access ebay.com and ebay.co.uk, corkcitylibrary.com but not the
catalog on corkcitylibrary.com which links to libcat.corkcity.ie, we get
"page cannot be displayed"

Heh. That one telnet can open and it's not an alias.

Non-authoritative answer:
Name: libcat.corkcity.ie
Address: 83.71.133.162

Also nslookups of the problem domains using our ISPs (BT) dns servers result
in dns timeouts. BT have assured us that there is no problem at their end and
at this point I have no reason to disbelieve them.

Try using nslookup in interactive mode then and use

set debug

That way you may find a better set of DNS addresses to use for
lookups for this site.

I've researched this problem quite a bit and will be trying the following
this afternoon:

1) reboot router and test.
2) assuming 1 didn't work, replace the snapgear router to see if it's
anything to do with MTU settings/faulty router (reaching here a bit, I know).
Can't find an option to adjust the MTU size in the router management page or
in the config files
3)download and run tcp/ip optimizer
4)run winsock repair utility as there have been quite a few antivirus
removal tools run on the server by the previous IT admin.

Is there anything else I can try to solve this problem?

Try putting FiddlerTool in between the server and the client?
You may get a different set of timeouts that way. Etc.

Is there anything in
what I've posted that could isolate if its a dns problem or router? My
suspicions are the router as this problem affects all machines on the domain
and the default gateway is the ip of our router.

If even your nslookup is timing out I would suspect the DNS addresses
that you have. If you can't get your ISP to fix them or find better alternate
addresses you could use the addresses from the lookups that I found for you
and add them as overrides to your HOSTS file.

Thanks in advance

HTH

Robert Aldwinckle
---

 

[Guest]

Thanks for your help Robert. You were right in your diagnosis, it did turn
out to be a dns issue but my resolution was different:

I ran dnscmd /info from the windows support tools command prompt and in the
forwarders section there was an entry for a dns server which turned out to be
one of our ISPs older dns servers. I ran dnscmd /resetforwarders, changed the
primary dns of our server to point at our ISPs primary dns and was able to
access the sites I previously couldn't. As a test I changed the primary dns
of our server back to point at itself and tried accessing the problem sites -
was able to access them without a problem. Am delighted to say this issue is
no more after much head scratching.

Thanks again for your help.

(cross-post added to Server Networking)

Server 2003 SP1 standard
Internet Explorer 6.0
Snap Gear lite 2 plus router


Hi. I see I'm not the only one with this problem. On our server or on any PC
in the domain we cannot access:

www.ebay.ie - page goes to
http://sea.search.msn.co.uk/dnserror.aspx?FORM=DNSAS&q=www.ebay.ie

In case it is your DNS you can try to cache that site's lookup.
E.g. switch to a cmd windows and enter:

ping -n 1 www.ebay.ie

That site apparently doesn't allow ICMP which ping is based on
so press Ctrl-c as soon as the lookup is done:

E.g. you'll see:

<example>

Pinging hp-intl-other.ebay.com [66.135.208.98] with 32 bytes of data:

Control-C
^C
</example>

Notice that the address name being pinged is not the same name as
the one that you issue? That's because the name you are using is an
alias for a canonical name:

<nslookup>
Name: hp-intl-other.ebay.com
Addresses: 66.135.192.91, 66.135.192.93, 66.135.208.98, 66.135.208.99
Aliases: www.ebay.ie
</nslookup>

In order to fully cache the lookup that you want to do, you need to cache
the lookup for the canonical name too. Otherwise the only thing cached
is the fact that it is an alias.

<example>
F:\>ping -n 1 hp-intl-other.ebay.com

Pinging hp-intl-other.ebay.com [66.135.192.93] with 32 bytes of data:

Control-C
^C
</example>

Now if you do an ipconfig /displaydns you can find (e.g. right-click, Find, Up)
both a CNAME-record for the alias and an A-record for the canonical name.
Then you would have "Time To Live" seconds to let IE do cached lookups.
So, assuming that your DNS was the problem, you could then have a better
chance at getting a connection with IE.

<displaydns>
www.ebay.ie
----------------------------------------
Record Name . . . . . : www.ebay.ie
Record Type . . . . . : 5
Time To Live . . . . : 260
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : hp-intl-other.ebay.com


Record Name . . . . . : hp-intl-other.ebay.com
Record Type . . . . . : 1
Time To Live . . . . : 3154
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 66.135.208.98

www.corkcitylibrary.ie - we get

Access forbidden!

You don't have permission to access the requested directory. There is either
no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.

Error 403
www.corkcitylibrary.ie
Thu Apr 12 12:19:20 2007
Apache

That's not unusual if you are just trying to open at the the root directory.

Hmm... are you sure even that there is an HTTP public port open there?

F:\>telnet www.corkcitylibary.ie 80
Connecting To www.corkcitylibary.ie...Could not open connection to the host, on port 80: Connect failed

www.corkcity.ie - same as ebay.ie, page redirected to
http://sea.search.msn.co.uk/dnserror.aspx?FORM=DNSAS&q=www.corkcity.ie

How did you get the second? It's the canonical name for the first.

<nslookup>
Non-authoritative answer:
Name: www.corkcity.ie
Address: 217.75.0.177
Aliases: www.corkcitylibrary.ie

We can access ebay.com and ebay.co.uk, corkcitylibrary.com but not the
catalog on corkcitylibrary.com which links to libcat.corkcity.ie, we get
"page cannot be displayed"

Heh. That one telnet can open and it's not an alias.

Non-authoritative answer:
Name: libcat.corkcity.ie
Address: 83.71.133.162

Also nslookups of the problem domains using our ISPs (BT) dns servers result
in dns timeouts. BT have assured us that there is no problem at their end and
at this point I have no reason to disbelieve them.

Try using nslookup in interactive mode then and use

set debug

That way you may find a better set of DNS addresses to use for
lookups for this site.

I've researched this problem quite a bit and will be trying the following
this afternoon:

1) reboot router and test.
2) assuming 1 didn't work, replace the snapgear router to see if it's
anything to do with MTU settings/faulty router (reaching here a bit, I know).
Can't find an option to adjust the MTU size in the router management page or
in the config files
3)download and run tcp/ip optimizer
4)run winsock repair utility as there have been quite a few antivirus
removal tools run on the server by the previous IT admin.

Is there anything else I can try to solve this problem?

Try putting FiddlerTool in between the server and the client?
You may get a different set of timeouts that way. Etc.

Is there anything in
what I've posted that could isolate if its a dns problem or router? My
suspicions are the router as this problem affects all machines on the domain
and the default gateway is the ip of our router.

If even your nslookup is timing out I would suspect the DNS addresses
that you have. If you can't get your ISP to fix them or find better alternate
addresses you could use the addresses from the lookups that I found for you
and add them as overrides to your HOSTS file.

Thanks in advance

HTH

Robert Aldwinckle