Mark_Andrews at isc.org
Fri Sep 29 01:36:14 UTC 2006
> Ping is generally a bad connection test. It uses ICMP which most firewalls wi
Any sane firewall will accept ICMP. TCP and UDP don't
operate correctly if you block ICMP.
The only problem with ICMP/ECHO was with directed broadcasts
and any router purchased in the last 10 years has support
for directed broadcasts off by default.
> A better test is to telnet on port 80. If you are a windows person, ge
> into a cmd window and type telnet <IP Address> 80 <enter>. That gives you a
> test using TCP over 80 which is going to more accurately reflect what firewal
> holes are open.
> Did you do a lookup for a workstation that can't connect? If you are getting
> resolution at the workstation level, then most likely DNS isn't your problem.
> Make sure that the IP address that you are resolving matches the IP addresses
> you get when you test from outside your network. If they are different, then
> you probably have a hand jammed zone file somewhere. To find that rogue DNS
> server, do the following from a cmd window:
> nslookup <enter>
> set q=soa <enter>
> oscn.net <enter>
> If something other than the legit servers come back, seek and destroy the rog
> Quoting Steve Ingraham <singraham at okcca.net>:
> > Dawn Connelly wrote:
> > I tried to hit the web page by IP address... interestingly the first IP
> > address gave me a standard 403 error which normally indicates that they are
> > looking at host headers. When I tried to go to the second IP address, I got
> > the following error message;
> > OCISWebInterfaceSupport2 error '800a2407'
> > [OCISWebInterfaceSupport2:3D]No User Account Exists(,)
> > /applications/oscn/start.asp, line 7
> > So the servers are definitely different which probably isn't a good thing.
> > Might not have anything to do with this problem though.
> > If you can get DNS resolution using dig, DNS probably isn't your problem.
> > Test from one of the workstations that can't connect to confirm though. One
> > thing you might try is telneting on port 80 to the server's IP address. If
> > you can't establish a connection then you are looking at either a
> > permissions or networking problem.
> > </end 2 cents>
> > I pinged the two IP addresses from my workstation (which cannot
> > connect). Pinging 18.104.22.168 times out. Pinging 22.214.171.124 goes
> > through with no errors.
> > Steve Ingraham
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
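
The checks discussed in this thread (a TCP connect to port 80 rather than ping, and comparing the addresses resolved inside the network with those seen from outside), as an added example that is not part of the original messages. The function names are illustrative, and the outside-view addresses are assumed to be supplied by whoever ran the lookup from outside.

```python
import socket

def tcp_check(host, port=80, timeout=3.0):
    """Classify a TCP connect attempt, the scripted form of `telnet <IP> 80`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: path and listener are fine
    except ConnectionRefusedError:
        return "refused"           # RST came back: host reachable, nothing accepting on the port
    except socket.timeout:
        return "timeout"           # no reply at all: packets dropped somewhere on the path
    except OSError:
        return "unreachable"       # routing failure or ICMP unreachable reported by the stack

def resolve_a(name):
    """IPv4 addresses this machine's resolver returns for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def compare_views(inside, outside):
    """Addresses seen from only one side; any entry suggests a divergent zone copy."""
    inside, outside = set(inside), set(outside)
    return {"inside_only": sorted(inside - outside),
            "outside_only": sorted(outside - inside)}

def report(name, outside_addrs, port=80):
    """Resolve locally, diff against the outside view, then test TCP to every address."""
    inside = resolve_a(name)
    result = {"views": compare_views(inside, outside_addrs), "tcp": {}}
    for addr in sorted(set(inside) | set(outside_addrs)):
        result["tcp"][addr] = tcp_check(addr, port)
    return result

if __name__ == "__main__":
    # Constructed sample: 192.0.2.0/24 is a documentation range, not the site's addresses.
    print(report("localhost", ["192.0.2.10"], port=80))
```

A "timeout" result alongside a successful ping points at a filter on the TCP path, while "refused" means the host answered and nothing accepted the connection on that port.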