cannot connect

Mark Andrews Mark_Andrews at isc.org
Fri Sep 29 01:36:14 UTC 2006


> Ping is generally a bad connection test. It uses ICMP which most firewalls
> will block.

	Any sane firewall will accept ICMP.  TCP and UDP don't
	operate correctly if you block ICMP.

	The only problem with ICMP/ECHO was with directed broadcasts
	and any router purchased in the last 10 years has support
	for directed broadcasts off by default.

> A better test is to telnet on port 80. If you are a windows person, get
> into a cmd window and type telnet <IP Address> 80 <enter>. That gives you a
> test using TCP over 80 which is going to more accurately reflect what
> firewalls holes are open.
> 
> Did you do a lookup for a workstation that can't connect? If you are getting
> DNS resolution at the workstation level, then most likely DNS isn't your
> problem. Make sure that the IP address that you are resolving matches the IP
> addresses you get when you test from outside your network. If they are
> different, then you probably have a hand jammed zone file somewhere. To find
> that rogue DNS server, do the following from a cmd window:
> nslookup <enter>
> set q=soa <enter>
> oscn.net <enter>
> 
> If something other than the legit servers come back, seek and destroy the
> rogue zone.
> 
> Quoting Steve Ingraham <singraham at okcca.net>:
> 
> > Dawn Connelly wrote:
> > I tried to hit the web page by IP address... interestingly the first IP
> > address gave me a standard 403 error which normally indicates that they
> > are looking at host headers.  When I tried to go to the second IP address,
> > I got the following error message;
> > OCISWebInterfaceSupport2 error '800a2407'
> >
> > [OCISWebInterfaceSupport2:3D][9998]No User Account Exists(,)
> >
> > /applications/oscn/start.asp, line 7
> >
> > So the servers are definitely different which probably isn't a good
> > thing. Might not have anything to do with this problem though.
> >
> > If you can get DNS resolution using dig, DNS probably isn't your
> > problem. Test from one of the workstations that can't connect to confirm
> > though. One thing you might try is telnetting on port 80 to the server's
> > IP address.  If you can't establish a connection then you are looking at
> > either a permissions or networking problem.
> >
> > </end 2 cents>
> >
> >
> >
> > I pinged the two IP addresses from my workstation (which cannot
> > connect).  Pinging 65.71.189.80 times out.  Pinging 204.61.6.30 goes
> > through with no errors.
> >
> > Steve Ingraham
> >
> >
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
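
The TCP port 80 test suggested in the quoted message, as an added example that is not part of the original thread: a Python stand-in for "telnet <IP Address> 80" that reports whether the handshake completed, was refused, or went unanswered. The function name probe_tcp and its return strings are assumptions made for this sketch.

```python
import errno
import socket


def probe_tcp(host, port=80, timeout=3.0):
    """Try a TCP handshake to host:port and classify what came back.

    "open"        handshake completed, something is listening
    "refused"     RST came back: host reachable, port closed or rejected
    "timeout"     no answer: packets dropped on the way there or back
    "unreachable" ICMP unreachable received, or no local route
    "error: ..."  name resolution or another socket failure
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "error: resolve failed (%s)" % exc
    result = "error: no usable address"
    for family, socktype, proto, _name, addr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return "open"
        except ConnectionRefusedError:
            result = "refused"
        except socket.timeout:
            result = "timeout"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                result = "unreachable"
            else:
                result = "error: %s" % exc
        finally:
            sock.close()
    return result


if __name__ == "__main__":
    # Constructed demo: a throwaway listener on loopback, so this runs offline.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print("listener up:  ", probe_tcp("127.0.0.1", port))
    listener.close()
    print("listener gone:", probe_tcp("127.0.0.1", port))
```

Run from a workstation that cannot connect, a "timeout" or "refused" result separates a path or filtering problem from a DNS one, which is the distinction the quoted advice is after.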


