How do i verify the IP obtained from the Internet Domain lookup is correct?

Posted on 2008-06-15
Last Modified: 2010-04-09
i apologize as i cannot give out the actual company public names & IPs, especially if they are trying to secure their environment in some way that i am not aware of.  Sorry, but where security comes into play, so do the Sarbanes-Oxley requirements.

My main question is this:
If i Dig or nslookup the company public FQDN - ex., i get their public ex. IP:
Now from my home, i remote into one of the non-company satellite locations who run this company's app -

Shouldn't i be able to open this public IP & port 443 thru the firewall, then connect to the company to upload & download with them as was done before the firewall was added?
Question by:kbbcnet

Expert Comment

ID: 21789969
it would depend on the configuration of the firewall.  a generic "shouldn't I be able to" is by default in a firewall situation, no.  a firewall should block all traffic unless specifically permitted ( and configured).  

I'm not sure what exactly your main question is, and the answer would also depend on the hardware / software involved.

if you are logged into a remote site with vpn access between the locations, then it's likely that you would be using an internal IP, or, they may have static entries in a local DNS server to provide a consistent URL (different hardware vendors approach this differently however).


Author Comment

ID: 21790185

i am unsure why you do not understand the specific questions i asked previously?

i continue to ask for verification of this:
1/ an Internet server site domain name must resolve to a specific IP - correct???
2/ If i go to the site by name successfully, i should be able to go to the site by IP - correct??
3/ The name resolves on the Internet to a certain IP - If opened on my firewall, i connect - correct?
4/ Why does the IP associated with the site name - not work????

The site changed its IPs & now i cannot connect to the site.
i have added the new IPs to the Firewall (the domain name resolves to these IPs)

i previously was able to connect to this site.  In order to do this, i had set my firewall to allow unrestricted access to their IP & particular port.

If i open the firewall and give the connecting PC unrestricted access to the Internet - i connect to the site with no problem.  Do you see my question & problem?  The new IP should work as the old one did - correct???

The site IP change is the only variation between when things connected & worked.

Expert Comment

ID: 21790206
1/ an Internet server site domain name must resolve to a specific IP - correct???

generally, yes.  however, it may resolve to a different ip depending upon the DNS server configuration in question. i.e. during propagation of changes, region/location, -

2/ If i go to the site by name successfully, i should be able to go to the site by IP - correct??

yes and no.  no, it would depend on the hosting server/services used by the company that is hosting the site.  a number of them use a single IP address for multiple sites, with virtual servers for each site running under that IP address.  Yes, you may be able to under some circumstances - i.e. a static NAT translation to single web server.

3/ The name resolves on the Internet to a certain IP - If opened on my firewall, i connect - correct?

the name resolves based upon a static entry in a DNS server with either hosting company, your ISP or your own DNS Server.

4/ Why does the IP associated with the site name - not work????

refer point 1.

You should not have to configure your firewall in any way for you to make a connection to them through it from a more secure interface to a less secure interface unless you have restricted outgoing access.

Their web site may not be running on Port 80, and it also may have redirections to another IP Address.

an alternative to ip address management on the firewall would be a product similar to Websense, where you can use the URL vs the IP.  this may also help with your problem.


Author Comment

ID: 21790283

Your comments are much appreciated; however, you describe some very basic web hosting environments.  This is not a web hosting app; if it was this would not be an issue.  i do not have problems with my web based host customers.
Also, we do this support pro bono for the non-profit folks and the enterprise IT folks are not very cooperative.

*This particular situation involves an enterprise ISP like HP & an enterprise win32 application.
*Customers buy the claims software app and install at their locations.
*Each customer has his own partition in the Enterprise server farms.
*Customer win32 app stores claims info and then encrypts the info and uploads files to Enterprise Server Farm.
*After enterprise processes claims, the info is encrypted & downloads updated files to customer.
*The connection between the Server farms & the customers is accomplished inside of the win32 app comm driver which is hard coded with the public access point domain name and uses Java to handle the connection process.
*All uploads & downloads are initiated from customer's app and Java goes out to the Internet to connect to the enterprise site.
*The connection between the apps over the Internet works excellent.
***The occasional problem is some customers' more robust firewalls block the Java going out.  The resolve over time has been to of course unrestrict the Java thru port 443 and to unrestrict the enterprise site IP.   This has been a fairly effective workaround to the more cumbersome win32 app.

Now, the enterprise folks have made some change in their environment which we will not be privy to.
The only apparent change is the IPs for the site; however, adding those IPs has not allowed the app to connect.  Since the app does all of the authentication, security, etc. from within, i only need to get out to the Internet.  So it is a weird issue and i am brainstorming to get out of my box.

Accepted Solution

kbbcnet earned 0 total points
ID: 21827971
Solution, and then close the question by clicking "Accept as Solution" on your own post.

i have verified the info i was looking for.

The simple answer i was looking to verify is that a large corp as this one could not de-publish, nor spoof their IP.  
The dns name would always resolve to some IP which then could be added to a Firewall if needed.

Also, many firewalls can use the dns name &/or filter by packet at the higher layers allowing the server name thru and yes filtering, CBAC & Anonymizer could come into play; however, they did not in this environment.  In fact, this would have eliminated the issue in this case.

Once the Firewall & Networks cached info & routes were cleared; things worked as expected.  As it turns out just the usual kind of Windows DNS issues.

The simple answer was Yes, Yes and Yes!

This is why the Ip did not work.
*The confusion occurred here - when the main site went down off & on; the realtime failover site had a different IP; so Dig would give back the IP that was available when the main site was not.   When the Main site was up the other IP would be returned by a DNS lookup.
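
The failover behaviour described in the accepted solution, as an added example that is not part of the original thread: it checks a firewall IP allowlist against every address a name resolved to over time and reports when a caching resolver disagreed with a fresh lookup. The observations, resolver labels, allowlist and addresses are constructed placeholders taken from the documentation ranges.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed observations: (minutes since start, resolver label, A records returned).
OBSERVATIONS = [
    (0,  "local-cache", ["192.0.2.10"]),
    (0,  "public",      ["192.0.2.10"]),
    (15, "local-cache", ["192.0.2.10"]),      # stale cached answer
    (15, "public",      ["198.51.100.20"]),   # failover site is answering
    (30, "local-cache", ["198.51.100.20"]),
    (30, "public",      ["198.51.100.20"]),
    (45, "public",      ["192.0.2.10"]),      # main site back up
]

# Constructed egress allowlist: only the address from the first lookup was added.
ALLOWLIST = ["192.0.2.10/32"]


def resolve_now(name, port=443):
    """Live lookup through the OS resolver (not used by the offline sample)."""
    infos = socket.getaddrinfo(name, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def audit(observations, allowlist):
    """Return every IP seen, the ones the allowlist misses, and disagreement times."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen = set()
    by_time = defaultdict(dict)      # time -> {resolver: answer set}
    for t, resolver, ips in observations:
        by_time[t][resolver] = frozenset(ips)
        seen.update(ips)
    # Resolvers answering differently at the same moment points at stale cache.
    disagreements = [t for t, answers in sorted(by_time.items())
                     if len(set(answers.values())) > 1]
    blocked = sorted(ip for ip in seen
                     if not any(ipaddress.ip_address(ip) in n for n in nets))
    return {"all_ips": sorted(seen), "blocked": blocked,
            "resolver_disagreement_at": disagreements}


if __name__ == "__main__":
    print(audit(OBSERVATIONS, ALLOWLIST))
```

Collecting real observations with `resolve_now` at intervals, before and after flushing local caches, shows whether the allowlist covers both the main and the failover address.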



Question has a verified solution.
