How do I verify the IP obtained from the Internet Domain lookup is correct?

Posted on 2008-06-15
Medium Priority
Last Modified: 2010-04-09
I apologize, as I cannot give out the actual company public names & IPs, especially if they are trying to secure their environment in some way that I am not aware of. Sorry, but where security comes into play, so do the Sarbanes-Oxley requirements.

My main question is this:
If I Dig or nslookup the company public FQDN - ex. connect.MS-inc.com, I get their public ex. IP:
Now from my home, I remote into one of the non-company satellite locations who run this company's app -

Shouldn't I be able to open this public IP & port 443 thru the firewall, then connect to the company to upload & download with them as was done before the firewall was added?
Question by:kbbcnet

Expert Comment

ID: 21789969
It would depend on the configuration of the firewall. A generic "shouldn't I be able to" is by default in a firewall situation, no. A firewall should block all traffic unless specifically permitted (and configured).

I'm not sure what exactly your main question is, and the answer would also depend on the hardware / software involved.

If you are logged into a remote site with VPN access between the locations, then it's likely that you would be using an internal IP, or they may have static entries in a local DNS server to provide a consistent URL (different hardware vendors approach this differently, however).


Author Comment

ID: 21790185

I am unsure why you do not understand the specific questions I asked previously?

I continue to ask for verification of this:
1/ an Internet server site domain name must resolve to a specific IP - correct???
2/ If I go to the site by name successfully, I should be able to go to the site by IP - correct??
3/ The name resolves on the Internet to a certain IP - If opened on my firewall, I connect - correct?
4/ Why does the IP associated with the site name - not work????

The site changed its IPs & now I cannot connect to the site.
I have added the new IPs to the Firewall (the domain name resolves to these IPs)

I previously was able to connect to this site. In order to do this, I had set my firewall to allow unrestricted access to their IP & particular port.

If I open the firewall and give the connecting PC unrestricted access to the Internet - I connect to the site with no problem. Do you see my question & problem? The new IP should work as the old one did - correct???

The site IP change is the only variation between when things connected & worked.

Expert Comment

ID: 21790206
1/ an Internet server site domain name must resolve to a specific IP - correct???

Generally, yes. However, it may resolve to a different IP depending upon the DNS server configuration in question, i.e. during propagation of changes, region/location, -

2/ If I go to the site by name successfully, I should be able to go to the site by IP - correct??

Yes and no. No, it would depend on the hosting server/services used by the company that is hosting the site. A number of them use a single IP address for multiple sites, with virtual servers for each site running under that IP address. Yes, you may be able to under some circumstances - i.e. a static NAT translation to a single web server.

3/ The name resolves on the Internet to a certain IP - If opened on my firewall, I connect - correct?

The name resolves based upon a static entry in a DNS server with either the hosting company, your ISP or your own DNS server.

4/ Why does the IP associated with the site name - not work????

Refer to point 1.

You should not have to configure your firewall in any way for you to make a connection to them through it from a more secure interface to a less secure interface unless you have restricted outgoing access.

Their web site may not be running on Port 80, and it also may have redirections to another IP address.

An alternative to IP address management on the firewall would be a product similar to Websense, where you can use the URL vs the IP. This may also help with your problem.


Author Comment

ID: 21790283

Your comments are much appreciated; however, you describe some very basic web hosting environments. This is not a web hosting app; if it was, this would not be an issue. I do not have problems with my web based host customers.
Also, we do this support pro bono for the non-profit folks and the enterprise IT folks are not very cooperative.

*This particular situation involves an enterprise ISP like HP & an enterprise win32 application.
*Customers buy the claims software app and install at their locations.
*Each customer has his own partition in the Enterprise server farms.
*Customer win32 app stores claims info and then encrypts the info and uploads files to Enterprise Server Farm.
*After enterprise processes claims, the info is encrypted & downloads updated files to customer.
*The connection between the Server farms & the customers is accomplished inside of the win32 app comm driver, which is hard coded with the public access point domain name and uses Java to handle the connection process.
*All uploads & downloads are initiated from customers app and Java goes out to the Internet to connect to the enterprise site.
*The connection between the apps over the Internet works excellently.
***The occasional problem is some customers' more robust firewalls block the Java going out. The resolve over time has been to of course unrestrict the Java thru port 443 and to unrestrict the enterprise site IP. This has been a fairly effective workaround to the more cumbersome win32 app.

Now, the enterprise folks have made some change in their environment which we will not be privy to.
The only apparent change is the IPs for the site; however, adding those IPs has not allowed the app to connect. Since the app does all of the authentication, security, etc. from within, I only need to get out to the Internet. So it is a weird issue and I am brainstorming to get out of my box.

Accepted Solution

kbbcnet earned 0 total points
ID: 21827971

I have verified the info I was looking for.

The simple answer I was looking to verify is that a large corp as this one could not de-publish, nor spoof their IP.
The DNS name would always resolve to some IP which then could be added to a Firewall if needed.

Also, many firewalls can use the DNS name &/or filter by packet at the higher layers allowing the server name thru and yes filtering, CBAC & Anonymizer could come into play; however, they did not in this environment. In fact, this would have eliminated the issue in this case.

Once the Firewall & Networks cached info & routes were cleared, things worked as expected. As it turns out, just the usual kind of Windows DNS issues.

The simple answer was Yes, Yes and Yes!

This is why the IP did not work.
*The confusion occurred here - when the main site went down off & on, the realtime failover site had a different IP; so Dig would give back the IP that was available when the main site was not. When the Main site was up the other IP would be returned by a DNS lookup.
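
The failover behaviour described in the accepted solution, as an added example that is not part of the original thread: a Python script that compares every address a name returned over repeated lookups with a firewall allowlist, so an alternating failover address that was never permitted shows up. The log format, the sample addresses (documentation ranges) and the allowlist are constructed, and `resolve_now` is a hypothetical helper for collecting live answers.

```python
import ipaddress
import socket

# Constructed sample: one lookup per line, "timestamp ip[,ip...]".
# Addresses are placeholders from documentation ranges, not from the thread.
SAMPLE_LOG = """\
2008-06-15T09:00Z 192.0.2.10
2008-06-15T09:05Z 192.0.2.10
2008-06-15T09:10Z 198.51.100.20
2008-06-15T09:15Z 198.51.100.20
2008-06-15T09:20Z 192.0.2.10
"""
# Constructed firewall allowlist: the retired address plus the new primary.
SAMPLE_ALLOWLIST = ["203.0.113.5/32", "192.0.2.10/32"]

def resolve_now(name, port=443):
    """Live lookup through the OS resolver (and its cache); IPv4 only."""
    infos = socket.getaddrinfo(name, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def parse_log(text):
    """Return [(timestamp, frozenset of addresses)] from the format above."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, answers = line.split(None, 1)
        ips = frozenset(ipaddress.ip_address(a.strip()) for a in answers.split(","))
        rows.append((stamp, ips))
    return rows

def audit(rows, allowlist):
    """Compare every address ever returned with the firewall allowlist."""
    nets = [ipaddress.ip_network(entry) for entry in allowlist]
    seen = set().union(*(ips for _, ips in rows))
    # Addresses DNS handed out that no rule permits (the failover site here).
    blocked = [str(ip) for ip in sorted(seen) if not any(ip in n for n in nets)]
    # Rules that match nothing DNS returned (candidates for cleanup).
    unused = [str(n) for n in sorted(nets) if not any(ip in n for ip in seen)]
    # How often the answer changed between consecutive lookups.
    changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
    return {"seen": [str(ip) for ip in sorted(seen)], "blocked": blocked,
            "unused_rules": unused, "answer_changes": changes}

if __name__ == "__main__":
    print(audit(parse_log(SAMPLE_LOG), SAMPLE_ALLOWLIST))
```

A non-zero `answer_changes` together with a non-empty `blocked` list is the pattern from this thread: the name is valid, but a single lookup does not reveal every address the firewall has to permit.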

