Solved

How do I verify the IP obtained from the Internet Domain lookup is correct?

Posted on 2008-06-15
Last Modified: 2010-04-09
I apologize as I cannot give out the actual company public names & IPs, especially if they are trying to secure their environment in some way that I am not aware of.  Sorry, but where security comes into play, so do the Sarbanes-Oxley requirements.

My main question is this:
If I Dig or nslookup the company public FQDN - ex. connect.MS-inc.com, I get their public IP - ex. 145.100.100.50
Now from my home, I remote into one of the non-company satellite locations that run this company's app -

Shouldn't I be able to open this public IP & port 443 through the firewall, then connect to the company to upload & download with them as was done before the firewall was added?
Question by:kbbcnet

Expert Comment

by:naughton
It would depend on the configuration of the firewall.  A generic "shouldn't I be able to" is by default, in a firewall situation, no.  A firewall should block all traffic unless specifically permitted (and configured).

I'm not sure what exactly your main question is, and the answer would also depend on the hardware / software involved.

If you are logged into a remote site with VPN access between the locations, then it's likely that you would be using an internal IP, or they may have static entries in a local DNS server to provide a consistent URL (different hardware vendors approach this differently, however).




Author Comment

by:kbbcnet
naughton:

I am unsure why you do not understand the specific questions I asked previously?

I continue to ask for verification of this:
1/ an Internet server site domain name must resolve to a specific IP - correct???
2/ If I go to the site by name successfully, I should be able to go to the site by IP - correct??
3/ The name resolves on the Internet to a certain IP - If opened on my firewall, I connect - correct?
4/ Why does the IP associated with the site name - not work????

The site changed its IPs & now I cannot connect to the site.
I have added the new IPs to the Firewall (the domain name resolves to these IPs)

I previously was able to connect to this site.  In order to do this, I had set my firewall to allow unrestricted access to their IP & particular port.

If I open the firewall and give the connecting PC unrestricted access to the Internet - I connect to the site with no problem.  Do you see my question & problem?  The new IP should work as the old one did - correct???

The site IP change is the only variation between when things connected & worked.

Expert Comment

by:naughton
1/ an Internet server site domain name must resolve to a specific IP - correct???

Generally, yes.  However, it may resolve to a different IP depending upon the DNS server configuration in question. i.e. during propagation of changes, region/location, -

2/ If I go to the site by name successfully, I should be able to go to the site by IP - correct??

Yes and no.  No, it would depend on the hosting server/services used by the company that is hosting the site.  A number of them use a single IP address for multiple sites, with virtual servers for each site running under that IP address.  Yes, you may be able to under some circumstances - i.e. a static NAT translation to a single web server.

3/ The name resolves on the Internet to a certain IP - If opened on my firewall, I connect - correct?

The name resolves based upon a static entry in a DNS server with either the hosting company, your ISP or your own DNS Server.

4/ Why does the IP associated with the site name - not work????

Refer point 1.

You should not have to configure your firewall in any way for you to make a connection to them through it from a more secure interface to a less secure interface unless you have restricted outgoing access.

Their web site may not be running on Port 80, and it also may have redirections to another IP Address.

An alternative to IP address management on the firewall would be a product similar to Websense, where you can use the URL vs the IP.  This may also help with your problem.



Author Comment

by:kbbcnet
naughton:

Your comments are much appreciated; however, you describe some very basic web hosting environments.  This is not a web hosting app; if it was, this would not be an issue.  I do not have problems with my web-based host customers.
Also, we do this support pro bono for the non-profit folks and the enterprise IT folks are not very cooperative.

*This particular situation involves an enterprise ISP like HP & an enterprise win32 application.
*Customers buy the claims software app and install it at their locations.
*Each customer has his own partition in the Enterprise server farms.
*Customer win32 app stores claims info and then encrypts the info and uploads files to the Enterprise Server Farm.
*After enterprise processes claims, the info is encrypted & downloads updated files to customer.
*The connection between the Server farms & the customers is accomplished inside of the win32 app comm driver, which is hard coded with the public access point domain name and uses Java to handle the connection process.
*All uploads & downloads are initiated from the customer's app and Java goes out to the Internet to connect to the enterprise site.
*The connection between the apps over the Internet works excellently.
***The occasional problem is some customers' more robust firewalls block the Java going out.  The resolution over time has been to of course unrestrict the Java through port 443 and to unrestrict the enterprise site IP.   This has been a fairly effective workaround to the more cumbersome win32 app.

Now, the enterprise folks have made some change in their environment which we will not be privy to.
The only apparent change is the IPs for the site; however, adding those IPs has not allowed the app to connect.  Since the app does all of the authentication, security, etc. from within, I only need to get out to the Internet.  So it is a weird issue and I am brainstorming to get out of my box.

Accepted Solution

by:kbbcnet

I have verified the info I was looking for.

The simple answer I was looking to verify is that a large corp such as this one could not de-publish, nor spoof their IP.
The DNS name would always resolve to some IP which then could be added to a Firewall if needed.

Also, many firewalls can use the DNS name &/or filter by packet at the higher layers allowing the server name through, and yes, filtering, CBAC & Anonymizer could come into play; however, they did not in this environment.  In fact, this would have eliminated the issue in this case.

Once the Firewall & Networks cached info & routes were cleared, things worked as expected.  As it turns out, just the usual kind of Windows DNS issues.

The simple answer was Yes, Yes and Yes!

This is why the IP did not work.
*The confusion occurred here - when the main site went down off & on, the realtime failover site had a different IP; so Dig would give back the IP that was available when the main site was not.   When the Main site was up the other IP would be returned by a DNS lookup.

Thanks.
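
An added example, not part of the original thread: the accepted solution traces the failure to the name returning a different IP whenever the failover site was serving. The Python sketch below parses constructed `dig +noall +answer` output from two lookups and lists every address the firewall allow-list is missing; the failover address 203.0.113.50, the CNAME target farm.ms-inc.com, the TTLs and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed `dig +noall +answer` output captured at two different times.
# The name and first IP are the question's own examples; the failover IP
# (203.0.113.50, a documentation address) and the TTLs are made up.
SAMPLE_MAIN_UP = """\
connect.ms-inc.com.   300 IN CNAME farm.ms-inc.com.
farm.ms-inc.com.       60 IN A     145.100.100.50
"""
SAMPLE_FAILOVER = """\
connect.ms-inc.com.   300 IN CNAME farm.ms-inc.com.
farm.ms-inc.com.       60 IN A     203.0.113.50
"""


def parse_answer(text):
    """Return {ip: ttl} for every A/AAAA record in a dig answer section."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Fields are: name, ttl, class, type, rdata. Skip comments/short lines.
        if len(fields) < 5 or line.startswith(";"):
            continue
        ttl, rtype, rdata = fields[1], fields[3].upper(), fields[4]
        if rtype in ("A", "AAAA") and ttl.isdigit():
            records[ipaddress.ip_address(rdata)] = int(ttl)
    return records


def audit(samples, allowlist):
    """Return (addresses missing from the allow-list, lowest TTL seen).

    allowlist holds the hosts or CIDR blocks permitted outbound on port 443.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    seen = {}
    for text in samples:
        for ip, ttl in parse_answer(text).items():
            seen[ip] = min(ttl, seen.get(ip, ttl))
    missing = sorted(str(ip) for ip in seen
                     if not any(ip in net for net in nets))
    return missing, min(seen.values()) if seen else None


if __name__ == "__main__":
    missing, ttl = audit([SAMPLE_MAIN_UP, SAMPLE_FAILOVER], ["145.100.100.50/32"])
    print("not in firewall allow-list:", missing)
    print("shortest TTL (seconds):", ttl)
```

A single lookup only shows the address being served at that moment, so the samples should span both the main-site and failover states; the lowest TTL indicates how soon a resolver that honours it will ask again.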