Strange issues accessing youtube

We have a network where no one can access YouTube.  DNS is returning a bogus IP address and I cannot figure out where it is coming from (see nslookup below).  The response is not from Google's Public DNS server but from something else that must be in the middle of the lookups.  How can we determine where this bogus address is being returned from?  The firewall is a Cisco ASA, but I see nothing enabled there that would cause these types of issues.

C:\Users\Administrator>nslookup -debug www.youtube.com 8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        8.8.8.8.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  8.8.8.8.in-addr.arpa
        name = google-public-dns-a.google.com
        ttl = 21599 (5 hours 59 mins 59 secs)

------------
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        www.youtube.com, type = A, class = IN
    ANSWERS:
    ->  www.youtube.com
        internet address = 208.70.74.21
        ttl = 0 (0 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.youtube.com, type = AAAA, class = IN

------------
Name:    www.youtube.com
Address:  208.70.74.21

Open in new window

LVL 1
bdhtechnologyAsked:
Who is Participating?
 
bdhtechnologyAuthor Commented:
In turns out the filtering system we use, iBoss, was rewriting the DNS queries.  I finally was able to track it back to that.  Still would be helpful if there was a way to look at DNS response and figure out where it came from.  Would a packet trace reveal info like that?
0
 
Craig BeckCommented:
If you use 4.2.2.2 instead of 8.8.8.8 what do you get?  The nslookup looks fine from my PC...

C:\Users\User>nslookup -debug www.youtube.com 8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        8.8.8.8.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  8.8.8.8.in-addr.arpa
        name = google-public-dns-a.google.com
        ttl = 21599 (5 hours 59 mins 59 secs)

------------
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 9,  authority records = 0,  additional = 0

    QUESTIONS:
        www.youtube.com, type = A, class = IN
    ANSWERS:
    ->  www.youtube.com
        canonical name = youtube-ui.l.google.com
        ttl = 21599 (5 hours 59 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.187
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.186
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.182
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.184
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.181
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.185
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.180
        ttl = 299 (4 mins 59 secs)
    ->  youtube-ui.l.google.com
        internet address = 31.55.167.183
        ttl = 299 (4 mins 59 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        www.youtube.com, type = AAAA, class = IN
    ANSWERS:
    ->  www.youtube.com
        canonical name = youtube-ui.l.google.com
        ttl = 21599 (5 hours 59 mins 59 secs)
    ->  youtube-ui.l.google.com
        AAAA IPv6 address = 2a00:1450:400b:c02::5b
        ttl = 299 (4 mins 59 secs)

------------
Name:    youtube-ui.l.google.com
Addresses:  2a00:1450:400b:c02::5b
          31.55.167.187
          31.55.167.186
          31.55.167.182
          31.55.167.184
          31.55.167.181
          31.55.167.185
          31.55.167.180
          31.55.167.183
Aliases:  www.youtube.com

Open in new window

0
 
Craig BeckCommented:
Also, out of interest, are you doing DNS rewrite at the ASA??
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
Pete LongTechnical ConsultantCommented:
Mmmmm http://208.70.74.21/ (your response, is google?)

I Get

C:\Users\pete.long>nslookup -debug www.youtube.com 8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        8.8.8.8.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  8.8.8.8.in-addr.arpa
        name = google-public-dns-a.google.com
        ttl = 6304 (1 hour 45 mins 4 secs)

------------
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.youtube.com.itps.co.uk, type = A, class = IN
    AUTHORITY RECORDS:
    ->  itps.co.uk
        ttl = 1799 (29 mins 59 secs)
        primary name server = ns1.itps.uk.net
        responsible mail addr = hostmaster.itps.uk.net
        serial  = 2012100306
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        default TTL = 38400 (10 hours 40 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.youtube.com.itps.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  itps.co.uk
        ttl = 1799 (29 mins 59 secs)
        primary name server = ns1.itps.uk.net
        responsible mail addr = hostmaster.itps.uk.net
        serial  = 2012100306
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        default TTL = 38400 (10 hours 40 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.youtube.com.co.uk, type = A, class = IN
    AUTHORITY RECORDS:
    ->  co.uk
        ttl = 1799 (29 mins 59 secs)
        primary name server = ns1.nic.uk
        responsible mail addr = hostmaster.nominet.org.uk
        serial  = 1303946126
        refresh = 900 (15 mins)
        retry   = 300 (5 mins)
        expire  = 2419200 (28 days)
        default TTL = 10800 (3 hours)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.youtube.com.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  co.uk
        ttl = 1799 (29 mins 59 secs)
        primary name server = ns1.nic.uk
        responsible mail addr = hostmaster.nominet.org.uk
        serial  = 1303946126
        refresh = 900 (15 mins)
        retry   = 300 (5 mins)
        expire  = 2419200 (28 days)
        default TTL = 10800 (3 hours)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 12,  authority records = 0,  additional = 0

    QUESTIONS:
        www.youtube.com, type = A, class = IN
    ANSWERS:
    ->  www.youtube.com
        canonical name = youtube-ui.l.google.com
        ttl = 21576 (5 hours 59 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.73
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.68
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.70
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.78
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.64
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.69
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.66
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.65
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.71
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.72
        ttl = 276 (4 mins 36 secs)
    ->  youtube-ui.l.google.com
        internet address = 74.125.230.67
        ttl = 276 (4 mins 36 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        www.youtube.com, type = AAAA, class = IN
    ANSWERS:
    ->  www.youtube.com
        canonical name = youtube-ui.l.google.com
        ttl = 21599 (5 hours 59 mins 59 secs)
    ->  youtube-ui.l.google.com
        AAAA IPv6 address = 2a00:1450:4009:800::1003
        ttl = 299 (4 mins 59 secs)

------------
Name:    youtube-ui.l.google.com
Addresses:  2a00:1450:4009:800::1003
          74.125.230.73
          74.125.230.68
          74.125.230.70
          74.125.230.78
          74.125.230.64
          74.125.230.69
          74.125.230.66
          74.125.230.65
          74.125.230.71
          74.125.230.72
          74.125.230.67
Aliases:  www.youtube.com


C:\Users\pete.long>


So given my response is different to Craigs, I suspect the responses are geo-specific (I'm in the UK).

PL
0
 
Craig BeckCommented:
I'm in UK too.
0
 
bdhtechnologyAuthor Commented:
In turns out the filtering system we use, iBoss, was rewriting the DNS queries.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.