PapaLuciani
asked on
LAN Clients being blocked from one site only
We have one particular website that our client computers that are inside our network are now being blocked from(Which is to say that they just won't load - No error codes). The site has always loaded but suddenly stopped. This site can be accessed via other networks outside of our LAN with no issue. It's just one site but it's a webhosting site so we cannot login from the office to manage our websites so it's important to us. There were no changes on any server or firewall. We can get to all other websites but this one.
Environment:
DNS Server: Small Business Server 2008 - This is the only DNS server and is the only computer that can still access the site in question
steps taken:
-Checked DNS Config - using forwarders to the ISP DNS servers. It's been working for over 5 years
-Cleared DNS Cache
-Restarted DNS Service
-Restarted Server
-Ran the "fix my network" wizard from the SBS console but it didn't find anything to fix
Clients: Windows 7 Pro and MAC OSX
steps taken:
-Configured properly to the local DNS Server via DHCP or Manually configured IP but no go
-DHCP working properly
-Flushed DNS
-Checked Windows firewall - configured for DNS
-Uninstalled Antivirus
ISP
steps taken:
-Opened a ticket and they checked their end out and it was clear
-Unplugged our firewall appliance from the ISP equipment and replaced it with just a laptop configured with the ISP addressing and the site worked.
Gateway(Firewall Appliance Sonicwall NSA)
steps taken:
-Verified that the DNS server itself which has the same addressing as the clients can access the site and it does.
-Checked logs - no indication of the site being blocked. These servers are in the USA and we don't content filter anything from the USA but went ahead and made this site a safe site but still no go.
-Went ahead and made a rule to allow traffic to this domains address but still no go
: It seems to be an issue with the DNS server service itself but I cannot find anything wrong. The clients can get to all other websites but only the DNS server itself can get to this one website(netjelly.com)
Any insight would be appreciated.
Environment:
DNS Server: Small Business Server 2008 - This is the only DNS server and is the only computer that can still access the site in question
steps taken:
-Checked DNS Config - using forwarders to the ISP DNS servers. It's been working for over 5 years
-Cleared DNS Cache
-Restarted DNS Service
-Restarted Server
-Ran the "fix my network" wizard from the SBS console but it didn't find anything to fix
Clients: Windows 7 Pro and MAC OSX
steps taken:
-Configured properly to the local DNS Server via DHCP or Manually configured IP but no go
-DHCP working properly
-Flushed DNS
-Checked Windows firewall - configured for DNS
-Uninstalled Antivirus
ISP
steps taken:
-Opened a ticket and they checked their end out and it was clear
-Unplugged our firewall appliance from the ISP equipment and replaced it with just a laptop configured with the ISP addressing and the site worked.
Gateway(Firewall Appliance Sonicwall NSA)
steps taken:
-Verified that the DNS server itself which has the same addressing as the clients can access the site and it does.
-Checked logs - no indication of the site being blocked. These servers are in the USA and we don't content filter anything from the USA but went ahead and made this site a safe site but still no go.
-Went ahead and made a rule to allow traffic to this domains address but still no go
: It seems to be an issue with the DNS server service itself but I cannot find anything wrong. The clients can get to all other websites but only the DNS server itself can get to this one website(netjelly.com)
Any insight would be appreciated.
ASKER
Arnold, thanks for the info. The website(Netjelly.com) works fine outside of our network. from inside our network the site will load from one node and that's the DNS server itself. All the clients that look to that server for DNS can no longer load the website. I can nslookup from both the clients and the dns server and get the right info. The tracert is over 30 hops but like I said the DNS server itself can still load this site. I can take my laptop from work home or another network and the page will load fine. It's just inside our LAN it seems to be a problem.
Compare the traceroute from the working server to the ones that do not.
Do you have a single or multiple external connections?
Whatismyip.com from DNS sever and one of the non-working systems.
Do you have a proxy server through which all workstations go but the DNS server goes out directly?
Do you have a single or multiple external connections?
Whatismyip.com from DNS sever and one of the non-working systems.
Do you have a proxy server through which all workstations go but the DNS server goes out directly?
Are you using the SPAM service or RBL's on the Sonicwall?
ASKER
We only have one external IP for WAN traffic. The DNS server that can load the site has the same configuration for network addressing that the clients(which cannot load this site) do. Traffic goes straight to the firewall and out the WAN interface via the same external IP. Not using the SPAM service on the FW. RBLs we do filter out some sites but not this one.
The issue is not inside the LAN since you say the DNS server which is presumably on your LAN is not having this issue.
Could you double check the browser configuration on the workstations for users and the one on the DNS server to make sure one does not go through a proxy or is more restrictive than the other.
Presumably your DNS server has a static IP on the LAN, your LAN,firewall, proxy might exempt the statically assigned IP block (servers, etc.) from the DHCP assigned user space which is the only possible thing I can see at this time.
One WAN, single LAN space, one DNS server has no issue accessing site, all workstations can not access/display site.
If you want to try the IP check, have one workstation that can not access site, use a static IP within the same range as one used by the DNS server. and see if the issue clears up. If it does, you need to look at your proxy or firewall rules to see the rule that matches this domain or the Ip range.
See if you can browse to a site dvl.com within the same IP space as netjelly.com one is 233 the other is 234.
If the issue DNS can, workstations can't your issue is likely IP range restrictions.
presumably your LAN ips do not use 216.245.199.0/24 IP space.
Try accessing by IP .233 for netjelly.
Could you double check the browser configuration on the workstations for users and the one on the DNS server to make sure one does not go through a proxy or is more restrictive than the other.
Presumably your DNS server has a static IP on the LAN, your LAN,firewall, proxy might exempt the statically assigned IP block (servers, etc.) from the DHCP assigned user space which is the only possible thing I can see at this time.
One WAN, single LAN space, one DNS server has no issue accessing site, all workstations can not access/display site.
If you want to try the IP check, have one workstation that can not access site, use a static IP within the same range as one used by the DNS server. and see if the issue clears up. If it does, you need to look at your proxy or firewall rules to see the rule that matches this domain or the Ip range.
See if you can browse to a site dvl.com within the same IP space as netjelly.com one is 233 the other is 234.
If the issue DNS can, workstations can't your issue is likely IP range restrictions.
presumably your LAN ips do not use 216.245.199.0/24 IP space.
Try accessing by IP .233 for netjelly.
When the site won't load from a client using the URL, have you tried loading it using the ip address (216.245.199.133)?
Also, as an exercise when it is not loading from a client using your internal dns server, change the dns setting to google public dns servers (8.8.8.8 and 8.8.4.4) and see what happens.
Post back with the results.
Also, as an exercise when it is not loading from a client using your internal dns server, change the dns setting to google public dns servers (8.8.8.8 and 8.8.4.4) and see what happens.
Post back with the results.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I believe you received assistance to get to the point reaching out. Ref. DNS server and non working System inquiry about IPs. As well as traceroutes.
ASKER
We resoled this issue internally
Without the site ...
What you need to look on your router is to trace the route to the host?
Is this site accessible off site?
Use external traceroute.org to see if it can see the path.
Any changes on your ISP external connection prior to when this issue began, I.e. Your router has a routing policy to send requests for this site via a route that no longer exists. Your IPP changed and access is IP based.
Look at your routers routing table to make sure there is no issues there.
If this is a secure site, you may have packet size that fragments which is not ssl compliant in some cases,
Packet capture to see whether responses are received but the issue is with the web browser not being able to display an updated version.........