Google Chrome Fails to search with This site can't be reached error

If you'll post the results of the following from a workstation it may help in diagnosing the problem:
ipconfig /all
nslookup
google.com
server 1.1.1.1
google.com

How many users does this effect? If only a couple, it could be some sort of malware. Try searching in Safe mode with network.

Also try pinging google.com

Is a single server and no DNS being provided by the router?

See if this helps - GRC Benchmark

This is often useful with DNS issues - DNS Stuff Tools

What do the DNS settings look like for the workstations?

There is only 1 computer that google.com works. That is the computer where I manually configured IP settings so that both DNS  and Gateway points to my router 192.168.1.1. In other words, if I bypass SBS2011 (192.168.1.2) for DNS, google works fine.

Here is the result of ipconfig /all and nslookup google.com in one of the workstations.

ipconfig /all

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : A0-48-1C-AC-7D-9B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c66:4300:eb77:b9cc%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.158(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 1, 2019 11:43:28 AM
   Lease Expires . . . . . . . . . . : Tuesday, October 8, 2019 11:43:27 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.2
   DHCPv6 IAID . . . . . . . . . . . : 60835868
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-23-3B-FC-A0-48-1C-AC-7D-9B
   DNS Servers . . . . . . . . . . . : 192.168.1.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\User1>nslookup google.com
Server:  DC1.domain.local
Address:  192.168.1.2

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4009:80f::200e
          172.217.12.238

Have you tried Fix My Network Wizard (FNCW)?

I will try fix my network wizard this evening and report back.

At a guess, this is an EDNS issue on the DNS service.

This is rather odd.  Based on your results of nslookup, the SBS IS able to resolve the domain.

I would try disabling IPv6 on the workstation to eliminate it as a potential problem.

I disabled IPv6 on a workstation. It seems to be working for a few minutes. But then after a while, same problem.
I ran Fix My Network wizard, but to no avail.

One thing that is clear is that if I set Preferred DNS server to Router IP address(192.168.1.1), then google.com comes up fine and I can do searches.
But as long as Preferred DNS server is set to SBS2011 (192.168.1.2), then it does not work.
So what I can gather so far is that something has gone wrong in the past few days in SBS2011.
I will apply some updates 2019-09 Monthly Rollup this weekend to see if it solves the problem.

Are all your workstations using static ips rather than DHCP? Have you tried flushing DNS on the workstation when you make changes?

Workstations using AD should not get DNS outside the domain.

ipconfig /flushdns

Select allOpen in new window

If it is working in your system this way then things are messed up.  You should only have your DC's DNS server address here.

"One thing that is clear is that if I set Preferred DNS server to Router IP address(192.168.1.1), then google.com comes up fine and I can do searches.
But as long as Preferred DNS server is set to SBS2011 (192.168.1.2), then it does not work.
So what I can gather so far is that something has gone wrong in the past few days in SBS2011."

Yes, this clearly points to an issue with getting DNS through your SBS, though that is the way you should do it.  Doesn't matter if you get the DNS from DHCP or from static.

What I find so odd is that DNS works correctly when you do nsconfig.

Randy makes an excellent point about /flushdns.  After running that, confirm that you are pointing only at 192.168.1.2 for DNS (ipconfig /all) and run nslookup google.com again.

In the DNS server you can do a test lookup.  How does it respond for google.com?

One other test... try entering https://google.com in the browser window and see what happens.

I like to resolve this issue today if possible:
Here is the result of nslookup:


C:\Windows\system32>nslookup google.com
Server:  UnKnown
Address:  fe80::5376:8aa3:7531:1c82

Name:    google.com
Addresses:  2607:f8b0:4004:804::200e
          172.217.5.238

Again, the only URL that does not work is google.com. NO ONE is complaining about any other website or any other server related issue what-so-ever. It is just when they bring up Google.com in their browser, it fails.

As it is, google.com does not work on any computer on the network.  We know the problem is with SBS2011, but no solution is found so far.

If I change the DNS server addresses
from 192.168.1.2
to     192.168.1.1
         192.168.1.2
then google search works just fine on workstation PCs.

Do you think this change will cause other issues?

Have you tried nslookup set debug or d2? Do you get the same results from nslookup on SBS2011? SBS2011 fully updated?

Do you have another Microsoft server on the network that you could run DNS on?

Using the router DNS is not a good practice on Microsoft networks. Is there another router between your and network & the Internet?

The only issue with static ips/DNS is that all the changes have to be done on each workstation rather than getting them from the central server.

Note that extended support for SBS2011 components (SQL Server 2008 and Windows Server 2008 ) will expire 1/14/2020

I am aware of the fact that SBS2011 support will end in Jan of 2020. There is no 2nd DNS server on the network, although I may have to create one if no fix is found. There are only 12 PCs on the network if I have to change DNS server addresses on each computer’s TCP/IP, it is no big deal.
I applied all windows updates today, but to no avail.
It is very strange that ONLY google.com is the problem, not yahoo, BING, or MSN.
Why???

Since you see the correct values with nslookup the SBS2011 DNS should work. I assume that you have checked those with just the SBS2011 as the DNS server. Note that you might need to ipconfig /flushdns to ensure you are not seeing old values.

SBS2011 should be forwarding outside network address resolution to the router. You could try another router.

You could try a hosts file as a workaround.

If we assume that it's something that broke in SBS2011, there may not be a fix on the horizon since it's set to expire anyway.

"Do you think this change will cause other issues?"
Yes.. it will likely cause all sorts of problems with resolving local names.  Depending on your router, it may not keep proper track of local name resolution.

One other test... try entering https://google.com in the browser window and see what happens.

Also... try disabling IPv6 on a workstation and see if that makes a difference.

Lastly, the fact that nslookup comes up with Server: unknown indicates that you likely don't have Reverse Lookup Zones set up on your DNS server.  Not a huge problem, but one that should be corrected.

you have 8.8.8.8 and 8.8.4.4 in the dns forwarders on the sbs server and unchecked use root hints?

I tried 8.8.8.8 in forwarder, but to no avail.
Now removed and only using Root Hints.

@CompProbSolv
I added google.com entry in hosts file, but to no avail.

That's strange. Did you run ipconfig /flushdns? The hosts file should have priority.

Host name resolution generally uses the following sequence:

The client checks to see if the name queried is its own.
The client then searches a local Hosts file, a list of IP address and names stored on the local computer.

NOTE: The Hosts file location depends on the operating system:

   Windows NT                  %Systemroot%\System32\Drivers\Etc
   Windows 95                  <drive>\<Windows folder>
   Windows for Workgroups      <drive>\<Windows folder>
   Windows 3.1                 <drive>\<Windows folder>
   MS-Client 3.0               <Boot volume>\Net
   Lan Manager 2.2c Client     <Boot volume>\Net
 
Where %Systemroot% is the folder in which Windows NT is installed, <drive> is the drive on which the OS is installed, and <boot volume> refers to a boot floppy disk or drive C.

A sample hosts file, Hosts.sam, is installed with the TCP/IP protocol showing the proper format.
Domain Name System (DNS) servers are queried.
If the name is still not resolved, NetBIOS name resolution sequence is used as a backup. This order can be changed by configuring the NetBIOS node type of the client.

Yes I ran ipconfig /flushdns, but still the same problem.
The host file that I edited is located in C:\Windows\System32\drivers\etc.
Also whatever IP address that I put in in host file for Google.com, it returns that ip address when I ping google.com.

I am wondering why GOOGLE.COM is the only search engine that is not working? why not BING, MSN or YAHOO?

If you bypass the router, do things work?

Have you tried either of these?

One other test... try entering https://google.com in the browser window and see what happens.

Also... try disabling IPv6 on a workstation and see if that makes a difference.

@masnrock
If you bypass the router, do things work? ---> if I bypass SBS2011, then yes I can search in google.com.

try disabling IPv6 on a workstation  --> same problem
try entering https://google.com  --> same problem

Try using the ip in the browser for google.com. That would require no name resolution.

If the ip works, you could create shortcuts for your workstations as a work around.

This is a rather odd one.

Compare nslookup google.com results with your SBS 2011 server as the only DNS to the result with the router as the only DNS.  Clearly, something different is coming through here.  It may even require using packet capture (Wireshark, for example) to see all of what is different in the responses.

In IE, if you enter google.com, does it get changed to https://www.google.com ?

@Randy Downs
here is the screenshots by IP address.

@CompProbSolv

Going thru SBS2011 (192.168.1.2):
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
C:\Users\admin>ipconfig /all

Windows IP Configuration

   IPv4 Address. . . . . . . . . . . : 192.168.1.131(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.2  
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\admin>nslookup google.com
Server:  domain1.domain.local
Address:  192.168.1.2

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4004:804::200e
          172.217.5.238

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Going thru ASUS Router (192.168.1.1)
******************************************
C:\Users\admin>nslookup google.com
Server:  router.asus.com
Address:  192.168.1.1
******************************************

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4009:80c::200e
          172.217.1.46

This shows that something else is going on.  Your system isn't accepting the certificate when you use the IP address.  That may also be the issue when you go to google.com.

This page may provide some help:
https://aboutssl.org/quick-steps-fix-google-chrome-ssl-certificate-errors/

I'd be looking into SSL issues.  For example, in IE, look at Settings (gear in upper-right corner), Internet Options, Advanced.  Scroll down and let us know how the "Use SSL..." and "Use TLS..." settings are configured.

try https://  with the ip. I get a warning here the 1st time i use it but it seems OK after I use advanced & proceed in Chrome.

@Randy Downs
When I enter https://172.217.5.238, it immediately changes to "Not Sure: 172.217.5.238" which is the screenshot that I posted with red exclamation mark.

Sorry ... it should have been "Not Secure: 172.217.5.238" "

@CompProbSolv
"Your system isn't accepting the certificate when you use the IP address" -->  When I use  https://172.217.5.238 in "working" network, it still displays "Your connection is not secure", but when you choose "go to the web page anyway", it brings up Google.com, but in "non working" network, it eventually end up with an error like it always does.

I get that warning too the 1st time I access https://172.217.8.174. After accepting the risk via Advanced  (Firefox & Chrome) it seems to works even after restarting the browser. Not sure if it would be flagged again after a period of time. Almost certainly would get flagged if you clear cache.

Actually Chrome seems to work after restart but Firefox doesn't. The issue is that the certificate doesn't match the Common Name which is an IP in this case.  Once you actually get to Google the certificate is fine.

@Randy Downs
I know what you were saying in two previous posts. But it does not work that way in this particular network.

Using the IP in the browser should not require DNS to intervene. Have you tried clearing Cached Lookups from the server?

Administrative tools > DNS
View > Advanced
Actions Clear Cache

I cleared the cache per "Administrative tools > DNS View > Advanced Actions Clear Cache ", but the result is the same.

I assume that the 2nd picture is what you get when you proceed.

At this point, I would probably bring up another Microsoft DNS server and disable DNS on SBS2011. You will need to do that in a couple of months anyway.

Apparently the only work around is to let the router run DNS which is not a best practice an could slow down your network as external DNS could try resolving your network hosts.

Trying another router is another option if you can throw one in temporarily when folks are not accessing the network.

Update:
I rebooted Spectrum internet modem and the problem went away.
I just can’t believe that could happen but it did. I have not had time to talk to technician at Spectrum about the problem.
It is just weird.

Glad you got it working. You might want to replace that modem.

That is so odd!  What would make the difference to the modem (I'm assuming it's actually a modem/router) between google.com and other sites?

In any case, great that you got it working!

My general rule on modem/routers is that if you have to reboot them more often than every couple of months, they should be replaced.  If less often, then decide if it is worth the cost and effort to change it.

I am going to call Spectrum in coming days and discuss about my experience.

I only suspected SBS2011 DNS in the past and this time too because that was a logical place.