How wrong DNS record can block access to the Web site

I had very interesting experience few days ago. I received compliance that the Facebook site is inaccessible from corporate network. Although that doesn’t sounds like big problem from my perspective, many people found this as a serious problem with the Internet. Our job as SysAdmins is to keep users happy.

This is something which is almost impossible, as we’re speaking about one of most visited sites on the Internet. Therefore, I made short investigation and found a root of the problem. This was very trivial failure – an ISP’s DNS server returned bad IP address for this site.

We can fix this using static DNS resolving with hosts file. The mechanism described here can be used sometimes as an protection against some sites with the bad reputation. In that case, we will deliberately block access to the site, altering a DNS record and giving false IP address to it’s name. Unfortunately, this is also technique that malicious people can use to trick you, redirecting your Web queries to the servers that they control.

Before we begin, I must warn you that any improper change in system files can render your system non-operational. Any change you made on your computer system is on your own responsibility. Don’t blame me if you do something wrong or this doesn’t works as you expected. Further more, using this information and technique to block other users from network access can be considered as serious offense and/or breaking of internal corporate policies or even local law regulations. Please, do not misuse any information in this or any other post.

 

Investigating the problem

First step is to investigate this anomaly. In this case we have a report that the Web site is not accessible. There fore, I will try to open this site in Internet Explorer. You can use any browser you want.

Liceknjiga 01

 

The result is expected – we can’t open this site. We can try to fix this problem, but Internet Explorer can’t do that for us.

In case that we have problem with e-mail or database server, procedure will be very similar. We’ll just use different tools for server access.

Next step is to check if we can reach this site. Usually, we would use a ping command. However, for the ping command we need an IP address of the site. If we don’t know IP address, then we should find it with a DNS resolution of the server name.

There fore, our next step is to obtain the IP address. We can do that using command nslookup. This is a command line interface tool.

We will try to resolve a site name to the IP address:

C:\>nslookup http://www.facebook.com
Server:  server01.company.com
Address:  192.168.88.10

Non-authoritative answer:
Name:    star-mini.c10r.facebook.com
Addresses:  2a03:2880:f007:1e:face:b00c:0:25de
0.0.0.0
Aliases:  http://www.facebook.com

 

As we can see, our command uses local DNS server to resolve a name of the server in it’s IP address. A name of the DNS server and it’s IP address are correct. All other data seams fine, but wait. Something is wrong.

Line marked as red is an IP v4 address. It’s 0.0.0.0 and that means any IP address. Now we have some clue what is a problem.

I must admit that I don’t have a clue how ISP’s DNS server lost the IP address of one of most frequently visiting sites in the World. This can be internal DNS problem, for example. However, as our workstation asking local DNS server for this information and, further, local DNS server asking ISP’s DNS server, we can see where problem lies.

Now, we will use some other DNS server. I’m mostly using Google DNS server (on the IP address of 8.8.8.8) for such purpose, but any other publicly accessible and trustworthy DNS server is fine. It’s very handy that you can type an IP address or a server name for the DNS server as a parameter to the nslookup command.

C:\>nslookup http://www.facebook.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    star-mini.c10r.facebook.com
Addresses:  2a03:2880:f01c:1e:face:b00c:0:25de
31.13.93.36
Aliases:  http://www.facebook.com

 

Now we can see the real IP address for this site.  As second DNS server returned correct IP address, we knew that something is wrong on our side. Particularly, with DNS server. As I already mention, we querying our DNS server, it querying ISP’s DNS server and so on. That means that we rely on our ISP and their network services. However, our ISP solved issue and their DNS became operational again in some 48 hours or so.

We can contact our ISP and report this problem or we can solve it on our way. Second way is more interesting.

 

Fixing an issue with the static DNS record

Now I will show you how you can use a static DNS record. You can add it in hosts file of your workstation, DNS server or DNS forwarder server. A DNS forwarder is a server (or other device, like a router) with DNS service on itself, whose role is to accept DNS queries and forward them to other DNS server, often one managed by your ISP.

We need to manually edit hosts file on our workstation. In Windows systems this file is on path C:\Windows\System32\drivers\etc. From Windows 7, this path is protected and you can edit files in system folder only if you run Notepad as Administrator. That will elevate your rights and allow you to change file content.

If you’re using Linux system, then this file should be in /etc directory. Location may vary between Linux distributions.

You should use Notepad for such operations, as this utility is designed to be very simple and to works only with plain text files. There fore, you can’t mess with some extra characters or codes for text formatting.

Liceknjiga 03 - HOSTS file in Notepad

 

You can see on our screenshot that we need to add one line to this file:

31.13.93.36         http://www.facebook.com

We can use at least one blank character between an IP address and a name. Alternatively, you can use tab for separation.

Now, we should save file on disk. Be aware that this file doesn’t have extension. So, full name is hosts. and nothing behind period. Notepad saving text files by default (extension .txt), so be aware that it can save this file as hosts.txt instead of just hosts., as we need.

If you have some good antivirus on your system, you can see warning that something or someone trying to change you hosts. file.

Liceknjiga 02 - Defender warning

 

We will accept this, as we want to change this settings. However, if you’re not changing anything by yourself, including installation of a new application, you should block this action immediately.

Now, we will go back to the our Browser and refresh content. As we expecting, the Web page is now available.

Liceknjiga 04 - it works

 

We should use this only as workaround

You saw how we can use this technique to redirect our workstation to access site, even if our main DNS server can’t resolve a site name. This mechanism is not suitable for everyday work and I strongly advising to use DNS service for daily operations.

There are millions of sites on the Internet. You can’t enter all and every site in your file. Further more, many operating systems and their network stacks can’t process too big hosts. file.

We can consider this approach in case that we want to have continuous access to some specific servers, like our company e-mail servers. Then we’ll never rely on external DNS servers and their name resolution. If we distribute our own hosts. file on all workstations, then we can allow them to access every public server in out DMZ zone without need to publish them in our public DNS zone.

Another example of using DNS resolution through hosts file is when we have some servers with very limited network integration and we want to allow them to access just a few other servers. If we’re not using DNS servers and without a default gateway, such server are isolated from many network treats. Their world will be limited on that few servers described in hosts file.

Be aware that if you set the IP address of some site to 127.0.0.1, then any device in our network can’t access that server or a site. The IP address 127.0.0.1 is the loopback address and every device in the world resolve it as “go back to myself”. This IP address is used for testing proper operation of the TCP/IP stack inside device. Every packet sent to this IP address is returned back from the stack.

Luckily, in most cases DNS servers will works fine and without any issues. It’s not too hard to protect your DNS infrastructure from attacks. However, if you think that something is wrong with DNS name resolution, you can use this procedure to check results against alternate servers.

Advertisements

3 thoughts on “How wrong DNS record can block access to the Web site

    • Unfortunately, I cannot name the ISP. However, I found that the DNS service with many ISP’s is not well administered. Therefore, I saw many customers who using Google DNS servers instead of local ones.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s