Your IP:

Our Forums Have Moved!

Visit our new forums at http://community.opendns.com/forums/ to post on topics and read the latest content. These forums are now read-only archives.

K-12 Forums

Talk with other K-12 network administrators in your state.

Or see all states.

Categories

Vanilla 1.1.4 is a product of Lussumo. More Information: Documentation, Community Support.

This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthorlancer
    • CommentTimeMay 8th 2007 edited
     permalink
    Okay - not me. I use Linux, this is to do with my dad on Windows XP.

    When I was at my Dad's (he uses Windows XP) I noticed a very slow response in his web browser to initially retrieve pages (he's cable) so I went into his TCP/IP settings and switched from "automatic" to the 208.67.222.222 and 208.67.220.220 DNS alternatives.

    ...it fixed the problem. Now web surfing was heaps faster! :smile:

    But that was a few days ago. Dad contacted me with a new problem. Microsoft Updates (Windows XP) just hang there. I instructed him over the phone (frustrating because I have no XP in front of me) on how to get DNS back to automatic, just to see if that was the issue.

    ...Microsoft updates now worked properly.

    Is there a problem with OpenDNS and Microsoft Updates? I searched your forum and found nothing on it. I'll get Dad to read this forum for your thoughts.

    Cheers - Lancer.
    • CommentAuthorahoier
    • CommentTimeMay 8th 2007 edited
     permalink
    Not that I've seen....and I have 2 Windows XP boxes on this network...though, you could probably try looking up windows update at cache.opendns.com...using the query update.microsoft.com, v4.windowsupdate.microsoft.com, or windowsupdate.microsoft.com...there's just too many "Microsoft Update" hostnames, and I cant recall which one XP uses by default off hand.....infact, you (or really anyone...me included) should be able to goto the cache and refresh the cache for the above 3 hostnames...if that really is the problem.

    Edit: I just went and updated the cache for those 3 domains, from cache.opendns.com so have your dad try using Windows Updates now.
    • CommentAuthorpencoyd
    • CommentTimeMay 8th 2007
     permalink
    Never heard of such a thing. We've got several Windows machines around here, and we're using OpenDNS (surprise, I know :bigsmile: ) and never seen anything like what you report.

    If you have more details (URLs, traceroutes, etc.), please share -- I realize that may be difficult given your remote status from your father.
    • CommentAuthorpdabr
    • CommentTimeMay 9th 2007
     permalink
    are you referring to the automatic updates or manual windows updates, if the computer has ever been a member of a domain that uses a SUS or WSUS or had the automatic updates intranet location set in group policy then the DNS resolution of the intranet hostname for automatic scheduled update locaiton may fail.

    If initiating a manual update through the Windows Updates website using IE then the intranet location is bypassed and the updates come direct from Microsoft (or the closest akami mirror as calculated by ping times!)

    ... The setting of an intranet update location can be removed through editing the local group policy.

    -----

    somewhat related to this is using WSUS for Vista clients - if the intranet locaiton is set then the windows update application will never access microsoft - only the intranet location so a quick warning for all admins out there who run local WSUS make sure that your roaming users can access your intranet WSUS from outside otherwise they will never be updated.
    • CommentAuthorlancer
    • CommentTimeMay 10th 2007
     permalink
    Thanks for your replies everyone. Yes it is frustrating that I don't have Dads computers at the ready. If it were up to me I'd just switch everyone to Linux and they wouldn't even need to bother about Microsoft Updates, but then that would take away their freedom of choice wouldn't it?

    I will try my Dad using the newer cached OpenDNS when I get the chance and see if the issue has been resolved.

    He has a couple of computers on the internet. Both of them went "down" as far as updates were concerned when changed to OpenDNS. With one changed back to "automatic" instead of OpenDNS servers, only the automatic one could update. He has a broadband connection.

    THe Updates program Dad was trying to use was a manual one where he goes to Start Menu >> Programs >> Microsoft Updates (or similar - this was over the 'phone). He said it hangs just before the essential Active X stage. Dad also mentioned that "Windows One Care", a website in his favourites in Internet Explorer would not work, and neither would "Defender" another Microsoft(?) update freebie.

    Sorry, I don't know what SUS or WSUS is and I didn't set up his internet connection to begin with. I imagine he's not on it.

    I was at a mates place yesterday who had also tried OpenDNS on my advice and wanted to get rid of the new settings. In his case, while internet websites were located and therefore loaded noticeably faster, his AVG antivirus updates would not get through. He is on the same broadband provider as Dad (paradise.net.nz) with standard broadband internet, although his DNS setting are static (203.96.152.4 and 203.96.152.12), not automatic like Dads. I do not know whether he has had any problem with manual Microsoft Updates, or if he'd even tried.

    I'm assuming I don't need to give away their personal IP address / gateway settings on this public forum.
    • CommentAuthorpencoyd
    • CommentTimeMay 11th 2007 edited
     permalink
    Someone else who was complaining about this went to downloads.microsoft.com (which is WRONG). download.microsoft.com is the URL for the updates.
    • CommentAuthorpdabr
    • CommentTimeMay 11th 2007
     permalink
    even easier is to start IE, then the menu selection Tools>Windows Update
    • CommentAuthorlancer
    • CommentTimeMay 11th 2007
     permalink
    I think we're starting to go on tangents here.

    Simply: Dad is updating the right way. It works. He is comfortable with it. But switch to OpenDNS and it does not work. He's still updating the *right* way which worked before OpenDNS.

    I don't think the solution is to suggest that Dad should use his computer differently once he is on OpenDNS. It should be a transparent changeover. He thinks OpenDNS is at fault. Until we figure out what's really going on, he has a vaild point. Suggesting he should do anything differently is more likely to put him off OpenDNS altogether. The initial problem will most likely be a setup issue, whether at Dad's end or on the OpenDNS servers.

    Dad just wants what he considers "normal functionality" but with OpenDNS for the extra speed on accessing websites.

    I will go to see him when I can, and may get a chance to test out a few things like traceroute etc. However I'm more of a Linux user and aren't that familiar with the native Windows tools available to use. Anyone got some ideas that I should try when I am next down there? What's the DOS equivalent to the Linux traceroute command or any others that I might need? Is there a "trusted services and sites" part in Windows XP that might be worth looking into?
    • CommentAuthorahoier
    • CommentTimeMay 11th 2007
     permalink
    I dont know exactly what the Start > Windows Update feature in Windows does...but in Windows Vista Home Basic, it points to %SystemRoot%\system32\wuapp.exe...

    Someone wanna run it alongside a packet logger, and see what hostnames it is querying, and potentially "failing" on?
    • CommentAuthorlancer
    • CommentTimeMay 12th 2007
     permalink
    Okay - I'm at Dad's computer right now.


    Turns out Dad's instruction for doing the update was "Start Menu >> All Programs >> Windows Update". Essentially this opens up Internet Explorer to the following site...

    http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

    ...the update feature on this site is now *working* (without OpenDNS but on "automatic" DNS servers) so I decide to run a tracert (That would be "traceroute" for Linux-people like myself)...


    ==================
    C:\DOCUME~1\WINSTO~1>tracert update.microsoft.com

    Tracing route to update.microsoft.com.nsatc.net [65.55.192.93] over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.1.1
    2 12 ms 12 ms 13 ms 203-97-107-1.cable.telstraclear.net [203.97.107.1]
    3 12 ms 15 ms 12 ms ge-9-0-947.u22.telstraclear.net [218.101.61.50]
    4 20 ms 20 ms 20 ms ge-1-2-0-819.ie1.telstraclear.net [203.98.23.1]
    5 23 ms 21 ms 20 ms ge-0-2-0-1.xcore1.acld.telstraclear.net [203.98.50.251]
    6 21 ms 21 ms 20 ms 203.167.128.1
    7 151 ms 151 ms 151 ms i-4-0.wil-core02.net.reach.com [202.84.142.129]
    8 151 ms 152 ms 152 ms i-1-1.wil-core03.net.reach.com [202.84.140.33]
    9 163 ms 163 ms 163 ms i-10-0.sjc-core01.net.reach.com [202.84.143.34]
    10 163 ms 162 ms 161 ms w3_3-sjc02.net.reach.com [202.84.251.90]
    11 163 ms 166 ms 163 ms unknown.net.reach.com [134.159.62.166]
    12 162 ms 162 ms 162 ms ge-6-3-0-55.sjc-64cb-1b.ntwk.msn.net [207.46.37.197]
    13 163 ms 161 ms 161 ms ge-0-0-0-0.sjc-64cb-1a.ntwk.msn.net [207.46.37.57]
    14 236 ms 236 ms 235 ms ge-1-0-0-0.blu-64c-1a.ntwk.msn.net [207.46.33.210]
    15 236 ms 237 ms 237 ms ge-0-0-0-0.blu-64c-1b.ntwk.msn.net [207.46.33.178]
    16 385 ms 357 ms 405 ms ten9-2.blu-76c-1b.ntwk.msn.net [207.46.33.238]
    17 237 ms 236 ms 236 ms ten2-1.blu-6nf-mcs-1a.ntwk.msn.net [65.55.226.150]
    18 * ten2-1.blu-6nf-mcs-1a.ntwk.msn.net [65.55.226.150] reports:

    Destination net unreachable.
    Trace complete.

    C:\DOCUME~1\WINSTO~1>
    ==================




    Well, okay, it says "unreachable" at the last point but it does work (for the updates). Dad is able to successfully run Microsoft Updates through Internet Explorer from the site that comes up.

    Now I'm going to change the DNS settings from "automatic" to the OpenDNS servers... 208.67.222.222 and 208.67.220.220 and then run Dad's favourite way of updating... "Start Menu >> All Programs >> Windows Update" Here's the interesting thing: it brings up the same website but the main body of the page changes to an html report saying...

    ****************
    Checking if your computer has the latest version of Windows updating software for use with the website...
    The website uses ActiveX controls to determine which version of the software your computer is running. If you see an AcrtiveX warning, make sure the control is digitally signed by Microsoft before installing or allowing it to run.
    ****************


    ...at this point Internet Expolorer *completely freezes* and needs to be shut down manually. No menus or anything go at all within Internet Explorer (sorry - can someone please tell me how to stack-trace within Windows?)

    After closing Internet Explorer, I decide to run the tracert again (remember OpenDNS is now enabled)...
    • CommentAuthorlancer
    • CommentTimeMay 12th 2007
     permalink
    (continued from above)

    After closing Internet Explorer, I decide to run the tracert again (remember OpenDNS is now enabled)...

    ==================
    C:\DOCUME~1\WINSTO~1>tracert update.microsoft.com

    Tracing route to update.microsoft.com.nsatc.net [207.46.209.122] over a maximum of 30 hops:

    1 1 ms <1 ms <1 ms 192.168.1.1
    2 22 ms 14 ms 12 ms 203-97-107-1.cable.telstraclear.net [203.97.107.1]
    3 16 ms 12 ms 30 ms ge-9-0-947.u22.telstraclear.net [218.101.61.50]
    4 21 ms 20 ms 41 ms ge-1-2-0-819.ie1.telstraclear.net [203.98.23.1]
    5 28 ms * * ge-0-2-0-1.xcore1.acld.telstraclear.net [203.98.50.251]
    6 21 ms 20 ms 20 ms 203.98.4.7
    7 151 ms 151 ms 152 ms i-4-1.wil-core02.net.reach.com [202.84.142.133]
    8 152 ms 151 ms 151 ms i-15-2.wil-core03.net.reach.com [202.84.143.109]
    9 163 ms 163 ms 163 ms i-10-0.sjc-core01.net.reach.com [202.84.143.34]
    10 164 ms 162 ms 163 ms i-3-2.sjc02.net.reach.com [202.84.251.82]
    11 210 ms 203 ms 203 ms unknown.net.reach.com [134.159.62.166]
    12 162 ms 162 ms 162 ms ge-6-3-0-55.sjc-64cb-1b.ntwk.msn.net [207.46.37.197]
    13 180 ms 179 ms 179 ms pos6-1.tuk-76cb-1b.ntwk.msn.net [207.46.34.170]
    14 180 ms 180 ms 180 ms ten2-3.tuk-76c-1a.ntwk.msn.net [207.46.35.73]
    15 181 ms 180 ms 179 ms po2.tuk-6ns-mcs-2b.ntwk.msn.net [207.46.39.41]
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * po2.tuk-6ns-mcs-2b.ntwk.msn.net [207.46.39.41] reports:
    Destination net unreachable.

    Trace complete.

    C:\DOCUME~1\WINSTO~1>
    ==================


    As you can see the route is different! I decided to give it another spin but this time with OpenDNS settings…


    ==================
    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-2001.

    C:\DOCUME~1\WINSTO~1>tracert update.microsoft.com

    Tracing route to update.microsoft.com.nsatc.net [64.4.21.89] over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.1.1
    2 23 ms 13 ms 12 ms 203-97-107-1.cable.telstraclear.net [203.97.107.
    1]
    3 19 ms 13 ms 12 ms ge-9-0-947.u22.telstraclear.net [218.101.61.50]
    4 21 ms 21 ms 22 ms ge-1-2-0-819.ie1.telstraclear.net [203.98.23.1]
    5 20 ms 22 ms 23 ms ge-0-2-0-1.xcore1.acld.telstraclear.net [203.98.50.251]
    6 22 ms 20 ms 22 ms 203.98.4.7
    7 151 ms 151 ms 151 ms i-4-1.wil-core02.net.reach.com [202.84.142.133]
    8 152 ms 152 ms 151 ms i-6-2.wil-core03.net.reach.com [202.84.140.213]
    9 162 ms 162 ms 162 ms i-10-0.sjc-core01.net.reach.com [202.84.143.34]
    10 163 ms 162 ms 162 ms i-3-1.sjc02.net.reach.com [202.84.251.58]
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 * * * Request timed out.
    24 * * * Request timed out.
    25 * * * Request timed out.
    26 *
    ==================

    ....at which point I got bored waiting for Dad's super fast OpenDNS enabled cable and quit the process.
    • CommentAuthorlancer
    • CommentTimeMay 12th 2007
     permalink
    (continued again)

    ....at which point I got bored waiting for Dad's super fast OpenDNS enabled cable and quit the process.

    Interesting that is chose a different route, although perhaps expected given the nature of nodes on the internet?

    I then put Dad's DNS settings back to manual and the Update feature was once again working. A final tracert on the working-automatic-NOT-OpenDNS settings...


    ==================
    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-2001.

    C:\DOCUME~1\WINSTO~1>tracert update.microsoft.com

    Tracing route to update.microsoft.com.nsatc.net [64.4.21.61]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.1.1
    2 13 ms 12 ms 14 ms 203-97-107-1.cable.telstraclear.net [203.97.107.1]
    3 13 ms 11 ms 31 ms ge-9-0-947.u22.telstraclear.net [218.101.61.50]
    4 20 ms 20 ms 20 ms ge-1-2-0-819.ie1.telstraclear.net [203.98.23.1]
    5 21 ms 20 ms 25 ms ge-0-2-0-1.xcore1.acld.telstraclear.net [203.98.50.251]
    6 21 ms 21 ms 23 ms 203.167.128.1
    7 151 ms 151 ms 151 ms i-4-1.wil-core02.net.reach.com [202.84.142.133]
    8 150 ms 152 ms 150 ms i-15-2.wil-core03.net.reach.com [202.84.143.109]
    9 163 ms 163 ms 162 ms i-10-0.sjc-core01.net.reach.com [202.84.143.34]
    10 163 ms 163 ms 163 ms i-3-2.sjc02.net.reach.com [202.84.251.82]
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 *
    ==================


    ...and at that point I quit. At least it is working again as far as Dad’s Update program is concerned. (now that it is NOT on OpenDNS settings that is)


    There are TWO start menu icons leading to update program in Dad's Start menu. When I check the properties of the shortcut icon, I get...

    Icon: Start Menu >> All Programs >> Microsoft Updates:
    …has the target: C:\Windows\system32\rundll32.exe C:\WINDOWS\system32\muweb.dll,LaunchMUSite

    …and there is also …

    Icon: Start Menu >> All Programs >> Windows Update:
    …which has the target: %SystemRoot%\system32\wupdmgr.exe

    Dad also reports that the webpage http://onecare.live.com/site/en-us/default.htm freezes in a similar way when OpenDNS is enabled.


    Okay - that's about all I know how to do at this point. Anyone know what's wrong with OpenDNS to not be allowing the Windows Update to function?

    My head hurts now but thanks to anyone who can read this and let me know what’s going wrong when we use OpenDNS.
    • CommentAuthorahoier
    • CommentTimeMay 12th 2007
     permalink
    just a thought, but is your dad using Firefox, or any other "3rd party" browser (meaning, something other than Internet Explorer)? I dont know what would cause this...but my updates work fine on all of my XP machines...
    • CommentAuthorlancer
    • CommentTimeMay 12th 2007
     permalink
    He's using Internet Explorer. He may have Firefox as an "extra browser" on one of his three machines. Aside from the possibilty of opting to use Firefox as "default" browser, I don't think it otherwise interferes with DNS available to Internet Explorer. This thing stops working once OpenDNS settings are used, starts working when they are not.
    • CommentAuthornoeldude
    • CommentTimeMay 13th 2007
     permalink
    It's not surprising the traceroutes are different given that the IPs are different. It's not surprising the IPs are different given that update.microsoft.com isn't a single host, but rather a dynamically load-balanced virtual destination with potentially thousands of IPs.

    You need to use something like linux tcping to see if the host is reachable - there are versions for windows, search google. Too many routers and hosts are configured to ignore ICMP echo to make traceroute (or plain old ping) useful to see if a host is reachable.

    I tried the IPs you posted and they are all reachable from the two ISPs I have access to, BellSouth and Comcast (southeast US).

    Windows update with OpenDNS seems to work fine for everyone else. It certainly works for me and the dozens of computers I have access to.

    What ISP are you using? Maybe they're doing something screwy.
    • CommentAuthorlancer
    • CommentTimeMay 13th 2007
     permalink
    I'm glad people haven't given up on this thread. Dad's ISP is paradise.net.nz.

    The thing with the updates is that the update website *is* reached and even loads when using OpenDNS, up to the point where ActiveX is used. Something seems to block his computer from reaching the scans etc, via the OpenDNS route, whereas it does not stop the traffic via "automatic DNS" route.

    I can think of two possibilities:
    1. That paradise.net.nz somehow detect when alternate DNS are being used and thereby block "potentially malicious" traffic for things like ActiveX. Can an ISP do this? I have another friend on the same ISP whose AVG antivirus refuses updates while he is on OpenDNS.
    2. Dad's broadband router may have its own DNS settings whereby it forwards raw internet traffic to the computers it works as a gateway for, but denies anything else, perhaps on application specific policy (e.g. websites at port 80 would work whereas ActiveX may be trying to access another port?) Still does not make sense to me that Dad would have successful connection through the Applications when using DNS other than OpenDNS if this were the case.

    ...I don't know where to begin troubleshooting from this point.
    • CommentAuthornoeldude
    • CommentTimeMay 13th 2007
     permalink
    It might be helpful to download wireshark and capture the TCP traffic when he is trying to do an update. Then compare responses between the ISP DNS and OpenDNS.

    It's very possible the ISP mangles "foreign" DNS traffic. Some ISPs disallow alternate DNS servers, some silently redirect it to their own servers, some just act silly.

    At any rate, if it's the ISP fiddling with the responses, you don't have much alternative.

    While I understand that you only have these problems when using OpenDNS, I doubt it's an OpenDNS problem.
    • CommentAuthorhiddenlogik
    • CommentTimeMay 14th 2007 edited
     permalink
    "Someone else who was complaining about this went to downloads.microsoft.com (which is WRONG). download.microsoft.com is the URL for the updates."

    That someone would have been me.

    and download.microsoft.com is not for the updates he's talking about.

    And if I remember I was very tired from configuring the load balancing at a remote site, and I was confuzzled when it showed up as a blocked page (testing on production servers are we? :tongue:), instead of an error page. The person on aim was very helpful, and handled my "tired network administrator" brain very well.

    To prevent this from happening again, I set up a shortcut on my account that links to http://www.microsoft.com/downloads/

    Just wanted to clarify :tongue:

    Speaking of Windows Update, this site has 60 WINXP PRO SP2 machines, all of which update just fine both automatically and through the web interface; but I don't set dns per machine - It's set on my router.

    I'll be moving to WSUS soon, since the 3.0 release is flexible enough for my needs.

    -HL

    P.S. A possible solution is to use Firefox for his web browsing, since it shouldn't affect IE (which is depended on for the updater). You could then also improve his browsing speed even more, by installing extensions like adblock plus & fasterfox.
    • CommentAuthorahoier
    • CommentTimeMay 14th 2007
     permalink
    Definately sounds like the ISP doing filtering of it's own...is this one of those "bargain ISPs" which require you to run their custom "dialer" software when you are connected to the Internet?

    Im kinda confused when you mentioned:
    "2. Dad's broadband router may have its own DNS settings whereby it forwards raw internet traffic to the computers it works as a gateway for, but denies anything else, perhaps on application specific policy (e.g. websites at port 80 would work whereas ActiveX may be trying to access another port?) Still does not make sense to me that Dad would have successful connection through the Applications when using DNS other than OpenDNS if this were the case."

    Does he know his router's password? To setup OpenDNS addresses in the router...?

    The whole activeX thing, makes me think it's a security application that he has running, that may be blocking that particular domain....I dont know if Windows Updates uses activex.microsoft.com or not, but I've seen that mentioned before....I'll try and refresh it in the cache and we'll see what happens when you're dad tries Windows Updates with OpenDNS activated.

This discussion has been inactive for longer than 30 days, and is thus closed.