OpenDNS Forums
The official support and discussion site of OpenDNS
This discussion has been inactive for longer than 30 days, and is thus closed.
-
Hi all,
I've been using OpenDNS for a few days now. I haven't had any issues accessing any websites or getting on my corporate VPN. However, I'm having an issue ssh'ing into one of my friend's Linux servers (docsmooth.isa-geek.net), for which I believe he's using dyndns. The DNS resolves correctly with the tool provided here and on other systems not using OpenDNS.
I've tried setting that domain to the whitelist, set the filtering to none and unchecked all advanced settings, but I'm still unable to access it. The moment I remove the OpenDNS DNS entries on my Fedora workstation, it works immediately.
Any clues on what might be the problem?
Thanks.
Sijis
edit: set to incorrect category. -
I dunno.
I tried running dig on that domain using both OpenDNS, and Level 3 DNS. Both returned the same answer.
joe@epinephrine ~ $ dig @208.67.222.222 docsmooth.isa-geek.net.
; <<>> DiG 9.3.6-P1 <<>> @208.67.222.222 docsmooth.isa-geek.net.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1507
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;docsmooth.isa-geek.net. IN A
;; ANSWER SECTION:
docsmooth.isa-geek.net. 60 IN A 75.49.223.174
;; Query time: 23 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jul 2 02:09:03 2009
;; MSG SIZE rcvd: 56
joe@epinephrine ~ $ dig @4.2.2.1 docsmooth.isa-geek.net.
; <<>> DiG 9.3.6-P1 <<>> @4.2.2.1 docsmooth.isa-geek.net.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1933
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;docsmooth.isa-geek.net. IN A
;; ANSWER SECTION:
docsmooth.isa-geek.net. 60 IN A 75.49.223.174
;; Query time: 896 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Thu Jul 2 02:10:52 2009
;; MSG SIZE rcvd: 56
If OpenDNS were somehow blocking it, the results would differ.
Let me ask you this: When you're changing the DNS settings on your Fedora box, is anything else being changed at the same time? Or just your resolv.conf?
I also tried ssh from my laptop (which uses OpenDNS) to that server, and it had no trouble finding it.
My guess is something else is weird on your Fedora box. Happy troubleshooting : ) -
- Comment author: maintenance
- Comment time: Jul 2nd 2009
You may need to enter the domain as a VPN exception. (I am entirely unsure about this.) Dashboard > Settings > Advanced settings > See Domain Typos - Exceptions for VPN users > Manage
Whitelisting, etc., will do nothing, as this domain is not tagged (and only submitted by you as Soft./Tech.). Neither the second- nor third-level domain is listed in PhishTank, either.
"I'm having an issue ssh'ing into one of my friends linux server"
Please describe the issue or point of failure or error message.
Checking the cache http://www.opendns.com/support/cache/ reports a valid answer for all locations. I get the same IP from a different source as well. -
A reverse lookup returns adsl-75-49-223-174.dsl.emhril.sbcglobal.net, but none of these levels seems to be tagged either.
http://www.opendns.com/community/domaintagging/search/?q=sbcglobal.net -
The only thing I'm doing is commenting out the 2 OpenDNS servers in my resolv.conf file
--
#nameserver 208.67.222.222
#nameserver 208.67.220.220
nameserver 192.168.0.1
--
I didn't exactly mean to submit the site to be tagged, since it doesn't have a website, but oh well.
I did add "docsmooth.isa-geek.net" to the VPN exceptions list but it didn't seem to help.
This is very odd, as the DNS name does resolve correctly but I cannot ssh into that system.
When I get home I'll do a verbose ssh connect and post it.
Thanks. -
- Comment author: infinity306
- Comment time: Jul 2nd 2009
Firewall somewhere? -
Also, try a "traceroute docsmooth.isa-geek.net".
-
- Comment author: infinity306
- Comment time: Jul 2nd 2009
Hmm, I just saw that it behaves correctly once you remove OpenDNS.
Make sure the IP returned is the same on OpenDNS and off OpenDNS.
Also, tracert from settings or a computer it works at might help narrow something down as well. -
@sijis
"The only thing I'm doing is commenting out the 2 OpenDNS servers in my resolv.conf"
Also @infinity306: "Hmm, I just saw that it behaves correctly once you remove OpenDNS."
These two sentences brought up a new idea with me.
This might be the problem. Any chance to configure the OpenDNS servers on the router, and leave your resolv.conf pointing to the router? You may then be able to reach your domain docsmooth.isa-geek.net from within.
I don't have a clear explanation about why this could solve your issue, just a feeling...
Besides the "tracert docsmooth.isa-geek.net", can you also post the output of "route print"? -
Here's the info i've been meaning to post
==============
Not working
==============
[sijis@laptop ~]$ traceroute docsmooth.isa-geek.net
traceroute to docsmooth.isa-geek.net (75.49.223.86), 30 hops max, 60 byte packets
1 10.0.0.1 (10.0.0.1) 3.219 ms 13.950 ms 14.440 ms
2 192.168.0.1 (192.168.0.1) 21.167 ms 21.631 ms 22.039 ms
3 adsl-69-209-223-254.dsl.chcgil.ameritech.net (69.209.223.254) 54.012 ms 56.980 ms 63.431 ms
4 dist1-vlan62.chcgil.sbcglobal.net (99.164.169.130) 64.562 ms 66.428 ms 70.417 ms
5 bb1-g7-0.chcgil.ameritech.net (151.164.242.208) 73.494 ms 76.318 ms 80.343 ms
6 bb2-p3-0.emhril.ameritech.net (151.164.240.192) 84.149 ms 48.867 ms 49.056 ms
7 dist1-g2-3.emhril.sbcglobal.net (151.164.94.165) 52.605 ms 55.576 ms 60.315 ms
8 rback19-g1-0.emhril.sbcglobal.net (68.22.72.87) 64.981 ms 65.852 ms 68.953 ms
9 * * *
...
30 * * *
[sijis@laptop ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 2 0 0 wlan0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
default 10.0.0.1 0.0.0.0 UG 0 0 0 wlan0
[sijis@laptop ~]$
==============
Working (no openDNS)
==============
[sijis@laptop ~]$ traceroute docsmooth.isa-geek.net
traceroute to docsmooth.isa-geek.net (75.49.223.86), 30 hops max, 60 byte packets
1 10.0.0.1 (10.0.0.1) 2.935 ms 11.895 ms 12.334 ms
2 192.168.0.1 (192.168.0.1) 18.175 ms 18.489 ms 18.876 ms
3 adsl-69-209-223-254.dsl.chcgil.ameritech.net (69.209.223.254) 53.161 ms 56.224 ms 59.616 ms
4 dist1-vlan62.chcgil.sbcglobal.net (99.164.169.130) 62.957 ms 65.857 ms 69.812 ms
5 bb1-g7-0.chcgil.ameritech.net (151.164.242.208) 73.371 ms 76.640 ms 79.658 ms
6 bb2-p3-0.emhril.ameritech.net (151.164.240.192) 83.668 ms 50.377 ms 49.367 ms
7 dist1-g2-3.emhril.sbcglobal.net (151.164.94.165) 51.917 ms 55.402 ms 58.565 ms
8 rback19-g1-0.emhril.sbcglobal.net (68.22.72.87) 62.116 ms 64.837 ms 67.427 ms
9 * * *
...
30 * * *
[sijis@laptop ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 2 0 0 wlan0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
default 10.0.0.1 0.0.0.0 UG 0 0 0 wlan0
[sijis@laptop ~]$
This oddness continues. The IPs match and the routes are identical. I have noticed that I experience the same issues on my Windows computer.
I'm starting to think something is wrong with my setup.
DSL Modem (192.168.0.1) -> Router (10.0.0.1) -> my laptop (10.0.0.101)
OpenDNS is set up on the Router. I used these instructions: https://www.opendns.com/start/device/linksys
I cannot configure DNS on the DSL modem. There is no option for it. -
@sijis
"The IPs match and the routes are identical." - Surprising, isn't it?
"OpenDNS is set up on the Router. I used these instructions"
Well done!
And you are using OpenDNS now? http://welcome.opendns.com/
"I have noticed that I experience the same issues on my Windows computer."
Yes, this doesn't seem to be related to your computers, but something else, like the router, or the SSH client, see below.
"I've tried setting that domain to the whitelist, set the filtering to none and unchecked all advanced settings"
This was the wrong approach, as the domain is not blocked or tagged. You can remove it from your whitelist.
Here is a better approach: http://www.opendns.com/support/article/164 and http://www.opendns.com/support/article/148
This was already recommended by @maintenance above. However, I'm not really sure what to enter as VPN exception(s), certainly not an external domain.
It could be that your SSH client uses its own method for DNS lookups. You may test this out by appending the following line to your hosts file:
75.49.223.174 docsmooth.isa-geek.net (or whatever the current IP address is)
(Due to the nature of dynamic IP addresses, this can only be a test and not a permanent solution.)
Also, what happens if you use telnet or ftp on port 22 instead of SSH:
telnet docsmooth.isa-geek.net 22
ftp> open docsmooth.isa-geek.net 22 -
@rotblitz
I went to the welcome page and it came up OK.
I visited the two support links you supported and they were identical. However, I had already added the hostname to that list.
I tried putting the new IP in the hosts file and retried again. That did not help.
Here's my output of telnetting to port 22.
[sijis@laptop ~]$ telnet docsmooth.isa-geek.net 22
Trying 75.49.223.86...
Connected to docsmooth.isa-geek.net.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9p1
Protocol mismatch.
Connection closed by foreign host.
[sijis@laptop ~]$ telnet 75.49.223.86 22
Trying 75.49.223.86...
Connected to 75.49.223.86.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9p1
Protocol mismatch.
Connection closed by foreign host.
[sijis@laptop ~]$ ssh 75.49.223.86
Connection closed by 75.49.223.86
[sijis@laptop ~]$
Could it be reverse DNS? Could it be that I'm not getting access because my reverse DNS is not matching or incorrect and that's why I'm not able to get the login prompt? -
"I tried putting the new IP in the hosts file and retried again. That did not help."
This proves that your problem is DNS related in no way. It is also not to do with reverse lookups. You are searching in the wrong direction.
Also your Telnet connects prove this. You can fully reach the SSH server, the "Protocol mismatch" is totally normal if you use Telnet instead of SSH. So your issues cut down to pure SSH client and server configuration or compatibility.
I would like to suggest to put full logging on, on the client and on the server, to see what is reported and what needs to be corrected. -
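The layered check this thread works through (same A record from two resolvers, then an SSH banner over TCP on port 22), as an added Python example that is not part of any post. The function names are illustrative, and the sample lines are copied from the dig and telnet output posted above.

```python
import re
import socket

# A record line in dig's ANSWER section: name, TTL, IN, A, address.
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion [comments]
BANNER = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

def parse_dig_answers(dig_output):
    """Return the set of A-record addresses; dig's ';' comment lines never match."""
    found = set()
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            found.add(m.group(2))
    return found

def parse_ssh_banner(line):
    """Return (protoversion, software), or None if this is not an SSH banner.
    protoversion 1.99 is an SSH-2 server that also accepts 1.x clients (RFC 4253, 5.1)."""
    m = BANNER.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def fetch_banner(host, port=22, timeout=5.0):
    """Live check: read the first line the server sends, as telnet did in the thread."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace").strip()

def triage(answers_a, answers_b, banner_line):
    """Name the layer that still needs investigating."""
    if not answers_a or not answers_b:
        return "dns: a resolver returned no A record"
    if answers_a != answers_b:
        return "dns: resolvers disagree"
    if banner_line is None:
        return "network: same address, but no TCP connection to port 22"
    if parse_ssh_banner(banner_line) is None:
        return "service: port 22 answered with something other than SSH"
    return "ssh: DNS and TCP are fine; check client and server SSH logs"

# Lines copied from the thread: dig via 208.67.222.222, dig via 4.2.2.1, telnet banner.
OPENDNS = ";docsmooth.isa-geek.net. IN A\ndocsmooth.isa-geek.net. 60 IN A 75.49.223.174"
LEVEL3 = ";docsmooth.isa-geek.net. IN A\ndocsmooth.isa-geek.net. 60 IN A 75.49.223.174"
BANNER_SEEN = "SSH-1.99-OpenSSH_3.9p1"

def thread_verdict():
    return triage(parse_dig_answers(OPENDNS), parse_dig_answers(LEVEL3), BANNER_SEEN)

if __name__ == "__main__":
    print(thread_verdict())
```

For a live run, pass `fetch_banner(host)` as the third argument, or `None` if the connection attempt raises `OSError`.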
Once the telnet worked, my last thought was reverse DNS and if that had anything to do with this. I knew the 'protocol mismatch' was normal, I wasn't concerned about that.
I'll contact the host admin and see if they have any 'special' setup which might be the issue.
Although the thing that is confusing is once I disable OpenDNS, the issue is resolved.
