Domain name resolution issue

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> Ping 67.209.241.26
That's my public IP. The results:
Code:
C:\Users\Desktop>ping 67.209.241.26

Pinging 67.209.241.26 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 67.209.241.26:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Pinging google.com or 8.8.8.8 works as expected.

Code:
C:\Users\Desktop>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=27ms TTL=119
Reply from 8.8.8.8: bytes=32 time=40ms TTL=119
Reply from 8.8.8.8: bytes=32 time=30ms TTL=119
Reply from 8.8.8.8: bytes=32 time=37ms TTL=119

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 40ms, Average = 33ms

C:\Users\Desktop>ping google.com

Pinging google.com [172.253.114.113] with 32 bytes of data:
Reply from 172.253.114.113: bytes=32 time=44ms TTL=107
Reply from 172.253.114.113: bytes=32 time=38ms TTL=107
Reply from 172.253.114.113: bytes=32 time=31ms TTL=107
Reply from 172.253.114.113: bytes=32 time=38ms TTL=107

Ping statistics for 172.253.114.113:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 44ms, Average = 37ms
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
So, are you pinging your public IP from some other place that's known-good?

From your connection (that's being debugged), can you ping something at your ISP?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> So, are you pinging your public IP from some other place that's known-good?
No, that was from my desktop here at home. I can ping my public IP when I connect my desktop through my phone's mobile hotspot, and I do get a response, so it works from outside my home network just fine.
> From your connection (that's being debugged), can you ping something at your ISP?
Yes, I can ping my ISP's upstream gateway and get a response.
Code:
C:\Users\Desktop>ping 172.23.116.1

Pinging 172.23.116.1 with 32 bytes of data:
Reply from 172.23.116.1: bytes=32 time=1ms TTL=63
Reply from 172.23.116.1: bytes=32 time=1ms TTL=63
Reply from 172.23.116.1: bytes=32 time=1ms TTL=63
Reply from 172.23.116.1: bytes=32 time=1ms TTL=63

Ping statistics for 172.23.116.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

In pfSense I have gateway monitoring enabled, and I use another address further upstream (216.111.200.49) that it pings every 5 minutes; it also gets a response.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Let me see if I got this right:

From the outside your public IP address is inaccessible (I tried to ping it to no avail, but that's not a bulletproof indicator).

From the inside, you can ping up to something at your ISP but nothing beyond that. E.g. Google's DNS at 8.8.8.8 won't respond.

If I got that right, I'm afraid you're going to have to press your ISP until they transfer you to someone who will solve the problem, because you're cut off from the internet. Maybe try telling them that you can't get past wherever on their network.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> Let me see if I got this right:
>
> From the outside your public IP address is inaccessible (I tried to ping it to no avail, but that's not a bulletproof indicator).
>
> From the inside, you can ping up to something at your ISP but nothing beyond that. E.g. Google's DNS at 8.8.8.8 won't respond.
>
> If I got that right, I'm afraid you're going to have to press your ISP until they transfer you to someone who will solve the problem, because you're cut off from the internet. Maybe try telling them that you can't get past wherever on their network.
Actually it's the other way around. From the outside everything is accessible without issue. From the inside I can't connect to my domain but everything else is working fine. I can connect to everything except my domain. I used to be able to connect to my domain for the last 5 years up until about a month ago and that's when it stopped working for me.

I'm sorry if I haven't explained that clearly.

Just try to connect to my domain, showersnet.com, and it will work just fine for you. For me from my desktop nothing.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Interesting... I can resolve it just fine. What tools are you using? Have you poked at it using "dig", "nslookup", etc...? Are you running "split horizon", with a public zone and a private zone that includes stuff inside your house? There's been a lot of problems in the DNS world with UDP amplification attacks, etc... There's been a lot of subtle tuning regarding the size of valid responses, etc... If your domain is sending an EDNS packet back that's too large, your ISP may be dropping it on the floor, etc...

This is one of the reasons I run my own BIND 9 servers: so I can publish exactly what I want, using exactly the config I want. It's a complete PITA, but I climbed that mountain of knowledge of my own free will, and I guess it's my hill to die on. :)

BTW - Since you seem to be hosting from your wireless end point... It pains me to suggest this, as I absolutely despise them with every fiber of my being... But... Oracle Cloud offers a free tier. You can run a small DNS / Web server in a Linux VM for $0/month. If you set it up in Phoenix, you might even get a 129.146.x.x IP address that was Sun Microsystems' SF Bay Area class B from back in the day...
 
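rvassar's point about response sizes can be checked from the affected desktop with the probe below, an added example that is not from the thread: it sends the same A query for showersnet.com to 8.8.8.8 (the resolver that answered pings above) three times, once without EDNS, once advertising a 1232-byte EDNS buffer and once a 4096-byte buffer, and reports whether each attempt is answered, truncated, or times out. It assumes only the Python 3 standard library; the transaction ID and buffer sizes are arbitrary choices of this example.

```python
import socket
import struct

def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Build a raw DNS query for `name`; if edns_bufsize is set, append an EDNS0 OPT record."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    pkt = header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS IN
    if edns_bufsize:
        # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the advertised
        # UDP payload size, TTL carries extended RCODE/flags (0), RDLENGTH 0.
        pkt += b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return pkt

def parse_response(pkt):
    """Pull RCODE, the TC (truncated) bit, answer count and wire size out of a response."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "answers": ancount, "size": len(pkt)}

def probe(server, name, edns_bufsize=None, timeout=3.0):
    """Send one query over UDP/53 and return the parsed response, or None if nothing comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, edns_bufsize=edns_bufsize), (server, 53))
        data, _ = sock.recvfrom(65535)
        return parse_response(data)
    except OSError:  # socket.timeout, or ICMP unreachable surfacing as ConnectionResetError
        return None
    finally:
        sock.close()

if __name__ == "__main__":
    # Resolver and domain are the ones named in the thread.
    for bufsize in (None, 1232, 4096):
        label = "no EDNS (512-byte limit)" if bufsize is None else f"EDNS bufsize={bufsize}"
        print(label, "->", probe("8.8.8.8", "showersnet.com", bufsize))
```

If the plain query is answered but the EDNS variants return None, something between the desktop and the resolver is dropping the larger UDP replies; if the plain query comes back with `truncated: True`, the response genuinely exceeds 512 bytes and a resolver that cannot fall back to TCP will fail.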

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> Interesting... I can resolve it just fine.
So can anyone else except me. That's the problem.
> What tools are you using? Have you poked at it using "dig", "nslookup", etc...?
My skill set is limited, so I'm open to suggestions. pfSense has a dnslookup function, and I did use that; it reported back the correct information. I don't even know what "dig" is, but if I can somehow use it I will. I'll do some research.
> Are you running "split horizon", with a public zone and a private zone that includes stuff inside your house?
Nope, one network for everything.
> BTW - Since you seem to be hosting from your wireless end point... It pains me to suggest this, as I absolutely despise them with every fiber of my being... But... Oracle Cloud offers a free tier. You can run a small DNS / Web server in a Linux VM for $0/month. If you set it up in Phoenix, you might even get a 129.146.x.x IP address that was Sun Microsystems' SF Bay Area class B from back in the day...
Thank you, that may end up being my only option at some point. We are also looking at other options such as moving (not just because of internet), so I'm exploring everything I can right now.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Well, I found a workaround so I can at least access my website now. It doesn't necessarily fix the issue, but it's working. I just added entries for all the sites I access externally to the hosts file on my desktop and pointed them all at the jail with the reverse proxy that funnels the traffic. It's working, so I'm giving up on this for now.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
> Well, I found a workaround so I can at least access my website now. It doesn't necessarily fix the issue, but it's working. I just added entries for all the sites I access externally to the hosts file on my desktop and pointed them all at the jail with the reverse proxy that funnels the traffic. It's working, so I'm giving up on this for now.
I suspect this is how it's supposed to work. If you want to access servers internally on your LAN, you would need to use the private 172.x.x.x address, not your public IP address.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> I suspect this is how it's supposed to work. If you want to access servers internally on your LAN, you would need to use the private 172.x.x.x address, not your public IP address.
I'm not accessing them via IP address; I'm accessing them via FQDN.
 

dak180

Patron
Joined
Nov 22, 2017
Messages
310
> My skill set is limited, so I'm open to suggestions. pfSense has a dnslookup function, and I did use that; it reported back the correct information.
The best way to solve this is to use pfSense's internal DNS server and just use a host override for your domain(s). A bonus is that if you force the use of the local DNS server, you can make all outgoing DNS traffic encrypted even if the other devices on your network do not natively support this.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
I am glad you got it to work via the hosts file. I don’t know much about DNS / routing but it sounds as if the ISP isn’t allowing the equivalent of hairpin NAT within their network?

Hence, if you configure your internal hosts file, the packets never leave your LAN and so arrive at the servers in question. Allow the packets into the ISP domain and the gateway / router there says thanks but no thanks and black-holes them.

That could explain the sudden switch from working to not working.