This is an updated [yesterday] F17/64 bit computer. Suddenly Newegg.com produces errors:
Error. Page cannot be displayed. Please contact your service provider for more details. (4)
Error. Page cannot be displayed. Please contact your service provider for more details. (11)
I receive their e-mail messages but have been unable to display the html or switch to the browser as I usually do when I want to read their ads.
I've inquired of opendns and waiting for response there. So far I've only seen this with Newegg but the problem began before I did the yum update yesterday. I believe it was working up 'til Monday.
Am I the only one with a problem? Suggestions what to do welcome,
Bob
--
box9
On 10/18/2012 05:32 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
This is an updated [yesterday] F17/64 bit computer. Suddenly Newegg.com produces errors:
Error. Page cannot be displayed. Please contact your service provider for more details. (4)
Error. Page cannot be displayed. Please contact your service provider for more details. (11)
I receive their e-mail messages but have been unable to display the html or switch to the browser as I usually do when I want to read their ads.
I've inquired of opendns and waiting for response there. So far I've only seen this with Newegg but the problem began before I did the yum update yesterday. I believe it was working up 'til Monday.
Am I the only one with a problem? Suggestions what to do welcome,
No problems here....
clear your cache and try again?
On Thu, 18 Oct 2012 05:32:28 -0400 "Bob Goodwin - Zuni, Virginia, USA" bobgoodwin@wildblue.net wrote:
This is an updated [yesterday] F17/64 bit computer. Suddenly Newegg.com produces errors:
Error. Page cannot be displayed. Please contact your service provider for more details. (4)
Error. Page cannot be displayed. Please contact your service provider for more details. (11)
I receive their e-mail messages but have been unable to display the HTML or switch to the browser as I usually do when I want to read their ads.
I've inquired of opendns and waiting for response there. So far I've only seen this with Newegg but the problem began before I did the yum update yesterday. I believe it was working up 'til Monday.
Am I the only one with a problem? Suggestions what to do welcome,
Bob
--
http://www.qrz.com/db/W2BOD
box9
Are you using firefox with the http everywhere addon or something similar? If so try disabling it. I found using that addon with Newegg often would cause problems until I disabled it for newegg. Noscript is another addon that has problems with newegg occasionally.
Peter
On Thu, 18 Oct 2012 06:54:33 -0600 Peter Reed peterreed@gmx.com wrote:
On Thu, 18 Oct 2012 05:32:28 -0400 "Bob Goodwin - Zuni, Virginia, USA" bobgoodwin@wildblue.net wrote:
This is an updated [yesterday] F17/64 bit computer. Suddenly Newegg.com produces errors:
Error. Page cannot be displayed. Please contact your service provider for more details. (4)
Error. Page cannot be displayed. Please contact your service provider for more details. (11)
I receive their e-mail messages but have been unable to display the HTML or switch to the browser as I usually do when I want to read their ads.
I've inquired of opendns and waiting for response there. So far I've only seen this with Newegg but the problem began before I did the yum update yesterday. I believe it was working up 'til Monday.
Am I the only one with a problem? Suggestions what to do welcome,
Bob
--
http://www.qrz.com/db/W2BOD
box9
Are you using firefox with the http everywhere addon or something similar? If so try disabling it. I found using that addon with Newegg often would cause problems until I disabled it for newegg. Noscript is another addon that has problems with newegg occasionally.
Peter
I meant https everywhere addon.^^ Peter
I once had bits of newegg stop working until I went into the about:config in firefox and disabled IPv6 (of course the IPv6 guys all say this is absolutely impossible and couldn't have any effect, but despite that, there was a 100% correlation between newegg working and the IPv6 flag in firefox being turned off :-).
On Thu, 2012-10-18 at 09:12 -0400, Tom Horsley wrote:
I once had bits of newegg stop working until I went into the about:config in firefox and disabled IPv6 (of course the IPv6 guys all say this is absolutely impossible and couldn't have any effect, but despite that, there was a 100% correlation between newegg working and the IPv6 flag in firefox being turned off :-).
If you try to use IPv6 over a network that doesn't support it (that means everything within your LAN, your link to your ISP, and its link to the outside world), then failures are going to happen. Particularly when the software thinks that it can use IPv6. i.e. It asks for an IP, gets given an IPv6 one, then is unable to make an IPv6 connection.
In my opinion, you either have to turn off IPv6, or ensure that it's fully working (you have a completely IPv6 capable network, or a working IPv6 over IPv4 proxy). Leaving it up to its own devices is asking for trouble.
On 18/10/12 09:12, Tom Horsley wrote:
I once had bits of newegg stop working until I went into the about:config in firefox and disabled IPv6 (of course the IPv6 guys all say this is absolutely impossible and couldn't have any effect, but despite that, there was a 100% correlation between newegg working and the IPv6 flag in firefox being turned off :-).
No, that doesn't help. I don't see anything in my DD-WRT router filters that would account for it and this has always worked. My ISP tech support, Wildblue, denies they filter anything, however I know that I get very little spam so I have little confidence in that denial.
I remember subscribing to something at Opendns that I paid for and believe that they can filter also.
I don't want to start disabling stuff at random simply because one site is blocked ... However I did disable IPv6 as you suggested.
Isn't there a scheme for running Firefox with all the add-ons disabled? I haven't been able to find anything there and I haven't changed any recently.
Thanks for the suggestions,
Bob
On 10/18/2012 10:13 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
On 18/10/12 09:12, Tom Horsley wrote:
I once had bits of newegg stop working until I went into the about:config in firefox and disabled IPv6 (of course the IPv6 guys all say this is absolutely impossible and couldn't have any effect, but despite that, there was a 100% correlation between newegg working and the IPv6 flag in firefox being turned off :-).
No, that doesn't help. I don't see anything in my DD-WRT router filters that would account for it and this has always worked. My ISP tech support, Wildblue, denies they filter anything, however I know that I get very little spam so I have little confidence in that denial.
I remember subscribing to something at Opendns that I paid for and believe that they can filter also.
I don't want to start disabling stuff at random simply because one site is blocked ... However I did disable IPv6 as you suggested.
Isn't there a scheme for running Firefox with all the add-ons disabled? I haven't been able to find anything there and I haven't changed any recently.
Thanks for the suggestions,
Did you try....
telnet newegg.com 80
On 18/10/12 10:24, Ed Greshko wrote:
Did you try....
telnet newegg.com 80
telnet newegg.com 80 paralyzes the terminal, just sits there:
bobg@box9 ~]$ telnet newegg.com 80
Trying 208.91.197.27...
Connected to newegg.com.
Escape character is '^]'.
^C^[\
[bobg@box9 ~]$ telnet newegg.com
Trying 208.91.197.27...
telnet: connect to address 208.91.197.27: Connection timed out
[bobg@box9 ~]$ ping -c 2 newegg.com
PING newegg.com (208.91.197.27) 56(84) bytes of data.
64 bytes from 208.91.197.27: icmp_req=1 ttl=245 time=691 ms
64 bytes from 208.91.197.27: icmp_req=2 ttl=245 time=667 ms
I phoned Newegg customer service and they mentioned recent problems that had been solved and asked that I try the following in Firefox and give them the resulting number.
It too was blocked as I suspected it would be, wget is the same:
[bobg@box9 ~]$ wget http://secure.newegg.com/test.aspx
--2012-10-18 10:53:18-- http://secure.newegg.com/test.aspx
Resolving secure.newegg.com... 208.91.197.27
Connecting to secure.newegg.com|208.91.197.27|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 271 [text/html]
Saving to: `test.aspx'
100%[===================================================>] 271 --.-K/s in 0s
2012-10-18 10:53:19 (6.03 MB/s) - `test.aspx' saved [271/271]
[bobg@box9 ~]$ cat test.aspx
<html>
<head>
<meta name="robots" content="noarchive" />
<meta name="googlebot" content="nosnippet" />
</head>
<body>
<div align=center>
<h3>Error. Page cannot be displayed. Please contact your service provider for more details. (7)</h3>
</div>
</body>
</html>
I haven't found a phone number for opendns but filed a second inquiry on-line. They claim to respond within 72 hours!
I guess I can live without Newegg ad's for a while but it will bug me until it's fixed!
Thanks,
Bob
Bob Goodwin wrote:
bobg@box9 ~]$ telnet newegg.com 80
Trying 208.91.197.27...
That is not Newegg's IP address:
$ dig +short www.newegg.com
204.14.213.185
$ dig +short secure.newegg.com
216.52.208.188
$ dig +short newegg.com
204.14.213.187
216.52.208.187
Try putting "nameserver 8.8.8.8" (one of Google's public DNS servers) at the top of the name server list in "/etc/resolv.conf". If that fixes it then the problem lies with the DNS servers you were previously using.
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
On 10/18/2012 11:35 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
On 18/10/12 10:24, Ed Greshko wrote:
Did you try....
telnet newegg.com 80
telnet newegg.com 80 paralyzes the terminal, just sits there:
bobg@box9 ~]$ telnet newegg.com 80
Trying 208.91.197.27...
Connected to newegg.com.
Escape character is '^]'.
^C^[\
This is *correct* behavior. It shows you can connect to port 80 (http) of newegg. You should simply do CTRL-] to "un-paralyse" your terminal.
[bobg@box9 ~]$ telnet newegg.com
Trying 208.91.197.27...
telnet: connect to address 208.91.197.27: Connection timed out
That too is normal...since you would not expect them to accept telnet service connects on the default port of 23.
[bobg@box9 ~]$ wget http://secure.newegg.com/test.aspx
--2012-10-18 10:53:18-- http://secure.newegg.com/test.aspx
Resolving secure.newegg.com... 208.91.197.27
Connecting to secure.newegg.com|208.91.197.27|:80... connected.
HTTP request sent, awaiting response... 200 OK
OK.... Now this I find "interesting" ....
On your system secure.newegg.com seems to resolve to 208.91.197.27 while on my system it resolves to 204.14.213.188.
and....
[egreshko@meimei ~]$ host 208.91.197.27
;; connection timed out; no servers could be reached
what is your resolv.conf set to?
On 18/10/12 12:01, Ed Greshko wrote:
On 10/18/2012 11:35 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
On 18/10/12 10:24, Ed Greshko wrote:
Did you try....
telnet newegg.com 80
telnet newegg.com 80 paralyzes the terminal, just sits there:
bobg@box9 ~]$ telnet newegg.com 80
Trying 208.91.197.27...
Connected to newegg.com.
Escape character is '^]'.
^C^[\
This is *correct* behavior. It shows you can connect to port 80 (http) of newegg. You should simply do CTRL-] to "un-paralyse" your terminal.
[bobg@box9 ~]$ telnet newegg.com
Trying 208.91.197.27...
telnet: connect to address 208.91.197.27: Connection timed out
That too is normal...since you would not expect them to accept telnet service connects on the default port of 23.
[bobg@box9 ~]$ wget http://secure.newegg.com/test.aspx
--2012-10-18 10:53:18-- http://secure.newegg.com/test.aspx
Resolving secure.newegg.com... 208.91.197.27
Connecting to secure.newegg.com|208.91.197.27|:80... connected.
HTTP request sent, awaiting response... 200 OK
OK.... Now this I find "interesting" ....
On your system secure.newegg.com seems to resolve to 208.91.197.27 while on my system it resolves to 204.14.213.188.
and....
[egreshko@meimei ~]$ host 208.91.197.27
;; connection timed out; no servers could be reached
what is your resolv.conf set to?
Normally set to 208.67.220.220, 208.67.222.222, 208.67.220.222
I just tried 8.8.8.8 as suggested and 12.189.32.61 which is the Wildblue dns. the error still occurs.
I also tried the address you found:
[bobg@box9 ~]$ wget 204.14.213.188
--2012-10-18 12:13:39-- http://204.14.213.188/
Connecting to 204.14.213.188:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.newegg.com/Index.aspx [following]
--2012-10-18 12:13:40-- http://www.newegg.com/Index.aspx
Resolving www.newegg.com... 208.91.197.27
Connecting to www.newegg.com|208.91.197.27|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 271 [text/html]
Saving to: `index.html'
100%[===================================================>] 271 --.-K/s in 0s
2012-10-18 12:13:41 (7.21 MB/s) - `index.html' saved [271/271]
[bobg@box9 ~]$ cat index.html
<html>
<head>
<meta name="robots" content="noarchive" />
<meta name="googlebot" content="nosnippet" />
</head>
<body>
<div align=center>
<h3>Error. Page cannot be displayed. Please contact your service provider for more details. (6)</h3>
</div>
</body>
Of course it errors in Firefox as well.
Bob
Bob Goodwin wrote:
[bobg@box9 ~]$ wget 204.14.213.188
--2012-10-18 12:13:39-- http://204.14.213.188/
Connecting to 204.14.213.188:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.newegg.com/Index.aspx [following]
--2012-10-18 12:13:40-- http://www.newegg.com/Index.aspx
Resolving www.newegg.com... 208.91.197.27
Newegg responded with a 302 redirect with "www.newegg.com" in the location and that was resolved to 208.91.197.27. Something is definitely wrong with your DNS resolution, but it doesn't seem to be specific to your computer since your daughter is having similar problems.
What is the output of the following commands?
$ dig @8.8.8.8 +short www.newegg.com
$ dig @208.67.220.220 +short www.newegg.com
$ dig @12.189.32.61 +short www.newegg.com
For reference, I get:
$ dig @8.8.8.8 +short www.newegg.com
216.52.208.185
$ dig @208.67.220.220 +short www.newegg.com
216.52.208.185
$ dig @12.189.32.61 +short www.newegg.com
;; connection timed out; no servers could be reached
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
Bob,
It turns out that you're not the only one having this problem.
Newegg isn't working - Overclockers Australia Forums http://forums.overclockers.com.au/showthread.php?p=14825407
The person in that thread solved the problem by switching to Google's public DNS server. That may not work for you if Google responds with different DNS records based on geolocation. The dig output I requested in the previous email would clear that up.
If all else fails, just stick the following line in "/etc/hosts":
204.14.213.188 newegg.com www.newegg.com secure.newegg.com
These types of DNS problems tend to sort themselves out over time, so every couple of days you can try accessing Newegg without it. I'd wager that everything will be back to normal within a week.
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
On 18/10/12 13:07, Matthew J. Roth wrote:
If all else fails, just stick the following line in "/etc/hosts":
204.14.213.188 newegg.com www.newegg.com secure.newegg.com
Ok that got me through to their "secure" site and I obtained the number they requested and sent it back to them. I'll see what they come up with.
Thanks,
Bob
Bob,
I get [using the opendns name servers again]:
[bobg@box9 ~]$ dig @8.8.8.8 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @208.67.220.220 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @12.189.32.61 +short www.newegg.com
208.91.197.27
The @IP tells dig which DNS server to query, so those commands are querying Google (@8.8.8.8), OpenDNS (@208.67.220.220), and Wild Blue (@12.189.32.61). The fact that they all return 208.91.197.27 means that your computers and your network are fine.
You're probably just encountering a stale DNS record. DNS is a distributed system with a lot of caching involved. Due to that, changes to DNS records do not propagate throughout the Internet immediately.
Perhaps they respond differently as a function of the inquiring address?
That's a plausible explanation.
Ok that got me through to their "secure" site and I obtained the number they requested and sent it back to them. I'll see what they come up with.
Very good. You may also want to let them know about the 208.91.197.27 response that your DNS queries were receiving. It will work itself out if it's a DNS change that hasn't propagated yet, but it could also be something that they need to fix like a misconfiguration of their authoritative name servers.
Remember to periodically try to access newegg.com without that line in "/etc/hosts". It's more of a workaround than an actual solution and it will stop working if they drop the IP it references.
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
On 19/10/12 09:29, Matthew J. Roth wrote:
Bob,
I get [using the opendns name servers again]:
[bobg@box9 ~]$ dig @8.8.8.8 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @208.67.220.220 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @12.189.32.61 +short www.newegg.com
208.91.197.27
The @IP tells dig which DNS server to query, so those commands are querying Google (@8.8.8.8), OpenDNS (@208.67.220.220), and Wild Blue (@12.189.32.61). The fact that they all return 208.91.197.27 means that your computers and your network are fine.
You're probably just encountering a stale DNS record. DNS is a distributed system with a lot of caching involved. Due to that, changes to DNS records do not propagate throughout the Internet immediately.
Perhaps they respond differently as a function of the inquiring address?
That's a plausible explanation.
Ok that got me through to their "secure" site and I obtained the number they requested and sent it back to them. I'll see what they come up with.
Very good. You may also want to let them know about the 208.91.197.27 response that your DNS queries were receiving. It will work itself out if it's a DNS change that hasn't propagated yet, but it could also be something that they need to fix like a misconfiguration of their authoritative name servers.
Remember to periodically try to access newegg.com without that line in "/etc/hosts". It's more of a workaround than an actual solution and it will stop working if they drop the IP it references.
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
Yes, your explanation seems to fit the symptoms exactly, the Newegg customer service rep seemed to be right on top of the problem and it would have been nice if she suggested the probable cause as you have but unfortunately our society seems to dumb down everything on the assumption that it's "too complicated." And maybe they are right, if nothing else explanations take time ... I certainly appreciated yours.
As you suggest, I commented out the added line in /etc/hosts. Their page had begun to work normally this morning and it is still working with that line removed and Firefox restarted. I haven't rebooted ...
I sent them the number which she said identified a server per her request but received no acknowledgment, whatever, the problem is gone after providing an interesting and educational episode for me.
Thanks for the help.
Bob
On 18/10/12 12:36, Matthew J. Roth wrote:
Bob Goodwin wrote:
[bobg@box9 ~]$ wget 204.14.213.188
--2012-10-18 12:13:39-- http://204.14.213.188/
Connecting to 204.14.213.188:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.newegg.com/Index.aspx [following]
--2012-10-18 12:13:40-- http://www.newegg.com/Index.aspx
Resolving www.newegg.com... 208.91.197.27
Newegg responded with a 302 redirect with "www.newegg.com" in the location and that was resolved to 208.91.197.27. Something is definitely wrong with your DNS resolution, but it doesn't seem to be specific to your computer since your daughter is having similar problems.
What is the output of the following commands?
$ dig @8.8.8.8 +short www.newegg.com
$ dig @208.67.220.220 +short www.newegg.com
$ dig @12.189.32.61 +short www.newegg.com
For reference, I get:
$ dig @8.8.8.8 +short www.newegg.com
216.52.208.185
$ dig @208.67.220.220 +short www.newegg.com
216.52.208.185
$ dig @12.189.32.61 +short www.newegg.com
;; connection timed out; no servers could be reached
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
I get [using the opendns name servers again]:
[bobg@box9 ~]$ dig @8.8.8.8 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @208.67.220.220 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @12.189.32.61 +short www.newegg.com
208.91.197.27
Perhaps they respond differently as a function of the inquiring address?
On 10/19/2012 01:17 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
I get [using the opendns name servers again]:
[bobg@box9 ~]$ dig @8.8.8.8 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @208.67.220.220 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @12.189.32.61 +short www.newegg.com
208.91.197.27
Perhaps they respond differently as a function of the inquiring address?
FYI, one thing you should check with your ISP is if they are using a DNS Proxy. If so, you may "think" you are sending queries to the @IP servers but in fact are not....
http://www.dnsleaktest.com/what-is-transparent-dns-proxy.php
Has a link to see if your ISP is doing this....
On 19/10/12 23:55, Ed Greshko wrote:
On 10/19/2012 01:17 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
I get [using the opendns name servers again]:
[bobg@box9 ~]$ dig @8.8.8.8 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @208.67.220.220 +short www.newegg.com
208.91.197.27
[bobg@box9 ~]$ dig @12.189.32.61 +short www.newegg.com
208.91.197.27
Perhaps they respond differently as a function of the inquiring address?
FYI, one thing you should check with your ISP is if they are using a DNS Proxy. If so, you may "think" you are sending queries to the @IP servers but in fact are not....
http://www.dnsleaktest.com/what-is-transparent-dns-proxy.php
Has a link to see if your ISP is doing this....
Ok, this is what I see. What is it telling me?
We detected the 2 DNS servers listed below.
WARNING: If you are connected to an anonymity/privacy service and ANY of the servers listed below are from your ISP then your DNS is leaking. (You should be able to recognize them based on the hostname and location).
IP: 184.63.128.68 Hostname: 184.63.128.68 ISP: Wildblue Communications Country: United States
IP: 184.63.128.69 Hostname: 184.63.128.69 ISP: Wildblue Communications Country: United States
DNS should be set for opendns 208.67.220.220 and 222. The dns address they provided me six years ago is 12.189.32.61. I don't see either here, just a Wildblue address, different from the one my router thinks it is connected to [WAN IP: 184.20.151.17].
Bob
On Sat, 2012-10-20 at 04:08 -0400, Bob Goodwin - Zuni, Virginia, USA wrote:
Ok, this is what I see. What is it telling me?
We detected the 2 DNS servers listed below.
WARNING: If you are connected to an anonymity/privacy service and ANY of the servers listed below are from your ISP then your DNS is leaking. (You should be able to recognize them based on the hostname and location).
IP: 184.63.128.68 Hostname: 184.63.128.68 ISP: Wildblue Communications Country: United States
IP: 184.63.128.69 Hostname: 184.63.128.69 ISP: Wildblue Communications Country: United States
DNS should be set for opendns 208.67.220.220 and 222. The dns address they provided me six years ago is 12.189.32.61. I don't see either here, just a Wildblue address, different from the one my router thinks it is connected to [WAN IP: 184.20.151.17].
Going from what I read of their site, that means that they've figured out the DNS servers you're getting answers from are the ones listed above, not the ones that you're hoping to use. Therefore, your ISP is acting as a transparent proxy, intercepting all your DNS requests and answering them, themselves, no matter what you do.
In my case, it comes back with my public IP address. Which, kind of, makes sense. I run my own DNS servers, on my LAN, which is behind a router doing NAT.
I'd like to know how they're doing their discovery.
I can understand why ISPs might do proxying, though I don't think it's a brilliant idea (likewise with HTTP proxying). There's customers that badly configure their computers, so intercepting is a simplistic way to work around that. Some ISPs might try protecting their users from malicious content on the internet, though they could do that with their own servers without proxying, allowing you to make your own mind up to use their censored servers or your own choice of servers. And some ISPs are obligated to censor children's access, again they could do that other ways.
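Added example, not part of any poster's message: a local check for the interception described above. It compares answers from the resolvers named in the thread with an out-of-band reference and with a "canary" query sent to an address that hosts no DNS server. The canary address (192.0.2.1, TEST-NET-1), the verdict names, the function names and the script name are assumptions of this example; the canary line in the second sample is constructed, since nobody in the thread ran such a probe.

```bash
#!/usr/bin/env bash
# Added example: tell "every resolver agrees" apart from "one on-path box
# answers for every resolver". Resolver and reference IPs come from the
# thread; the canary address and verdict names are assumptions.

# TEST-NET-1 address (RFC 5737): reserved for documentation, never a real DNS
# server. An answer "from" it can only come from something on the path that
# intercepts port 53.
CANARY="192.0.2.1"

# query SERVER NAME -> comma-joined sorted A records, or TIMEOUT / EMPTY.
# Needs dig and network access; the offline samples below do not call it.
query() {
    local out ips
    out=$(dig +short +time=3 +tries=1 "@$1" "$2" A 2>/dev/null) || true
    ips=$(printf '%s\n' "$out" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u | paste -sd, -)
    if [ -n "$ips" ]; then
        printf '%s\n' "$ips"
    elif printf '%s\n' "$out" | grep -q 'timed out'; then
        echo TIMEOUT
    else
        echo EMPTY
    fi
}

# collect NAME RESOLVER... -> one "label answer" line per resolver, then the canary.
collect() {
    local name=$1 r
    shift
    for r in "$@"; do
        printf '%s %s\n' "$r" "$(query "$r" "$name")"
    done
    printf 'canary %s\n' "$(query "$CANARY" "$name")"
}

# verdict: reads "label answer" lines on stdin. Labels are a resolver IP,
# "canary", or "reference" (an answer obtained from another network).
verdict() {
    local label answer canary="" reference="" first="" uniform=1 n=0
    while read -r label answer; do
        case "$label" in
            ''|\#*) continue ;;
            canary) canary=$answer ;;
            reference) reference=$answer ;;
            *)
                case "$answer" in TIMEOUT|EMPTY|'') continue ;; esac
                n=$((n + 1))
                if [ -z "$first" ]; then
                    first=$answer
                elif [ "$answer" != "$first" ]; then
                    uniform=0
                fi ;;
        esac
    done
    if [ -n "$canary" ] && [ "$canary" != TIMEOUT ] && [ "$canary" != EMPTY ]; then
        echo INTERCEPTED        # a non-server answered: DNS is being proxied
    elif [ "$n" -eq 0 ]; then
        echo NO_DATA
    elif [ "$uniform" -eq 0 ]; then
        echo DIVERGENT          # resolvers disagree: suspect one resolver or cache
    elif [ -n "$reference" ] && [ "$first" != "$reference" ]; then
        echo UNIFORM_MISMATCH   # all agree locally, but not with the outside view
    else
        echo CONSISTENT
    fi
}

# Bob's dig results as posted in the thread, with Matthew's answer as the
# out-of-band reference. The thread contains no canary probe.
sample_thread() {
    cat <<'EOF'
8.8.8.8 208.91.197.27
208.67.220.220 208.91.197.27
12.189.32.61 208.91.197.27
reference 216.52.208.185
EOF
}

# Same data plus a CONSTRUCTED canary line: what an intercepting network
# would add to the picture.
sample_with_canary() {
    sample_thread
    echo "canary 208.91.197.27"
}

# Matthew's results as posted: two agreeing answers and one timeout.
sample_reference_site() {
    cat <<'EOF'
8.8.8.8 216.52.208.185
208.67.220.220 216.52.208.185
12.189.32.61 TIMEOUT
EOF
}

# Live use (hypothetical script name):
#   ./dnscheck.sh --live www.newegg.com 8.8.8.8 208.67.220.220 12.189.32.61
if [ "${1:-}" = "--live" ]; then
    shift
    collect "$@" | verdict
fi
```

UNIFORM_MISMATCH alone is ambiguous, because a stale or location-specific record produces the same picture; only an answering canary shows that queries never reached the resolver they were addressed to.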
On 20/10/12 05:20, Tim wrote:
On Sat, 2012-10-20 at 04:08 -0400, Bob Goodwin - Zuni, Virginia, USA wrote:
Ok, this is what I see. What is it telling me?
We detected the 2 DNS servers listed below.
WARNING: If you are connected to an anonymity/privacy service and ANY of the servers listed below are from your ISP then your DNS is leaking. (You should be able to recognize them based on the hostname and location).
IP: 184.63.128.68 Hostname: 184.63.128.68 ISP: Wildblue Communications Country: United States
IP: 184.63.128.69 Hostname: 184.63.128.69 ISP: Wildblue Communications Country: United States
DNS should be set for opendns 208.67.220.220 and 222. The dns address they provided me six years ago is 12.189.32.61. I don't see either here, just a Wildblue address, different from the one my router thinks it is connected to [WAN IP: 184.20.151.17].
Going from what I read of their site, that means that they've figured out the DNS servers you're getting answers from are the ones listed above, not the ones that you're hoping to use. Therefore, your ISP is acting as a transparent proxy, intercepting all your DNS requests and answering them, themselves, no matter what you do.
In my case, it comes back with my public IP address. Which, kind of, makes sense. I run my own DNS servers, on my LAN, which is behind a router doing NAT.
I'd like to know how they're doing their discovery.
I can understand why ISPs might do proxying, though I don't think it's a brilliant idea (likewise with HTTP proxying). There's customers that badly configure their computers, so intercepting is a simplistic way to work around that. Some ISPs might try protecting their users from malicious content on the internet, though they could do that with their own servers without proxying, allowing you to make your own mind up to use their censored servers or your own choice of servers. And some ISPs are obligated to censor children's access, again they could do that other ways.
I was afraid that's what it meant and that explains some of the odd results I've been seeing when changing my dns settings. It also means that I am not getting the services I paid Opendns for which raises a question of ethics. Should Opendns have known that a particular ISP operates this way? Wildblue/Viasat is a major ISP!
Wildblue shut down their mail servers several years ago and routed e-mail through Google, we are actually on gmail.com servers for e-mail and I wonder if the dns service did not become what it is at that time?
I will inquire of Opendns about this. Perhaps they can offer a solution ... I am pretty well tied to my ISP since it is the only reasonably fast service available here in this rural area, we don't even have cable TV. There is dial-up but no DSL.
At dnsleaktest.com they describe a packaged solution for Windows VPN:
3 basic steps to fix the problem;
1. Before connecting to the VPN, set static IP address properties if you are using DHCP
2. After connecting, remove DNS settings for the primary interface
3. After disconnecting, switch back to DHCP if necessary or reapply original static DNS servers
Which leaves wondering if there's a Linux solution available for my non-VPN system?
Thanks,
Bob
Bob Goodwin:
I was afraid that's what it meant and that explains some of the odd results I've been seeing when changing my dns settings. It also means that I am not getting the services I paid Opendns for which raises a question of ethics. Should Opendns have known that a particular ISP operates this way? Wildblue/Viasat is a major ISP!
I can't see any DNS service being able to keep track of the hundreds, or thousands, of ISPs around, to know what they're up to. Sure, if they're informed of known ISPs, they could forewarn customers about problems. But that would depend on some automatic system being created, and they'd have to separately ask what ISP you use, or presume what your ISP is based on your email address (which don't have to be related).
I'd enquire of your ISP if there's a way around their proxying. Perhaps they have per-user preferences, some ISPs do (different network settings for certain classes of users, or users have a control panel to adjust some features, for themselves).
Which leaves wondering if there's a Linux solution available for my non-VPN system?
The only other way I could see of circumventing this, by yourself, would be if you had an external DNS server that could be queried on non-standard ports. Your ISP is, probably, only proxying requests over the usual DNS server ports.
Yes, it's a major pain when you have a limited choice of ISPs. We're lucky to have choices where I am. But for a long time, it was often a choice of ludicrously expensive ISPs (that weren't always that good), versus various little ISPs (which were often over sold - too many customers, not enough incoming lines or bandwidth). Now, we tend to have quite a few reasonable ones to choose from.
I suppose I should ask why you want to use alternative DNS servers. Are your ISP's not good enough/censoring/filtering?
I started running my own DNS servers due to having two or three ISPs, in a row, with awfully slow DNS servers. One of them, which is the main backbone for the whole country, couldn't even get their own DNS records to stay working for their own news server. I always had to put its IP in my hosts file.
On 20/10/12 09:12, Tim wrote:
Bob Goodwin:
I was afraid that's what it meant and that explains some of the odd results I've been seeing when changing my dns settings. It also means that I am not getting the services I paid Opendns for which raises a question of ethics. Should Opendns have known that a particular ISP operates this way? Wildblue/Viasat is a major ISP!
I can't see any DNS service being able to keep track of the hundreds, or thousands, of ISPs around, to know what they're up to. Sure, if they're informed of known ISPs, they could forewarn customers about problems. But that would depend on some automatic system being created, and they'd have to separately ask what ISP you use, or presume what your ISP is based on your email address (which don't have to be related).
A bit of googling reveals that this change apparently came about with our move to the higher speed Viasat Exede service in March of this year and I've only just discovered it. Opendns worked until then and I gather from one item I read that they weren't aware of this either, are now though I imagine.
I'd enquire of your ISP if there's a way around their proxying. Perhaps they have per-user preferences, some ISPs do (different network settings for certain classes of users, or users have a control panel to adjust some features, for themselves).
I found the following at http://www.wildblueworld.com/forum/showthread.php?t=6148&highlight=opend...
If you don't use the WB DNS then your downloads will be far slower and your bandwidth usage much higher, in fact as much as three times higher. Using a different DNS bypasses Exede's AcceleNet technology.
Quote: ViaSat’s solution to the space-based delay was to invest in a fast, efficient ground network system. On a typical network, when a computer requests a website, it gets an inventory of Web-based objects to call up and assemble. If the computer is wired to the Web, that assembly happens so quickly that the user doesn’t notice. But if the computer is linked to the Web via satellite broadband, every object request has to go through the half-second call-and-response routine. A page like CNN.com can have hundreds of objects, and the computer has to call each one individually.
ViaSat, however, does most of the back-and-forth work for the subscriber’s computer in advance. When an Exede subscriber accesses a website, ViaSat’s ground network preassembles it and beams it up in a tight package, reducing lag time to the half-second minimum. The company calls this system AcceleNet. Not only does it speed a subscriber’s Web experience, it conserves bandwidth on the satellite by sending the Web page in a single shot.
You can't change the DNS settings on the modem but you can change them in the router or in your operating system.
Which leaves me wondering if there's a Linux solution available for my non-VPN system?
The only other way I could see of circumventing this, by yourself, would be if you had an external DNS server that could be queried on non-standard ports. Your ISP is, probably, only proxying requests over the usual DNS server ports.
Yes, it's a major pain when you have a limited choice of ISPs. We're lucky to have choices where I am. But for a long time, it was often a choice of ludicrously expensive ISPs (that weren't always that good), versus various little ISPs (which were often over sold - too many customers, not enough incoming lines or bandwidth). Now, we tend to have quite a few reasonable ones to choose from.
I suppose I should ask why you want to use alternative DNS servers. Are your ISP's not good enough/censoring/filtering?
At the time we had fair but not great speeds and I was casting about for anything that claimed to improve things and opendns offered additional protection against malware. I really had no complaint with the provided dns ...
I started running my own DNS servers due to having two or three ISPs, in a row, with awfully slow DNS servers. One of them, which is the main backbone for the whole country, couldn't even get their own DNS records to stay working for their own news server. I always had to put its IP in my hosts file.
So it looks like my ISP is what it is and I probably can't change things without degrading the service I have now which is quite good when it works. There are minor glitches that I have not been able to assign the blame for, it occasionally requires re-booting either the Viasat "modem" or my router, or both amidst a lot of confusion with my daughter trying to do something important to her on her Mac downstairs.
If nothing else this has been a learning experience.
Thanks,
Bob
On Sat, 20 Oct 2012 10:30:00 -0400 Bob Goodwin - Zuni, Virginia, USA wrote:
If nothing else this has been a learning experience.
You could set up dnsmasq, which will cache your dns queries, saving a small amount of bandwidth but more importantly speeding things up some.
On 20/10/12 12:51, Frank Cox wrote:
On Sat, 20 Oct 2012 10:30:00 -0400 Bob Goodwin - Zuni, Virginia, USA wrote:
If nothing else this has been a learning experience.
You could set up dnsmasq, which will cache your dns queries, saving a small amount of bandwidth but more importantly speeding things up some.
I find that dnsmasq is already installed but I assume needs configuration.
One thing you will probably want to do is tell dnsmasq which ethernet interface it can and cannot listen on, as we really don't want it listening on the internet. Around line 69 of the /etc/dnsmasq.conf file, you will see:
#interface=
Uncomment the line and specify which ethernet interface(s) you want it to serve IPs to. For example, if I want it to listen on eth1 (my DMZ) and eth2 (my local network), then it should look like
interface=eth1
interface=eth2
I'm already confused. If I don't want it listening on the internet and our LAN [eth0] on this computer where do I tell it to go? Ideally it should work for all computers on the LAN but that may not be possible. I'm looking at: http://wiki.debian.org/HowTo/dnsmasq
The dd-wrt wireless router is normally the dhcp server so I don't want another dhcp function, just whatever help it might provide with dns. Actually the dns I have is probably adequate but you've aroused my curiosity.
Bob
On Sat, 20 Oct 2012 13:22:19 -0400 Bob Goodwin - Zuni, Virginia, USA wrote:
I'm already confused. If I don't want it listening on the internet and our LAN [eth0] on this computer where do I tell it to go?
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP on it.
no-dhcp-interface=eth0
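A small check for the two settings discussed above (where dnsmasq listens, and whether it also hands out DHCP leases), as an added example that is not part of the original thread. The three sample configurations and the function names are constructed for illustration; the option names are dnsmasq's own.

```python
def parse_dnsmasq_conf(text):
    """Map each active option to its values; comment and blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        opts.setdefault(key.strip(), []).extend(values)
    return opts


def audit(text):
    """Report where DNS is offered and whether DHCP can be offered too."""
    opts = parse_dnsmasq_conf(text)
    ifaces = opts.get("interface", [])
    listen = ifaces + opts.get("listen-address", [])
    no_dhcp = set(opts.get("no-dhcp-interface", []))
    dhcp_on = "dhcp-range" in opts  # the DHCP server only runs if a range is set
    warnings = []
    if not listen:
        # Without interface= or listen-address=, dnsmasq answers on all interfaces.
        warnings.append("no interface= or listen-address=: "
                        "DNS is offered on every interface")
    if dhcp_on:
        exposed = [i for i in ifaces if i not in no_dhcp]
        if exposed or not ifaces:
            where = (", ".join(exposed) if ifaces
                     else "interfaces not named in no-dhcp-interface=")
            warnings.append(f"dhcp-range is set: DHCP can be offered on {where}")
    return {"dns_listen": listen, "dhcp_enabled": dhcp_on, "warnings": warnings}


# Constructed sample: interface= still commented out, a DHCP pool enabled.
UNRESTRICTED = """
#interface=
dhcp-range=192.168.1.50,192.168.1.150,12h
"""

# Constructed sample for a single-NIC LAN host whose router already does DHCP.
# (When interface= is used, dnsmasq also serves the loopback interface.)
LAN_DNS_ONLY = """
interface=eth0
no-dhcp-interface=eth0
"""

# Constructed sample: two interfaces, DHCP switched off on only one of them.
TWO_NICS = """
interface=eth1
interface=eth2
no-dhcp-interface=eth1
dhcp-range=192.168.2.50,192.168.2.150,12h
"""

if __name__ == "__main__":
    for name, conf in [("unrestricted", UNRESTRICTED),
                       ("lan-dns-only", LAN_DNS_ONLY),
                       ("two-nics", TWO_NICS)]:
        print(name, audit(conf))
```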
Bob Goodwin:
So it looks like my ISP is what it is and I probably can't change things without degrading the service I have now which is quite good when it works. There are minor glitches that I have not been able to assign the blame for, it occasionally requires re-booting either the Viasat "modem" or my router, or both amidst a lot of confusion with my daughter trying to do something important to her on her Mac downstairs.
Proxying, of one kind or another, seems to be a common approach for dealing with an inadequate network (network bandwidth, latency, et cetera), rather than improving the actual problem. In your ISP's case, it sounds like having to go through satellites is the main reason - they have a significant propagation delay. I've used an ISP that went through one, before, and it was quite awful. Using my own DNS helped, because their DNS serving was even slower than the rest of their traffic.
Proxying can only speed things up, for you, if you access something that someone else has already accessed before you. *And* if that data is cacheable. If it's not cacheable, or you're always getting new data, then it can't speed things up. In fact, you get an even slower response, as the proxy has to fetch it, first, then you get it next.
I've been on ISPs that have introduced transparent proxies, and my experience is that it doesn't improve things. Much of the web isn't cacheable. On the other hand, they can be useful in a LAN. Windows updates, for instance, were a hell of a lot quicker on the second PC to do its updates. The first one dragged them into the proxy's cache, the second PC got them from the cache. And when you're in an office where someone passes around a link for others to look at, they get the same speed benefit.
Your LAN is generally much faster than your connection to your ISP, so that bottleneck is avoided with your own caching proxy, but not with an external one. Even more so if the external one is badly implemented, or overloaded with too many clients.
Chances are that if your ISP is proxying DNS, then they may be proxying HTTP traffic. So, if you were to bypass their DNS proxy, you might also have to bypass their HTTP one. That'd require an external, better, proxy. The technique being how dissidents bypass government filtering.
If it's just one or two specific sites that are continual problems with the proxying, you might try mentioning them to your ISP. Dynamic sites, ones where the content of the pages are continually changing, like those doing sales and auctions, shouldn't be cached. Your ISP may be able to change parameters for how they handle such things. They've probably, already, had to treat sites like ebay differently than other static sites. But they won't know about other more obscure sites.
If you're resigned to having to reset every now and then, why not schedule it regularly? e.g. Unplug your modem and/or router for a few minutes while you're making breakfast, each morning. Or some other time that you're highly unlikely to be using the internet. See if that makes any difference to network reliability over a few weeks.
On 21/10/12 00:48, Tim wrote:
Bob Goodwin:
So it looks like my ISP is what it is and I probably can't change things without degrading the service I have now which is quite good when it works. There are minor glitches that I have not been able to assign the blame for, it occasionally requires re-booting either the Viasat "modem" or my router, or both amidst a lot of confusion with my daughter trying to do something important to her on her Mac downstairs.
Proxying, of one kind or another, seems to be a common approach for dealing with an inadequate network (network bandwidth, latency, et cetera), rather than improving the actual problem. In your ISP's case, it sounds like having to go through satellites is the main reason - they have a significant propagation delay. I've used an ISP that went through one, before, and it was quite awful. Using my own DNS helped, because their DNS serving was even slower than the rest of their traffic.
The propagation delay may seem awful but the end result is a system an order of magnitude better than our other option which was wired dial-up. We suffered with that for several years until this became available to us and switched, never looked back! The delay is not normally apparent once you understand that stuff like telephone conversations will not run smoothly with a couple seconds of delay. The cell phones work, cheap international calling would be nice but we do without that now.
Proxying can only speed things up, for you, if you access something that someone else has already accessed before you. *And* if that data is cacheable. If it's not cacheable, or you're always getting new data, then it can't speed things up. In fact, you get an even slower response, as the proxy has to fetch it, first, then you get it next.
I've been on ISPs that have introduced transparent proxies, and my experience is that it doesn't improve things. Much of the web isn't cacheable. On the other hand, they can be useful in a LAN. Windows updates, for instance, were a hell of a lot quicker on the second PC to do its updates. The first one dragged them into the proxy's cache, the second PC got them from the cache. And when you're in an office where someone passes around a link for others to look at, they get the same speed benefit.
Your LAN is generally much faster than your connection to your ISP, so that bottleneck is avoided with your own caching proxy, but not with an external one. Even more so if the external one is badly implemented, or overloaded with too many clients.
Yes, our LAN is much faster than the internet connection using fast routers and access devices and "gigabit" Ethernet. Wildblue claims to provide 12 Mbps service and they usually do, I often see better than 20 Mbps on small [12 meg] files when running one of the on-line tests. The main disadvantage is the limitation on usage, if it goes over 25 gigs per month the cost rises exponentially. My daughter has one "cloud" account and managed to suck up 7 gigs in a couple of hours last month, but normally we are comfortable with our b.w. allotment.
Chances are that if your ISP is proxying DNS, then they may be proxying HTTP traffic. So, if you were to bypass their DNS proxy, you might also have to bypass their HTTP one. That'd require an external, better, proxy. The technique being how dissidents bypass government filtering.
If it's just one or two specific sites that are continual problems with the proxying, you might try mentioning them to your ISP. Dynamic sites, ones where the content of the pages are continually changing, like those doing sales and auctions, shouldn't be cached. Your ISP may be able to change parameters for how they handle such things. They've probably, already, had to treat sites like ebay differently than other static sites. But they won't know about other more obscure sites.
All things considered, the ISP people are professionals, I am an amateur and it seems unlikely that I will beat them at their game. So what it boils down to is I am doing things for my own amusement, and just need to be careful not to leave the system in bad shape out of consideration for other users. When here alone I can do what I want but need to keep things working at other times.
If you're resigned to having to reset every now and then, why not schedule it regularly? e.g. Unplug your modem and/or router for a few minutes while you're making breakfast, each morning. Or some other time that you're highly unlikely to be using the internet. See if that makes any difference to network reliability over a few weeks.
Yes, that would be the sort of approach I might take if I am bothered enough with system failures, I haven't reached that point yet.
Thanks for the help,
Bob
Bob Goodwin:
All things considered, the ISP people are professionals, I am an amateur and it seems unlikely that I will beat them at their game. So what it boils down to is I am doing things for my own amusement, and just need to be careful not to leave the system in bad shape out of consideration for other users. When here alone I can do what I want but need to keep things working at other times.
You are paying for a service. If they're not doing it right, or good enough, it is fair to ask them to fix something up. If you have a particular problem site, ask them about it.
On 21/10/12 08:28, Tim wrote:
You are paying for a service. If they're not doing it right, or good enough, it is fair to ask them to fix something up. If you have a particular problem site, ask them about it.
Yes I will and do ask when I have trouble. When I do call tech support they accept the fact that I run Linux without protest.
This thread began when I was unable to get to the Newegg page and in the process discovered that I no longer used the Opendns service. Other than the problem with that one web site I have no recognized problems with the ISP, their dns server seems to work well enough while I have been using it for the last six months thinking it was Opendns ... Assuming the Newegg problem was due to an address change, should the Wildblue dns have caught up with it sooner? Perhaps instead of calling Newegg I should have called the ISP, that never occurred to me because I thought I was using Opendns and was going to ask them, but had trouble finding a telephone number ...
Bob Goodwin:
Assuming the Newegg problem was due to an address change, should the Wildblue dns have caught up with it sooner?
That depends... DNS records have time-to-live data, that says how long records should be cached for. So, if a website's record says cache me for 15 days, then that's what the downstream servers, and clients, should do. Of course, that time period begins from the first access. So if one server accesses it last Tuesday, and another accessed it on Saturday, the absolute dates of expiry will be different, between them.
Lump on top of that, intermediate DNS servers which may be between you and them, that each cache the records. And lump, on top of that, too, servers which cache things for longer than told to (bad administration practices), and it becomes even messier.
That's the simplistic explanation. There's four time periods in DNS records. I've used just one of them, in the explanation above. In all, there's:
* How long before trying to "refresh" the records.
* How long to wait before trying to get new records ("retry"), if the master server didn't respond.
* How long to serve stale records for (i.e. after they expire, how much longer to keep serving them, in the absence of being able to acquire new data). After this, /no answer/ is returned for the query, it doesn't exist anymore ("retire").
* How long other servers/clients should use the information provided to them from this server (time-to-live, "TTL"), if they're not able to get fresh data from another master server.
There are some other interpretations of what those four time periods mean, they're not brilliantly explained in some text books, and that's been my best guess at interpreting the explanation I read (long ago), so you'll find some servers and clients behaving differently. Some just blatantly ignore the data, and do whatever they damn well feel like. There'll be servers which cache them for a set time period, no matter what. And clients, such as some web browsers, have their own settings for caching (the Opera web browser gives you some choices about this in the preferences, or used to).
Changing IPs is a bad thing, best avoided. If you must do it, then the only way to attempt to do it cleanly, is well ahead of your expiry date. So that things just switch over. If you're hoping to change over quicker than that, you really can't expect it to work. And, in the meantime, your services should be listening out on both IPs.
So, it's rarely a good idea to give lengthy times for records. Admins faced with a looming change may try shortening the time periods ahead of the date, but it's no good trying to set a 1 day period if the rest of the world has cached your records for 30 days, they're going to use what they learnt the first time around (that this data is good for 30 days). Admins anticipating that there might be a need to change records may set shortish time periods from the get-go. It's not unusual to see records that only live for a day, for ordinary websites. And for records tied to dynamic addresses, that they know will change at the drop of the hat, or want to spread across multiple servers, may have records set to last just a few minutes, or even seconds (seems a bit overzealous, to me).
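The caching behaviour described in this message, worked through as an added simulation that is not part of the original thread. The timeline, the cache names and the addresses (taken from the documentation ranges) are constructed; time is counted in days and each cache queries once a day from its first access.

```python
from dataclasses import dataclass

# Constructed timeline, in days: (effective_from, address, ttl_days).
HISTORY = [
    (0, "192.0.2.10", 30),     # original record with a 30-day TTL
    (5, "192.0.2.10", 1),      # admin shortens the TTL ahead of the move
    (10, "198.51.100.20", 1),  # the address changes on day 10
]
CHANGE_DAY, NEW_IP = 10, "198.51.100.20"


def authoritative_answer(day):
    """What the master server hands out on a given day: (address, ttl_days)."""
    _, ip, ttl = max((e for e in HISTORY if e[0] <= day), key=lambda e: e[0])
    return ip, ttl


@dataclass
class Cache:
    """A caching resolver; min_hold models one that keeps records longer than told."""
    name: str
    first_query: int
    min_hold: int = 0
    ip: str = ""
    expires: int = -1

    def resolve(self, day):
        # Only go back to the master server once the cached record has expired.
        if day >= self.expires:
            self.ip, ttl = authoritative_answer(day)
            self.expires = day + max(ttl, self.min_hold)
        return self.ip


def first_day_with_new_ip(cache, horizon=60):
    """First day on which this cache hands out the new address."""
    for day in range(cache.first_query, horizon):
        if cache.resolve(day) == NEW_IP:
            return day
    return None


def run_scenario():
    caches = [
        # Learnt the record while the TTL was still 30 days.
        Cache("early-cache", first_query=0),
        # First asked after the TTL had been shortened to 1 day.
        Cache("late-cache", first_query=6),
        # Asked after the shortening, but holds everything for at least 7 days.
        Cache("ttl-ignoring-cache", first_query=6, min_hold=7),
    ]
    return {c.name: first_day_with_new_ip(c) for c in caches}


if __name__ == "__main__":
    for name, day in run_scenario().items():
        print(f"{name}: new address first seen on day {day}, "
              f"{day - CHANGE_DAY} day(s) after the change")
```

Shortening the TTL on day 5 only helps the cache that first asked after that day; the one that learnt the 30-day value keeps serving the old address until day 30.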
Tim wrote:
Proxying can only speed things up, for you, if you access something that someone else has already accessed before you. *And* if that data is cacheable.
In general, true.
It doesn’t sound as though this service is conventional proxying, though. It sounds like they’re dynamically rewriting web pages to reduce the number of TCP/IP round trips. Since a round trip via a satellite takes about half a second, there’s a lot of scope for speeding things up.
I’ve been involved with a similar problem, with a site with lots of small graphics hosted in the UK, and customers in Australia. Putting the graphics on a content delivery network with Australian servers knocked five seconds off page load time. Fedora netem was very useful in demonstrating the effect of the ~0.3s round trip time.
James.
On 23/10/12 02:14, James Wilkinson wrote:
I’ve been involved with a similar problem, with a site with lots of small graphics hosted in the UK, and customers in Australia. Putting the graphics on a content delivery network with Australian servers knocked five seconds off page load time. Fedora netem was very useful in demonstrating the effect of the ~0.3s round trip time.
James.
"netem" I haven't seen this before?
Yum produces: "No package netem available. Error: Nothing to do"
Is it not an application?
Bob
On 23/10/12 03:54, Bob Goodwin - Zuni, Virginia, USA wrote:
On 23/10/12 02:14, James Wilkinson wrote:
I’ve been involved with a similar problem, with a site with lots of small graphics hosted in the UK, and customers in Australia. Putting the graphics on a content delivery network with Australian servers knocked five seconds off page load time. Fedora netem was very useful in demonstrating the effect of the ~0.3s round trip time.
James.
"netem" I haven't seen this before?
Yum produces: "No package netem available. Error: Nothing to do"
Is it not an application?
Bob
I Googled it. A network emulator. Don't think I'm interested in that presently.
Tim wrote:
Proxying can only speed things up, for you, if you access something that someone else has already accessed before you. *And* if that data is cacheable.
James Wilkinson:
In general, true.
It doesn’t sound as though this service is conventional proxying, though. It sounds like they’re dynamically rewriting web pages to reduce the number of TCP/IP round trips. Since a round trip via a satellite takes about half a second, there’s a lot of scope for speeding things up.
Even pre-fetching is still dependent on the data being cacheable. Some sites just don't work well with any sort of proxying, and some are deliberately hostile to it.
I have no qualms with opt-in proxying, it can have significant advantages. But I don't care for any form of transparent proxying, because it can be nearly impossible to avoid it when you need to.
Tim wrote:
Proxying can only speed things up, for you, if you access something that someone else has already accessed before you. *And* if that data is cacheable.
I replied:
In general, true.
It doesn’t sound as though this service is conventional proxying, though. It sounds like they’re dynamically rewriting web pages to reduce the number of TCP/IP round trips. Since a round trip via a satellite takes about half a second, there’s a lot of scope for speeding things up.
Tim wrote:
Even pre-fetching is still dependent on the data being cacheable.
It’s not really pre-fetching, either: it’s just a translation layer. As you note, though:
Some sites just don't work well with any sort of proxying, and some are deliberately hostile to it.
it’s not something the sites expect.
I should note, though, that Opera Mini does something rather similar (this time, to reduce bandwidth requirements and CPU requirements on mobile phones), so it’s not that unusual.
James.
On 10/18/2012 10:13 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
Isn't there a scheme for running Firefox with all the add-ons disabled? I haven't been able to find anything there and I haven't changed any recently.
Thanks for the suggestions,
Bob
Firefox options
  -h or -help          Print this message.
  -v or -version       Print Firefox version.
  -P <profile>         Start with <profile>.
  -migration           Start with migration wizard.
  -ProfileManager      Start with ProfileManager.
  -no-remote           Do not accept or send remote commands; implies -new-instance.
  -new-instance        Open new instance, not a new window in running instance.
  -UILocale <locale>   Start with <locale> resources as UI Locale.
  -safe-mode           Disables extensions and themes for this session.
  -jsconsole           Open the Error console.
  -browser             Open a browser window.
  -new-window <url>    Open <url> in a new window.
  -new-tab <url>       Open <url> in a new tab.
  -preferences         Open Preferences dialog.
  -search <term>       Search <term> with your default search engine.
  -private             Enable private browsing mode.
  -private-toggle      Toggle private browsing mode.
  -setDefaultBrowser   Set this app as the default browser.
-safe-mode
is what you want....
On 18/10/12 10:30, Joe Zeff wrote:
On 10/18/2012 07:13 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
Isn't there a scheme for running Firefox with all the add-ons disabled? I haven't been able to find anything there and I haven't changed any recently.
Click on Help->Restart with Addons Disabled.
Yes, thank you, that's what I must have seen but could not recall.
The add-ons are not causing the problem, no surprise though since my daughter's OSX system got the same error message when she tried the Newegg site.
Tnx,
Bob
On 10/18/2012 11:43 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
On 18/10/12 10:30, Joe Zeff wrote:
On 10/18/2012 07:13 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
Isn't there a scheme for running Firefox with all the add-ons disabled? I haven't been able to find anything there and I haven't changed any recently.
Click on Help->Restart with Addons Disabled.
Yes, thank you, that's what I must have seen but could not recall.
The add-ons are not causing the problem, no surprise though since my daughter's OSX system got the same error message when she tried the Newegg site.
Tnx,
Bob
I just accessed the Newegg site from PCLOS 32-bit without any trouble. Using Firefox 16.0.1. Don't know if this is any help. . . .
--doug