Solved The DNS resolver does not work correctly from some computers

Good afternoon. Today I encountered a problem that the Unbound DNS server does not work from some Windows computers on the local network. Google.com ping does not work, but ping 8.8.8.8 works. When I ping Google.com, its address is not 8.8.8.8 but something like 192.0.4.123. I was thinking maybe this is a virus on Windows computers? In one room, three computers work fine, but one doesn’t. I tried overloading the switch, swapping the connectors, but it didn’t help. In the rules table, all these computers are allowed. This started this morning, and previously all computers worked with the Internet through this DNS server for 10 years without a single error.
 
When I ping Google.com, its address is not 8.8.8.8 but something like 192.0.4.123.
8.8.8.8 is one of Google's DNS servers, why would google.com (a website) resolve to the address of their DNS server?
 
I wanted to say that ping only goes to a site's numeric address values. google.com is 216.58.215.110 but not 192.0 etc.
 
An individual computer on your network doesn't access 8.8.8.8 for DNS requests, it queries the IP address of your local Unbound server, that in turn might send the query to 8.8.8.8.

If all your individual hosts on your network query 8.8.8.8 directly your local Unbound doesn't do anything. Set the DNS servers on these computers to the IP address of your unbound server.
 
When pinging google.com the address 216.58.215.110 is replaced with 192.0 etc. and ping to 216.58.215.110 works from this computer.
 
google.com resolves to multiple addresses, mainly based on your location in the world and through round-robin.
 
google.com resolves to multiple addresses, mainly based on your location in the world and through round-robin.
When pinging google.com the address 216.58.215.110 is replaced with 192.0... but ping to 216.58.215.110 normally works from this computer (192.0.0.0 – 192.0.0.255) This is another small range that can be used for personal purposes, just like 10.0.0.0.0.0.0.0.0.0.0 – 192.0.0.255.
 
192.0 is not a private range address, 192.168.0.0/16 is.

RFC-1918 defines what private ranges are. Those are 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12. There's also 127.0.0.0/8 (localhost) and 169.254.0.0/16 (link-local) but everything else is usually a valid Internet IP address. There are a few other exceptions but these are the important ones you might run into.
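The ranges listed above, applied to resolver output, as an added example that is not part of the original thread: it parses dig-style answer lines and labels each address, which shows that an address such as 192.0.4.123 is ordinary public space while 192.0.0.0/24 is a reserved block (RFC 6890). The sample lines, the `.example` names and the 192.0.0.8 entry are constructed; 192.0.4.123 is the "something like" address from the first post.

```python
import ipaddress
import re

# Blocks named in the post above, plus 192.0.0.0/24 (IETF protocol
# assignments, RFC 6890), the range the thread confuses with 192.0.4.x.
SPECIAL_USE = [
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("192.0.0.0/24", "IETF protocol assignments (RFC 6890)"),
]
NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in SPECIAL_USE]

# One A record as printed in dig's ANSWER SECTION: name, TTL, class, type, address.
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")

def classify(addr):
    """Return the special-use label for addr, or 'public' if none matches."""
    ip = ipaddress.ip_address(addr)
    for net, label in NETWORKS:
        if ip in net:
            return label
    return "public"

def review_answers(dig_output):
    """Return (name, address, label) for every A record in dig output."""
    results = []
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m and not line.startswith(";"):
            results.append((m.group(1), m.group(3), classify(m.group(3))))
    return results

def non_public(results):
    """Answers in private or reserved space; unexpected for an Internet name."""
    return [r for r in results if r[2] != "public"]

# Constructed sample in dig's answer format (not captured from a real resolver).
SAMPLE = """\
;; ANSWER SECTION:
google.com.             300     IN      A       142.250.27.101
google.com.             60      IN      A       192.0.4.123
intranet.example.       60      IN      A       192.168.1.10
portal.example.         60      IN      A       192.0.0.8
"""

if __name__ == "__main__":
    for name, addr, label in review_answers(SAMPLE):
        print(f"{name:20} {addr:16} {label}")
```

An address labelled public here says nothing about whether it is the right answer for the name; checking who owns the range, as the thread goes on to do with whois, is the next step.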
 
I don’t care, the point is that the DNS server does not translate addresses but transfers them to a private subnet.
Since this machine is on Windows, I suspect that a virus is doing this. So I'm asking if anyone can tell me what it could be.
 
I don’t care, the point is that the DNS server does not translate addresses but transfers them to a private subnet.
No, it doesn't. 192.0 is NOT a private subnet. I'll give you a hint. On your FreeBSD host use the command whois 192.0.x.x (use that IP address). It will tell you who owns that range. I'm pretty sure it's owned by Google and it's just one of the many, many subnets they own.
 
Not for me.
Code:
dice@maelcum:~ % dig google.com

; <<>> DiG 9.18.27 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3446
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1b8d577127190b820100000066a8ea5c2a7c8ebd82e69a96 (good)
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       142.250.27.101
google.com.             300     IN      A       142.250.27.138
google.com.             300     IN      A       142.250.27.113
google.com.             300     IN      A       142.250.27.100
google.com.             300     IN      A       142.250.27.139
google.com.             300     IN      A       142.250.27.102

;; Query time: 4 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Jul 30 15:27:56 CEST 2024
;; MSG SIZE  rcvd: 163

What don't you seem to understand? Google is a world-wide company, they have servers all over the world. Google.com gets translated to lots of different IP addresses, lots of them are spread all over the world in order to provide a fast service to your part of the world.
 
google.com is based on geo location which is hosted on your ISP or the closest ISP next to you; it's not a fixed IP address.
 
Don’t you understand? I gave Google as an example. Any site is loaded in the browser only by the numerical value of its IP address. No site is loaded from the Internet by name. And ping in the command line is only in the numerical value of the IP.
 
I'll try to install as (for computer of LAN) DNS server 8.8.8.8 instead of local unbound dns server tomorrow. If it works then it's unbound that's acting up. Besides this, the unbound log is not created, although I have registered it in the unbound settings.
 
It's easy to check with nslookup on the Windows computer and see if your DNS responds or not. In your initial post you state that it doesn't work for some computers, not all of them. Check if the DNS settings are correct for those computers.
 
the prefix 192.0.4.0/22 belongs to AS6639 CWCAYMAN:

Is your ISP messing with DNS queries? Did you configure unbound to be a recursive resolver or is it only forwarding to some other DNS (e.g. your ISP's that is hijacking some domains)?
 
Everything went wrong today. I was told that the Internet disappeared on some computers. I scanned the local network using nmap and it turned out that 70% of the computers on the network were not visible. Then I rebooted the server freebsd 14. The entire network appeared, but on some computers there is such a situation with DNS.
 
I scanned the local network using nmap and it turned out that 70% of the computers on the network were not visible.
That sucks. How are those computers getting an IP address? Do you have a DHCP server running? Or do they get their IP addresses from somewhere else?

Have you considered a rogue DHCP server on your network? That happened at $DAYJOB I had 20 or so years ago. Somebody had a LAN party during the weekend, used his laptop as a "gateway". Forgot to turn that stuff off and plugged that laptop in the company's network on Monday morning. Almost took out the entire network by serving DHCP addresses from a completely different range. Took a while before we figured out what was going on.
 
That's why there's DHCP Snooping on the switches.
Their network was one big flat subnet for all workstations back then. It happened before a thorough redesign, needed to be done too because the company grew from a few hundred to several thousand in a fairly short time span.

That big flat subnet is still quite common for small business networks. Especially if it's been set up by a friend of a friend who happens to know a guy that knows a few networking basics.
 
In a wired network, all addresses are static, the gateway with NAT on freebsd on Tyan server. But in LAN are Wi-Fi routers, although they have a static wired network address, distribute Wi-Fi addresses dynamically (DHCP).
 
In a wired network, all addresses are static.
For servers sure, but do you also have wired workstations or only mobile (wifi) clients (tablets, laptops, phones, etc)? Which hosts disappeared from the network? If the wired (and thus static IPs) disappeared you definitely have other problems.
 
Hosts with wired connection with static address don't have internet (4 computers from a network of 300 wired connected computers do not connect to the Internet, but NMAP sees them). For some reason, their requests to connect to the DNS server are sent to IP addresses of some Cayman Islands.
 
I changed the address of the DNS server of the local network computer to 8.8.8.8 - it did not help. Although ping 8.8.8.8 comes from this computer. The Internet through a browser works only based on the numeric value of the site’s IP address.
 