Why is this single website not available from my home?
March 14, 2006 9:57 PM

I'm having trouble resolving a single website. My home internet connection in general is fine, but one website recently hasn't been coming up with anything. When we try it from work it shows up fine.

The site is www.mcgill.ca (McGill University in Canada). From a couple days ago, any time we tried to access the site Firefox comes back with a local page describing a "TCP_ERROR", but the site is fine from other computers. It's only from home that this error appears. I can't reproduce the problem with any other sites, even other .ca domains. Any idea what could be blocking our access? Is it our ISP's DNS server? We live in Taiwan so our ISP is a small-time cable company. It's kind of important that we can access it as my SO is going there this fall.
posted by sudasana to Computers & Internet (10 answers total)
 
What operating system are you running? Can you provide the full text of the error page? Does the problem occur on other browsers?
posted by IshmaelGraves at 10:00 PM on March 14, 2006


Also, do you know the name/IP of your ISP's DNS server(s)?
posted by IshmaelGraves at 10:01 PM on March 14, 2006


You will have to probe a little further. It doesn't sound to me like a DNS problem because DNS uses UDP, not TCP (at least in all the non-pathological cases) and Firefox will explicitly say that it had a problem resolving the domain if that is the case.

Open a command prompt and type "nslookup www.mcgill.ca". You should see the domain resolved to an IP address (132.216.177.140). If there is an error then you will have to complain to your ISP that their DNS server is broken, and as a workaround you should use a different DNS server or hardcode the domain in your hosts file.

Assuming however that there is no DNS problem, you should next try "ping www.mcgill.ca". If you don't see any reply packets then there is either a connectivity problem or their site is dropping ICMP ping packets. In either case you should follow up with a traceroute ("tracert www.mcgill.ca") and email the results to your ISP -- tell them there is a connectivity issue accessing that site.

If ping and tracert both work, but you still can't access the site then that means that the site is probably blocking you. Web access and ping use completely different protocols (ICMP vs. TCP port 80) so it's not impossible that you could ping a site but not access it over HTTP, and vice versa. If this is the case (ping works but can't access :80) then you probably need to get in touch with the webmaster of the site and tell them that they are blocking you. Tell them your IP address and give them the output of the traceroute.
posted by Rhomboid at 11:47 PM on March 14, 2006
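
The staged check described in the answer above, as an added example that is not part of the original post: it resolves the name, then attempts the same TCP handshake a browser would make and reports which stage failed. The function names are hypothetical, and the ICMP ping step is left out because it needs raw sockets or the `ping` command.

```python
import socket
import sys

def resolve(host):
    """Step 1 (nslookup): return the host's IPv4 addresses, or [] if resolution fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_tcp(ip, port=80, timeout=5.0):
    """Step 3: attempt the TCP handshake a browser would make and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return "open"
    except socket.timeout:
        return "timeout"   # no answer to the SYN: dropped on the path or at the site
    except ConnectionRefusedError:
        return "refused"   # RST came back: host reachable, nothing accepting on this port
    except OSError as exc:
        return "error: %s" % exc   # e.g. no route to host
    finally:
        sock.close()

def diagnose(host, port=80, timeout=5.0):
    """Run the stages in order and report the first one that fails."""
    ips = resolve(host)
    if not ips:
        return {"stage": "dns", "detail": "name did not resolve"}
    results = {ip: probe_tcp(ip, port, timeout) for ip in ips}
    if "open" in results.values():
        return {"stage": "ok", "detail": results}
    return {"stage": "tcp", "detail": results}

if __name__ == "__main__":
    # Hostname comes from the command line; nothing is contacted on import.
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

A "timeout" result while ping and tracert succeed is the pattern the answer attributes to filtering on port 80; "refused" means the packets arrive but no web server is listening.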


Best answer: Another possibility that just crossed my mind is that your ISP's netblock was recently assigned from a new pool of allocations, which was previously on the bogons list. If this is the case you will find yourself incorrectly blocked at a lot of sites due to lack of clue on the part of the administrator. This is usually referred to as "stale bogon filters."

The word "bogon" refers to a listing of IP address ranges that are declared unused or are not currently allocated. Blocking these ranges is usually considered a best practice because it can prevent some kinds of abuse. However, when new IP address allocations are made, occasionally one of these "roped off" ranges gets put into service. This means that suddenly a lot of people's bogon filters are now stale, because they are blocking legitimate IP ranges. It really sucks to be assigned an IP address in one of these ranges, and if this is your predicament your best recourse is to contact the site and tell them to get a frickin clue and update their bogon filters. Also, if this is the case then your ISP will probably be aware of the problem and can contact them on your behalf if you tell them.
posted by Rhomboid at 11:54 PM on March 14, 2006


(sorry to keep posting)

You can check your current IP address against this list of allocations. If you're in Taiwan then you fall under the APNIC jurisdiction I believe. Note that APNIC just allocated 121/8, 122/8, and 123/8 in Jan of 06 according to that site, so if your IP address is in one of those ranges (i.e. the first number is 121, 122, or 123) then there is a very high chance that stale bogon filtering is your problem. Even if it isn't you should check that list and see if your address was made from a recent assignment.
posted by Rhomboid at 12:00 AM on March 15, 2006
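
From the filtering site's side, the stale-bogon problem described in the two answers above can be audited mechanically. The following is an added example, not part of the original posts: it finds filter entries that overlap newly allocated blocks and carves those blocks out, including the case where the filter holds an aggregate covering both allocated and unallocated space. The filter snapshot and the client address are constructed for illustration; only 121/8, 122/8 and 123/8 come from the thread.

```python
import ipaddress

# Blocks the thread says APNIC received in Jan 2006.
NEWLY_ALLOCATED = ["121.0.0.0/8", "122.0.0.0/8", "123.0.0.0/8"]

# Constructed filter snapshot (not a real bogon list); 120.0.0.0/6 is an
# aggregate that covers 120/8 through 123/8.
STALE_FILTER = ["10.0.0.0/8", "120.0.0.0/6", "192.168.0.0/16"]

def is_blocked(ip, filter_nets):
    """True if the address falls inside any filtered network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in filter_nets)

def stale_entries(filter_nets, allocated):
    """Filter entries that overlap at least one allocated block."""
    alloc = [ipaddress.ip_network(a) for a in allocated]
    return [n for n in filter_nets
            if any(ipaddress.ip_network(n).overlaps(a) for a in alloc)]

def carve_out(filter_nets, allocated):
    """Return the filter with every allocated block removed, splitting aggregates."""
    nets = [ipaddress.ip_network(n) for n in filter_nets]
    for block in (ipaddress.ip_network(a) for a in allocated):
        kept = []
        for net in nets:
            if not net.overlaps(block):
                kept.append(net)                      # unrelated entry, keep as is
            elif net.subnet_of(block):
                continue                              # entirely allocated, drop it
            else:
                kept.extend(net.address_exclude(block))  # keep only the remainder
        nets = kept
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    client = "122.0.2.10"  # constructed client address inside 122/8
    print("stale entries:", stale_entries(STALE_FILTER, NEWLY_ALLOCATED))
    print("blocked before refresh:", is_blocked(client, STALE_FILTER))
    refreshed = carve_out(STALE_FILTER, NEWLY_ALLOCATED)
    print("refreshed filter:", refreshed)
    print("blocked after refresh:", is_blocked(client, refreshed))
```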


Response by poster: Update: Ping and tracert both work fine. The full text of the error is:

Problem Report

There was a communication problem.

Message ID: TCP_ERROR

Problem Description: The system was unable to communicate with the server.

Possible Problem Cause:

* The Web server may be down.
* The Web server may be too busy.
* The Web server may be experiencing other problems, preventing it from responding to clients.
* The communication path may be experiencing problems.

Possible Solution: Try connecting to this server later.

Our DNS server is dns.hinet.net, [168.95.1.1]; our ip does not seem to be in the list of allocations.
posted by sudasana at 5:05 AM on March 15, 2006


Best answer: sudasana, what is the first octet of your PC's IP?

You can get your IP by using "ipconfig". In this example IP, the first octet is 4:

4.3.2.1

Another problem you could be having (related to Rhomboid's excellent posts) with hinet's allocations is that people are arbitrarily blacklisting your IP space just because you're in APNIC space. Many ISPs have given up trying to reach abuse personnel in Asia (due either to language barrier issues or crummy abuse staff at government ISPs) and simply blacklist all Asian IP space. I do this myself for several of my (abusable) services on my personal www server.

A solution in this case would be for you to start using proxy servers when surfing the internet. Google for "proxy server", and start looking at the various Firefox extensions that simplify using lots of proxy servers. If this solution works, then some variant of Rhomboid's explanations is to blame.
posted by popechunk at 6:39 AM on March 15, 2006


I’ve had similar problems with my ISP. I found that simply unplugging the cable modem, waiting a few seconds, and then plugging it back in seems to restore broken pages.

I can’t speak to the technical issues, but power-cycling the modem always works wonders — it could possibly be a proxy server/cache issue?
posted by snowsuit at 12:53 PM on March 15, 2006


First restart your computer and your router, and try it out with other browsers (e.g. Opera, Internet Explorer, Firefox in safe mode).
Next you should try booting with a Knoppix LiveCD, and see if it works with that. If it doesn't work with Knoppix then there's probably nothing you can do about it.

One possible theory is the MTU settings. See the SpeedGuide.net and dslreports.com TCP/IP tweakers.

Another possible theory is that the specific website has experienced a denial of service attack from your ISP, and is now filtering your address.

Also it might be related to spyware that hooks onto the network stack.

It would probably be easier to work around the problem with a proxy as popechunk suggested than trying to figure it out.
posted by Sharcho at 2:00 PM on March 15, 2006


Response by poster: Connecting via a proxy has fixed the problem. Since it's only the one site I'm not going to investigate further, especially since we'll be moving in 6 weeks and changing ISPs anyway. Thanks for all the helpful comments!
posted by sudasana at 8:49 AM on March 17, 2006


This thread is closed to new comments.