
Can't connect to Web


Steve Hayes

May 26, 2017, 4:04:33 AM
This morning I suddenly lost my connection to the web while I was
browsing.

Mail still worked, news still worked, but the web connection did not.

I reset the router, rebooted my computer, but still nothing.

I wondered if it was a browser fault (I use Firefox) so tried Internet
Explorer. It too could not connect, but offered to run diagnostics.
This is what was found:

---- diagnostic report ----
Last diagnostic run time: 05/26/17 09:44:37 HTTP, HTTPS, FTP
Diagnostic
HTTP, HTTPS, FTP connectivity

info HTTP: Successfully connected to www.microsoft.com.
warn HTTPS: Error 12157 connecting to www.microsoft.com: An error
occurred in the secure channel support
warn FTP (Passive): Error 12031 connecting to ftp.microsoft.com: The
connection with the server was reset
warn HTTPS: Error 12029 connecting to www.passport.net: A connection
with the server could not be established
warn FTP (Active): Error 12031 connecting to ftp.microsoft.com: The
connection with the server was reset
error Could not make an HTTPS connection.
error Could not make an FTP connection.
info Redirecting user to support call



DNS Client Diagnostic
DNS - Not a home user scenario

info Using Web Proxy: no
info Resolving name ok for (www.microsoft.com): yes
No DNS servers

DNS failure




Gateway Diagnostic
Gateway

info The following proxy configuration is being used by IE:
Automatically Detect Settings:Disabled Automatic Configuration Script:
Proxy Server: Proxy Bypass list:
info This computer has the following default gateway entry(ies):
192.168.0.1
info This computer has the following IP address(es): 192.168.0.2
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
info TCP port 80 on host 104.92.152.182 was successfully reached
info The Internet host www.microsoft.com was successfully reached
info The default gateway is OK



IP Layer Diagnostic
Corrupted IP routing table

info The default route is valid
info The loopback route is valid
info The local host route is valid
info The local subnet route is valid
Invalid ARP cache entries

action The ARP cache has been flushed



IP Configuration Diagnostic
Invalid IP address

info Valid IP address detected: 192.168.0.2



Wireless Diagnostic
Wireless - Service disabled

Wireless - User SSID

Wireless - First time setup

Wireless - Radio off

Wireless - Out of range

Wireless - Hardware issue

Wireless - Novice user

Wireless - Ad-hoc network

Wireless - Less preferred

Wireless - 802.1x enabled

Wireless - Configuration mismatch

Wireless - Low SNR




WinSock Diagnostic
WinSock status

info IrDA protocol is not found in Winsock catalog.
info All base service provider entries are present in the Winsock
catalog.
info The Winsock Service provider chains are valid.
info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback
communication test.
info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback
communication test.
info Provider entry RSVP UDP Service Provider passed the loopback
communication test.
info Provider entry RSVP TCP Service Provider passed the loopback
communication test.
info Connectivity is valid for all Winsock service providers.



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection 2, Device=Realtek
PCIe FE Family Controller, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=MSN, Device=, MediaType=PHONE,
SubMediaType=NONE
info Network connection: Name=telkomsa9, Device=WAN Miniport (PPPOE),
MediaType=PPPOE, SubMediaType=NONE
info Ethernet connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12031 connecting to ftp.microsoft.com: The
connection with the server was reset
info HTTP: Successfully connected to www.microsoft.com.
warn HTTPS: Error 12157 connecting to www.microsoft.com: An error
occurred in the secure channel support
warn HTTPS: Error 12029 connecting to www.passport.net: A connection
with the server could not be established
warn FTP (Active): Error 12031 connecting to ftp.microsoft.com: The
connection with the server was reset
error Could not make an HTTPS connection.
error Could not make an FTP connection.

--- end diagnostic report ---


Can any of you network gurus suggest what can be done to fix it?


--
Steve Hayes
http://www.khanya.org.za/stevesig.htm
http://khanya.wordpress.com

rickman

May 26, 2017, 4:47:49 AM
I've had this problem myself, but I can't remember what I had to do to
fix it. I think I had to reset the network stack. Seems it gets in a
funky state and rebooting the machine doesn't fix it unless you execute
some commands first.

Here is the batch file I use to deal with this if I remember correctly.
Someone gave it to me so it has some stuff commented out that isn't
needed. Also, one comment talks about reinstalling browsers, I've never
had to do that. Resetting the machine is required. This file needs to
be run in a command window with administrative privileges.



:: This problem usually has to do with TCP/IP or Winsock requiring a reset.
:: Winsock entries tells Windows 7 how to access your network services.
:: Additionally, your TCP/IP protocol can be corrupted.
:: The TCP/IP protocol is a stack of 4 layers that includes several
:: transport layers, but when this stack is corrupt you will constantly
:: have connectivity issues.

:: You need Admin access to enter the codes below. Windows button + x,
:: then choose Command Prompt (Admin)

:: reset winsock entries
netsh winsock reset catalog

:: reset TCP/IP stack
netsh int ip reset c:\reset.log

:: You may have to reinstall Chrome and Firefox or reboot to have
:: the change take place.
:: netsh int ip uninstall
:: netsh int ip install
:: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc} 26

--

Rick C

VanguardLH

May 26, 2017, 2:39:38 PM
Microsoft dropped their FTP server, which is why you cannot connect to it.
That happened long after Windows XP was released and when its
troubleshooter was coded. There seems to be a listener on port 21 on
their host but their FTP server program won't respond.

You can connect via HTTP but not HTTPS. When you use a web browser to
connect to https://www.microsoft.com/, it should report an error but it
should also let you look at the details, like clicking on an icon in the
address bar to get more info. That will tell you more. In IE, and when
going to this HTTPS site, there should be a padlock icon in its address
bar. Click on it.

Do you use something that interrogates your HTTPS traffic? I use Avast
Free and it has its HTTPS scanner. It uses a MITM (man-in-the-middle)
scheme to intercept web traffic: it pretends to your client that it is
the other endpoint (server) and it pretends to the server that it is
your endpoint (client). That works by installing a root certificate
into your certificate store. Windows has its own certificate store that
is used by all web browsers EXCEPT Firefox which has its own private
certificate store and into where Avast must install its root store. If
HTTPS scanning is enabled in Avast but its root cert is missing,
expired, or revoked in whichever cert store your web browser uses then
the cert authentication will fail to its proxy trying to use that cert
for the MITM scheme.

If using Avast (or anything else that interrogates your HTTPS traffic),
is it configured to scan your HTTPS traffic? If you use Firefox, is the
avast cert listed in its private cert store (Options -> Advanced ->
Certificates -> View Certificates)? In Windows' cert store
(certmgr.msc), is the "avast email/web shield" cert listed under Trusted
Root Certificates?

It can also depend on which web browser you use. Google made a change
in version 53 of Chrome that requires the SA (Subject Alternate) field
in a cert be populated. In the past, it was sufficient for a single
domain to just populate the Subject field with the domain name. Still
works okay in Firefox which does not demand the SA field be populated
but Google decided to be assholes. If only one domain is specified, the
Subject field has it and there has never been a requirement the SA field
also be populated. The SA field is only to be used when more than one
host or domain is listed for a cert. That lets sites use one cert for
multiple targets rather than buy a cert for each one.

I have another program (Applian Replay Media Capture aka RMC) that
intercepts HTTPS traffic to capture video streams. It uses the MITM
scheme to grab the HTTPS stream. Since it specifies only one domain,
only the Subject field in the cert is populated. The SA field is empty
(as it should be). I can use Firefox to visit a site and have RMC
capture a video stream. Google Chrome will refuse to allow HTTPS
connects when RMC is loaded (and using its cert for its proxy) because
they require the SA field be populated but which is NOT required when
just one domain is specified in the Subject field. The RMC cert is
self-signed as are all root certs. Google is okay with the other root
certs so I don't know why they don't like RMC's cert. That Google
doesn't like RMC's root cert is why I cannot do anything HTTPS in Chrome
when RMC's proxy is intercepting HTTPS traffic. I have to use Firefox
(in which RMC added its cert to Firefox's private cert store) to use RMC
with HTTPS sites.

So check what you have running. In one case, it could be HTTPS scanning
in some security program. In another case, it could be some software
you use that intercepts HTTPS traffic. For either case, you must have
the program's cert installed in whichever cert store that your program
uses. If I disable HTTPS support in RMC, I cannot capture video streams
from HTTPS sites because I cannot get their proxy to connect to HTTPS
sites. With Avast, I could disable its HTTPS scanning feature but that
means it can no longer inspect the content of a delivered web page to
determine if anything untoward is in there.
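
The isolation argument in the post above (names resolve and HTTP connects, so the fault sits in the HTTPS layer) can be checked directly. The following Python script is an added example, not part of any poster's message; `probe`, `classify`, the verdict labels and the `KNOWN_INTERCEPTORS` list are hypothetical names chosen here, and it assumes an IPv4 network.

```python
"""Layered connectivity probe: DNS, then TCP 80/443, then a verified TLS handshake."""
import socket
import ssl
import sys

# Illustrative substrings of issuer names used by local HTTPS-scanning
# products; "avast" comes from the post above, extend it for your own tools.
KNOWN_INTERCEPTORS = ("avast",)


def probe(host, timeout=5.0):
    """Probe one host layer by layer and return the per-layer results."""
    r = {"host": host, "dns": False, "tcp80": False, "tcp443": False,
         "tls": None, "tls_error": None, "issuer": {}, "has_san": None}

    # Layer 1: name resolution (IPv4 only, an assumption that keeps this short).
    try:
        info = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return r
    addr = info[0][4][0]
    r["dns"] = True

    # Layer 2: plain TCP reachability on the HTTP and HTTPS ports.
    for key, port in (("tcp80", 80), ("tcp443", 443)):
        try:
            socket.create_connection((addr, port), timeout=timeout).close()
            r[key] = True
        except OSError:
            pass
    if not r["tcp443"]:
        return r

    # Layer 3: TLS handshake with normal verification. On Windows the default
    # context trusts the Windows system store (what IE uses), not Firefox's.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        r["tls"] = True
        # The issuer is a tuple of RDNs, each a tuple of (field, value) pairs.
        r["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
        r["has_san"] = bool(cert.get("subjectAltName"))
    except ssl.SSLCertVerificationError as exc:
        r["tls"] = False
        r["tls_error"] = "certificate: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        r["tls"] = False
        r["tls_error"] = "handshake: " + str(exc)
    return r


def classify(r, interceptors=KNOWN_INTERCEPTORS):
    """Name the first layer that failed, or flag a locally issued certificate."""
    if not r["dns"]:
        return "dns"
    if not r["tcp443"]:
        return "port-443-blocked" if r["tcp80"] else "no-tcp"
    if not r["tls"]:
        if (r["tls_error"] or "").startswith("certificate:"):
            return "tls-untrusted-certificate"
        return "tls-handshake"
    issuer = " ".join(r["issuer"].values()).lower()
    if any(name in issuer for name in interceptors):
        return "ok-but-intercepted"
    return "ok"


if __name__ == "__main__":
    # Hosts come from the command line; the default is the host the
    # diagnostic report in this thread tested.
    for name in sys.argv[1:] or ["www.microsoft.com"]:
        res = probe(name)
        print(name, "->", classify(res), res["tls_error"] or res["issuer"])
```

A verdict of `tls-untrusted-certificate` while HTTPS scanning is enabled points at the scanner's root certificate being absent from the store in use; `ok-but-intercepted` means the handshake completed against the scanner's proxy rather than the site itself.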

Good Guy

May 26, 2017, 4:02:48 PM
On 26/05/2017 09:04, Steve Hayes wrote:

> Can any of you network gurus suggest what can be done to fix it?


Move your residence to where there is a good network connection!!  South Africa is not known to have a good internet service.

--
With over 500 million devices now running Windows 10, customer satisfaction is higher than any previous version of windows.

Mynews

May 26, 2017, 4:24:11 PM
"Steve Hayes" wrote in message
news:m0ofic9sm6v97v17q...@4ax.com...

> This morning I suddenly lost my connection to the web while I was
> browsing.



Me Too

So I Open
Control Panel

Click On
Windows Updates

And Stop Auto Updates

Restart Pc


It Work For Me Today

Steve Hayes

May 28, 2017, 12:21:06 AM
On Fri, 26 May 2017 04:47:44 -0400, rickman <gnu...@gmail.com> wrote:

>Steve Hayes wrote on 5/26/2017 4:04 AM:
>> This morning I suddenly lost my connection to the web while I was
>> browsing.
>>
>> Mail still worked, news still worked, but the web connection did not.
>>
>> I reset the router, rebooted my computer, but still nothing.
>I've had this problem myself, but I can't remember what I had to do to
>fix it. I think I had to reset the network stack. Seems it gets in a
>funky state and rebooting the machine doesn't fix it unless you execute
>some commands first.
>
>Here is the batch file I use to deal with this if I remember correctly.
>Someone gave it to me so it has some stuff commented out that isn't
>needed. Also, one comment talks about reinstalling browsers, I've never
>had to do that. Resetting the machine is required. This file needs to
>be run in a command window with administrative privileges.

Thanks very much.

>:: This problem usually has to do with TCP/IP or Winsock requiring a reset.
>:: Winsock entries tells Windows 7 how to access your network services.
>:: Additionally, your TCP/IP protocol can be corrupted.
>:: The TCP/IP protocol is a stack of 4 layers that includes several
>:: transport layers, but when this stack is corrupt you will constantly
>:: have connectivity issues.
>
>:: You need Admin access to enter the codes below. Windows button + x,
>:: then choose Command Prompt (Admin)
>
>:: reset winsock entries
>netsh winsock reset catalog
>
>:: reset TCP/IP stack
>netsh int ip reset c:\reset.log
>
>:: You may have to reinstall Chrome and Firefox or reboot to have
>:: the change take place.
>:: netsh int ip uninstall
>:: netsh int ip install
>::
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}
>26

Are the double colons a necessary part of the command?

VanguardLH

May 28, 2017, 12:33:12 AM
Steve Hayes <haye...@telkomsa.net> wrote:

> Are the double colons a necessary part of the command?

Comment lines in a batch file can either begin with "rem " (that's "rem"
followed by a space or tab character) or with "::".

rickman

May 28, 2017, 1:24:53 AM
I believe the double colons are comment markers. I just used the file
verbatim. There's really only two commands. Unfortunately you have to
reboot the computer to get it to work. Let us know if this helps.

--

Rick C

Paul

May 28, 2017, 2:17:21 AM
No one seems to have made any comments about the registry key at the end.
Am I missing a post ?

There is a picture here, of someone modifying the permissions
on the "26" entry for Full Control, instead of it being just Read.

https://www.eightforums.com/network-sharing/18945-error-when-resetting-tcp-ip-stack-2.html

On later OSes, those two netsh commands are part of the
network troubleshooter.

And I hadn't heard of the 26 thing before. I wonder how
it gets set to just "Read" ?

HTH,
Paul

rickman

May 28, 2017, 3:18:47 AM
Maybe the one where I posted the file? The registry key is just a comment.
In later posts it is broken onto a new line by the 72 character limitation.


> There is a picture here, of someone modifying the permissions
> on the "26" entry for Full Control, instead of it being just Read.
>
> https://www.eightforums.com/network-sharing/18945-error-when-resetting-tcp-ip-stack-2.html
>
>
> On later OSes, those two netsh commands are part of the
> network troubleshooter.
>
> And I hadn't heard of the 26 thing before. I wonder how
> it gets set to just "Read" ?

That rings a bell... I didn't remember that.

--

Rick C

VanguardLH

May 28, 2017, 6:31:44 AM
rickman <gnu...@gmail.com> wrote:

> Paul wrote on 5/28/2017 2:17 AM:
>
>> No one seems to have made any comments about the registry key at the end.
>> Am I missing a post ?
>
> Maybe the one where I posted the file? The registry key is just a
> comment. In later posts it is broken onto a new line by the 72
> character limitation.
>
>> And I hadn't heard of the 26 thing before. I wonder how it gets set
>> to just "Read" ?
>
> That rings a bell... I didn't remember that.

But a value is worthless (the HKEY) unless added, changed, or deleted by
a program (the registry editor). You entering HKEY... on a command line
is just going to return an error message. You would need to put the key
in a .reg file (along with data names and their values since a key alone
doesn't specify anything unless a placeholder for a non-named "*"
default value) and use regedit.exe /s <file>.reg to load the settings
into the registry or use reg.exe for each directive that was in the .reg
file. Something has to use the key. A house key laying beside the door
won't unlock/lock the door. Someone has to use the key.

https://technet.microsoft.com/en-us/library/cc753591(v=ws.10).aspx
https://support.microsoft.com/en-us/help/299357/how-to-reset-tcp-ip-by-using-the-netshell-utility

Since all the netsh programs do is to reset the winsock params to their
defaults and the same for the IP bind, those won't help since the OP
already said they were able to use protocols *other* than HTTPS to connect
to other Internet hosts. They could even use HTTP. Sockets are working
just fine. They are used for the other protocols, too. His IP binding
works just fine since he can do e-mail, news[groups], and other
protocols. If his IP binding had expired or was no longer permitted by his
ISP, he couldn't get anywhere onto or past his ISP's network no matter
what network protocol he used.

Sans all the comment lines, all that batch file has are:

netsh winsock reset catalog
netsh int ip reset c:\reset.log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc} 26
                                                                                              ^
                                         there was probably supposed to be a backslash here --'

and the command interpreter would puke up an error on the last line
since HKEY...bc} is not a program (external or internal to the cmd.exe
interpreter in its console or shell).

By the way, NSI = Network Store Interface. Go into services (run
services.msc) and read its description.

http://maximumpcguides.com/windows-7/what-is-the-network-store-interface-nsi-service/

If the NSI service was unusable, stopped, or disabled, and according to
its definition, the OP would be incapable of doing e-mail and
news[groups] as he stated, not just problems with HTTPS (but with HTTP
still working).

https://www.windows-security.org/windows-service/network-store-interface-service

If NSI wasn't working, DNS doesn't work. It is unlikely the OP is
specifying IP addresses to connect to web sites but instead uses
hostnames. Humans like names. Computers demand numbers for addressing.
The OP very likely specified hostnames for the e-mail and NNTP servers,
not IP addresses, in his e-mail and newsgroups clients. Without the
DHCP client, his host would not be able to connect to an upstream DHCP
server (in his router/cable modem) that assigns him a dynamic IP address
(but he might be using a static one in his TCP config).

Back in services.msc, go into the properties of the NSI service. Look
under the dependencies tab. You can see all the other services that are
dependent on NSI being available.

Only a value is given in that invalid HKEY line (it's not a command or
program) in your batch file so it is unclear if the original author
meant it to be a value for a data item somewhere under that key or the
name of a key. I went to HKLM\System\CurrentControlSet\Control\NSI and,
for me, under that GUID, there is no "26" named subkey and none of the
data items under any subkey for that GUID-named key have a value of 26.
So the original author had something create that subkey but that doesn't
mean it is applicable to anyone else.

The problem is not with the NSI service nor with IP binding nor with
sockets. The OP said he can do e-mail, news[groups], and the
diagnostics said he can do HTTP. He has a valid IP binding, NSI is
running, DNS works, and sockets work because other network protocols do
work. Looks like "can't connect to web" really means he can go to
http:// sites but not to https:// sites.

Whoever wrote that batch file that you use doesn't know networking.
They just proliferated some babble that they copied from somewhere else.
He recites the OSI networking model he was taught in school or read
somewhere. The author intended his netsh commands to fix something
which is not the problem the OP is experiencing.

Stef

May 28, 2017, 1:16:07 PM
On 26/5/2017 01:04, Steve Hayes wrote:

> This morning I suddenly lost my connection to the web while I was
> browsing.
>
> Mail still worked, news still worked, but the web connection did not.
>
> I reset the router, rebooted my computer, but still nothing.
>
> I wondered if it was a browser fault (I use Firefox) so tried Internet
> Explorer. It too could not connect, but offered to run diagnostics.
> This is what was found:
>
> ---- diagnostic report ----
> [snip]
>
>
> DNS Client Diagnostic
> DNS - Not a home user scenario
>
> info Using Web Proxy: no
> info Resolving name ok for (www.microsoft.com): yes
> No DNS servers
>
> DNS failure

I haven't read the entire thread, but this is most likely your
problem.

Your default Domain Name Server is down or can't be accessed. When you
can't access "The Web" with your browser, but mail, ftp, etc work
(they don't use DNS), that's where I'd start the troubleshooting.
Here's a couple articles

https://www.lifewire.com/find-the-ip-address-of-a-web-site-818155
https://www.lifewire.com/what-is-the-ip-address-of-google-818153

Google's web site is hardly ever down. It's a good place to test if
your DNS is down using its IP addresses. You may get some kind of
error notice, but as long as the number IP address you entered is replaced
with a URL with "google" in it, it's working even if typing in
www.google.com doesn't.

pinging both the domain name of a site and its IP address will test the
DNS, too.

Check your DNS entries in your configs both through the Windows
interface and directly with your router. Windows has a nasty habit of
corrupting configs.


Stef

Bert

May 28, 2017, 1:52:16 PM
In news:ogf0kh$sre$1...@gioia.aioe.org Stef <n...@this.address.com> wrote:

> but mail, ftp, etc work (they don't use DNS),

Unless the IP addresses for the servers are hard-coded into the client,
they certainly do.

--
be...@iphouse.com St. Paul, MN

VanguardLH

May 28, 2017, 4:11:22 PM
Stef <n...@this.address.com> wrote:

> Steve Hayes wrote:
>
>> This morning I suddenly lost my connection to the web while I was
>> browsing.
>>
>> Mail still worked, news still worked, but the web connection did not.
>>
>> I reset the router, rebooted my computer, but still nothing.
>>
>> I wondered if it was a browser fault (I use Firefox) so tried Internet
>> Explorer. It too could not connect, but offered to run diagnostics.
>> This is what was found:
>>
>> ---- diagnostic report ----
>> [snip]
>>
>>
>> DNS Client Diagnostic
>> DNS - Not a home user scenario
>>
>> info Using Web Proxy: no
>> info Resolving name ok for (www.microsoft.com): yes
>> No DNS servers
>>
>> DNS failure
>
> I haven't read the entire thread, but this is most likely your
> problem.
>
> Your default Domain Name Server is down or can't be accessed. When you
> can't access "The Web" with your browser, but mail, ftp, etc work
> (they don't use DNS), that's where I'd start the troubleshooting.

WRONG. Anytime you use a hostname (host.domain.tld) to specify a host,
like for an e-mail or ftp or "etc" server, DNS gets used. Humans like
names. Computers demand numbers. How many times have you encountered a
user that specifies the IP address for their e-mail server when
configuring an account within their local e-mail client? Look at your
own e-mail config in whatever local e-mail client you use. Did you
enter a hostname or an IP address? Unless you do the DNS lookup when
configuring the e-mail account in your e-mail client, you don't get that
info from the e-mail provider as they give you hostnames. How many web
pages have you visited where absolute references (non-relative or just a
path under the current location) to sources in a web page use IP
addresses instead of hostnames? If DNS were unusable to the OP, he
wouldn't be doing e-mail or newsgroups. If the OP were having to use IP
addresses for everything, he would've mentioned it and maybe how he got
those IP addresses.

> Here's a couple articles
>
> https://www.lifewire.com/find-the-ip-address-of-a-web-site-818155

Requires DNS be working.

> https://www.lifewire.com/what-is-the-ip-address-of-google-818153

Requires DNS be working.

Also, if DNS was unusable, how would the OP get to the lifewire site?
You didn't give him the IP address for that site.

> pinging both the domain name of a site and its IP address will test the
> DNS, too.

That depends on the site. They can disable echo request in ICMP or
block it in their firewall which means ping won't work to there.
Besides, you don't need to rely on ping to convert a hostname to an IP
address. Just use nslookup.

You can also ping by hostname (which obviously requires a DNS server to
get the IP address and then do the actual ping) or ping by IP address.
How is the OP going to get the IP address (to ensure the site actually
responds to echo requests) if DNS is unusable?

The OP said e-mail and newsgroups worked. It is extremely rare a user
enters IP addresses for the server hostnames in the configuration of
their local clients. So DNS is working because the OP said he can do
e-mail and newsgroups. Per the OP's statement, we don't even know HOW
the OP is doing e-mail and newsgroups. He could be using a local client
(in which case, he specified hostnames, not IP addresses) or he could be
using HTTP to a web page (in which case, "can't connect" is misleading
because the OP can get to some sites but it's probably the HTTPS ones he
cannot establish a session).

Steve Hayes

May 28, 2017, 9:52:51 PM
On Sun, 28 May 2017 17:16:01 +0000 (UTC), Stef <n...@this.address.com>
wrote:

>Google's web site is hardly ever down. It's a good place to test if
>your DNS is down using its IP addresses. You may get some kind of
>error notice, but as long as the number IP address you entered is replaced
>with a URL with "google" in it, it's working even if typing in
>www.google.com doesn't.
>
>pinging both the domain name of a site and its IP address will test the
>DNS, too.

Having read the replies to your post, I think the DNS thing is
unlikely, but last week Google appeared to be down quite a bit, but
only in some places. I had to resort to Bing for searches, and was
quite surprised at how quickly it appeared, much faster than Google,
probably because it has less traffic. Sites that connect to Google
were also much slower to load -- they seemed to hang until the Google
connection timed out.

From people I asked, it seemed that Google's servers in the east of
South Africa and in New Zealand were down, but not in the UK or USA.

rickman

May 29, 2017, 12:20:32 AM
Not 100% true. I believe the Eudora email client uses DNS once to lookup
the IP address of the email server(s) when it first accesses them. From
then on it uses that stored IP address. There were times when I have ported
my domain to new hosting and the browser always finds the web site once it
is back up. But the email program seems to continue to access the old
servers until I do something to make it do a DNS lookup again (like restart
it).

--

Rick C

Stef

May 29, 2017, 12:27:48 PM
On 28/5/2017 18:53, Steve Hayes wrote:

> On Sun, 28 May 2017 17:16:01 +0000 (UTC), Stef <n...@this.address.com>
> wrote:
>
>>Google's web site is hardly ever down. It's a good place to test if
>>your DNS is down using its IP addresses. You may get some kind of
>>error notice, but as long as the number IP address you entered is replaced
>>with a URL with "google" in it, it's working even if typing in
>>www.google.com doesn't.
>>
>>pinging both the domain name of a site and its IP address will test the
>>DNS, too.
>
> Having read the replies to your post, I think the DNS thing is
> unlikely, but last week Google appeared to be down quite a bit, but
> only in some places. I had to resort to Bing for searches, and was
> quite surprised at how quickly it appeared, much faster than Google,
> probably because it has less traffic. Sites that connect to Google
> were also much slower to load -- they seemed to hang until the Google
> connection timed out.

Perhaps, the problem is something other than DNS, but since "it" failed,
it's a good place to start.

Google is a huge, busy site and I'm sure gets lots of DoS attacks, but
it's up the vast majority of the time and good to test if DNS is down or
it's something else. I used to use Yahoo, but it's regularly slow
responding and times out or I get tired of waiting. At least where I am
-- Southwestern US.

I've abandoned Google for searches and now use duckduckgo.com. Fast,
seems up all the time and doesn't profile searchers. I don't and NEVER
will use Bing: Part of my many personal protests against Microsoft and
its business practices. I only use Windows when I have no other
choices.

Stef

Stef

May 29, 2017, 2:57:56 PM
NOT ALWAYS. I'm old school. I use traditional, dedicated email, ftp,
usenet clients instead of a browser for all that. And those clients
work just fine even when my DNSes are not reachable which is very,
very rare. FWIW, Even when I enter the server names like
mail.mymailprovider.com in the configs, they still work without a
DNS. I think the client gets the IP and stores and uses it after
that. I never bothered to check and all have been working fine for
almost 5 years without any problems. With the usenet client I enter
the actual IP addresses. PS. Linux is my primary system and Internet
access. Windows runs in a VM on that machine for those times I need
it.


>> Here's a couple articles
>>
>> https://www.lifewire.com/find-the-ip-address-of-a-web-site-818155
>
> Requires DNS be working.

Yes, but the article also includes some IPs for testing.
Yes, but the article also includes some IPs for testing.

> Also, if DNS was unusable, how would the OP get to the lifewire site?
> You didn't give him the IP address for that site.

I was going to include it for testing purposes, but when I tested it
myself to be sure it worked, it didn't. Don't know why. Didn't check
why, either. Other IPs for the articles I tested did work though.


Stef

Stef

May 29, 2017, 3:05:47 PM
On 28/5/2017 10:48, Bert wrote:

> In news:ogf0kh$sre$1...@gioia.aioe.org Stef <n...@this.address.com> wrote:
>
>> but mail, ftp, etc work (they don't use DNS),
>
> Unless the IP addresses for the servers are hard-coded into the client,
> they certainly do.

I enter IP addresses sometimes. Just enter and save them. But even
when I enter the server "name," I think my email and ftp clients lookup
the IP address on first access and store them for future use, so it
doesn't have to look it up each time. The reason I say this is even
when my DNSes are "down" those clients (and usenet client, too) still
work. I don't use a web browser for those tasks.

Stef

Bert

May 31, 2017, 1:54:38 PM
In news:oghre5$1ctf$1...@gioia.aioe.org Stef <n...@this.address.com> wrote:

> But even when I enter the server "name," I think my email and ftp
> clients lookup the IP address on first access and store them for
> future use, so it doesn't have to look it up each time

If they do, it's a bad idea.

Many large-scale systems (and some small ones) have multiple IP
addresses and rotate the way they appear to DNS requests in order to
balance user load.

They'll also take addresses out of rotation if systems are down.

VanguardLH

May 31, 2017, 4:41:29 PM
Steve Hayes <haye...@telkomsa.net> wrote:

> Having read the replies to your post, I think the DNS thing is
> unlikely, but last week Google appeared to be down quite a bit, but
> only in some places. I had to resort to Bing for searches, and was
> quite surprised at how quickly it appeared, much faster than Google,
> probably because it has less traffic. Sites that connect to Google
> were also much slower to load -- they seemed to hang until the Google
> connection timed out.
>
> From people I asked, it seemed that Google's servers in the east of
> South Africa and in New Zealand were down, but not in the UK or USA.

You might also try to find out if the route you happen to get is
actually usable to you. Routing is not dynamic: when you can't get
through one route to a target, you don't automatically get assigned a
different route to try. Hosts (nodes in a route) go down, become
unresponsive, or get too busy so they are excessively slow and clients
will timeout. Updating the routing tables (once the problem has been
reported and after someone takes action) can take about 4 hours (that's
usually how long I wait for routing problems but they can take a lot
longer).

Run a traceroute (tracert) to see if you can reach the target host. For
example, last night I could not get to boatloadpuzzles.com. The web
browser said the site was unresponsive. Not true. A traceroute showed
I wasn't even getting outside my own ISP's network. Something weird was
happening where I kept getting looped back through the same two nodes.
I could get to other sites, like yahoo.com, but not to that one site.
It wasn't a site problem. It was a routing problem so I wasn't even
reaching the site.

You can use public proxies to reach a site using different routes. I
once couldn't reach creative.com for several days. I could get there
okay using a public proxy. Why? The route that I got happened to hit
one of their boundary servers (front end) to their web farm that was
down. The other routes hit different boundary servers so I could get
in. When presented with the various routings (mine that was unusable
and others that worked) to show which boundary host was unresponsive,
they fixed the problem in a day.

Another time I couldn't get to any site on the west coast but I could
get elsewhere. Turns out an entire backbone provider (Sprint) had an
outage so no one could go either direction across most of the Rockies.
I reported the problem but they already knew. That was a short-lived
outage but not when you're sitting at your computer wondering why you
can't get somewhere.

By the way, and back to the DNS topic, there is a possibility that it
will interfere with visiting a site but not because the DNS server is
down but because the site might've changed their IP address and you're
still trying to use the old lookup from the local DNS client's cache.
TTL (time-to-live) entries for successful lookups (positives) last
longer in the DNS client's cache than those for failed lookups
(negatives). Some users might suggest disabling the DNS Client service
but that means your end has to do more DNS lookups. Without the cache,
every hostname has to be looked up even if it is the same one. A web
page can have hundreds of references requiring a DNS lookup. Having to
send a request to a DNS server and get a response takes time. Looking
it up in a local cache is much quicker. By default in Windows, the TTLs
are:

positive TTL = 24 hours
negative TTL = 5 minutes

You can modify those DWORD values in the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters

MaxCacheEntryTtlLimit (positive TTL), default = 86400 seconds (24 hours)
NegativeCacheTime (negative TTL), default = 300 seconds (5 minutes)
(if the entries are absent, the defaults get used)

Some folks set the negative TTL to zero to not cache any of the failed
DNS lookups. Their intent is to keep requesting new lookups from the
DNS server until they happen to get one that works. They're hoping to
get to the site as soon as the DNS records get updated. Seems a bit
rude but I can see reducing this to one minute. The positive TTL is a
bit overly long since it is possible a site has changed their IP address
inside of a day. An hour or two seems more appropriate.

If you suspect there is a problem with the Windows DNS cache, you can
flush it to start over with all new DNS lookups and new caching. Run:

ipconfig /flushdns

Note that web clients can incorporate their own internal DNS cache which
overrides the defaults defined in the registry. The client uses its own
DNS cache instead of relying on the one in Windows. Firefox has its own
DNS cache. I suspect that is partly due to Firefox being
cross-platform: they want to rely on their own DNS cache instead of
hoping there is one (and still functional) back in the OS. I forget why
I ran into problems with Firefox's own DNS cache but back then I
disabled it to resolve whatever was the problem. I have not disabled
the DNS Client in Windows so that DNS caching is available and I don't
want (and ran into problems with) Firefox's own internal DNS cache. In
about:config, Firefox's TTL setting is at:

network.dnsCacheExpiration
default = 3600 (1 hour)
0 (zero) disables Firefox's DNS cache

Setting to zero means disabling the cache which flushes all currently
cached DNS lookups. Apparently Firefox is only caching positive
results, not negative ones. You could then reset back to 3600 or a
value of your choice or just leave it zero (and rely on the DNS Client
in Windows to do both positive and negative DNS caching). There are
add-ons for Firefox to flush Firefox's internal DNS cache, like DNS
Flusher, but I disabled Firefox's internal DNS cache so I don't need an
add-on to fix DNS caching problems within Firefox.

In Firefox, I also set network.dns.disablePrefetch = True but that's for
a different DNS issue: Firefox populating its internal DNS cache for any
resources specified in the currently loaded page. This has Firefox
prefetching IP addresses from the DNS server for resources that you may
never need, like a hyperlink to another site that you won't be visiting
or for ad or tracking sources that can then see your IP address visited
them. You might use an adblocker but prefetching in Firefox partially
cripples the adblocker from doing its job. See:

https://en.wikipedia.org/wiki/Link_prefetching#Issues_and_criticisms
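
The positive/negative TTL behaviour described in the post above, as an added example that is not part of the original post or of Windows or Firefox code. It is a toy cache with an injected clock; the class and function names, the name site.example and the 192.0.2.x addresses are constructed for illustration, and the 86400/300 second defaults are the ones quoted in the post.

```python
class ClientDnsCache:
    """Toy client-side DNS cache with separate positive and negative TTLs."""

    def __init__(self, upstream, positive_ttl=86400, negative_ttl=300):
        self.upstream = upstream          # callable: name -> IP string, or None on failure
        self.positive_ttl = positive_ttl  # seconds a successful lookup is reused
        self.negative_ttl = negative_ttl  # seconds a failed lookup is reused
        self.entries = {}                 # name -> (answer, expires_at)
        self.upstream_queries = 0

    def resolve(self, name, now):
        hit = self.entries.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]                 # served from cache, possibly stale
        self.upstream_queries += 1
        answer = self.upstream(name)
        ttl = self.positive_ttl if answer else self.negative_ttl
        if ttl > 0:
            self.entries[name] = (answer, now + ttl)
        else:
            self.entries.pop(name, None)  # TTL 0 means this kind of result is not cached
        return answer


def stale_seconds(positive_ttl, change_at=1800, step=60, horizon=2 * 86400):
    """Seconds the client keeps using the old address after the site moves."""
    zone = {"site.example": "192.0.2.10"}          # constructed zone data
    cache = ClientDnsCache(zone.get, positive_ttl=positive_ttl)
    stale = 0
    for now in range(0, horizon, step):
        if now >= change_at:
            zone["site.example"] = "192.0.2.20"    # the site changes its IP address
        if cache.resolve("site.example", now) != zone["site.example"]:
            stale += step
    return stale


def recovery(negative_ttl, fixed_at=60, step=10, horizon=600):
    """(first time a lookup succeeds, upstream queries sent) for a name that starts out failing."""
    zone = {}
    cache = ClientDnsCache(zone.get, negative_ttl=negative_ttl)
    first_ok = None
    for now in range(0, horizon, step):
        if now >= fixed_at:
            zone["site.example"] = "192.0.2.10"    # the DNS record gets fixed
        if cache.resolve("site.example", now) and first_ok is None:
            first_ok = now
    return first_ok, cache.upstream_queries
```

stale_seconds() shows how long a changed address stays unreachable under a given positive TTL; recovery() shows the trade-off between a zero negative TTL (recovers at once, queries the server on every attempt) and a short one.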

Stef

May 31, 2017, 7:03:46 PM
I really don't know for sure. I never bother checking. But I do know,
the few times the Web didn't work and I knew DNS, or lack thereof, was
the problem, I could still get mail, etc.

I think the OP is having a configuration problem more than anything
else. I used to have a side business troubleshooting such things on
Windows machines. Windows has an extraordinary ability to break
itself. When the printer or ethernet or wireless, etc. just stop
working, particularly when they worked fine before the machine was
"turned off" the night before, settings were the first thing I
checked.

Stef



Steve Hayes

Jun 1, 2017, 2:51:37 AM
On Wed, 31 May 2017 15:41:21 -0500, VanguardLH <V...@nguard.LH> wrote:

>If you suspect there is a problem with the Windows DNS cache, you can
>flush it to start over with all new DNS lookups and new caching. Run:
>
>ipconfig /flushdns
>
>Note that web clients can incorporate their own internal DNS cache which
>overrides the defaults defined in the registry. The client uses its own
>DNS cache instead of relying on the one in Windows. Firefox has its own
>DNS cache.

Thanks for this and lots of other useful information.

Since my problem was with the web and not mail or news, and I use
Firefox, it was probably not caused by the Windows DNS cache, but with
something in Firefox or even in my ISP. It seems to have come right
now, not necessarily because of anything I tried.

Char Jackson

Jun 13, 2017, 4:10:57 PM
On Wed, 31 May 2017 17:51:05 -0000 (UTC), Bert <be...@iphouse.com> wrote:

>In news:oghre5$1ctf$1...@gioia.aioe.org Stef <n...@this.address.com> wrote:
>
>> But even when I enter the server "name," I think my email and ftp
>> clients lookup the IP address on first access and store them for
>> future use, so it doesn't have to look it up each time
>
>If they do, it's a bad idea.

Agreed. Thanks to DNS, if a remote host's IP address needs to change for
any reason, DNS will automatically find the new IP.

>Many large-scale systems (and some small ones) have multiple IP
>addresses and rotate the way they appear to DNS requests in order to
>balance user load.

Typically referred to as "DNS load balancing", it's a free but very
crappy way to make a remote service available. Fortunately, it's pretty
rarely used these days. Instead, most publicly accessible organizations
use actual load balancers, where a remote FQDN resolves to a single IP
address that's configured on the client side of a load balancer. The
actual application servers reside behind the load balancer where they
can't be accessed directly by the public.

>They'll also take addresses out of rotation if systems are down.

The main problem with DNS load balancing (simply adding additional A or
AAAA records for a given FQDN) is that DNS has no way to do application
health checks, so regardless of whether a specific server is up or not,
DNS will happily hand out its IP address. Real load balancers address
that issue by performing periodic application health checks, taking
servers out of rotation if they don't respond properly and then adding
them back into rotation when they start responding again.
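
The difference described in the post above between handing out every A record and a load balancer that health-checks its pool, as an added example that is not part of the original post. The backend addresses, their up/down status and all names in the code are constructed for illustration; the probe is a dictionary lookup standing in for a real application health check.

```python
import itertools

# Constructed backend pool: address -> whether the application currently answers.
STATUS = {"198.51.100.11": True, "198.51.100.12": False, "198.51.100.13": True}


def dns_round_robin(records, requests):
    """Plain DNS rotation: every A record is handed out, up or not."""
    rotation = itertools.cycle(records)
    return [next(rotation) for _ in range(requests)]


class LoadBalancer:
    """One public address in front of a pool, with periodic health checks."""

    def __init__(self, backends, probe):
        self.backends = list(backends)
        self.probe = probe                  # callable: address -> True if healthy
        self.in_rotation = list(backends)
        self.counter = 0

    def health_check(self):
        # Failed backends leave rotation; recovered ones are added back.
        self.in_rotation = [b for b in self.backends if self.probe(b)]

    def route(self):
        if not self.in_rotation:
            return None                     # nothing healthy to send traffic to
        backend = self.in_rotation[self.counter % len(self.in_rotation)]
        self.counter += 1
        return backend


def failures(targets, status):
    """Count requests that landed on a backend that is down."""
    return sum(1 for t in targets if not status.get(t, False))


def compare(requests=9):
    """Failed requests via DNS rotation versus via the health-checked balancer."""
    status = dict(STATUS)
    lb = LoadBalancer(status, status.get)
    lb.health_check()
    via_dns = dns_round_robin(list(status), requests)
    via_lb = [lb.route() for _ in range(requests)]
    return failures(via_dns, status), failures(via_lb, status)
```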

Rene Lamontagne

Jun 20, 2017, 9:50:34 PM