Meraki

Community

Server Issue within network

jfuller347
New here
‎Oct 17 2022 11:23 AM
‎Oct 17 2022 11:23 AM

Server Issue within network

nslookup www.lasercutlawncare.com resolves to the correct IP address only when we are not in the office. it shows a different IP when we are behind the firewall. the correct address is 159.203.72.7 but inside the network it resolves to 104.225.8.29 regardless of the DNS server queried. there are no rules on the firewall, and there is no internal network DNS server.

When looking into it further, Meraki stated: As discussed on the call, the wireshark packet capture shows that DNS Query for the mentioned website is reaching to the DNS server and its the server that is responding back from the incorrect IP address i.e., 104.225.8.29 and 104.225.8.28. I have also attached the pcap file for you to investigate further."

0 Kudos
15 Replies 15
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 17 2022 11:26 AM
‎Oct 17 2022 11:26 AM

I agree with Meraki. If the pcap shows that your DNS server did respond to the query with the '104.225.8.29'. 


I would check on the DNS server that is responding to the queries.

In response to RaphaelL
jfuller347
New here
‎Oct 17 2022 1:11 PM
‎Oct 17 2022 1:11 PM

I replied below to cmr.

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Oct 17 2022 11:27 AM
‎Oct 17 2022 11:27 AM

@jfuller347 when you go to a command line and type nslookup, then change the server by typing server 8.8.8.8, what do you get if you then type www.lasercutlawncare.com

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
jfuller347
New here
‎Oct 17 2022 1:10 PM
‎Oct 17 2022 1:10 PM

So we had changed the DNS to 1.1.1.1 and to 8.8.8.8 in Meraki>>Security & SD-WAN>>Appliance Status>>Tools>>DNS Lookup and still got the discrepancy.  Unfortunately I am not behind the network or can utilize a VPN to test remotely.

0 Kudos
In response to jfuller347
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 17 2022 1:12 PM
‎Oct 17 2022 1:12 PM

The packet capture shows 1.1.1.1 / 8.8.8.8 responding to the query ?

 

On google public dig box : 

 

RaphaelL_0-1666037570678.png

 

0 Kudos
In response to RaphaelL
jfuller347
New here
‎Oct 17 2022 1:15 PM
‎Oct 17 2022 1:15 PM

That's what I get at home too.  However, behind the network of the client it is not what we get.

0 Kudos
In response to RaphaelL
cmr
Kind of a big deal
Kind of a big deal
‎Oct 17 2022 1:16 PM
‎Oct 17 2022 1:16 PM

Same here:

cmr_0-1666037795341.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
jfuller347
New here
‎Oct 17 2022 1:18 PM
‎Oct 17 2022 1:18 PM

yep.  its just in the client's network itself.  There are no firewall rules or anything out of the ordinary.  We can't figure it out.

0 Kudos
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 17 2022 1:22 PM
‎Oct 17 2022 1:22 PM

Have you checked to make sure your ISP isn't doing anything weird with your DNS traffic? 

 

Do you live in a country line China that restricts certain traffic?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
jfuller347
New here
‎Oct 18 2022 5:56 AM
‎Oct 18 2022 5:56 AM

I was thinking of reaching out to the ISP.  It is comcast and in the United States.

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Oct 23 2022 11:07 AM
‎Oct 23 2022 11:07 AM

If they have internal DNS servers what forwarders are they using (if any)?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
DraugTheWhopper
Conversationalist
‎Oct 31 2022 11:59 AM
‎Oct 31 2022 11:59 AM

As another person said, check with Comcast. I just ran into this on another site: click.skillpreceptor.info. All DNS requests for it to any DNS server are getting intercepted somewhere beyond my router (not even a Meraki), and replaced with the same IP address:

104.225.8.29
104.225.8.28

 

Testing with other connections (even Comcast at other sites!) shows the correct IP of 13.110.204.15.

 

Going to the site in a browser shows a generic block page, and some source investigation shows references to Akamai's Nominum DNS blocking service. So, sounds like Comcast is doing DNS blocking, though not sure I ever asked them to.

 

On a side note, for your mentioned website, MBAM throws a ransomware warning and blocks it, so clearly there's some kind of website issue going on for multiple security providers to start blocking it.

0 Kudos
In response to DraugTheWhopper
gregbutler_20
Conversationalist
‎Sep 8 2023 10:35 PM
‎Sep 8 2023 10:35 PM

Did you ever figure this out. We are having the exact same issue with the same 2 104.x.x.28 and 29 IPs. For us, its the sites click.mailer.clubhouseonline-e3.com, click.emailcampaigns.net, and trk.cp20.com. They all resolve to the above IPs. If I change the dns servers on my machine, it works. If I leave our internal network, it works. It's been driving me crazy.

0 Kudos
In response to gregbutler_20
DraugTheWhopper
Conversationalist
‎Sep 13 2023 2:47 PM
‎Sep 13 2023 2:47 PM

In our case, we were able to confirm it was Comcast's SecurityEdge feature, and the issues cleared up once we worked with Comcast to disable that.

gregbutler_20
Conversationalist
‎Sep 12 2023 6:16 AM
‎Sep 12 2023 6:16 AM

Did you ever figure this out? W have the exact same issue currently with the site you posted and another site.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.