Tracert tracing to a different IP than the one returned from whois

-1

I am trying to figure out why I cannot access a specific website from my office network. If I visit this site from another IP then there is no problem. I can also visit other websites hosted on the same server...

So I tried to tracert that domain:

tracert www.blocked_domain.com and I see that tracert returns:

Tracing route to blocked_domain.com [40.85.93.65] ..... That IP is different from the one that I get when I perform whois on that domain. (The right IP is the one returned from whois.)

If I run tracert for another domain which is hosted on the same server as blocked_domain.com, I get the correct IP of the hosting server.

Any suggestions why that is happening? Why can't I visit this website from my office's IP?

UPDATE

If I configure the hosts file with the domain and the correct IP of the hosting server, then I can visit the website without any problem.

Grawity test results

Here are the results of the nslookups I get:

+-----------------------------------------+-------------------------------+-------------------------------+-------------------------------------------------------------------------------+
|                    *                    |          office-mine          |       office-colleague        |                                      4g                                       |
+-----------------------------------------+-------------------------------+-------------------------------+-------------------------------------------------------------------------------+
| nslookup www.blocked_domain.com         | Wrong                         | Wrong                         | DNS request time out. timeout was 2 seconds. Server Unknown. Address: correct |
| nslookup www.blocked_domain.com 9.9.9.9 | Correct (hosting server's ip) | Correct (hosting server's ip) | DNS request time out. timeout was 2 seconds. Server Unknown. Address: correct |
| nslookup www.blocked_domain.com 1.1.1.1 | Correct (hosting server's ip) | Correct (hosting server's ip) | DNS request time out. timeout was 2 seconds. Server Unknown. Address: correct |
+-----------------------------------------+-------------------------------+-------------------------------+-------------------------------------------------------------------------------+

netdev

Posted 2019-11-13T14:37:34.240

Reputation: 99

Question was closed 2019-11-19T00:51:29.150

Have you asked your IT Administrator for assistance? Are you sure the problem is not the server configuration itself? Just because other sites on the server are properly configured does not mean the site you're trying to visit is properly configured. – Ramhound – 2019-11-13T14:43:54.173

@Ramhound the weird thing is that I can visit the website from any other IP than my office's IP. There is no wordfence block or any block on the hosting server for my office's IP – netdev – 2019-11-13T14:45:34.243

Are you using the office network's provided DNS servers? What results do you get from nslookup for that domain? – user1686 – 2019-11-13T15:35:35.647

Answers

2

That ip is different from the one that I get when I perform whois on that domain. (The right ip is the one returned from whois)

First of all – WHOIS is meant to show a completely different thing. The address used by 'tracert' and by web browsers is what the (sub)domain's A/AAAA records resolve to; but WHOIS only tells you what nameservers the domain's DNS data is hosted on. They are two separate kinds of DNS records.

It's certainly possible and common (especially for small personal domains) that these two might be set to the same IP address. But they're still two separate functions, so it's also completely normal for the addresses to be different as well.

And second, blocked_domain.com might easily have a different address from www.blocked_domain.com. They're different domain names and nothing automatically links them. (It's... not uncommon to update one and forget to update the other.)


The real problem, then, isn't that the webserver address used by 'tracert' is different from the nameserver address shown in WHOIS – but that it's different from the webserver address seen from outside.

You should figure out where the differences start:

  1. Run nslookup www.blocked_domain.com on your computer, and note what DNS server it's using.

  2. Run nslookup www.the_domain.com 8.8.8.8 to bypass the configured DNS server and check directly against Google Public DNS servers. Then do the same with 1.1.1.1 (Cloudflare's public DNS) and 9.9.9.9 (PCH's public DNS).

    Try this at the office and at home (or 4G or some other Internet connection).

    • If you always get the same wrong results from all servers, over all Internet connections, then it's just the domain itself that literally has wrong data in DNS.

    • If you get wrong results at office (from all servers), but correct results at home/etc., then your office router is probably intercepting DNS requests.

    • If you get correct results from all servers (and wrong results only when you don't specify a DNS server), then it's specifically your office's DNS server which either has the wrong data cached, or is deliberately returning wrong data.

      (It could be that the domain had wrong DNS records for a short time and was quickly fixed, but you just happened to visit it when it was broken and the DNS information got cached on the office's DNS server.)

    • If you get mixed results, it could be misconfiguration on the domain itself (e.g. two nameservers desynchronized).

  3. Run nslookup www.blocked_domain.com on some other computer at the office, and compare both the domain's IP address and the DNS server's IP address with the results you get from your own computer.

    • If they both use different DNS servers and give the same results, you can suspect either the domain itself having wrong DNS data, or the office's router intercepting all DNS requests.
    • If they both use the same DNS server and give the same results, same as above, but you can also suspect the DNS server itself giving you wrong data.
    • If they both use different DNS servers and give different results, you can suspect the DNS server that you're using – check your computer's DNS configuration.
    • And if they both use the same DNS server but give different results, you can probably suspect some malware on your computer...

user1686

Posted 2019-11-13T14:37:34.240

Reputation: 283 655
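An added illustration of the step-2 procedure above (this is not code from the original answer): a Python script that sends a raw A query straight to each public resolver the answer names, the same thing nslookup does when you give it a server, and then maps the results gathered from two connections onto the answer's four cases. The RESOLVERS table, the "system" key (fill it with the address nslookup reports in step 1) and the wording returned by classify are my own assumptions.

```python
import random, socket, struct

RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}  # from the answer

def build_query(name):
    """12-byte header (random ID, RD=1, 1 question) + QNAME + QTYPE=A, QCLASS=IN."""
    hdr = struct.pack(">HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\0"
    return hdr + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    """IPv4 addresses from the answer section; CNAME and other RR types are skipped."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def query_a(name, server, timeout=2.0):
    """One direct UDP query: the equivalent of 'nslookup name server'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])

def classify(office, elsewhere, expected):
    """Map {resolver: [ips]} seen from the office and from elsewhere onto the step-2 cases."""
    right = lambda res: {r for r, ips in res.items() if expected in ips}
    if not right(office) and not right(elsewhere):
        return "domain itself has wrong DNS data"
    if not right(office) and right(elsewhere) == set(elsewhere):
        return "office router is intercepting DNS"
    if "system" not in right(office) and right(office) == set(office) - {"system"}:
        return "office DNS server returns wrong data (stale cache or deliberate)"
    return "mixed results: suspect desynchronized nameservers"
```

On each connection run `{r: query_a(name, ip) for r, ip in RESOLVERS.items()}`, add a `"system"` entry queried against the server nslookup showed in step 1, and pass the office and outside dicts plus the address seen from outside to `classify`.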

Just passing for the first time in a while... Excellent answer, and you sort of address it... however, I have seen a nasty issue recently with some ISPs that have DNS redirection and intercept on the router... I couldn't figure out why I was resolving incorrectly at a client, and then had the same issue when I went to their neighbour (who had moved to the same ISP)... I would suggest you also look at https://dnschecker.org/ or similar services which should also help (other than if the site uses geo-ip or similar services).

– William Hilsum – 2019-11-13T16:11:07.477

Thank you for the detailed answer. I posted the results in my OP. So most probably it is a matter of the office's router? – netdev – 2019-11-14T07:42:05.337

Yes, either the router itself, or whatever upstream DNS server it is using (usually the ISP's DNS server) – but at least you know it's not your computer. It might be wrong data temporarily cached (try nslookup -d www.thedomain and look for "time to live" or "TTL", it might expire after a few hours and start working properly afterwards), or it might be something else. – user1686 – 2019-11-14T08:13:16.693

(Also, regarding the "timeout" you're seeing: that's normal and can be ignored. Nslookup for historical reasons always makes a 2nd query, it tries to show the 'reverse DNS' of the DNS server's own IP. And although that ought to immediately succeed/fail, not timeout, it doesn't really affect the real results either way.) – user1686 – 2019-11-14T08:15:49.903

TTL is 1 day. But it's already passed since we had this problem in the office. So I guess it is probably the office's router. We will restart it outside office hours and I will get back on it. – netdev – 2019-11-14T08:44:31.890