Netgate Discussion Forum

    Unable to reach facebook.com and linkedin.com

      November @November

      Safari is also unable to reach those sites. This got me to realize why Tor may be able to.

          November @November

          linkedin.com and meetup.com are now reachable after I changed my router's DNS to 8.8.8.8 and back (although this latter part may be due to DNS caching).
          facebook.com isn't reachable even when my router's DNS is set to 8.8.8.8.

            johnpoz LAYER 8 Global Moderator

            @November said in Unable to reach facebook.com and linkedin.com:

            Also, nslookup for both domains comes back fine.

            Then you not getting there has nothing to do with dns, so why are you changing it? Do you think the IP returned is bad or something?

            Here is a simple test.. Try and go to facebook.com while sniffing on your pfsense wan.. Do you see it send a syn? What do you get back - anything? If you send and don't get anything back it's not a pfsense problem. If you don't send, then you have something on pfsense or your network that is causing the problem.

            facebook.png

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

              November @November

              Changing the order of the firewall rules (such that the whitelist rule is applied before the DNSBLIP rule) fixed the facebook.com issue.

                November @johnpoz

                @johnpoz , like I said, there's lots to be gained in my understanding. In the past, when a site wasn't reachable, whitelisting the site sometimes allowed it to be reachable.

                Some of the confusion also stemmed from assuming the linkedin.com and meetup.com issues were related to the facebook.com issue (since they were both noticed around the same time).

                Anyway, changing the precedence of the firewall rules fixed the issue for me.

                Thanks for pointing me to the packet capture tool. That'll come in handy in the future.

                  November @johnpoz

                  @johnpoz said in Unable to reach facebook.com and linkedin.com:

                  Do you see it send a syn? What do you get back - anything? If you send and don't get anything back it's not a pfsense problem. If you don't send, then you have something on pfsense or your network that is causing the problem.

                  I did the packet sniffing and am not seeing the IPs I'm expecting for linkedin.com or meetup.com. What else can be done to track down this issue?

                    johnpoz LAYER 8 Global Moderator

                    And what IPs are you seeing?

                    C:\>dig meetup.com +short
                    151.101.66.110
                    151.101.194.110
                    151.101.2.110
                    151.101.130.110
                    
                    C:\>dig linkedin.com +short
                    108.174.10.10
                    

                    What is happening in the browser - are you getting a host not found? Can you ping them by name.. etc.. Love to help you but with no info there is nothing to help with.

                    Keep in mind those sites are going to be served by large CDNs - so yeah IPs could be different where you're at in the world, time you query, etc. etc..

                    NetRange:       108.174.0.0 - 108.174.15.255
                    CIDR:           108.174.0.0/20
                    NetName:        LINKEDIN
                    

                    meetup is hosted via fastly.. which is a huge CDN..

                    NetRange:       151.101.0.0 - 151.101.255.255
                    CIDR:           151.101.0.0/16
                    Organization:   Fastly (SKYCA-3)
                    

                    Also keep in mind exactly where you're going.. for example www.linkedin.com is going to be different than just linkedin.com

                    C:\>dig www.linkedin.com +short
                    www-linkedin-com.l-0005.l-msedge.net.
                    l-0005.l-msedge.net.
                    13.107.42.14
                    

                      November @johnpoz

                      @johnpoz

                      $ dig meetup.com
                      
                      ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> meetup.com
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51481
                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 65494
                      ;; QUESTION SECTION:
                      ;meetup.com.			IN	A
                      
                      ;; ANSWER SECTION:
                      meetup.com.		46	IN	A	151.101.130.110
                      meetup.com.		46	IN	A	151.101.2.110
                      meetup.com.		46	IN	A	151.101.194.110
                      meetup.com.		46	IN	A	151.101.66.110
                      
                      ;; Query time: 0 msec
                      ;; SERVER: 127.0.0.53#53(127.0.0.53)
                      ;; WHEN: Sat Aug 08 21:30:00 PDT 2020
                      ;; MSG SIZE  rcvd: 103
                      

                      From Chrome:
                      meetup.com unreachable.png

                      $ ping meetup.com
                      PING meetup.com (151.101.130.110) 56(84) bytes of data.
                      64 bytes from 151.101.130.110 (151.101.130.110): icmp_seq=1 ttl=55 time=11.2 ms
                      64 bytes from 151.101.130.110 (151.101.130.110): icmp_seq=2 ttl=55 time=12.2 ms
                      

                      FWIW, meetup.com forwards to www.meetup.com in the browser.

                      dig www.meetup.com
                      
                      ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.meetup.com
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2404
                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 65494
                      ;; QUESTION SECTION:
                      ;www.meetup.com.			IN	A
                      
                      ;; Query time: 6 msec
                      ;; SERVER: 127.0.0.53#53(127.0.0.53)
                      ;; WHEN: Sat Aug 08 21:40:28 PDT 2020
                      ;; MSG SIZE  rcvd: 43
                      

                      I'd like to focus on investigating what's going on with meetup.com for now. Hopefully I can learn enough to be able to troubleshoot what's going on with linkedin.com.

                        November @November

                        I'm not seeing any of the linkedin.com IP addresses in the packet capture even though currently it's loading in the browser for me so there's something I'm not understanding.

                          November @November

                          Oh, also, one reason I'm thinking this is DNS related is because when I switch my router to use 8.8.8.8 as its DNS server, I'm able to reach both linkedin.com and meetup.com. But my understanding could be missing something that would allow this symptom but the problem is still not with DNS itself.

                            johnpoz LAYER 8 Global Moderator

                            @November said in Unable to reach facebook.com and linkedin.com:

                            ;; QUESTION SECTION:
                            ;www.meetup.com. IN A

                            ;; Query time: 6 msec
                            ;; SERVER: 127.0.0.53#53(127.0.0.53)

                            Well you're never going to get to www.meetup.com if it doesn't resolve.. you didn't get an answer..

                            As to why you didn't see anything in your sniff to linkedin.. You didn't show how you did your sniff so not sure what you're doing wrong.. Are you forcing traffic out a vpn? Did you sniff on the wrong interface? Did you sniff tcp only and it's using quic (udp) etc.

                            On pfsense do a dig +trace for www.meetup.com

                            Which has a cname that points to
                            www.meetup.com. 30 IN CNAME f4.shared.global.fastly.net.

                            So then do trace to that.. They have horribly low TTLs - so those IPs most likely going to change all the time..

                              November @johnpoz

                              @johnpoz

                              The following is what I've been using to capture packets:
                              Interface: WAN
                              Promiscuous: unset
                              Address Family: Any
                              Protocol: Any
                              Host Address:
                              Port:
                              Packet Length: 0
                              Count: 100
                              Level of Detail: Normal
                              Reverse DNS Lookup: unset

                              The low TTLs for meetup.com explain why they become unreachable after switching my router's DNS server back while linkedin.com continues to resolve for a while.

                              I'll do the dig and trace when I get a chance.

                              Thanks so much for the help and guidance.

                                johnpoz LAYER 8 Global Moderator

                                With such a capture you would be capturing everything but only 100 packets, so you would prob miss your traffic.. Since I would assume lots of traffic is going in and out of your wan. Even just pings would fill that up quickly since you monitor 2 pings every second, etc.

                                On your sniff set the host to the IP it resolves to so you only see traffic to and from that IP.

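The send/no-reply test described in the thread can be applied to the text output of a WAN capture (`tcpdump -n` format) once it is narrowed to the target; the following is an added example, not code posted by anyone in the thread. The function name, the verdict strings, the WAN address 203.0.113.5 and the capture lines are constructed for illustration; 151.101.0.0/16 is the Fastly range quoted above.

```python
import ipaddress
import re

# One tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")
FLAGS = re.compile(r"Flags \[([^\]]*)\]")

# Constructed sample captures; 203.0.113.5 stands in for the WAN address.
SYN_ONLY = [
    "21:30:01.000001 IP 203.0.113.5.51514 > 151.101.130.110.443: Flags [S], seq 1, win 65535, length 0",
    "21:30:02.000001 IP 203.0.113.5.51514 > 151.101.130.110.443: Flags [S], seq 1, win 65535, length 0",
]
SYN_ACK = SYN_ONLY[:1] + [
    "21:30:01.011000 IP 151.101.130.110.443 > 203.0.113.5.51514: Flags [S.], seq 9, ack 2, win 65535, length 0",
]
UNRELATED = [
    "21:30:01.000001 IP 203.0.113.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64",
    "21:30:03.000001 IP 203.0.113.5.51000 > 8.8.8.8.53: 51481+ A? www.meetup.com. (32)",
]


def diagnose(capture_lines, target_cidrs):
    """Classify WAN traffic to/from the target networks (hypothetical helper).

    Matching a CIDR instead of one address copes with CDN records that
    rotate on short TTLs.
    """
    nets = [ipaddress.ip_network(c) for c in target_cidrs]
    sent = replies = resets = 0
    for line in capture_lines:
        m = LINE.search(line)
        if not m:
            continue  # ICMP and other lines without ports
        src, dst, dport, rest = m.groups()
        flags = FLAGS.search(rest)
        if any(ipaddress.ip_address(dst) in n for n in nets):
            # A bare SYN, or UDP to 443 (QUIC), counts as an attempt.
            if (flags and flags.group(1) == "S") or (
                    rest.startswith("UDP") and dport == "443"):
                sent += 1
        elif any(ipaddress.ip_address(src) in n for n in nets):
            if flags and "R" in flags.group(1):
                resets += 1
            else:
                replies += 1
    if sent == 0:
        return "nothing-sent"   # pfSense or LAN side: rules, interface, VPN, DNS
    if replies:
        return "replied"        # the remote side answers
    return "reset" if resets else "sent-no-reply"  # no reply: not pfSense
```

Feed it a capture taken with the Host Address field set, so the 100-packet count is not used up by unrelated traffic.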