Cant Access one specific website
-
Hi there,
I'm back with a weird question about what seems to be a network problem.
I can't access login.yahoo.com.
However, I can access mail.yahoo.com (if I am logged in) and yahoo.com.
The DNS server gives me a valid IP address but the browser doesn't seem to open it.
I tried it on 3 different devices and checked the issue: all the same. No traffic is blocked in the firewall and I can reach the host with ping login.yahoo.com from every device:
C:\>tracert login.yahoo.com
ds-ats.member.g02.yahoodns.net [2a00:1288:110:c104::3000]:
  1   <1 ms   <1 ms   <1 ms  heimdall.fritz.box [2003::[PRIVACY_BLOCK]::5024]
  2   <1 ms   <1 ms   <1 ms  p200300ed870c2a001eed6ffffe81799d.dip0.t-ipconnect.de [2003::[PRIVACY_BLOCK]::799d]
  3    5 ms    4 ms    4 ms  2003::[PRIVACY_BLOCK]::1
  4    *       *       *     Timeout.
  5    9 ms    9 ms    9 ms  e0-50.switch2.fra2.he.net [2001:470:0:5f6::1]
  6   20 ms   20 ms   24 ms  as10310.frankfurt.megaport.com [2001:7f8:8:20:0:2846:0:1]
  7   21 ms   21 ms   20 ms  ae-3.pat1.frz.yahoo.com [2a00:1288:f021:d::1]
  8   37 ms   37 ms   37 ms  ae-2.pat1.iry.yahoo.com [2a00:1288:f020:2::]
  9   35 ms   36 ms   34 ms  2a00:1288:f020:8::1
 10   35 ms   34 ms   34 ms  2a00:1288:110:fc83::1
 11   37 ms   37 ms   36 ms  et28.usw2-1-lba.ir2.yahoo.com [2a00:1288:110:cc25::1]
 12   37 ms   37 ms   37 ms  ats2.member.vip.ir2.yahoo.com [2a00:1288:110:c104::3000]
If I'm on cellular with my phone, everything works as expected.
Someone got a clue what else I can check?
-
@sysadminfromhell said in Cant Access one specific website:
I can't access login.yahoo.com.
Hummm.
Me neither - using IPv6 ....
Visiting www.yahoo.com managed to trigger close to every pfBlockerNG feed I have. What a mess.
Edit: Is Yahoo actually Google (owned) now?
I've placed .yahoo.com. on the pfBlockerNG-devel AAAA (Python mode needed) DNSBL list.
This forces IPv4-only access: now the login page shows up.
-
@sysadminfromhell After we switched our office to Hurricane Electric IPv6 I found some Yahoo! sites stopped allowing connections. IPv4 (not through HE) works. I suspect they are blocking "VPN" or other similar proxy sites. I know their sports sites have occasional live TV feeds that are limited by location/country.
Firefox can limit sites by hostname to IPv4, in about:config find setting network.dns.ipv4OnlyDomains.
-
@gertjan can you give me a walk-through tutorial on how to do this? The funny thing is that only login.yahoo.com is affected.
I tried checking the option "Prefer IPv4 over IPv6" but this didn't do anything. Or do I have to restart for that to work?
-
@sysadminfromhell said in Cant Access one specific website:
a walk-through tutorial.
Yeah.
Install pfBlockerNG-devel.
No need to add any feeds/lists or whatever.
Activate DNSBL.
Enable "no AAAA" and add ".yahoo.com" to the list:
Save.
Go to Firewall > pfBlockerNG > Update and do a reload => All.
And flush your local device DNS cache - close browsers.
Done. No more IPv6 for everything that is ".yahoo.com". All yahoo.com access will be IPv4 only.
Btw : he.net is one of the biggest IPv6 peering companies in the world, but their ipv6 tunnel can be considered as a VPN. I'm using it myself, as my ISP doesn't know what IPv6 is (and if they did, they would give me only one IPv6 /64 so totally useless).
@sysadminfromhell said in Cant Access one specific website:
Option prefer IPv4 over IPv6
That option is there to please the 'antis' ;) The OS used, FreeBSD, is natively IPv6 and will do IPv4 if IPv6 doesn't 'work' - that can't be shut down without an OS recompile.
All serious OS's, routers (like pfSense), ISPs, peering companies, the back bone itself is IPv6 'ready and done'.
Android devices are a special case.
The first "IP generation" ('60, '70 and '80) learned IPv4 the old school way : "this is it - comments are not appreciated so S.U. - these are the rules and others move to Mars". The new generation has to do it the same way, now using YouTube (I guess), and have IPv6 as dessert. Yeah, life is hard.
When the top 500 most visited sites also become IPv6 ready and done, we can start to firewall all IPv4 traffic. Some one will find somewhere a lost IPv4 packet a couple of days later before total extinction. Then we can all start to remove all that 'dead' IPv4 code everywhere.
This will happen .... somewhere around 2030++ ? ;)
Sorry, I was ranting.
-
@gertjan will it interfere with my DNS in any way?
I have native IPv6 from my ISP but never experienced so many problems with it, only since I have the pfSense :(
-
@sysadminfromhell said in Cant Access one specific website:
many problems
What ?
Not having access to yahoo.com ?
If it's for their mail, use a client - accessing their mail using a browser seems a scary thing to do.
If "everything" works except one site, it's not pfSense with a 99,99 % error margin. The 0,005 % left
Sites do stop functioning. Remember Facebook a while ago. We were close to a "Walking dead" situation - only the zombies didn't check in (yet).
I presume that (again : IMHO !!) ipv6.he.net doesn't permit yahoo.com to trace you - so people make use of that. Because ads can be spammed away, some smart guy blocked/firewalled these (your) IPv6.
They will correct that over time. Visit their support forum : you'll see.
@sysadminfromhell said in Cant Access one specific website:
will it interfere with my DNS in any kind ?
If you didn't interfere yourself with the default DNS settings : No.
Installing pfBlockerNG without feeds does -> nothing <-.
@sysadminfromhell said in Cant Access one specific website:
I have native IPv6 from my ISP but never experienced so many problems with it, only since I have the pfSense :(
Remember : ipv6.he.net can be considered as a VPN.
When you use a VPN style connection, the other side will have more trouble tracking you.
So, I would, and you would 'hinder' them in that case.
Which explains all.
-
@gertjan thank you for the TuT. I did it, and now it's working.
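
An added example, not part of the thread: ping and tracert only show that ICMP reaches the host, so this sketch resolves the name per address family and attempts a TCP connect plus TLS handshake on port 443 over each, which is the path the browser actually uses. The function names (`tls_connect`, `probe`, `verdict`) and the verdict labels are hypothetical; an HTTP-level refusal after a successful handshake is outside what it checks.

```python
import socket
import ssl
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def tls_connect(family, addr, host, port, timeout):
    """TCP connect to one address, then a TLS handshake with SNI set to host."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((addr, port))
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # refused, unreachable, reset, TLS failure
        return "error: %s" % exc

def probe(host, port=443, timeout=5.0, resolve=socket.getaddrinfo, connect=tls_connect):
    """Return {"IPv4": [(addr, status), ...], "IPv6": [...]} for one hostname."""
    report = {}
    for name, family in FAMILIES.items():
        try:
            infos = resolve(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:  # resolver returned no A / AAAA for this family
            infos = []
        addrs = sorted({info[4][0] for info in infos})
        report[name] = [(a, connect(family, a, host, port, timeout)) for a in addrs]
    return report

def verdict(report):
    """Classify the report so the failing address family is obvious."""
    ok = {name: any(s == "ok" for _, s in rows) for name, rows in report.items()}
    if ok["IPv4"] and ok["IPv6"]:
        return "both-ok"
    if ok["IPv4"]:
        return "ipv6-fails" if report["IPv6"] else "no-aaaa"
    return "ipv4-fails" if ok["IPv6"] else "both-fail"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "login.yahoo.com"
    result = probe(target)
    for fam, rows in result.items():
        for addr, status in rows:
            print(fam, addr, status)
    print("verdict:", verdict(result))
```

Run on a LAN client that uses the pfSense resolver, the IPv6 list comes back empty once the resolver stops returning AAAA records for the name.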