Whitelisted Everything.... Website Still Blocked
Why do I still have no access when websites are still Whitelisted?
I can access my bank website www.etrade.com fine. All features on this website work. However, whenever I select the Billpay feature of this website it is blocked. There appear to be two websites that operate the Billpay feature of the www.etrade.com website. They are:
billpay.etrade.net
and
saml2-prod.fiservapps.com/sp/ACS.saml2
Doesn't matter. When both are added to the Whitelist. Still blocked.
-
Did you flush your two local caches once after the settings change?
https://support.opendns.com/hc/en-us/articles/227988627
If it is not this, then copy & paste the complete plain text output of the following diagnostic commands to here:
nslookup -type=txt debug.opendns.com.
nslookup whoami.akamai.net.
nslookup billpay.etrade.com. Edit: nslookup billpay.etrade.net.
nslookup saml2-prod.fiservapps.com.
Btw, saml2-prod.fiservapps.com and billpay.etrade.net are not in any category, so whitelisting them is meaningless.
-
Thank you for your help Rotblitz. I did try flushing the DNS cache at the Command Prompt after your suggestion. It did not work.
Here is what I get when I run each of the four nslookup commands. I did an nslookup on a third website, etrade.com just for good measure:
Microsoft Windows [Version 10.0.17134.648]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Todd>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Todd>nslookup -type=txt debug.opendns.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
debug.opendns.com text ="server r5.atl1"
debug.opendns.com text ="device 0000729A0D937DE3"
debug.opendns.com text ="flags 422 0 10 180000000000000000003840000140000000000"
debug.opendns.com text ="originid 193468098"
debug.opendns.com text ="actype 1"
debug.opendns.com text ="bundle 193468098"
debug.opendns.com text ="source 71.76.72.72:17560"
C:\Users\Todd>nslookup whoami.akamai.net
Server: UnKnown
Address: 192.168.1.1
Name: whoami.akamai.net
Address: 2a04:e4c0:24::70
C:\Users\Todd>nslookup billpay.etrade.com
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find billpay.etrade.com: Server failed
C:\Users\Todd>nslookup saml2-prod.fiservapps.com
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find saml2-prod.fiservapps.com: Server failed
C:\Users\Todd>nslookup etrade.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: etrade.com
Address: 12.153.224.22
C:\Users\Todd>
-
There seems to be more than one issue.
"I did try flushing the DNS cache at the Command Prompt after your suggestion. It did not work."
It did work, although it may not have helped in your case.
It seems you're using Netgear LPC and OpenDNS Home in parallel. These services are incompatible. You can just use the one or the other. Decide which one you want to use and disable the other!
The other issue is that you get SERVFAIL for the two domains in question. That may be the reason why you think that they are blocked for you. Indeed, they are not, you just cannot resolve them in DNS. They resolve properly for me using OpenDNS Home. I don't know why they don't resolve for you.
Just seeing, the one domain was billpay.etrade.net, not billpay.etrade.com, so nslookup for the latter should have returned NXDOMAIN, not SERVFAIL.
-
"I did try flushing the DNS cache at the Command Prompt after your suggestion. It did not work."
Yes, what I meant is... it did not work... to resolve the problem.
.....Netgear Live Parental Controls uses OpenDNS, you can't divorce the two. In fact, when you log in to Netgear LPC it is an OpenDNS splash login page.
The two domains in question DO resolve for me when ALL filtering is turned off in Netgear LPC which is serviced through OpenDNS.
However, there is a twist.
billpay.etrade.net remains unresolvable, which is odd because that's what the browser reports as one of two websites not working when filtering is turned on.
With filtering off the saml2-prod.fiservapps.com is now resolvable.
When I do successfully access the Bill Pay subsite of the www.etrade.com it reports this address:
https://billpay.etrade.net/imm/PaymentCenter/Index/4711
... which is resolvable.
So, my next step is to turn filtering back on and try Whitelisting that specific address which I will paste results in another post.
C:\Users\Todd>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Todd>nslookup billpay.etrade.com
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find billpay.etrade.com: Server failed
C:\Users\Todd>nslookup saml2-prod.fiservapps.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: saml2-prod.fiservapps.com
Address: 192.131.72.191
C:\Users\Todd>nslookup https://billpay.etrade.net/imm/PaymentCenter/Index/4711
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: https://billpay.etrade.net/imm/PaymentCenter/Index/4711
Addresses: 198.105.254.228
198.105.244.228
C:\Users\Todd>
-
Update. When trying to add the specific address:
https://billpay.etrade.net/imm/PaymentCenter/Index/4711
Which is resolvable
The Whitelist just saves as: billpay.etrade.net
Which is not resolvable (even with filtering off)
-
"nslookup https://billpay.etrade.net/imm/PaymentCenter/Index/4711"
You cannot do a DNS lookup for a URL, just for a domain.
"Netgear Live Parental Controls uses OpenDNS, you can't divorce the two."
Again, Netgear LPC (powered by OpenDNS) and OpenDNS Home are not compatible. You're most likely using both which is one root cause of your troubles. Disable one of the services. You certainly can divorce the two!
-
Well it may seem as if you can divorce the two, but in practice....
- I know Netgear LPC does not work. When I use this product by itself, I had the issues explained above, that's when I sought out OpenDNS Home... and then this forum.
- OpenDNS Home, when turned on, with Web Content Filtering ON, for my Home IP address AND Netgear LPC turned off.... does not work. I'd say the performance of OpenDNS Home by itself (with Netgear LPC disabled) is even worse than Netgear LPC. I have a few hard Blacklist domains that OpenDNS Home can't even block. The only way they get blocked is to turn on Netgear LPC.
-
Well, when you posted the command outputs above, you still had LPC enabled. It's more than hard to help if diagnostics are not run under defined specific conditions. You definitely must be doing something wrong. It's you, not OpenDNS.
If you still want help here in the community forum, you would have to post the command outputs again, under defined conditions.
nslookup -type=txt debug.opendns.com.
nslookup whoami.akamai.net.
nslookup billpay.etrade.net.
nslookup saml2-prod.fiservapps.com.
Else you raise a support ticket, link "Submit a request" above, so that staff can look into it.
-
Wow. Love how an end-user gets blamed, for software designed to be GUI intensive and "easy" to use is having some bugs in discrete-well defined.... Yeah, I think this is going to require Level II or Level III tech support (someone who really has the knowledge to look deep in to the problem).
... But.... just for diagnostic fun... Here is the output, this time, with Netgear Live Parental Controls FULLY DISABLED, and JUST OpenDNS Account enabled, with one specific domain blacklisted, and two specific domains Whitelisted, and filtering set to "Minimal." OpenDNS is set to the correct IP address for my home network. It is actively pinging and listing Stats the last two days since arming statistics for this IP address.
C:\Users\Todd>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Todd>nslookup -type=txt debug.opendns.com
Server: UnKnown
Address: 192.168.1.1
opendns.com
primary name server = auth1.opendns.com
responsible mail addr = noc.opendns.com
serial = 1555250333
refresh = 16384 (4 hours 33 mins 4 secs)
retry = 2048 (34 mins 8 secs)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 2560 (42 mins 40 secs)
C:\Users\Todd>nslookup whoami.akamai.net
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: whoami.akamai.net
Address: 24.93.72.132
C:\Users\Todd>nslookup billpay.etrade.net
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: 4711-rxp.fiservapps.com
Address: 166.73.11.137
Aliases: billpay.etrade.net
C:\Users\Todd>nslookup saml2-prod.fiservapps.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: saml2-prod.fiservapps.com
Address: 192.131.72.191
C:\Users\Todd>
....The one Blacklisted domain is NOT blocked. Nor are any domains blocked that are obvious in their nature in that they are checked as should be blocked.
-
Now, here are the results, after:
- fully DELETING my network from OpenDNS Home. Flushing DNS. Enabling Netgear's Live Parental Controls (as in the only thing I only did to start this campaign). Verify, through Netgear's Netgenie that LPC controls were enabled and set to minimal.
Microsoft Windows [Version 10.0.17134.648]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Todd>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Todd>nslookup -type=txt debug.opendns.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
debug.opendns.com text ="server r2.atl1"
debug.opendns.com text ="device 0000729A0D937DE3"
debug.opendns.com text ="flags 422 0 10 180000000000000000003840000000000000000"
debug.opendns.com text ="originid 193468098"
debug.opendns.com text ="actype 1"
debug.opendns.com text ="bundle 193468098"
debug.opendns.com text ="source 71.76.72.72:44468"
C:\Users\Todd>nslookup whoami.akamai.net
Server: UnKnown
Address: 192.168.1.1
Name: whoami.akamai.net
Address: 2a04:e4c0:24::71
C:\Users\Todd>nslookup billpay.etrade.net
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find billpay.etrade.net: Server failed
C:\Users\Todd>nslookup saml2-prod.fiservapps.com
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find saml2-prod.fiservapps.com: Server failed
C:\Users\Todd>
... And the Blacklisted domains ARE correctly blocked, unlike the previous run of having OpenDNS Home enabled and Netgear's LPC disabled.
... The Billpay sub-site of my financial website is inaccessible although all other features of etrade.com work as expected.
-
"Love how an end-user gets blamed"
Well, I'm an end user too, like you, and I have every right to blame you if you aren't cooperative to make my voluntary assistance easier. Do you see this differently?
"software designed to be GUI intensive and "easy" to use is having some bugs in discrete-well defined"
What software are you talking about? I don't know about any such software...
Btw, you do not need to flush your local resolver cache each time before nslookup commands. Nslookup never uses your local resolver cache.
What I can see from your new command outputs is this:
Without LPC but with OpenDNS Home
- You are not using OpenDNS, because TXT records for debug.opendns.com cannot be obtained. Instead you're using RoadRunner's DNS service, to be seen from 24.93.72.132. And this one can and does resolve the two domains in question.
With LPC enabled
- You have LPC enabled, to be seen from the device ID, but unfortunately your IP address 71.76.72.72 is also registered with some OpenDNS network (network ID 193468098, maybe another user's), and this is causing that you are most likely using both, LPC and OpenDNS Home. With LPC your IP address must not be registered with OpenDNS. Strange enough that the DNS lookups for the two domains in question return SERVFAIL. These are not being blocked by your settings, because blocking by LPC or OpenDNS Home returns an OpenDNS IP address, not SERVFAIL or something like that. This must be another issue, differently from your settings. It could be a specific problem at their Atlanta DC which you're reaching.
"Yeah, I think this is going to require Level II or Level III tech support (someone who really has the knowledge to look deep in to the problem)."
It's not the knowledge, but the available information, else fully correct. Someone must check your account and the account where your IP address is registered. This is not something we other users are in the position to clarify for you, because we (fortunately) do not have access to this information. Only staff have the power for doing this.
But just by chance: do you have Avast or AVG AV software installed and running? Then ensure that you have disabled the "Secure DNS / Fake Site / Real Site" option. Your symptoms remind me a bit of the behavior of this software with this option enabled.
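Added example, not part of the thread and not OpenDNS tooling: a small Python classifier that reads the nslookup transcripts posted above the way the last reply does (TXT records from debug.opendns.com mean OpenDNS is answering, an SOA means it is not, and SERVFAIL is a resolution failure rather than a filter block). The function names and state labels are hypothetical; the sample transcripts are copied from the posts with the fused lines split.

```python
import re

# Transcripts copied from the posts above (fused lines split apart).
LPC_ON = '''Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
debug.opendns.com text ="server r2.atl1"
debug.opendns.com text ="device 0000729A0D937DE3"
debug.opendns.com text ="originid 193468098"
debug.opendns.com text ="source 71.76.72.72:44468"
'''
LPC_OFF = '''Server: UnKnown
Address: 192.168.1.1
opendns.com
primary name server = auth1.opendns.com
responsible mail addr = noc.opendns.com
'''
SERVFAIL = '''Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find billpay.etrade.net: Server failed
'''
TXT_RE = re.compile(r'^debug\.opendns\.com\s+text\s*=\s*"(\w+) ([^"]*)"', re.M)

def parse_debug_txt(output):
    """Key/value pairs from a debug.opendns.com TXT answer (empty if none)."""
    return dict(TXT_RE.findall(output))

def resolver_state(output):
    """Classify a 'nslookup -type=txt debug.opendns.com' transcript."""
    fields = parse_debug_txt(output)
    if not fields:
        return "not-opendns"  # only an SOA came back: another resolver answered
    state = ["opendns"]
    if "device" in fields:    # the thread reads a device ID as LPC being active
        state.append("device-id")
    if "originid" in fields:  # the thread reads this as a registered network ID
        state.append("registered-network")
    return "+".join(state)

def lookup_result(output):
    """Classify an ordinary nslookup transcript for a single domain."""
    m = re.search(r"can't find \S+: (.+)", output)
    if m:  # resolver error, which per the thread is not how a block looks
        codes = {"Server failed": "SERVFAIL", "Non-existent domain": "NXDOMAIN"}
        return codes.get(m.group(1).strip(), m.group(1).strip())
    # Skip the first two lines: they describe the resolver, not the answer.
    answer = output.split("\n", 2)[2] if output.count("\n") >= 2 else ""
    addrs = re.findall(r"^Address(?:es)?:\s*(\S+)", answer, re.M)
    return "resolved:" + addrs[0] if addrs else "no-answer"
```

A result of `opendns+device-id+registered-network` corresponds to the combination the last reply identifies as the conflict between LPC and a registered OpenDNS Home network.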