I forgot to reply to the list, but a quick google shows that is the IP for the iBoss (http://www.iboss.com/) content filtering system.
Nothing too sinister going on (and should be expected for a school based internet system).
R.

On 08/12/15 05:29 PM, Shane Harvey wrote:

Could this be the case? Can you try +trace +additional?

This was from -> http://serverfault.com/questions/482913/is-dig-trace-always-accurate

"+trace cheated and consulted the local resolver to obtain the IP address of the next hop nameserver instead of consulting the glue. Sneaky! This is usually "good enough" and won't cause a problem for most people. Unfortunately, there are edge cases. If for whatever reason your upstream DNS cache is providing the wrong answer for the nameserver, this model breaks down entirely.

Real world example:

* domain expires
* glue is repointed at registrar redirection nameservers
* bogus IPs are cached for ns1 and ns2.yourdomain.com
* domain is renewed with restored glue
* any caches with the bogus nameserver IPs continue to send people to a website that says the domain is for sale

In the above case, +trace will suggest that the domain owner's own nameservers are the source of the problem, and you're one call away from incorrectly telling a customer that their servers are misconfigured. Whether it's something you can (or are willing to) do something about is another story, but it's important to have the right information.

dig +trace is a great tool, but like any tool, you need to know what it does and doesn't do, and how to troubleshoot the issue manually when it proves insufficient."

On Tue, Dec 8, 2015 at 3:58 PM, Ski Kacoroski <[email protected]> wrote:

One more bit of information. When I wireshark the queries, any query to youtube.com ends with:

Standard query response .... A 208.70.74.21 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

Queries to other locations work correctly and do not have that problem.

cheers,

ski

On 12/08/2015 01:36 PM, Shane Harvey wrote:

try doing a dig @localDNSserver youtube.com and see what is happening. Do you have any content filtering that may be blocking it?
I used to see a lot of schools getting blocked by google because of traffic routing through a content filter/firewall/NAT and google would block that ip by the amount of traffic from one ip.

On Tue, Dec 8, 2015 at 3:16 PM, Ski Kacoroski <[email protected]> wrote:

Hi,

This morning everything went south with youtube.com for my school district in Bothell, WA. When I am on the school district network I get:

ski@elle:~$ dig +trace youtube.com

; <<>> DiG 9.9.5-11ubuntu1-Ubuntu <<>> +trace youtube.com
;; global options: +cmd
.  436781 IN NS j.root-servers.net.
.  436781 IN NS c.root-servers.net.
.  436781 IN NS h.root-servers.net.
.  436781 IN NS f.root-servers.net.
.  436781 IN NS m.root-servers.net.
.  436781 IN NS b.root-servers.net.
.  436781 IN NS g.root-servers.net.
.  436781 IN NS d.root-servers.net.
.  436781 IN NS k.root-servers.net.
.  436781 IN NS l.root-servers.net.
.  436781 IN NS e.root-servers.net.
.  436781 IN NS a.root-servers.net.
.  436781 IN NS i.root-servers.net.
.  515218 IN RRSIG NS 8 0 518400 20151218170000 20151208160000 62530 . QgF9b0kXkgGRVGVcwqm6g8EwvtFqG+vO4kx1lQfGijbaZcLkwkEIOoEh 8wPc6IiVyI6c7ua0SaL9i7A7Q0zy//fQJLb+Ji7xFtD4n0uSTzm0Xyd/ iainDAwnXRzwoFxR2j7dLRu7N0dsLpYKF9s9VF+Ky2nCcCnZqQlLEFDs L+A=
;; Received 913 bytes from 127.0.1.1#53(127.0.1.1) in 74 ms

youtube.com.  0 IN A 208.70.74.21
;; Received 45 bytes from 192.203.230.10#53(e.root-servers.net) in 1 ms

Notice that there is no recursion or name servers. This does not look like a standard DNS transaction. Not only that, but 208.70.74.21 is owned by Multacom Corp.

Any ideas why this is going on? Is my DNS being hijacked somehow? This only happens for youtube.com - apple.com, www.google.com, etc. all work as expected.

For comparison, when I use my verizon phone hotspot I get:

ski@elle:~$ dig +trace youtube.com

; <<>> DiG 9.9.5-11ubuntu1-Ubuntu <<>> +trace youtube.com
;; global options: +cmd
.  38588 IN NS b.root-servers.net.
.  38588 IN NS d.root-servers.net.
.  38588 IN NS f.root-servers.net.
.  38588 IN NS c.root-servers.net.
.  38588 IN NS m.root-servers.net.
.  38588 IN NS g.root-servers.net.
.  38588 IN NS e.root-servers.net.
.  38588 IN NS i.root-servers.net.
.  38588 IN NS l.root-servers.net.
.  38588 IN NS k.root-servers.net.
.  38588 IN NS h.root-servers.net.
.  38588 IN NS j.root-servers.net.
.  38588 IN NS a.root-servers.net.
;; Received 239 bytes from 127.0.1.1#53(127.0.1.1) in 16499 ms

com.  172800 IN NS m.gtld-servers.net.
com.  172800 IN NS l.gtld-servers.net.
com.  172800 IN NS k.gtld-servers.net.
com.  172800 IN NS j.gtld-servers.net.
com.  172800 IN NS i.gtld-servers.net.
com.  172800 IN NS h.gtld-servers.net.
com.  172800 IN NS g.gtld-servers.net.
com.  172800 IN NS f.gtld-servers.net.
com.  172800 IN NS e.gtld-servers.net.
com.  172800 IN NS d.gtld-servers.net.
com.  172800 IN NS c.gtld-servers.net.
com.  172800 IN NS b.gtld-servers.net.
com.  172800 IN NS a.gtld-servers.net.
com.  86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.  86400 IN RRSIG DS 8 1 86400 20151218170000 20151208160000 62530 . CqO6/JQRMrFAIlB7I6oguyun+/InWoLWNJh0pPCNOJ00sOjxz+X9EZT0 jy0Dpn2nYAdI6F7adUOnGG5jHsiz7oQmHg9ncyMUoVkeMQV+p0JL4Wdf kLqufz6NueraOLgs8FII8GP968odDLDbFbpD3wWM9tEh+NqZhaS5PiMT YJQ=
;; Received 735 bytes from 198.41.0.4#53(a.root-servers.net) in 3031 ms

youtube.com.  172800 IN NS ns2.google.com.
youtube.com.  172800 IN NS ns1.google.com.
youtube.com.  172800 IN NS ns3.google.com.
youtube.com.  172800 IN NS ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com.  86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com.  86400 IN RRSIG NSEC3 8 2 86400 20151214055737 20151207044737 51797 com. MrwJSdJZKLjHepqim6qM+oa1W+Ya6OzG4/yHhG3DRcjGGYUVzfTqqKsA GOHkyBZ2eUKiBhcjKEdf+uvwpx0pAuaV0v1u3LaML52ILvd8Jh6Hxx2r OqHPZ5O2QuZMnnFZuXYYYRWDnExxtPPhh94jHf7vHojNIiv/zDanYb5E VSo=
H5AFKDOBP05VCGM6958STOKNIEDLV3OR.com.  86400 IN NSEC3 1 1 0 - H5AMN1SCRI4J99BRA7K4B8C018PJIVPN NS DS RRSIG
H5AFKDOBP05VCGM6958STOKNIEDLV3OR.com.  86400 IN RRSIG NSEC3 8 2 86400 20151214055802 20151207044802 51797 com. oMRyyXEiWOQVDPLjm2ggBzF3CzI2/HO4PGJhO4nFueMD9gamuiENz+gA ew/kdtnbztKucRSCMgtG2+uhQployz/WBRf1angLfWtIqeJR2008qayS O0I4lHtchB6QGPT1UQf/qH9Bt9u5VlD7Naw/luQxBk9O4W+HiFf2wGsi fKA=
;; Received 668 bytes from 192.31.80.30#53(d.gtld-servers.net) in 2402 ms

youtube.com.  300 IN A 209.118.208.25
youtube.com.  300 IN A 209.118.208.44
youtube.com.  300 IN A 209.118.208.59
youtube.com.  300 IN A 209.118.208.54
youtube.com.  300 IN A 209.118.208.55
youtube.com.  300 IN A 209.118.208.20
youtube.com.  300 IN A 209.118.208.35
youtube.com.  300 IN A 209.118.208.49
youtube.com.  300 IN A 209.118.208.29
youtube.com.  300 IN A 209.118.208.45
youtube.com.  300 IN A 209.118.208.39
youtube.com.  300 IN A 209.118.208.24
youtube.com.  300 IN A 209.118.208.30
youtube.com.  300 IN A 209.118.208.34
youtube.com.  300 IN A 209.118.208.50
youtube.com.  300 IN A 209.118.208.40
;; Received 285 bytes from 216.239.38.10#53(ns4.google.com) in 415 ms

cheers,

ski

--
"When we try to pick out anything by itself, we find it connected to the entire universe" John Muir

Chris "Ski" Kacoroski, [email protected], 206-501-9803 or ski98033 on most IM services
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
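
Added example, not part of the original thread: a small Python check for the symptom seen in the school-network trace, where a root server appears to return the final A record with no com. or youtube.com. referral in between. The function names are hypothetical and the two sample traces are constructed by abbreviating the dig output quoted above.

```python
import re

RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\((\S+?)\)")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed sample input: abbreviated from the two traces quoted in the thread.
FILTERED_TRACE = """\
.            436781 IN NS j.root-servers.net.
.            436781 IN NS e.root-servers.net.
;; Received 913 bytes from 127.0.1.1#53(127.0.1.1) in 74 ms

youtube.com. 0      IN A  208.70.74.21
;; Received 45 bytes from 192.203.230.10#53(e.root-servers.net) in 1 ms
"""
CLEAN_TRACE = """\
.            38588  IN NS a.root-servers.net.
;; Received 239 bytes from 127.0.1.1#53(127.0.1.1) in 16499 ms

com.         172800 IN NS d.gtld-servers.net.
;; Received 735 bytes from 198.41.0.4#53(a.root-servers.net) in 3031 ms

youtube.com. 172800 IN NS ns4.google.com.
;; Received 668 bytes from 192.31.80.30#53(d.gtld-servers.net) in 2402 ms

youtube.com. 300    IN A  209.118.208.25
;; Received 285 bytes from 216.239.38.10#53(ns4.google.com) in 415 ms
"""

def parse_trace(text):
    """Group records into hops, each closed by its ';; Received ... from' line."""
    hops, records = [], []
    for line in text.splitlines():
        received, record = RECEIVED.match(line), RECORD.match(line)
        if received:
            hops.append({"server": received.group(2), "records": records})
            records = []
        elif record:
            owner, ttl, rtype, _rdata = record.groups()
            records.append((owner.lower(), int(ttl), rtype))
    return hops

def check_trace(text, qname):
    """Return findings showing the answer skipped the normal delegation chain."""
    qname = qname.lower().rstrip(".") + "."
    labels = qname.rstrip(".").split(".")
    zones = {".".join(labels[i:]) + "." for i in range(len(labels))}  # youtube.com., com.
    referred, findings = set(), []
    for hop in parse_trace(text):
        answers = [r for r in hop["records"] if r[0] == qname and r[2] in ("A", "AAAA")]
        if answers and not (referred & zones):
            findings.append(f"{hop['server']} answered {qname} with no referral for it or a parent zone")
        if any(ttl == 0 for _, ttl, _ in answers):  # weak signal on its own
            findings.append(f"{hop['server']} returned TTL 0 for {qname}")
        referred |= {owner for owner, _, rtype in hop["records"] if rtype == "NS"}
    return findings
```

A clean result only says the referral chain looks normal; as the serverfault quote in the thread points out, +trace takes nameserver addresses from the local resolver, so a poisoned cache can still steer an otherwise normal-looking trace.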
