Failing reverse DNS lookup
flashgordon3
Enthusiast - Level 1

I am having trouble connecting to a secure shell (SSH) server to update a website - it's just not working. I spoke to the server admins and they said it was a problem they see with a lot of Verizon internet users because of a security problem. They said it is not working because in the connection process, I'm failing a reverse DNS lookup... so basically, they don't think my IP address is secure enough to allow me through.

I've called Fios support three times and have had no luck solving this issue. It's obvious the staff has no idea what SSH or DNS is and unless I want to pay for premium tech support I am SOL (they know that one). I'm hoping someone here knows what I'm talking about. Thanks!

0 Likes
Re: Failing reverse DNS lookup
lasagna
Community Leader

Unlikely. While what your hosting provider is referring to is a common security control that SSH can enforce to do a reverse lookup check (spoofed IP addresses and addresses from unregistered network locations being used for hacking will often use space which doesn't resolve fully), Verizon's dynamic IP address pools do resolve.

Easy enough to test...

First, open a browser window and go to the website: http://whatismyip.com

You'll see your IP address display as a series of 4 numbers (x.x.x.x).

Next, click on the link that says IP Address Lookup on the left side. The number from above should already be filled in, but if it's not, type it in and submit the form. You will see a summary of where it thinks you're located approximately. Interesting stuff, but not what we're really interested in. What we want is the name under host name on the right side. If you have a name here, you have a PTR record (or reverse lookup record) which is what your hosting provider is claiming you don't have.

As a last test, you can open a command window (cmd) and run the following two commands:

c:\> nslookup x.x.x.x 8.8.8.8   (substitute the number above for x.x.x.x, leave 8.8.8.8 as is).

c:\> nslookup hostname 8.8.8.8 (substitute the hostname from the IP address lookup for hostname)

The first command should give you the hostname you looked up on the website. The second command should give you the same IP address back again that you started with (this is called a forward lookup).

If anything is missing or mismatched, then the hosting provider has a point. However, I suspect all is in order and the hosting provider is incorrect. More likely ... the hosting provider has a firewall which they selectively enable to allow SSH sessions in which does not have your address (the one you've just been looking up) entered as permitted -or- the hosting provider is using an "alternate" port number (SSH usually runs on port 22, but many providers now use 222 or 2222 to try to defeat port scanning scripts) and you are not specifying the proper port number as an argument to your SSH command.

0 Likes
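The two nslookup commands above are the manual form of a forward-confirmed reverse DNS check: resolve the address to a name (PTR), resolve that name back to addresses (A), and require the original address to be among them. The script below, added here as an illustration and not part of the thread, implements that check in Python with the resolver calls injectable, so it runs offline against a constructed lookup table (the addresses and names in it are made up, taken from the RFC 5737 documentation ranges) and can be pointed at the real system resolver for a live address. It distinguishes the four outcomes a server-side check can produce, including the "host name: unknown" case (no PTR record) reported later in the thread. Note that an SSH server performing this control (OpenSSH does so when its UseDNS option is enabled) uses its own resolver, so the result depends on the PTR record published for the client's address, not on which DNS servers the client machine is configured to use.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example for this thread. Reverse and forward lookups are passed in as
functions so the logic can be exercised against constructed data; the
defaults use the operating system resolver via the socket module.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class FcrdnsResult:
    address: str
    ptr_name: Optional[str]      # None when the address has no PTR record
    forward_addrs: List[str]     # addresses the PTR name resolves back to
    status: str                  # "ok", "no-ptr", "no-forward" or "mismatch"


def system_reverse(addr: str) -> Optional[str]:
    """PTR lookup via the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """A lookup via the system resolver; empty list if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def fcrdns_check(addr: str,
                 reverse: Callable[[str], Optional[str]] = system_reverse,
                 forward: Callable[[str], List[str]] = system_forward) -> FcrdnsResult:
    """Run the PTR -> A round trip and classify the outcome."""
    name = reverse(addr)
    if name is None:
        return FcrdnsResult(addr, None, [], "no-ptr")          # "host name: unknown"
    addrs = forward(name)
    if not addrs:
        return FcrdnsResult(addr, name, [], "no-forward")      # PTR exists, name is dead
    if addr not in addrs:
        return FcrdnsResult(addr, name, addrs, "mismatch")     # name points elsewhere
    return FcrdnsResult(addr, name, addrs, "ok")


# Constructed lookup table (hypothetical; RFC 5737 documentation addresses).
SAMPLE_PTR = {
    "192.0.2.10": "pool-192-0-2-10.example.net",   # consistent PTR/A pair
    "192.0.2.20": "stale-name.example.net",        # PTR whose A record moved
    "192.0.2.30": "gone.example.net",              # PTR naming a host with no A record
}
SAMPLE_A = {
    "pool-192-0-2-10.example.net": ["192.0.2.10"],
    "stale-name.example.net": ["198.51.100.7"],
}


def sample_reverse(addr: str) -> Optional[str]:
    return SAMPLE_PTR.get(addr)


def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


def check_sample(addr: str) -> FcrdnsResult:
    """Run the check against the constructed table instead of live DNS."""
    return fcrdns_check(addr, reverse=sample_reverse, forward=sample_forward)


if __name__ == "__main__":
    for a in list(SAMPLE_PTR) + ["192.0.2.40"]:
        r = check_sample(a)
        print(f"{a:>12}  {r.status:<11} ptr={r.ptr_name} forward={r.forward_addrs}")
    # For a live check of your own public address (x.x.x.x from the steps above):
    #   print(fcrdns_check("x.x.x.x"))
```

Only the "ok" outcome satisfies a server that insists on a confirmed reverse lookup; "no-ptr" is the "host name: unknown" case, and "mismatch" or "no-forward" means the PTR record exists but is stale, which the second nslookup command above is there to catch.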
Re: Failing reverse DNS lookup
flashgordon3
Enthusiast - Level 1

Thank you! Unfortunately I tried the lookup and I got host name: unknown

You have a good point about the hosting provider (it's a college); they are pretty tight with security. The thing that kills me is that I have been able to connect in the past so I'm not sure what changed that. I haven't changed any settings on my end.

I've had friends suggest I manually change my DNS but that's where I get in over my head. I wish Verizon would make it right or at least confirm that it is something on their end they can fix!

Re: Failing reverse DNS lookup
spacedebris
Master - Level 2

Well, you're probably out of luck with having Verizon do anything. They have a pool of IP addresses that they give out to customer routers, and that is the limit to what the front end agents know about. You're getting into things that go beyond them. And unless they get some business customers or a mass amount of customers having the exact same issue, they are unlikely to take action.

Changing the DNS is actually quite simple. There are basically two ways.

1. Change the DNS in the router.

       *  For the Actiontec router: open your browser and type 192.168.1.1 into the address field. Log into the router. The username should be admin and the password should be the serial number located on the sticker on the back of the router (unless you've changed this to a personal password, and you should know that one). Once logged in, click on "My Network" on the top. Then click on "Network setting" on the left. On this page you are going to have to click on either "broadband connection (coax)" or "broadband connection ethernet" depending on your connection style (probably coax). In the next window click on the "settings" button. Then finally on this page go down to where it says DNS Server and change the drop down to "use the following". Now you can put in a lot of different things here, but the DNS servers I use are 4.2.2.1 and 4.2.2.2. There are many others that you can use but this is where you put the info in.

2. Change the DNS on the computer.

       * I'll give the instructions for XP (I'm most familiar with this) but it is similar on Vista and 7. Go to Control Panel, click on "network connections", then right click on "local area connection" (or wireless if using wireless). Select "properties". In the next window, select "internet protocol (TCP/IP)" and then click properties again. Now in here, go to the bottom, select "use the following DNS servers" and again enter the DNS that you want to use (4.2.2.1 and 4.2.2.2 for my example).

If it is a DNS issue, then these are easy things you can try to see what happens.