Some Notes on the Machines

Recently, one site has been blocked from multiple web-based services. All of the services were using Amazon CloudFront as backend. One by one, when the vendors were contacted, they all found that CloudFront was blocking their site’s external Internet IP. This was happening despite the fact that a large number of blacklist checks were coming up green. Eventually, I found these:

talosintelligence.com/reputation_center

www.ipqualityscore.com

www.apivoid.com/tools/ip-reputation-check/

which do a lot more. Not sure how timely some of the reporting is. And they still did not explain the CloudFront issues.

For CIDR to IP range (IP range extraction):

http://bonomo.info/coyote/cidr-calculator.php

For IP range to CIDR:

http://ip2cidr.com/

For lots and lots more:

http://www.subnetmask.info/

This has become fraught with peril lately, even after initiation it can be far from easy to figure out what to do next. What to do next, after the transfer has initiated, is, we browse here:

www.networksolutions.com/manage-it/transfer-status.jsp

and we put the transfer authorization code, from the outgoing registrar, after finding the appropriate Network Solutions account number for the order, and scrolling in the above page (if there are more than one; if you do a lot of this, there will be a pile, if not, just one) to find that account number. Then open the account and enter the code.

If you have trouble finding that account number, browse here:

www.networksolutions.com/my-account/order-history

and the account number will be listed with the order for the transfer.

Cox
Primary 68.1.16.107
East Coast 68.1.16.108
West Cost 68.111.106.68

AT&T
68.94.156.1
68.94.157.1

Was just shown these, how nice of them!

https://www.speedtest.net/apps/cli

Here are web sites for diagnosing DNS, Internet email, and other issues.

http://mxtoolbox.com

A very good place to test Internet email servers and servers in general exposed to the Internet at large.

http://dnsstuff.com

DNSstuff is excellent for diagnosing DNS issues of all kinds.  Most of its tools require a small subscription fee.

http://whatismyipaddress.com/

whatismyipaddress.com is very good for obtaining geographical and ISP information for an IP address.

https://www.testexchangeconnectivity.com/

is very good for testing Exchange WAN services, e.g., smartphone access, Outlook Anywhere.

Microsoft is heavily using something called GeoIP, to optimize Internet data routing for its services, including Skype, Office 365, and all of the others.

All of the code below is within ‘nslookup’, running in CMD on Windows.

The way this works, basically, is different IP sets are reported by DNS lookups, depending on the upstream DNS server being polled. So if, like many right now, you were using Google’s DNS (8.8.8.8 and 8.8.4.4) on your LAN, and did nslookup on the recommended test hostname, outlook.office365.com, you would see this:

> outlook.office365.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    outlook-namsouth2.office365.com
Addresses:  2603:1036:0:26::2
          2603:1036:102:90::2
          2603:1036:404:a4::2
          2603:1036:102:107::2
          2603:1036:102:b8::2
          2603:1036:404:11b::2
          2603:1036:404:3f::2
          2603:1036:3:12e::2
          2603:1036:102:3e::2
          2603:1036:404:11c::2
          40.97.170.162
          40.97.30.130
          40.97.170.178
          40.97.142.18
          40.97.41.98
          40.97.162.130
          40.97.154.66
          40.97.166.178
          40.97.117.242
          40.97.119.178
Aliases:  outlook.office365.com
          outlook.ha.office365.com
          outlook.office365.com.g.office365.com

>

But on the other hand, if you were using OpenDNS (208.67.220.220/222.222), you would see this:

> outlook.office365.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    outlook-namsouth4.office365.com
Addresses:  2603:1036:d01:2::2
          2603:1036:101:2::2
          2a01:111:f400:31ab::2
          2603:1036:902:a3::2
          2603:1036:906:4d::2
          2603:1036:405:2::2
          2603:1036:405:15::2
          2603:1036:404:67::2
          2603:1036:100::2
          40.97.142.18
          40.97.41.98
          40.97.162.130
          40.97.154.66
          40.97.166.178
          40.97.117.242
          40.97.119.178
          40.97.170.162
          40.97.30.130
          40.97.170.178
Aliases:  outlook.office365.com
          outlook.ha.office365.com
          outlook.office365.com.g.office365.com

>

The most important thing to observe in the above, is that the IP set is different. And if you try pings from your test PC to each of the above IPs, you will notice major differences. In recent testing, most of Google’s results ping much slower (higher, in milliseconds) than OpenDNS’s. But we found OpenDNS’s pings noticeably slower than our current known best of breed, Level3 (209.244.0.3/4):

> outlook.office365.com
Server:  resolver1.level3.net
Address:  209.244.0.3

Non-authoritative answer:
Name:    outlook-namsouth.office365.com
Addresses:  2603:1036:404:16::2
          2603:1036:404:b6::2
          2603:1036:102:16::2
          2603:1036:405:29::2
          2603:1036:906:4f::2
          2603:1036:d00::2
          2603:1036:102:8f::2
          2603:1036:405:4a::2
          2603:1036:4:4c::2
          40.97.133.130
          40.97.132.194
          40.97.125.114
          40.97.132.226
          40.97.126.50
          40.97.31.50
          40.97.164.146
          40.97.136.194
          40.97.166.34
Aliases:  outlook.office365.com
          outlook.ha.office365.com
          outlook.office365.com.g.office365.com

>

We have also noticed that the lists of IPs do not correspond to names, i.e., outlook-namsouth3 does not return the same IP list each time. So there is a lot of highly complex geographically-centered IP routing by DNS, going on, by Microsoft, and Level3 seems to cooperate best.

The upshot is, if you see any Microsoft cloud-based services being slow, hesitating, freezing up, or losing connection regularly, switch your LAN’s DNS forwarders to Level 3, and you may well knock the problem out most easily. CloudFlare’s DNS works as well if not better.

In Windows Server 2012 R1/2, 2008 R1/2, 7, Vista, and 2003 SP2 and later, whenever time is out of sync, it’s good to run the following two commands in an administrative command prompt (an ordinary command prompt for 2003SP2+):

w32tm /config "/manualpeerlist:north-america.pool.ntp.org 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org" /syncfromflags:MANUAL /update 
w32tm /resync

If the service has not been registered, the whole canole is:

w32tm /register
net start w32time
w32tm /config "/manualpeerlist:north-america.pool.ntp.org 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org" /syncfromflags:MANUAL /update 
w32tm /resync

Under Windows 2000, we need to go a bit more archaic:

net time /setsntp:north-america.pool.ntp.org
net time /querysntp

Two addenda:

• We used to recommend just pool.ntp.org , but geoblocking has become quite common, so a more geographically appropriate setup is now the rule.
• Do the above for domain controllers, standalone PCs, and mobile laptops. Add the domain controller’s IP to “Time Server” in DHCP, to reach desktops.

An excellent test recommended by Watchguard:

https://speedof.me

A very good one:

https://testmy.net/SmarTest/combinedAuto

and another:

https://sourceforge.net/speedtest/

Here’s the first one we saw which was HTML5 only, no Flash or Java:

http://www.bandwidthplace.com

Here’s a commonly used one which requires Flash:

http://www.speedtest.net

And another which uses java:

http://www.speakeasy.net/speedtest/

If you are checking this for wifi, we do recommend that you check for and rectify wifi channel congestion as a next step.

Test if UDP ports are open to the Internet.

https://www.ipvoid.com/udp-port-scan/