
Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 12:12 pm
by rl_albright
Yes the subject line is correct. The 881 firewall in one of my buildings is periodically blocking all traffic to the lds.org domain. Turns out there is a rogue DNS server out there in the net-verse that is pointing some systems to the wrong IP address for LDS.org. The temporary fix that the GSC came up with is to add an entry to the HOST file of the local computers:
216.49.176.33 www.lds.org

This works well for any computer connected directly to the network that is always at the building, but it still has no effect for those that connect via wireless to the network.

So has anyone else experienced this problem? Has anyone else come up with a more permanent fix? An idea I had is to place a small DNS server software on one of the local computers (in the stake offices) with the permanent routing information for lds.org traffic, and then have the GSC add that address as a DNS server into the firewall. Any thoughts in regards to this?

This problem has been driving me NUTS for the past 3 weeks. Please help.

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 12:23 pm
by russellhltn
I'm guessing the problem is affecting your ISP and the DNS they provide. Perhaps GSC can program your firewall to ignore the ISP's DNS and use something more reliable. Any device on your network that's using DHCP is going to get its DNS settings from the DHCP - in this case the 881. So the key is to get the 881 to use something reliable.

If this was wide-spread, I'd think this issue would affect far more users outside of the church network - including from home.

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 12:30 pm
by aebrown
We have this problem in one of our meetinghouses. I talked to someone in the GSC, and he said it was being looked at, but they had no estimated time it would be fixed. It's interesting that the other meetinghouses in our stake have no problem (although they use the same ISP). I verified that all the DNS servers issued via DHCP by the firewall are correct.

Modifying the host file will fix the 3 affected clerk computers, but the vast majority of the connections are wireless, and they're out of luck.

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 1:20 pm
by russellhltn
I wonder if this is a defective filter server?

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 6:54 pm
by rl_albright
russellhltn wrote: I'm guessing the problem is affecting your ISP and the DNS they provide. Perhaps GSC can program your firewall to ignore the ISP's DNS and use something more reliable. Any device on your network that's using DHCP is going to get its DNS settings from the DHCP - in this case the 881. So the key is to get the 881 to use something reliable.

If this was wide-spread, I'd think this issue would affect far more users outside of the church network - including from home.
I do not think this is the case, as they posted a message in regards to this: "Only Church-specified Domain Name System (DNS) entries are allowed on devices connected to Meetinghouse Internet. Any devices connected to Meetinghouse Internet that have been set to use non-Church specified DNS servers should be changed to use approved Church meetinghouse DNS servers (8.34.34.92 and 8.35.35.92) or to obtain DNS server addresses automatically. Devices set differently may not filter correctly and may not connect to the Internet properly beginning April 21, 2014."

I myself noticed this caused problems for us around that time, as our firewall in our trouble building was not allowing ANY traffic through the internet; it turns out the DNS servers were set incorrectly in the firewall.

As for this issue causing problems at the home, do we really have a way to monitor that? I don't think so, and even if we did how would it get reported?
russellhltn wrote: I wonder if this is a defective filter server?
It is not, at least not according to what I understand from the GSC. What is happening is the church's DNS servers point to a third party (akamaitechnologies.com) which hosts the LDS.org website. For whatever reason, by my understanding, there is a rogue DNS server somewhere out there that is propagating the wrong information out on the internet.

Does anyone think my solution might have merit?

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 7:25 pm
by russellhltn
rl_albright wrote: For whatever reason, by my understanding, there is a rogue DNS server somewhere out there that is propagating the wrong information out on the internet.
Which I'd expect to affect more than just the meetinghouse.

Note that the church's filtering works at the DNS level. That's why they're saying we have to use the one assigned by the DHCP and not allowing other DNS servers to be used. What I don't know is if the filtering solution just checks the request and then passes it on to the local level or if it also functions as the DNS. Either way, that's where the search for the bad DNS information has to start.
rl_albright wrote: Does anyone think my solution might have merit?
First of all, you'd have to get GSC to cooperate in making the change. That could be a non-starter. You're also trying to run a DNS server on a network that should be blocking calls to non-church DNS servers - sounds iffy to me.

What you might want to do is see what DNS servers are being served up by the firewall and compare it to other meetinghouses, especially the one aebrown says has the same problem. Maybe it will turn up something.

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 7:32 pm
by rl_albright
russellhltn wrote: First of all, you'd have to get GSC to cooperate in making the change. That could be a non-starter. You're also trying to run a DNS server on a network that should be blocking calls to non-church DNS servers - sounds iffy to me.

What you might want to do is see what DNS servers are being served up by the firewall and compare it to other meetinghouses, especially the one aebrown says has the same problem. Maybe it will turn up something.
Okay, running an IPConfig /all command, I get the following information:


Windows IP Configuration

Host Name . . . . . . . . . . . . : Lakewood_SVPC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ldschurch.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : ldschurch.org
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 44-8A-5B-87-80-76
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::35f7:d1:369c:f634%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.109.145(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Lease Obtained. . . . . . . . . . : Wednesday, August 20, 2014 5:35:37 PM
Lease Expires . . . . . . . . . . : Wednesday, August 20, 2014 6:50:37 PM
Default Gateway . . . . . . . . . : 192.168.108.1
DHCP Server . . . . . . . . . . . : 192.168.108.1
DHCPv6 IAID . . . . . . . . . . . : 239372891
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-34-19-D7-44-8A-5B-87-80-76
DNS Servers . . . . . . . . . . . : 8.34.34.92
8.35.35.92
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.ldschurch.org:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : ldschurch.org
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3c16:1067:3f57:926e(Preferred)
Link-local IPv6 Address . . . . . : fe80::3c16:1067:3f57:926e%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

aebrown: what information does yours present? (I recently re-activated the firewall here and the new firewall settings change the IP range from a Class A network to a Class C network (from 10.*.*.* to 192.168.*.*).)
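Added example, not from any poster in this thread: a Python check that parses the kind of ipconfig /all output shown above (including the unlabelled continuation line for the second DNS server) and flags any adapter whose resolvers are not the approved 8.34.34.92 and 8.35.35.92. The sample text, the Wi-Fi adapter and the 203.0.113.53 address are constructed for illustration.

```python
"""Flag adapters whose DHCP-assigned DNS servers are not the approved ones.

Parses `ipconfig /all` text; IPv4 resolvers only (IPv6 entries contain
colons and would need a different continuation-line rule).
"""
import re

# Approved meetinghouse resolvers as quoted in the thread.
APPROVED_DNS = {"8.34.34.92", "8.35.35.92"}

# Constructed excerpt laid out like the posted ipconfig /all output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Lakewood_SVPC

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.109.145(Preferred)
   DNS Servers . . . . . . . . . . . : 8.34.34.92
                                       8.35.35.92

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 8.34.34.92
                                       203.0.113.53
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
# A labelled field always has dot padding before the colon; a bare
# continuation line such as "8.35.35.92" does not, so it will not match.
FIELD_RE = re.compile(r"^\s+(.+?)(?: ?\.)+ ?: ?(.*)$")

def parse_dns_servers(text):
    """Return {adapter_name: [dns_server, ...]} from ipconfig /all text."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
            continue
        m = FIELD_RE.match(line)
        if m and adapter is not None:
            label, value = m.group(1), m.group(2).strip()
            in_dns = label.startswith("DNS Servers")
            if in_dns and value:
                servers[adapter].append(value)
        elif in_dns and adapter is not None and line.strip():
            servers[adapter].append(line.strip())  # unlabelled 2nd/3rd server
    return servers

def unapproved_resolvers(text, approved=APPROVED_DNS):
    """Map adapter -> resolvers outside the approved set (empty if all good)."""
    return {name: sorted(set(v) - approved)
            for name, v in parse_dns_servers(text).items() if set(v) - approved}
```

Run it against the saved output from several meetinghouses to compare what each firewall hands out, which is the comparison russellhltn suggests.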

Re: Firewall filtering out LDS.org

Posted: Wed Aug 20, 2014 7:51 pm
by aebrown
russellhltn wrote:
rl_albright wrote: For whatever reason, by my understanding, there is a rogue DNS server somewhere out there that is propagating the wrong information out on the internet.
Which I'd expect to affect more than just the meetinghouse.
Not if the DNS server causing the problem is part of the zPath system that the Church standardized on a little while ago. That's the problem as I understand it. And that's why it's unlikely to be fixed very soon -- the Church either has to convince zPath to fix their problem, which apparently is not yielding immediate action, or they have to find another provider, which is not something you can do in a day (or even a week).
russellhltn wrote: What you might want to do is see what DNS servers are being served up by the firewall and compare it to other meetinghouses, especially the one aebrown says has the same problem. Maybe it will turn up something.
Nope, my ipconfig output looks almost identical to that of rl_albright. The DNS servers are the approved 8.34.34.92 and 8.35.35.92. The problem is beyond those two servers -- it's not in the meetinghouse, and not in the firewall.

Note also that these problems are occurring in meetinghouses that have worked fine for many months, with no change made locally. Yet many meetinghouses throughout the Church suddenly started having the problem. It is NOT A LOCAL PROBLEM.

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 2:02 pm
by aebrown
Moderator Note: A tangential discussion ensued at this point, which can now be found at New 192.168.x.x subnet option for MH firewalls.

Re: Firewall filtering out LDS.org

Posted: Fri Aug 22, 2014 8:42 pm
by rl_albright
aebrown wrote:
russellhltn wrote:
rl_albright wrote: For whatever reason, by my understanding, there is a rogue DNS server somewhere out there that is propagating the wrong information out on the internet.
Which I'd expect to affect more than just the meetinghouse.
Not if the DNS server causing the problem is part of the zPath system that the Church standardized on a little while ago. That's the problem as I understand it. And that's why it's unlikely to be fixed very soon -- the Church either has to convince zPath to fix their problem, which apparently is not yielding immediate action, or they have to find another provider, which is not something you can do in a day (or even a week).
russellhltn wrote: What you might want to do is see what DNS servers are being served up by the firewall and compare it to other meetinghouses, especially the one aebrown says has the same problem. Maybe it will turn up something.
Nope, my ipconfig output looks almost identical to that of rl_albright. The DNS servers are the approved 8.34.34.92 and 8.35.35.92. The problem is beyond those two servers -- it's not in the meetinghouse, and not in the firewall.

Note also that these problems are occurring in meetinghouses that have worked fine for many months, with no change made locally. Yet many meetinghouses throughout the Church suddenly started having the problem. It is NOT A LOCAL PROBLEM.
THAT IS RIGHT!! I forgot that the GSC did mention the issue with zPath and their DNS servers routing traffic incorrectly. Now I wonder how we might as a group be able to get zPath to get their act together to fix this issue. My stake president doesn't like the fact that he can no longer get to lds.org on his iPad during meetings to display content of some kind for that meeting. It is frustrating for me, as he has asked me about it once a week for the past 3 weeks and I have had to tell him that there is nothing that I can do to fix it. (And I have been his go-to fix-it person on ALL technology in the stake now for over a year.)

URGGHHH!!!! *OKAY RANT OVER*