Mac Mavericks 10.9 DNS problem with specific addresses
A number of network addresses appear to be unreachable from my computer (Mac Mavericks, 10.9.2). For example I do not see any images on wikipedia. Today's featured article does not show the image http://upload.wikimedia.org/wikipedia/commons/5/54/Potret_Roekiah1.jpg (Safari times out trying to load the image).
Here are my attempts at understanding what's going on (I did edit IDs and some IP numbers).
[Radek ~]$ ping upload.wikimedia.org
PING upload-lb.esams.wikimedia.org (91.198.174.234): 56 data bytes
36 bytes from ae2.cr1-esams.wikimedia.org (195.69.145.176): Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 48 5400 e066 0 0000 3c 01 d18f 192.168.1.18 91.198.174.234
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
(and ping times-out or reports Destination Net Unreachable
for other attempts)
[Radek ~]$ traceroute upload.wikimedia.org
traceroute to upload-lb.esams.wikimedia.org (91.198.174.234), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 2.359 ms 2.102 ms 2.016 ms
2 xxx.adsl2.static.versatel.nl (82.173.xx.xx) 104.734 ms 106.157 ms 107.574 ms
3 xxx.xxx.versatel.net (217.16.39.169) 125.938 ms * 49.443 ms
4 ae6-xxx.brxxxsara.versatel.net (212.53.xx.xx) 55.765 ms 66.818 ms 80.532 ms
5 * * *
...
64 * * *
Here are some details of my configuration:
[Radek ~]$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether xx:xx
inet6 xxxx:xxxx%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.18 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether xx:xx
media: autoselect <full-duplex>
status: inactive
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether xx:xx
nd6 options=1<PERFORMNUD>
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether xx:xx
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 6 priority 0 path cost 0
nd6 options=1<PERFORMNUD>
media: <unknown type>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether xx:xx
media: autoselect
status: inactive
[Radek ~]$ netstat -s
tcp:
4041934 packets sent
2109154 data packets (2412741336 bytes)
4336 data packets (4973578 bytes) retransmitted
0 resends initiated by MTU discovery
1515058 ack-only packets (788 delayed)
0 URG only packets
8 window probe packets
315897 window update packets
98042 control packets
997 data packets sent after flow control
3032003 checksummed in software
3032003 segments (2030699244 bytes) over IPv4
0 segments (0 bytes) over IPv6
4874936 packets received
1245553 acks (for 2412436596 bytes)
61704 duplicate acks
0 acks for unsent data
3590173 packets (4105070383 bytes) received in-sequence
4782 completely duplicate packets (2495220 bytes)
881 old duplicate packets
103 packets with some dup. data (44979 bytes duped)
88880 out-of-order packets (119408758 bytes)
0 packets (0 bytes) of data after window
0 window probes
1297 window update packets
2853 packets received after close
0 bad resets
1 discarded for bad checksum
3221507 checksummed in software
3221507 segments (2755880532 bytes) over IPv4
0 segments (0 bytes) over IPv6
0 discarded for bad header offset fields
0 discarded because packet too short
53415 connection requests
11 connection accepts
0 bad connection attempts
0 listen queue overflows
45391 connections established (including accepts)
53529 connections closed (including 5839 drops)
742 connections updated cached RTT on close
742 connections updated cached RTT variance on close
258 connections updated cached ssthresh on close
5357 embryonic connections dropped
2919226 segments updated rtt (of 1129684 attempts)
7233 retransmit timeouts
44 connections dropped by rexmit timeout
0 connections dropped after retransmitting FIN
21 persist timeouts
0 connections dropped by persist timeout
137 keepalive timeouts
1 keepalive probe sent
84 connections dropped by keepalive
522089 correct ACK header predictions
3349375 correct data packet header predictions
1800 SACK recovery episodes
3142 segment rexmits in SACK recovery episodes
4404841 byte rexmits in SACK recovery episodes
40073 SACK options (SACK blocks) received
88105 SACK options (SACK blocks) sent
0 SACK scoreboard overflow
0 LRO coalesced packets
0 times LRO flow table was full
0 collisions in LRO flow table
0 times LRO coalesced 2 packets
0 times LRO coalesced 3 or 4 packets
0 times LRO coalesced 5 or more packets
2627 limited transmits done
1212 early retransmits done
1495 times cumulative ack advanced along with SACK
udp:
1116361 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
1 with no checksum
831232 checksummed in software
814776 datagrams (107515088 bytes) over IPv4
16456 datagrams (5525356 bytes) over IPv6
463 dropped due to no socket
588682 broadcast/multicast datagrams undelivered
0 times multicast source filter matched
0 dropped due to full socket buffers
0 not for hashed pcb
527216 delivered
68356 datagrams output
57620 checksummed in software
50288 datagrams (3553575 bytes) over IPv4
7332 datagrams (1789298 bytes) over IPv6
ip:
6126838 total packets received
0 bad header checksums
4194980 headers (83905872 bytes) checksummed in software
0 with size smaller than minimum
0 with data size < data length
154979 with data size > data length
0 packets forced to software checksum
0 with ip length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
121 fragments received
0 dropped (dup or out of space)
0 dropped after timeout
60 reassembled ok
5964502 packets for this host
7957 packets for unknown/unsupported protocol
0 packets forwarded (0 packets fast forwarded)
2108 packets not forwardable
152210 packets received for unknown multicast group
0 redirects sent
4125494 packets sent from this host
305 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
3 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 tunneling packets that can't find gif
0 datagrams with bad address in header
0 packets dropped due to no bufs for control data
3091053 headers (61835944 bytes) checksummed in software
icmp:
463 calls to icmp_error
0 errors not generated 'cuz old message was icmp
Output histogram:
echo reply: 4
destination unreachable: 463
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
0 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
echo reply: 100
destination unreachable: 6099
echo: 4
time exceeded: 71
4 message responses generated
ICMP address mask responses are disabled
igmp:
1971 messages received
0 messages received with too few bytes
1 message received with wrong TTL
0 messages received with bad checksum
1963 V1/V2 membership queries received
0 V3 membership queries received
0 membership queries received with invalid field(s)
1963 general queries received
0 group queries received
0 group-source queries received
0 group-source queries dropped
7 membership reports received
0 membership reports received with invalid field(s)
7 membership reports received for groups to which we belong
0 V3 reports received without Router Alert
3506 membership reports sent
ipsec:
0 inbound packets processed successfully
0 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
0 outbound packets processed successfully
0 outbound packets violated process security policy
0 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
arp:
1236 ARP requests sent
1838 ARP replies sent
0 ARP announcements sent
171129 ARP requests received
1141 ARP replies received
172326 total ARP packets received
0 ARP conflict probes sent
0 invalid ARP resolve requests
0 total packets dropped due to lack of memory
2014 total packets dropped due to no ARP entry
71 total packets dropped during ARP entry removal
960 ARP entries timed out
0 Duplicate IPs seen
ip6:
33159 total packets received
0 with size smaller than minimum
0 with data size < data length
0 with data size > data length
0 packets forced to software checksum
0 with bad options
0 with incorrect version number
1208 fragments received
0 dropped (dup or out of space)
0 dropped after timeout
0 exceeded limit
604 reassembled ok
27697 packets for this host
0 packets forwarded
4297 packets not forwardable
0 redirects sent
4297 multicast packets which we don't join
0 packets whose headers are not continuous
0 tunneling packets that can't find gif
0 packets discarded due to too may headers
0 forward cache hit
0 forward cache miss
0 packets dropped due to no bufs for control data
5010 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
5782 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 packets that violated scope rules
Input histogram:
hop by hop: 62
TCP: 30
UDP: 26459
fragment: 1208
ICMP6: 5397
Mbuf statistics:
7285 one mbuf
two or more mbuf:
lo0= 4535
21339 one ext mbuf
0 two or more ext mbuf
0 failures of source address selection
icmp6:
0 calls to icmp_error
0 errors not generated because old message was icmp error or so
0 errors not generated because rate limitation
Output histogram:
router solicitation: 186
neighbor solicitation: 73
neighbor advertisement: 73
MLDv2 listener report: 113
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Input histogram:
MLDv1 listener report: 50
neighbor solicitation: 21
neighbor advertisement: 1091
Histogram of error messages to be generated:
0 no route
0 administratively prohibited
0 beyond scope
0 address unreachable
0 port unreachable
0 packet too big
0 time exceed transit
0 time exceed reassembly
0 erroneous header field
0 unrecognized next header
0 unrecognized option
0 redirect
0 unknown
0 message responses generated
0 messages with too many ND options
0 messages with bad ND options
0 bad neighbor solicitation messages
19 bad neighbor advertisement messages
0 bad router solicitation messages
0 bad router advertisement messages
0 bad redirect messages
0 path MTU changes
ipsec6:
0 inbound packets processed successfully
0 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
0 outbound packets processed successfully
0 outbound packets violated process security policy
0 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
rip6:
0 messages received
0 checksum calcurations on inbound
0 messages with bad checksum
0 messages dropped due to no socket
0 multicast messages dropped due to no socket
0 messages dropped due to full socket buffers
0 delivered
0 datagrams output
pfkey:
0 requests sent to userland
0 bytes sent to userland
0 messages with invalid length field
0 messages with invalid version field
0 messages with invalid message type field
0 messages too short
0 messages with memory allocation failure
0 messages with duplicate extension
0 messages with invalid extension type
0 messages with invalid sa type
0 messages with invalid address extension
0 requests sent from userland
0 bytes sent from userland
0 messages toward single socket
0 messages toward all sockets
0 messages toward registered sockets
0 messages with memory allocation failure
The problem is specific to my Mac (wikipedia works on iOS devices) and persists despite trying:
- different networks (fails at work and at home)
- different interfaces (via wi-fi or ethernet)
- reboot (even system updates, currently 10.9.2)
- different DNS ("automatic" as well as google 8.8.8.8 and 8.8.4.4)
UPDATE:
Solved! Thanks.... It was a "VPN over ssh" client sshuttle that changed my /etc/hosts
file to redirect from wikimedia (among >1000 others…)
On the assumption that you have no software installed that would explicitly block those sites, here is how to block and unblock websites.
A Mac’s hosts file is a simple text file that dictates what the system should do when specific domains or IP addresses are accessed.
You can trigger a “page cannot be displayed” error or even redirect them to other domains/IPs of your choice.
For the sake of this tutorial, all blocked websites will be pointed to 127.0.0.1, which is the localhost or system itself.
To get started, copy and paste the following code in Terminal:
sudo /bin/cp /etc/hosts /etc/hosts-original
Terminal will ask for your password.
Now we can start editing the hosts file. Copy and paste this code in Terminal (all one line):
sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
The hosts file will open in TextEdit.
Notice the following lines and do not delete them under any circumstances:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
You should not have any further data here.
Create a new line directly under the last one shown above. Type the following, replacing the sample domain with the domain or IP address you want to block:
127.0.0.1 sample.com www.sample.com
Continue adding lines following the format in step 6 for each website you want to block. When you’re done, quit TextEdit and save the hosts file when prompted. Back in Terminal, run the following command to flush the computer’s DNS and put the new hosts file into effect. You can restart your Mac instead, if you prefer.
dscacheutil -flushcache
That’s all there is to it! Websites added to the hosts file will no longer be accessible from any user account on that Mac.
In your case, look for the blocked IPs.
To re-enable access to blocked websites, just repeat this process and remove the lines you added in the hosts file. Just remember not to delete the original 4 lines shown in step 5.
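The root cause reported in the update (a tool silently adding many entries to /etc/hosts) can be checked without opening an editor. The script below is an added example, not part of the original question or answer: it lists every mapping in a hosts file that is not one of the four stock entries quoted above and shows which address the file forces for a given name. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hosts file for overrides.

# audit_hosts [FILE]: print "ip<TAB>name" for every mapping that is not one
# of the four stock macOS entries listed in the answer.
audit_hosts() {
    awk '
        BEGIN {
            stock["127.0.0.1 localhost"] = 1
            stock["255.255.255.255 broadcasthost"] = 1
            stock["::1 localhost"] = 1
            stock["fe80::1%lo0 localhost"] = 1
        }
        {
            sub(/#.*/, "")                 # strip comments
            if (NF < 2) next               # blank line or address without a name
            for (i = 2; i <= NF; i++) {    # one address may carry several names
                key = $1 " " tolower($i)
                if (!(key in stock)) printf "%s\t%s\n", $1, tolower($i)
            }
        }
    ' "${1:-/etc/hosts}"
}

# override_for NAME [FILE]: print the address(es) the hosts file forces for NAME.
override_for() {
    audit_hosts "${2:-/etc/hosts}" |
        awk -F '\t' -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '$2 == n { print $1 }'
}

# Constructed sample: stock entries plus two added redirects.
make_sample() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
10.99.0.5       upload.wikimedia.org   # constructed entry
127.0.0.1       sample.com www.sample.com
EOF
}

sample=$(mktemp) && make_sample > "$sample"
audit_hosts "$sample"                       # lists the three non-default names
override_for upload.wikimedia.org "$sample" # address forced for that name
rm -f "$sample"
```

Run `audit_hosts` with no argument to check the live /etc/hosts; any output on a machine where nobody edited the file by hand points to software that rewrote it.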