Mac Mavericks 10.9 DNS problem with specific addresses

A number of network addresses appear to be unreachable from my computer (Mac Mavericks, 10.9.2). For example, I do not see any images on Wikipedia. Today's featured article does not show the image http://upload.wikimedia.org/wikipedia/commons/5/54/Potret_Roekiah1.jpg (Safari times out trying to load the image).

Here are my attempts at understanding what's going on (I edited IDs and some IP numbers).

[Radek ~]$ ping upload.wikimedia.org
PING upload-lb.esams.wikimedia.org (91.198.174.234): 56 data bytes
36 bytes from ae2.cr1-esams.wikimedia.org (195.69.145.176): Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  48 5400 e066   0 0000  3c  01 d18f 192.168.1.18  91.198.174.234 

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

(and ping times out or reports Destination Net Unreachable for other attempts)

[Radek ~]$ traceroute upload.wikimedia.org
traceroute to upload-lb.esams.wikimedia.org (91.198.174.234), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  2.359 ms  2.102 ms  2.016 ms
 2  xxx.adsl2.static.versatel.nl (82.173.xx.xx)  104.734 ms  106.157 ms      107.574 ms
 3 xxx.xxx.versatel.net (217.16.39.169)  125.938 ms *  49.443 ms
 4  ae6-xxx.brxxxsara.versatel.net (212.53.xx.xx)  55.765 ms  66.818 ms  80.532 ms
 5  * * *
...
 64  * * *

Here are some details of my configuration:

[Radek ~]$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether xx:xx 
    inet6 xxxx:xxxx%en0 prefixlen 64 scopeid 0x4 
    inet 192.168.1.18 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=60<TSO4,TSO6>
    ether xx:xx 
    media: autoselect <full-duplex>
    status: inactive
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=60<TSO4,TSO6>
    ether xx:xx 
    nd6 options=1<PERFORMNUD>
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether xx:xx 
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
    member: en1 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 6 priority 0 path cost 0
    nd6 options=1<PERFORMNUD>
    media: <unknown type>
    status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether xx:xx 
    media: autoselect
    status: inactive

[Radek ~]$ netstat -s
tcp:
    4041934 packets sent
        2109154 data packets (2412741336 bytes)
        4336 data packets (4973578 bytes) retransmitted
        0 resends initiated by MTU discovery
        1515058 ack-only packets (788 delayed)
        0 URG only packets
        8 window probe packets
        315897 window update packets
        98042 control packets
        997 data packets sent after flow control
        3032003 checksummed in software
            3032003 segments (2030699244 bytes) over IPv4
            0 segments (0 bytes) over IPv6
    4874936 packets received
        1245553 acks (for 2412436596 bytes)
        61704 duplicate acks
        0 acks for unsent data
        3590173 packets (4105070383 bytes) received in-sequence
        4782 completely duplicate packets (2495220 bytes)
        881 old duplicate packets
        103 packets with some dup. data (44979 bytes duped)
        88880 out-of-order packets (119408758 bytes)
        0 packets (0 bytes) of data after window
        0 window probes
        1297 window update packets
        2853 packets received after close
        0 bad resets
        1 discarded for bad checksum
        3221507 checksummed in software
            3221507 segments (2755880532 bytes) over IPv4
            0 segments (0 bytes) over IPv6
        0 discarded for bad header offset fields
        0 discarded because packet too short
    53415 connection requests
    11 connection accepts
    0 bad connection attempts
    0 listen queue overflows
    45391 connections established (including accepts)
    53529 connections closed (including 5839 drops)
        742 connections updated cached RTT on close
        742 connections updated cached RTT variance on close
        258 connections updated cached ssthresh on close
    5357 embryonic connections dropped
    2919226 segments updated rtt (of 1129684 attempts)
    7233 retransmit timeouts
        44 connections dropped by rexmit timeout
        0 connections dropped after retransmitting FIN
    21 persist timeouts
        0 connections dropped by persist timeout
    137 keepalive timeouts
        1 keepalive probe sent
        84 connections dropped by keepalive
    522089 correct ACK header predictions
    3349375 correct data packet header predictions
    1800 SACK recovery episodes
    3142 segment rexmits in SACK recovery episodes
    4404841 byte rexmits in SACK recovery episodes
    40073 SACK options (SACK blocks) received
    88105 SACK options (SACK blocks) sent
    0 SACK scoreboard overflow
    0 LRO coalesced packets
        0 times LRO flow table was full
        0 collisions in LRO flow table
        0 times LRO coalesced 2 packets
        0 times LRO coalesced 3 or 4 packets
        0 times LRO coalesced 5 or more packets
    2627 limited transmits done
    1212 early retransmits done
    1495 times cumulative ack advanced along with SACK
udp:
    1116361 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        1 with no checksum
        831232 checksummed in software
            814776 datagrams (107515088 bytes) over IPv4
            16456 datagrams (5525356 bytes) over IPv6
        463 dropped due to no socket
        588682 broadcast/multicast datagrams undelivered
        0 times multicast source filter matched
        0 dropped due to full socket buffers
        0 not for hashed pcb
        527216 delivered
    68356 datagrams output
        57620 checksummed in software
            50288 datagrams (3553575 bytes) over IPv4
            7332 datagrams (1789298 bytes) over IPv6
ip:
    6126838 total packets received
        0 bad header checksums
        4194980 headers (83905872 bytes) checksummed in software
        0 with size smaller than minimum
        0 with data size < data length
        154979 with data size > data length
            0 packets forced to software checksum
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        121 fragments received
            0 dropped (dup or out of space)
            0 dropped after timeout
            60 reassembled ok
        5964502 packets for this host
        7957 packets for unknown/unsupported protocol
        0 packets forwarded (0 packets fast forwarded)
        2108 packets not forwardable
        152210 packets received for unknown multicast group
        0 redirects sent
    4125494 packets sent from this host
        305 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        3 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
        0 packets dropped due to no bufs for control data
        3091053 headers (61835944 bytes) checksummed in software
icmp:
    463 calls to icmp_error
    0 errors not generated 'cuz old message was icmp
    Output histogram:
        echo reply: 4
        destination unreachable: 463
    0 messages with bad code fields
    0 messages < minimum length
    0 bad checksums
    0 messages with bad length
    0 multicast echo requests ignored
    0 multicast timestamp requests ignored
    Input histogram:
        echo reply: 100
        destination unreachable: 6099
        echo: 4
        time exceeded: 71
    4 message responses generated
    ICMP address mask responses are disabled
igmp:
    1971 messages received
    0 messages received with too few bytes
    1 message received with wrong TTL
    0 messages received with bad checksum
    1963 V1/V2 membership queries received
    0 V3 membership queries received
    0 membership queries received with invalid field(s)
    1963 general queries received
    0 group queries received
    0 group-source queries received
    0 group-source queries dropped
    7 membership reports received
    0 membership reports received with invalid field(s)
    7 membership reports received for groups to which we belong
    0 V3 reports received without Router Alert
    3506 membership reports sent
ipsec:
    0 inbound packets processed successfully
    0 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 invalid inbound packets
    0 inbound packets failed due to insufficient memory
    0 inbound packets failed getting SPI
    0 inbound packets failed on AH replay check
    0 inbound packets failed on ESP replay check
    0 inbound packets considered authentic
    0 inbound packets failed on authentication
    0 outbound packets processed successfully
    0 outbound packets violated process security policy
    0 outbound packets with no SA available
    0 invalid outbound packets
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route
arp:
    1236 ARP requests sent
    1838 ARP replies sent
    0 ARP announcements sent
    171129 ARP requests received
    1141 ARP replies received
    172326 total ARP packets received
    0 ARP conflict probes sent
    0 invalid ARP resolve requests
    0 total packets dropped due to lack of memory
    2014 total packets dropped due to no ARP entry
    71 total packets dropped during ARP entry removal
    960 ARP entries timed out
    0 Duplicate IPs seen
ip6:
    33159 total packets received
        0 with size smaller than minimum
        0 with data size < data length
        0 with data size > data length
            0 packets forced to software checksum
        0 with bad options
        0 with incorrect version number
        1208 fragments received
            0 dropped (dup or out of space)
            0 dropped after timeout
            0 exceeded limit
            604 reassembled ok
        27697 packets for this host
        0 packets forwarded
        4297 packets not forwardable
        0 redirects sent
        4297 multicast packets which we don't join
        0 packets whose headers are not continuous
        0 tunneling packets that can't find gif
        0 packets discarded due to too may headers
        0 forward cache hit
        0 forward cache miss
        0 packets dropped due to no bufs for control data
    5010 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        5782 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 packets that violated scope rules
    Input histogram:
        hop by hop: 62
        TCP: 30
        UDP: 26459
        fragment: 1208
        ICMP6: 5397
    Mbuf statistics:
        7285 one mbuf
        two or more mbuf:
            lo0= 4535
        21339 one ext mbuf
        0 two or more ext mbuf
        0 failures of source address selection
icmp6:
    0 calls to icmp_error
    0 errors not generated because old message was icmp error or so
    0 errors not generated because rate limitation
    Output histogram:
        router solicitation: 186
        neighbor solicitation: 73
        neighbor advertisement: 73
        MLDv2 listener report: 113
    0 messages with bad code fields
    0 messages < minimum length
    0 bad checksums
    0 messages with bad length
    Input histogram:
        MLDv1 listener report: 50
        neighbor solicitation: 21
        neighbor advertisement: 1091
    Histogram of error messages to be generated:
        0 no route
        0 administratively prohibited
        0 beyond scope
        0 address unreachable
        0 port unreachable
        0 packet too big
        0 time exceed transit
        0 time exceed reassembly
        0 erroneous header field
        0 unrecognized next header
        0 unrecognized option
        0 redirect
        0 unknown
    0 message responses generated
    0 messages with too many ND options
    0 messages with bad ND options
    0 bad neighbor solicitation messages
    19 bad neighbor advertisement messages
    0 bad router solicitation messages
    0 bad router advertisement messages
    0 bad redirect messages
    0 path MTU changes
ipsec6:
    0 inbound packets processed successfully
    0 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 invalid inbound packets
    0 inbound packets failed due to insufficient memory
    0 inbound packets failed getting SPI
    0 inbound packets failed on AH replay check
    0 inbound packets failed on ESP replay check
    0 inbound packets considered authentic
    0 inbound packets failed on authentication
    0 outbound packets processed successfully
    0 outbound packets violated process security policy
    0 outbound packets with no SA available
    0 invalid outbound packets
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route
rip6:
    0 messages received
    0 checksum calcurations on inbound
    0 messages with bad checksum
    0 messages dropped due to no socket
    0 multicast messages dropped due to no socket
    0 messages dropped due to full socket buffers
    0 delivered
    0 datagrams output
pfkey:
    0 requests sent to userland
    0 bytes sent to userland
    0 messages with invalid length field
    0 messages with invalid version field
    0 messages with invalid message type field
    0 messages too short
    0 messages with memory allocation failure
    0 messages with duplicate extension
    0 messages with invalid extension type
    0 messages with invalid sa type
    0 messages with invalid address extension
    0 requests sent from userland
    0 bytes sent from userland
    0 messages toward single socket
    0 messages toward all sockets
    0 messages toward registered sockets
    0 messages with memory allocation failure

The problem is specific to my Mac (Wikipedia works on iOS devices) and persists despite trying:

  • different networks (fails at work and at home)
  • different interfaces (via Wi-Fi or Ethernet)
  • reboot (even system updates, currently 10.9.2)
  • different DNS ("automatic" as well as Google 8.8.8.8 and 8.8.4.4)

UPDATE:

Solved! Thanks.... It was a "VPN over ssh" client sshuttle that changed my /etc/hosts file to redirect from wikimedia (among >1000 others…)


On the assumption that you have no software installed that would explicitly block those sites, here is how to block and unblock web sites.

A Mac’s hosts file is a simple text file that dictates what the system should do when specific domains or IP addresses are accessed.

You can trigger a “page cannot be displayed” error or even redirect them to other domains/IPs of your choice.

For the sake of this tutorial, all blocked websites will be pointed to 127.0.0.1, which is the localhost or system itself.

  • To get started, copy and paste the following code in Terminal:

    sudo /bin/cp /etc/hosts /etc/hosts-original
    
  • Terminal will ask for your password.

  • Now we can start editing the hosts file. Copy and paste this code in Terminal (all one line):

    sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
    

The hosts file will open in TextEdit.

Notice the following lines and do not delete them under any circumstances:

    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost

You should not have any further data here.

Create a new line directly under the last one shown above. Type the following, replacing the sample domain with the domain or IP address you want to block:

    127.0.0.1 sample.com www.sample.com

Continue adding lines following the format in step 6 for each website you want to block. When you’re done, quit TextEdit and save the hosts file when prompted. Back in Terminal, run the following command to flush the computer’s DNS and put the new hosts file into effect. You can restart your Mac instead, if you prefer.

    dscacheutil -flushcache

That’s all there is to it! Websites added to the hosts file will no longer be accessible from any user account on that Mac.

In your case, look for the blocked IPs.

  • To re-enable access to blocked websites, just repeat this process and remove the lines you added in the hosts file. Just remember not to delete the original 4 lines shown in step 5.
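
An added example, not part of the original answer: when a tool has written a large number of entries into the hosts file, as in the question's update, a small audit is quicker than reading the file in TextEdit. The function names, the sample file and the 192.0.2.10 documentation address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report hosts-file mappings beyond the four stock entries.

# audit_hosts FILE: print "<address> <name>" for every non-stock mapping.
audit_hosts() {
    awk '
        BEGIN {
            # The four stock macOS entries quoted in the answer above.
            ok["127.0.0.1 localhost"] = 1
            ok["255.255.255.255 broadcasthost"] = 1
            ok["::1 localhost"] = 1
            ok["fe80::1%lo0 localhost"] = 1
        }
        {
            sub(/#.*/, "")        # strip comments; awk re-splits the fields
            if (NF < 2) next      # blank line or address with no name
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                key = $1 " " name
                if (!(key in ok)) print $1, name
            }
        }
    ' "$1"
}

# hosts_override FILE NAME: print the address FILE forces NAME to, if any.
hosts_override() {
    audit_hosts "$1" | awk -v want="$2" '$2 == tolower(want) { print $1; exit }'
}

# write_sample_hosts PATH: constructed sample; 192.0.2.10 is a documentation
# address standing in for whatever a tool might have written.
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
192.0.2.10 upload.wikimedia.org   # constructed entry
127.0.0.1 sample.com www.sample.com
EOF
}

sample=$(mktemp)
write_sample_hosts "$sample"
audit_hosts "$sample"                            # every added mapping
hosts_override "$sample" upload.wikimedia.org    # address the name is pinned to
rm -f "$sample"
# On a real machine: audit_hosts /etc/hosts
```

An empty result from `audit_hosts /etc/hosts` means the file holds only the stock entries; any line it prints is a name whose resolution bypasses DNS on that Mac.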