Accessing the Web Portal - “This site can’t be reached” (DNS_PROBE_FINISHED_NXDOMAIN) error message

Owned by Mark Baker
Last updated: May 15, 2024
3 min read

A new form of security protection has recently been added to many routers and it stops the user being able to connect to the dialler. This is called “DNS Rebinding Protection” and needs to be disabled for the connection to be made.

 

 

What is DNS rebinding protection?

DNS rebinding protection is a security mechanism aimed at preventing a malicious website from exploiting a user's web browser to make unauthorized requests to internal private IP addresses within their local network.

This protection works by ensuring that DNS responses from potentially untrusted sources are properly validated and resolved, thus thwarting attackers from manipulating DNS records to deceive a user's browser into accessing sensitive resources it shouldn't.

In short, DNS rebinding protection prevents a public DNS hostname (such as your-dialler.invade.net) resolving to an internal IP addresses (10.0.0.1 for example)

Why is this preventing access to the Invade dialler web portal?

The Invade cloud dialler solution is built in a secure environment accessed over a Virtual Private Network (VPN) and as such the dialler itself resides on an internal IP address.

You will either be connected to a corporate network that is configured to connect to the Invade cloud via a VPN, or connect via a VPN directly on your own device.

To reach the dialler you will then access a hostname that resolves to the internal private IP of the dialler. The resolution of that hostname to an IP is blocked if you have a router with DNS rebinding protection enabled.

Diagnosing the problem:

If you find you’re unable to access the Invade dialler web portal, despite having a VPN connection on your device connected you may be getting blocked by DNS rebinding protection.

Your browser will normally show an error “DNS_PROBE_FINISHED_NXDOMAIN”:

Google Chrome error - DNS_PROBE_FINISHED_NXDOMAIN

You can verify the issue by trying to resolve the dialler hostname against you local DNS resolver (most likely your router) and then again via a public DNS server (such as Google’s 8.8.8.8). If you find you can resolve via public DNS, but not local you most likely have DNS rebinding protection enabled.

We fully understand the security benefits of rebinding protection, but there are situations where it is necessary to be able to resolve a hostname to a private IP address.

Our suggested fixes are:

  1. Some routers allow you to disable DNS rebinding protection for a specific hostname so you could whitelist the dialler hostname you’ve been given.

  2. You may opt to disable DNS rebinding protection on your router fully, if it doesn’t give you the option above.

  3. Change the device experiencing the problem to use a public DNS server rather than your router. We recommend using a tool like https://www.dnsperf.com/#!dns-resolvers to find the best performing public DNS resolver from your Internet connection. Remember to update both IPv4 and IPv6 network settings if applicable.

If you need help understanding what change to make and where please reach out to Invade support.

I still need further help!

Please reach out to support via support@invade.net and we will be glad to assist you further with any issues.