can't ping any website even google.com "unknown host google.com"

September 11, 2014

I have:
512MB RAM, 20GB SSD Disk, Singapore 1, LEMP on Ubuntu 14.04

I have installed LEMP with the one-click installation.
Then I:

  1. Went through initial server setup
  2. Set up key-based authentication
  3. Ran mysql_secure_installation
  4. Installed a firewall (ufw)

Now I wanted to install Logentries to monitor my server logs, and during the installation I got an error.
After lots of searching I found out that I cannot ping any domain, even google.com. It gives me the following error:
ping: unknown host google.com
What is the best solution to solve this? I am going to have this server for years, so I don't want a "spaghetti" solution :-)

  • Update:

    in step 4 I have closed all incoming and outgoing ports and just allowed a few incoming:

    1. 2222 (ssh port)
    2. 80
    3. 21 (ftp)

    I think that this is the problem, but at the same time I have no clue about ufw; I followed the "How To Setup a Firewall with UFW" tutorial.
    If the problem is with the closed ports, please refer me to an article or tutorial that explains which ports (incoming and outgoing) need to be open.

4 Answers

Hi,

If you can't resolve the google.com domain, can you show us the content of your /etc/resolv.conf file?

It is possible that you don't address your queries to the proper DNS server. Your /etc/resolv.conf file should contain at least 8.8.8.8 and 8.8.4.4 as DNS servers to have DNS resolution.

Hope this helps!

--
rustx

Not a ufw user, I prefer iptables. So you have to enter ICMP rules to enable ping; from a quick Google search I found that you have to enable ICMP rules in /etc/ufw/before.rules if there are any rules. If not, add the following:

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

  • Thanks for the reply, but my before.rules does contain all of the rules that you have mentioned.

  • Post your rules file, we will be able to help you better.

  • Here is my before.rules file.
    By the way, I have added 2 lines:

    # allow outbound icmp
    -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    which I don't understand, but I found it online and it helped me to ping 8.8.8.8. But when I ping a domain name like google.com I get the same message "unknown host name".

    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw-before-input
    #   ufw-before-output
    #   ufw-before-forward
    #

    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines


    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-output -o lo -j ACCEPT

    # quickly process packets for which we already have a connection
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP

    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    # ok icmp code for FORWARD
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

    # allow outbound icmp
    -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

    #
    # ufw-not-local
    #
    -A ufw-before-input -j ufw-not-local

    # if LOCAL, RETURN
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

    # if MULTICAST, RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

    # if BROADCAST, RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

    # all other non-local packets are dropped
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP

    # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

    # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT
    
  • Check your DNS settings. Usually in /etc/resolv.conf

  • @mdvucak

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 208.255.0.2
    

Don't know how to use ufw, but in iptables you must add an entry for incoming connections that permits responses from remote hosts:

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Be sure to add this above any `-j REJECT` rules.

Hello,

Can you ping the default gateway?

I had the same connectivity issue, due to kernel 3.13.0-24, but after upgrading to 3.13.0-32 I was able to ping the default gateway, so my connectivity issues were gone.

  • Sorry for my noob question, but what is the default gateway? Is it my own IP?

  • Hello,

    Log on as root on your droplet console, then enter the following command:

    netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         178.62.0.1      0.0.0.0         UG        0 0          0 eth0
    178.62.0.0      0.0.0.0         255.255.192.0   U         0 0          0 eth0

    In my case, the default gateway is the IP 178.62.0.1; see the following command:

    ping -c 3 178.62.0.1

    PING 178.62.0.1 (178.62.0.1) 56(84) bytes of data.
    64 bytes from 178.62.0.1: icmp_seq=1 ttl=64 time=0.957 ms
    64 bytes from 178.62.0.1: icmp_seq=2 ttl=64 time=0.589 ms
    64 bytes from 178.62.0.1: icmp_seq=3 ttl=64 time=0.586 ms

    --- 178.62.0.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 0.586/0.710/0.957/0.176 ms

    My droplet's network interface is reaching the default gateway, so I have access to the Internet.

    Do the same.

  • @cviniciusm
    I did that and it worked fine. Pinging an IP is fine after I added the following to my before.rules file for the ufw firewall:

    # allow outbound icmp
    -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    
  • Hello,

    Right. Well done.

    Now, are your connectivity issues gone?

  • The thing is, my website works fine now after that.
    The only problem that might get serious in the future is if I need to install something like https://logentries.com/ to monitor my website log. The installation requires running the following:

    wget https://raw.github.com/logentries/le/master/install/linux/logentries_install.sh && sudo bash logentries_install.sh

    Basically the code has 2 parts.
    Part one is to download the logentries_install.sh file, which is:

    wget https://raw.github.com/logentries/le/master/install/linux/logentries_install.sh

    The problem is that I get an unknown host error because I am trying to access a domain (raw.github.com), not an IP. I can ping IP addresses but not domain names.

    And part two is to run the logentries_install.sh file, which is:

    sudo bash logentries_install.sh

    The script asks me to enter my account email at logentries.com and my password, and when I enter my account info it does not continue, because I think it is trying to authenticate my info through a URL, and because I can't access a URL it fails.

    However, I can disable my firewall (ufw) and, after installing the software, enable the firewall again.

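The pattern in this thread (IP addresses ping after outbound ICMP was opened, hostnames still fail, resolv.conf is fine) is what a deny-outgoing ufw default produces when DNS on port 53 is not allowed out. The following POSIX shell check is an added example, not code from the thread or from ufw: it reads `/etc/resolv.conf` and `ufw status verbose` output as text, so it can be run against captured output as well as live; the sample texts are constructed, and the `--live` mode and the `ufw allow out 53/udp` remedy are this example's suggestion rather than a step anyone in the thread took.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check for the symptom above,
# where an IP address pings fine but hostnames fail with "unknown host". It tests
# that /etc/resolv.conf names a resolver and that ufw lets DNS (port 53) out.
# All sample texts below are constructed, not captured from the poster's box.

SAMPLE_RESOLV='nameserver 8.8.8.8
nameserver 8.8.4.4'

# Constructed to mirror the poster's setup: deny outgoing, only 2222/80/21 in.
SAMPLE_UFW_BLOCKED='Status: active
Default: deny (incoming), deny (outgoing)

2222/tcp                   ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
21/tcp                     ALLOW IN    Anywhere'

# The same ruleset after "ufw allow out 53/udp" has been applied.
SAMPLE_UFW_FIXED="$SAMPLE_UFW_BLOCKED
53/udp                     ALLOW OUT   Anywhere"

# resolvers: reads resolv.conf text on stdin, prints nameservers, exits 1 if none
resolvers() {
    awk '$1 == "nameserver" { print $2; found = 1 } END { exit !found }'
}

# outgoing_policy: reads "ufw status verbose" text on stdin, prints the default
# outgoing policy (allow/deny/reject) or "unknown" if no Default line is present
outgoing_policy() {
    sed -n 's/^Default:.*, *\([a-z]*\) (outgoing).*/\1/p' | grep . || echo unknown
}

# dns_out_allowed: exits 0 when an explicit ALLOW OUT rule covers port 53
# ("53", "53/udp" or "53/tcp" in the To column, optionally after a destination)
dns_out_allowed() {
    grep -Eq '^([0-9.]+ +)?53(/(udp|tcp))?[[:space:]]+ALLOW OUT'
}

# dns_egress_ok: exits 0 when DNS can leave (default allow, or a port-53 allow-out rule)
dns_egress_ok() {
    _ufw=$(cat)
    [ "$(printf '%s\n' "$_ufw" | outgoing_policy)" = allow ] && return 0
    printf '%s\n' "$_ufw" | dns_out_allowed
}

# Live run on the droplet itself (ufw status needs root): sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    resolvers </etc/resolv.conf >/dev/null || echo "no nameserver in /etc/resolv.conf"
    ufw status verbose | dns_egress_ok || echo "ufw blocks outbound DNS; try: ufw allow out 53/udp"
fi
```

Run without arguments it only defines the checks (useful for piping saved output into them); with `--live` it inspects the current machine and names the missing piece instead of requiring the firewall to be disabled during installs.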