OathKeepers sites down - False Alarm

[jshuberg]

EDIT: Thanks to some input from mrp below it appears like this may have been the result of a hardware failure at a service provider in Utah. The nature and timing of the outage kinda made me poop myself a little, and I may have jumped the gun on assuming nefarious intent.

EDIT2: As I was editing this post, I got the following email from OathKeepers:

Earlier this morning our server along with thousands of others went down. This was caused by a problem at the data center that houses the Oath keepers servers. This issue caused packet drops and latency issues. The problems is actively worked on and until our server is back up and running.

So they are aware of the issue and believe that it's due to a hardware failure. Good enough for me. Feel free to carry on with your rest of your lives now

--------------------------

A little earlier I tried to access oathkeepers.org. I couldn't access it, and believing they might be the subject of a DDOS attack, I decided to look a little deeper. To my total shock I discovered that it no longer had a DNS entry!!! The whois information is still present, but I checked a dozen or so different DNS servers, and there are no longer any records for this domain.

Also, there is no response from the following IP addresses:

74.55.206.244 - ns1.oathkeepers.org
74.55.206.243 - ns2.oathkeepers.org
74.55.206.245 - operationsleepinggiant.com
198.1.71.128 - oathkeepers.org

The servers could be down due to an outage or DDOS attack or the like, but the removal of the DNS entries could not be the result of a hacker or error. It must have been intentionally deleted. I believe that this can only be done via court order, but I vaguely recall a provision in the patriot act where the fedgov could seize DNS entries. Either way, if this is what I think this is - the the fedgov has shutdown oathkeepers for their participation in the Navada ranch standoff - this is a *serious* violation of that organizations 1st amendment rights!!!

Tech nerds, please confirm. I haven't seen anything about this on the news and google doesn't return anything from various queries. If this is true, it's likely indicative of much bigger things in the near future.

[Randygmn]

A little earlier I tried to access oathkeepers.org. I couldn't access it, and believing they might be the subject of a DDOS attack, I decided to look a little deeper. To my total shock I discovered that it no longer had a DNS entry!!! The whois information is still present, but I checked a dozen or so different DNS servers, and there are no longer any records for this domain.

Also, there is no response from the following IP addresses:

74.55.206.244 - ns1.oathkeepers.org
74.55.206.243 - ns2.oathkeepers.org
74.55.206.245 - operationsleepinggiant.com
198.1.71.128 - oathkeepers.org

The servers could be down due to an outage or DDOS attack or the like, but the removal of the DNS entries could not be the result of a hacker or error. It must have been intentionally deleted. I believe that this can only be done via court order, but I vaguely recall a provision in the patriot act where the fedgov could seize DNS entries. Either way, if this is what I think this is - the the fedgov has shutdown oathkeepers for their participation in the Navada ranch standoff - this is a *serious* violation of that organizations 1st amendment rights!!!

Tech nerds, please confirm. I haven't seen anything about this on the news and google doesn't return anything from various queries. If this is true, it's likely indicative of much bigger things in the near future.

Oathkeepers are a source for militia mobilization. The govt may have shut them down in advance of an operation.

[jshuberg]

That's my thinking. I got the following from them this morning. At that time, I could reach their site. This afternoon - poof it's gone!

NOTE: First, at the moment things are quiet here. 99% of the rumors on the internet are either blatantly false or wildly inaccurate. No strong presence of federal agents has been seen. Remnants of BLM's recent sojourn here are still present, such as the lights they had put up at their "field-headquarters" and no doubt we are under surveillance of all kinds, but there is no overt, visible massing of federal law enforcement.

We are, however concerned that the domestic enemies of the Constitution that infest the federal government might try to take advantage of folks going home, and attempt to make a move on the Bundy family. We feel certain that they will want to try again at some point, perhaps in a different way, even perhaps by executing a dynamic entry raid to attempt to arrest the Bundys. And we have heard that this is being discussed, though I have not been able to directly confirm it. But it is a real risk.

Therefore, to prevent such a raid, or to at least throw a monkey wrench into any such plans and make it more difficult for them, we're doing the following:

1: We are calling on all Oath Keepers who can possibly get here to come to the Bundy Ranch to serve as volunteers on an ongoing, rotating watch.
That is not because there is any great emergency, but is a preventative measure - sort of like doing a rotation on the DMZ.


I am urging each and every Oath Keepers member who can, to get here and spend a bit of time to ensure that the Bundys are not alone. We need boots on the ground. We want you here, standing watch, which is appropriate for us Oath Keepers since our motto is "Not on Our Watch."

We have six Oath Keepers here from New Hampshire (one of whom - Jerry DeLemus - is now the head of security for the ranch). We have one woman, Lori Storm, who drove down by herself from Nebraska, and one of our Board members from Nebraska, Steve Homan, is also here. We've got people here from Montana, Utah, Arizona, California, and Washington State. People are here from all over the country.

But people, however dedicated, will get burnt out and we need others to rotate in. We need you to step up and serve your turn on watch.

We are raising money to help with gasoline - just be sure to save all receipts for reimbursement.

(EA here: That may only be available on first-come first-served basis. Of the money we've raised thus far, we've given $12,000.00 dollars to the Bundy family, and we purchased a $1,000.00 generator, but we are now raising more money to help some folks traveling from afar.)

I will not ask you to do anything I am not willing to do myself. So, even though I have been away from my home and family since April 10, I am still here, and I will remain here through April 19, standing watch with the others. I was supposed to be speaking at a rally in Idaho on that day, but I canceled that because I need to be here to lead by example by also pulling a watch stint.
And I can think of no better place to be on April 19 than on ground where modern patriots followed the example of the Founders and stood firm in defense of liberty. Like their forefathers before them who stood at Lexington and Concord, they refused to bend the knee to tyranny, and they stood their ground. And that spot of ground may go down in history as the birthplace of the next American Revolution, where the tide was turned, and the people stood up.
-

Bundy Ranch: We Came Risking Never Coming Home
-
OATH RENEWAL CEREMONY, SATURDAY, APRIL 19

On Saturday, April 19, we w ill have speakers (such as Mike Vanderboegh of the Three Percenters) and then we will follow in the foosteps of the Founding generation by renewing our oaths at approximately 6pm. What better place to do that than where brave Americans just kept their oaths and continue to keep their oaths in such a profound and moving way.

I invite you to join us there, both to do your duty, and to honor our forefathers and every American who has fought for this nation, from Lexington Green to today, as we celebrate our liberty that has been won for us and preserved for us, at such great cost.

NOTE: There is also a cowboy barbeque being thrown Friday night, April 18, by the Bundy family down by the river near their ranch. The Bundy's will provide the food and live music, with the first band going on at 6pm. All you need to do is show up. Ammon Bundy told me that you are welcome to bring your families, and are welcome to camp there. So, this is not just about standing watch. This is also about fellowship, family, and enjoying the land the Bundy family has been caring for for generations.

All of us who are here consider it a great honor to stand with this patriot family, and I can tell you that we Oath Keepers also consider it a great honor to be in the company of this fine bunch of Americans who have traveled from all over our country to support and stand with the Bundy family.

The Bundys are open and very grateful for people coming to be there for them, and thus far the caliber and quality of the people who've been here has been outstanding. From all over America people of good character and brave spirit have come to help and have done honor to our American traditions. We want those types of people. We do not want hot-heads who are looking for a fight. We want "cool, calm, and collected" - the "quiet professional." Thank you for understanding. Yes, by all means, bring your rifles, handguns, and whatever other gear you think you will need to stand watch, and yes, that includes any cammo you think will work best.

2: A rotating vigil of state legislators and current serving sheriffs at the ranch. This second part of our plan is a continuation of what we've already been doing. Oath Keepers helped facilitate a number of legislators from several Western States traveling to the Bundy Ranch this past week. Sheriff Mack's Constitutional Sheriffs and Peace Officers Association (CSPOA.org) helped ensure that some real-deal constitutional Sheriffs were also present on the side of the Bundy family.
-

Bundy Ranch: Stewart Rhodes and the Statesman Vigil
-
We will be continuing this effort and we need proactive Oath Keepers to help arrange a steady stream of State and County officials to rotate presence there so that the idiot government will have to admit it's ready to kill sitting elected public servants to assert its authority, or leave the Bundy family - and their cows - alone. Nevada Assemblywoman Michele Fiore, on Monday night, served the first vigil in the Bundy Ranch House (if only the Nevada Governor, Brian Sandoval, had a fraction of her integrity and courage. We wouldn't need to be here).

And to support that "official" stream of State and County officials, as well as others with names of gravity, Oath Keepers' general membership will also rotate into service there.

There is also some serious perimeter security and Oath Keepers CPTers who volunteer to help with the out-lying security in the desert will find this to be a great training exercise. Bring your gear. Consider this your Minute Man FTX. But however you come, do come. Oath Keepers will not be alone in this. Many other Americans are mobilizing now, millions of Americans are learning about it and are wanting to be helpful. Be part of it.

For the Republic!
Stewart Rhodes
Founder and President of Oath Keepers

PS - I want to personally thank Nebraska Oath Keepers President and member of our national BOD, Steve Homan, a Marine's Marine, who fought in Vietnam, who is here with me. Though Steve has five stints in his heart, and still carries around a bullet in his stomach courtesy of the NVA, he is here, and he will be standing watch with me till Saturday evening. I also want to thank four fine patriots and Oath Keepers - Rick, Ben, George, and John - who also attend Pastor Chuck Baldwin's Liberty Fellowship church in Montana. They drove down here together last week and though George had to fly home, Rick, Ben, and John have agreed to stay here with me until Saturday night, and then drive all night to get us home for Easter Service at Liberty Fellowship in Kalispell (I promised my wife and kids I would be home for Easter and that is a promise I need to keep if at all possible).

[mrp]

Or maybe there's an outage in Hostgator's Utah datacenter.

For future reference, check who owns the IPs. Go to the providers site. Check for network outages. THEN maybe unlock the gun safe.

http://forums.hostgator.com/network-out ... 16804.html

[Squib Joe]

Most likely somebody doesn't like the Harry Reid link to the land grab as reported earlier this morning on the OK website

http://conservativeread.com/feds-desper ... land-grab/

[xd ED]

They have a Facebook page, but not being familiar with the format, I cannot access the posts with regards to the most recent. Might be worth a try by someone more up on FB than I am.

[jshuberg]

Or maybe there's an outage in Hostgator's Utah datacenter.

For future reference, check who owns the IPs. Go to the providers site. Check for network outages. THEN maybe unlock the gun safe.

http://forums.hostgator.com/network-out ... 16804.html

I'm showing 198.1.71.128 as owned by Unified Layer in Provo, Utah and 74.55.206.243-74.55.206.245 owned by ThePlanet.com Internet Services, Inc. in Houston, Texas. Where did you find a reference to HostGator? Are they associated with or share hardware with Unified Layer?

Even if there was an outage in one of the data centers in Utah, that wouldn't explain the unresponsiveness of their servers in Texas, or the deletion of the DNS records from every DNS server I've checked.......

[mrp]

IIRC, Hostgator, websitewelcome & unifiedlayer are related.

I didn't dig into this all that much, but I see enough to chalk it up to hosting/network problems to dig any more.

C:\>dig @192.36.148.17 oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @192.36.148.17 oathkeepers.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1550
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;oathkeepers.org. IN A

;; AUTHORITY SECTION:
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 46 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Apr 16 15:26:09 2014
;; MSG SIZE rcvd: 435


C:\>dig @a2.org.afilias-nst.info oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @a2.org.afilias-nst.info oathkeepers.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;oathkeepers.org. IN A

;; AUTHORITY SECTION:
oathkeepers.org. 86400 IN NS ns1.oathkeepers.org.
oathkeepers.org. 86400 IN NS ns2.oathkeepers.org.

;; ADDITIONAL SECTION:
ns1.oathkeepers.org. 86400 IN A 198.154.250.36
ns2.oathkeepers.org. 86400 IN A 198.1.71.127

;; Query time: 31 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Wed Apr 16 15:26:48 2014
;; MSG SIZE rcvd: 101


C:\>dig @198.154.250.36 oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @198.154.250.36 oathkeepers.org
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

C:\>dig @198.1.71.127 oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @198.1.71.127 oathkeepers.org
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached


Tis@I ~
$ whois -h whois.geektools.com 198.154.250.36
GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 66.191.131.228... ok.
Final results obtained from whois.arin.net.
Results:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=198.1 ... xt=netref2
#

NetRange: 198.154.192.0 - 198.154.255.255
CIDR: 198.154.192.0/18
OriginAS:
NetName: HGBLOCK-6
NetHandle: NET-198-154-192-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-09-21
Updated: 2012-09-21
Ref: http://whois.arin.net/rest/net/NET-198-154-192-0-1

OrgName: WEBSITEWELCOME.COM
OrgId: BO
Address: 5005 Mitchelldale
Address: Suite #100
City: Houston
StateProv: TX
PostalCode: 77092
Country: US
RegDate: 2011-02-16
Updated: 2013-11-13
Ref: http://whois.arin.net/rest/org/BO

ReferralServer: rwhois://rwhois.websitewelcome.com:4321

OrgNOCHandle: IPADM551-ARIN
OrgNOCName: IP Admin
OrgNOCPhone: +1-866-964-2867
OrgNOCEmail: ipadmin@websitewelcome.com
OrgNOCRef: http://whois.arin.net/rest/poc/IPADM551-ARIN

OrgAbuseHandle: IPADM551-ARIN
OrgAbuseName: IP Admin
OrgAbusePhone: +1-866-964-2867
OrgAbuseEmail: ipadmin@websitewelcome.com
OrgAbuseRef: http://whois.arin.net/rest/poc/IPADM551-ARIN

OrgTechHandle: IPADM551-ARIN
OrgTechName: IP Admin
OrgTechPhone: +1-866-964-2867
OrgTechEmail: ipadmin@websitewelcome.com
OrgTechRef: http://whois.arin.net/rest/poc/IPADM551-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (66.191.131.228) has visited 9 times today.




Found a referral to rwhois.websitewelcome.com:4321.

%rwhois V-1.5:003eff:00 rwhois.websitewelcome.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-BO.198.154.250.36/32
network:Auth-Area:198.154.192.0/18
network:Network-Name:BO-198.154.250.36/32
network:IP-Network:198.154.250.36/32
network:IP-Network-Block:198.154.250.36 - 198.154.250.36
network:Organization;I:oathkeepers.oathkeepers.org
network:Tech-Contact;I:support@websitewelcome.com
network:Admin-Contact;I:support@websitewelcome.com
network:Created:20130402
network:Updated:20130717
network:Updated-By:support@websitewelcome.com

network:Class-Name:network
network:ID:NETBLK-BO.198.154.192.0/18
network:Auth-Area:198.154.192.0/18
network:Network-Name:BO-198.154.192.0/18
network:IP-Network:198.154.192.0/18
network:IP-Network-Block:198.154.192.0 - 198.154.255.255
network:Organization;I:WEBSITEWELCOME.COM
network:Tech-Contact;I:support@websitewelcome.com
network:Admin-Contact;I:support@websitewelcome.com
network:Created:20130204
network:Updated:20130204
network:Updated-By:support@websitewelcome.com

%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok

Tis@I ~
$ whois -h whois.geektools.com 198.1.71.127
GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 66.191.131.228... ok.
Final results obtained from whois.arin.net.
Results:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=198.1 ... xt=netref2
#

NetRange: 198.1.64.0 - 198.1.127.255
CIDR: 198.1.64.0/18
OriginAS: AS46606
NetName: UNIFIEDLAYER-NETWORK-11
NetHandle: NET-198-1-64-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-07-02
Updated: 2012-11-14
Ref: http://whois.arin.net/rest/net/NET-198-1-64-0-1


OrgName: Unified Layer
OrgId: BLUEH-2
Address: 1958 South 950 East
City: Provo
StateProv: UT
PostalCode: 84606
Country: US
RegDate: 2006-08-08
Updated: 2012-11-26
Ref: http://whois.arin.net/rest/org/BLUEH-2

ReferralServer: rwhois://rwhois.unifiedlayer.com:4321

OrgNOCHandle: NETWO5508-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-888-401-4678
OrgNOCEmail: netops@unifiedlayer.com
OrgNOCRef: http://whois.arin.net/rest/poc/NETWO5508-ARIN

OrgTechHandle: NETWO5508-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-888-401-4678
OrgTechEmail: netops@unifiedlayer.com
OrgTechRef: http://whois.arin.net/rest/poc/NETWO5508-ARIN

OrgAbuseHandle: ABUSE3581-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-888-401-4678
OrgAbuseEmail: abuse@unifiedlayer.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3581-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (66.191.131.228) has visited 10 times today.




Found a referral to rwhois.unifiedlayer.com:4321.

%rwhois V-1.5:000080:00 rwhois.unifiedlayer.com (by Unified Layer, V-1.0.0)
network:Class-Name:network
network:ID: NETBLK-UL.198.1.71.127/32
network:Auth-Area: 198.1.71.127/32
network:Network-Name: UL-198.1.71.127/32
network:IP-Network: 198.1.71.127/32
network:Organization: websitewelcome.com
network:Tech-Contact: abuse@websitewelcome.com
network:Admin-Contact: abuse@websitewelcome.com
network:Abuse-Contact: abuse@websitewelcome.com
network:Created: 20130103
network:Updated: 20130103
network:Updated-By: abuse@websitewelcome.com

%ok

ARIN isn't going to tell you where the IPs are physically located. rDNS can be more helpful.
Trace 198.154.250.36 ...
...
3 96.34.25.8 7ms 8ms 8ms TTL: 0 (dtr01rsmtmn-tge-0-1-1-3.rsmt.mn.charter.com probable bogus rDNS: No DNS)
4 96.34.27.184 27ms 21ms 17ms TTL: 0 (crr02stcdmn-tge-0-4-0-2.stcd.mn.charter.com probable bogus rDNS: No DNS)
5 96.34.2.136 11ms 14ms 18ms TTL: 0 (bbr01stcdmn-bue-3.stcd.mn.charter.com probable bogus rDNS: No DNS)
6 96.34.1.149 21ms 24ms 28ms TTL: 0 (bbr02chcgil-bue-1.chcg.il.charter.com probable bogus rDNS: No DNS)
7 96.34.3.11 26ms 21ms 23ms TTL: 0 (prr01chcgil-bue-4.chcg.il.charter.com probable bogus rDNS: No DNS)
8 206.223.119.174 21ms 21ms 28ms TTL: 0 (tg1-2.br01.chcg.acedc.NET ok)
***Provo, UT ----> 9 199.58.196.85 73ms 73ms 75ms TTL: 0 (ve58.ar04.prov.acedc.net ok)
10 199.58.199.114 78ms 76ms 77ms TTL: 0 (rtr-a.unifiedlayer.com probable bogus rDNS: No DNS)
11 No Response * * *

[george]

Kinda like when China blocked the internet during protests!!!!

Sent from my HUAWEI H881C using Tapatalk

[jshuberg]

OK, so I'm fine with being wrong. I actually *hope* that I'm wrong. I'm not a network guru though, so please indulge me. How is it that a router going down in Utah would result in DNS queries for oathkeepers.org and operationsleepinggiant.com returning no results?

I used the utility at http://www.zoneedit.com/lookup.html to lookup these domain names using multiple DNS servers. Including google at 8.8.8.8. All show no records. I don't understand how a single outage could cause this.

[Randygmn]

IIRC, Hostgator, websitewelcome & unifiedlayer are related.

I didn't dig into this all that much, but I see enough to chalk it up to hosting/network problems to dig any more.

C:\>dig @192.36.148.17 oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @192.36.148.17 oathkeepers.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1550
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;oathkeepers.org. IN A

;; AUTHORITY SECTION:
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 46 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Apr 16 15:26:09 2014
;; MSG SIZE rcvd: 435


C:\>dig @a2.org.afilias-nst.info oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @a2.org.afilias-nst.info oathkeepers.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;oathkeepers.org. IN A

;; AUTHORITY SECTION:
oathkeepers.org. 86400 IN NS ns1.oathkeepers.org.
oathkeepers.org. 86400 IN NS ns2.oathkeepers.org.

;; ADDITIONAL SECTION:
ns1.oathkeepers.org. 86400 IN A 198.154.250.36
ns2.oathkeepers.org. 86400 IN A 198.1.71.127

;; Query time: 31 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Wed Apr 16 15:26:48 2014
;; MSG SIZE rcvd: 101


C:\>dig @198.154.250.36 oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @198.154.250.36 oathkeepers.org
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

C:\>dig @198.1.71.127 oathkeepers.org

; <<>> DiG 9.4.1-P1 <<>> @198.1.71.127 oathkeepers.org
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached


Tis@I ~
$ whois -h whois.geektools.com 198.154.250.36
GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 66.191.131.228... ok.
Final results obtained from whois.arin.net.
Results:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=198.1 ... xt=netref2
#

NetRange: 198.154.192.0 - 198.154.255.255
CIDR: 198.154.192.0/18
OriginAS:
NetName: HGBLOCK-6
NetHandle: NET-198-154-192-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-09-21
Updated: 2012-09-21
Ref: http://whois.arin.net/rest/net/NET-198-154-192-0-1

OrgName: WEBSITEWELCOME.COM
OrgId: BO
Address: 5005 Mitchelldale
Address: Suite #100
City: Houston
StateProv: TX
PostalCode: 77092
Country: US
RegDate: 2011-02-16
Updated: 2013-11-13
Ref: http://whois.arin.net/rest/org/BO

ReferralServer: rwhois://rwhois.websitewelcome.com:4321

OrgNOCHandle: IPADM551-ARIN
OrgNOCName: IP Admin
OrgNOCPhone: +1-866-964-2867
OrgNOCEmail: ipadmin@websitewelcome.com
OrgNOCRef: http://whois.arin.net/rest/poc/IPADM551-ARIN

OrgAbuseHandle: IPADM551-ARIN
OrgAbuseName: IP Admin
OrgAbusePhone: +1-866-964-2867
OrgAbuseEmail: ipadmin@websitewelcome.com
OrgAbuseRef: http://whois.arin.net/rest/poc/IPADM551-ARIN

OrgTechHandle: IPADM551-ARIN
OrgTechName: IP Admin
OrgTechPhone: +1-866-964-2867
OrgTechEmail: ipadmin@websitewelcome.com
OrgTechRef: http://whois.arin.net/rest/poc/IPADM551-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (66.191.131.228) has visited 9 times today.




Found a referral to rwhois.websitewelcome.com:4321.

%rwhois V-1.5:003eff:00 rwhois.websitewelcome.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-BO.198.154.250.36/32
network:Auth-Area:198.154.192.0/18
network:Network-Name:BO-198.154.250.36/32
network:IP-Network:198.154.250.36/32
network:IP-Network-Block:198.154.250.36 - 198.154.250.36
network:Organization;I:oathkeepers.oathkeepers.org
network:Tech-Contact;I:support@websitewelcome.com
network:Admin-Contact;I:support@websitewelcome.com
network:Created:20130402
network:Updated:20130717
network:Updated-By:support@websitewelcome.com

network:Class-Name:network
network:ID:NETBLK-BO.198.154.192.0/18
network:Auth-Area:198.154.192.0/18
network:Network-Name:BO-198.154.192.0/18
network:IP-Network:198.154.192.0/18
network:IP-Network-Block:198.154.192.0 - 198.154.255.255
network:Organization;I:WEBSITEWELCOME.COM
network:Tech-Contact;I:support@websitewelcome.com
network:Admin-Contact;I:support@websitewelcome.com
network:Created:20130204
network:Updated:20130204
network:Updated-By:support@websitewelcome.com

%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok

Tis@I ~
$ whois -h whois.geektools.com 198.1.71.127
GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 66.191.131.228... ok.
Final results obtained from whois.arin.net.
Results:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=198.1 ... xt=netref2
#

NetRange: 198.1.64.0 - 198.1.127.255
CIDR: 198.1.64.0/18
OriginAS: AS46606
NetName: UNIFIEDLAYER-NETWORK-11
NetHandle: NET-198-1-64-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-07-02
Updated: 2012-11-14
Ref: http://whois.arin.net/rest/net/NET-198-1-64-0-1


OrgName: Unified Layer
OrgId: BLUEH-2
Address: 1958 South 950 East
City: Provo
StateProv: UT
PostalCode: 84606
Country: US
RegDate: 2006-08-08
Updated: 2012-11-26
Ref: http://whois.arin.net/rest/org/BLUEH-2

ReferralServer: rwhois://rwhois.unifiedlayer.com:4321

OrgNOCHandle: NETWO5508-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-888-401-4678
OrgNOCEmail: netops@unifiedlayer.com
OrgNOCRef: http://whois.arin.net/rest/poc/NETWO5508-ARIN

OrgTechHandle: NETWO5508-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-888-401-4678
OrgTechEmail: netops@unifiedlayer.com
OrgTechRef: http://whois.arin.net/rest/poc/NETWO5508-ARIN

OrgAbuseHandle: ABUSE3581-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-888-401-4678
OrgAbuseEmail: abuse@unifiedlayer.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3581-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (66.191.131.228) has visited 10 times today.




Found a referral to rwhois.unifiedlayer.com:4321.

%rwhois V-1.5:000080:00 rwhois.unifiedlayer.com (by Unified Layer, V-1.0.0)
network:Class-Name:network
network:ID: NETBLK-UL.198.1.71.127/32
network:Auth-Area: 198.1.71.127/32
network:Network-Name: UL-198.1.71.127/32
network:IP-Network: 198.1.71.127/32
network:Organization: websitewelcome.com
network:Tech-Contact: abuse@websitewelcome.com
network:Admin-Contact: abuse@websitewelcome.com
network:Abuse-Contact: abuse@websitewelcome.com
network:Created: 20130103
network:Updated: 20130103
network:Updated-By: abuse@websitewelcome.com

%ok

ARIN isn't going to tell you where the IPs are physically located. rDNS can be more helpful.
Trace 198.154.250.36 ...
...
3 96.34.25.8 7ms 8ms 8ms TTL: 0 (dtr01rsmtmn-tge-0-1-1-3.rsmt.mn.charter.com probable bogus rDNS: No DNS)
4 96.34.27.184 27ms 21ms 17ms TTL: 0 (crr02stcdmn-tge-0-4-0-2.stcd.mn.charter.com probable bogus rDNS: No DNS)
5 96.34.2.136 11ms 14ms 18ms TTL: 0 (bbr01stcdmn-bue-3.stcd.mn.charter.com probable bogus rDNS: No DNS)
6 96.34.1.149 21ms 24ms 28ms TTL: 0 (bbr02chcgil-bue-1.chcg.il.charter.com probable bogus rDNS: No DNS)
7 96.34.3.11 26ms 21ms 23ms TTL: 0 (prr01chcgil-bue-4.chcg.il.charter.com probable bogus rDNS: No DNS)
8 206.223.119.174 21ms 21ms 28ms TTL: 0 (tg1-2.br01.chcg.acedc.NET ok)
***Provo, UT ----> 9 199.58.196.85 73ms 73ms 75ms TTL: 0 (ve58.ar04.prov.acedc.net ok)
10 199.58.199.114 78ms 76ms 77ms TTL: 0 (rtr-a.unifiedlayer.com probable bogus rDNS: No DNS)
11 No Response * * *

Excuse me, what does all this mean?

[mrp]

OK, so I'm fine with being wrong. I actually *hope* that I'm wrong. I'm not a network guru though, so please indulge me.

Maybe next time start with "The website is down" rather than "taken down" until you have something more to go on. It could be something other than network problems, but you don't have any evidence of that yet.

How is it that a router going down in Utah would result in DNS queries for oathkeepers.org and operationsleepinggiant.com returning no results?

Oathkeepers is operating their own DNS servers. When you ask google's DNS server where oathkeepers.org is at, google has to go figure out who is supposed to know. Google then asks those servers, and tells you what it learns. Since the oathkeeper's DNS servers are down, google doesn't get an answer.

Google does cache DNS records for a short while, and does regularly prefetch records for popular domains, but if oathkeeper's dns servers were down for an hour it wouldn't be surprising to find that neither google nor any of the other public DNS servers still had it cached.

Operationsleepinggiant.com is affected because it also relies on oathkeeper's DNS server.

C:\>dig @c.gtld-servers.net operationsleepinggiant.com ns

; <<>> DiG 9.4.1-P1 <<>> @c.gtld-servers.net operationsleepinggiant.com ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1272
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;operationsleepinggiant.com. IN NS

;; AUTHORITY SECTION:
operationsleepinggiant.com. 172800 IN NS ns1.oathkeepers.org.
operationsleepinggiant.com. 172800 IN NS ns2.oathkeepers.org.

[jshuberg]

Google does cache DNS records for a short while, and does regularly prefetch records for popular domains, but if oathkeeper's dns servers were down for an hour it wouldn't be surprising to find that neither google nor any of the other public DNS servers still had it cached.

That's interesting, and actually very surprising to me. I was under the impression that most DNS servers will cache entries for a day or more, specifically so the problem of a DNS server going down temporarily wouldn't result in its entries from becoming unreachable. That and performance. Also, having a secondary DNS server on a separate subnet in a different datacenter as a redundancy is supposed to prevent this kind of problem from happening.

If the location information for the IPs of their DNS servers are correct, one should be in located in Houston Texas, and the other in Provo Utah. A router going out in Provo shouldn't be able to effect the proper operation of one in Texas. Maybe the internet is considerably more fragile than it was when I was first spun up on IP networks in the mid 90's. The idea was that the routing of packets and domain name resolution was supposed to be so redundant to be able to survive a nuclear attack, let alone a problem with a single router. Thus my pooping myself when I found the DNS entry removed.

Thanks for looking into it. You have me 80% convinced that it's probably the router failure in Utah, but I'll keep an eye out for the all clear from their tech guys and see if the site comes back up again. How long should it take to replace and configure a router? It's been around 10 hours......

[jshuberg]

Got an email from OathKeepers. Edited and updated first post with the info. I'm glad it turned out to just be a hardware issue than, well, what I was thinking it was.

[xd ED]

Got an email from OathKeepers. Edited and updated first post with the info. I'm glad it turned out to just be a hardware issue than, well, what I was thinking it was.

Just because you might be paranoid, it doesn't mean they're not out to get you.

Thinking about this, if someone did want to take down their site, it would appear less suspicious to have a broader 'failure' than one specific .org.

Also the sites are still down

ETA: Grammar correction