I'm still running Mac OS 10.5. I found a strange issue: when you try to use parental controls, you can run into an issue when you try to log in to a site and Safari or Firefox says that it cannot access a website. This happens even when you add the full site into the approved website lists. Scouring the internet, I finally found this from the fora at support.apple.com. I didn't want to lose the information, so I'm posting it here...

I know, I should be running OS X 10.6. :-P

"We ran into this problem, and a wonderfully helpful Apple technician dug up a solution brought down from engineering. I'm very surprised it wasn't made into a knowledge base article.

The problem is that https, by design, keeps the hostname you're trying to access (apple.com, mail.google.com, etc.) secret. The computer can't determine directly whether the connection should be allowed. It does know the IP address, and performs a reverse lookup on that IP address to get the hostname it checks against your list of allowed sites.

So, the solution is to add as an allowed site the hostname associated with the IP address. It's not too difficult, but does require that you dive into the Terminal.

As an example, let's try to allow access to the Apple store. Start with the hostname you know: store.apple.com. Head into Terminal, and type:

<pre>host store.apple.com</pre>

You should get back something like this:

<pre>store.apple.com is an alias for store.apple.com.akadns.net.
store.apple.com.akadns.net has address 17.251.201.32
store.x.com.akadns.net mail is handled by 10 cbox-ember01.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember02.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember03.apple.com.
</pre>

You can ignore everything except the address line. Now we know that the Apple Store's IP address is 17.251.201.32. Let's use host again:

<pre>host 17.251.201.32</pre>

Which returns

<pre>32.201.251.17.in-addr.arpa domain name pointer cup-store.apple.com.</pre>

Which is the information that we're looking for. The reverse DNS name of the Apple Store's only IP address is cup-store.apple.com. You can add this to allowed sites, or just add apple.com.

Head back over to the store page, reload, and see if everything's loading. You can use the Activity window (in the Window menu) to see what is and isn't loading successfully on the page. In some cases, you may find content that's not loaded from the same domain — in this case, static content like images is coming from a248.e.akamai.net. You can follow the same steps to find the reverse DNS names of these other domains.

If a domain resolves to multiple IP addresses, check a few of them. If you're lucky, they'll all point to the same or similar domains, and you can just add the second level domain to allowed sites. If you're not, they may not have reverse DNS records at all, and you'll get a response like this:

<pre>Host 153.234.138.207.in-addr.arpa. not found: 3(NXDOMAIN)</pre>

In this case, you may have to add all of the IP addresses individually to allowed sites.

If you're having trouble with this method of finding reverse DNS, try to load a problematic site and check the Parental Controls logs. The site should show up under Websites Blocked. Open one of the history entries in a browser. It should just show up as a hostname or IP address, with nothing after the slash. That's the address you need to add.

Finally, if you just want to allow access to GMail, I did the work for you: most of Google's IP addresses resolve to a .1e100.net address. If you add google.com and 1e100.net to allowed sites (Google has lots of IPs, it's not worth trying to add them individually), you should be all set."
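
The lookup procedure from the quoted post as a shell script, added here as an example and not part of the original post or of anything Apple ships. It parses `host` output into allow-list candidates and falls back to the raw IP address when there is no reverse record. The function names are made up for this example, and `base_domain` assumes a plain two-label domain.

```shell
#!/bin/sh
# Added example: turn `host` output into Parental Controls allow-list entries.

# Read `host NAME` output on stdin; print each IPv4 address it reports.
forward_addresses() {
    awk '/ has address / { print $NF }'
}

# Read `host IP` output on stdin; print every reverse-DNS (PTR) name with its
# trailing dot removed. If there is none (NXDOMAIN), print the IP given as $1,
# since the address itself then has to go on the allowed list.
reverse_entry() {
    awk -v ip="$1" '
        / domain name pointer / { sub(/\.$/, "", $NF); print $NF; found = 1 }
        END { if (!found) print ip }'
}

# Reduce a reverse-DNS name to its last two labels (apple.com, 1e100.net).
# IP addresses pass through unchanged. Assumption: a two-label registrable
# domain, which is wrong for suffixes such as co.uk.
base_domain() {
    awk -F. '
        /^[0-9.]+$/ { print; next }
        NF >= 2     { print $(NF-1) "." $NF; next }
                    { print }'
}

# Whole procedure for one site: forward lookup, reverse lookup of every
# address, then a de-duplicated list of entries. Needs network access and
# the `host` command.
allow_entries() {
    host "$1" | forward_addresses | while read -r ip; do
        host "$ip" | reverse_entry "$ip"
    done | sort -u
}

# When run as a script with a hostname argument, print the exact reverse
# names and the shorter domain-level entries.
if [ $# -gt 0 ]; then
    entries=$(allow_entries "$1")
    printf 'Exact entries:\n%s\n' "$entries"
    printf 'Domain-level entries:\n%s\n' "$(printf '%s\n' "$entries" | base_domain | sort -u)"
fi
```

Each domain-level entry allows every host under that domain, so compare the two lists before choosing the shorter form.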
 
Oh, I posted this because it's a weird issue that I will run up against again, and I don't want to have to search for it again. If I put it somewhere, then I have it forever. :-)