Using public wifi on Lion is driving me mad
 

Since upgrading to Lion, accessing public wifi services has been a nightmare. That is, those in Starbucks, for example, at libraries (I'm in the UK and have a BT Openzone account).

Previously on Snow Leopard I mostly had success.

Connecting to my home wifi, or that of my parents, works perfectly.

Anybody got any ideas? I've tried enabling proxy detection but it doesn't work.

I'm guessing public wifi involves things like proxies and content filters, which might be causing the issues. In most cases I seem to get a valid IP address.


The Cloud in Wetherspoons pubs -- works without a problem
The Cloud at McDonalds -- doesn't work for some reason
Costa coffee's voucher-based wifi (not sure who runs it) -- works sometimes, not other times (browser blank, forever searching)
My local library -- doesn't work at all, browser blank, forever searching for a page

What exactly happens when you try to connect?

It may possibly be a problem with old caches or stored data associated with those networks from previous OS versions.

In System Preferences > Network, delete the problem wifi connection from the list of known wifi, and then try again.

The computer isn't set to remember networks. And it was a fresh install of Lion (I made my own DVD from the App Store package).

I've done a lot of research and all I can find is a suggestion to delete the following file, but it doesn't exist on my system:

~/Library/Preferences/com.apple.security.revocation.plist

Usually, when I see problems where there appears to be a valid IP address, but you get a blank browser forever searching, it's a problem with DNS.

Try changing your DNS settings, whatever they are. If you have DNS servers explicitly set in System Preferences > Network > select "Airport" in the left column > click "Advanced" button > DNS tab, then remove them and use the ones that the DHCP server gives you.

On the other hand, if you don't have DNS servers explicitly set in that spot, then set some. I like the Google public DNS servers, so if you want to try those, set 8.8.8.8 and 8.8.4.4. There are also lots of other public DNS servers if you wish, use your preferred search engine to find them.

Let us know if setting or unsetting your DNS fixed the problem.

Trevor

I think DNS is the problem but my Mac is set to use whatever DNS is specified by DHCP.

A lot of these public wifi services use DNS to force the browser to go to a sign-in page, before assigning actual genuine DNS servers. For some reason my Mac isn't liking this.

That file is in your user folder, in the Library which is normally hidden in Lion. Perhaps that's why you don't find it....
Go to your Finder, then go to the Go menu. That will show a variety of the folders in your system. Press your Option key, and your own Library will appear. You'll find that 'missing' file there.

I don't know if it will actually help your situation, but shouldn't hurt anything to remove the file.

Fortunately I can find and view the folder in question, and the file just isn't there on my computer.

I'm starting to wonder if Little Snitch is throwing a spanner into the works.

That seems likely, as Little Snitch is good at blocking outgoing traffic, thus you may have inadvertently ordered LS to block out alternate network connections (I don't really know for sure on that)
So, try turning off, or removing LS, to check for working connections....

So, explicitly set DNS to 8.8.8.8 and 8.8.4.4 and see if it helps.

Trevor

But that won't work because, when I connect to public wifi, I won't be able to find the sign-in page. These systems appear to be setup to that, whenever anybody joins the open wifi network, they're given an IP address and a "fake" DNS that directs ANY web address to the sign-in server.

So setting a fixed DNS will override that, and will mean I won't be able to sign-in.

In some ways, you're describing the problem I'm having! It's like I join the network and my Mac refuses to use the "fake" DNS addresses, so I never get to the sign-on page.

Did you try the DNS addresses that trevor suggested?
You should also delete any existing DNS server entries that are already in your Network settings.

Don't assume that you still won't connect, when you haven't made the attempt. You may be happily surprised.
Come back after you have tried with those changed DNS servers, and you still can't connect.

I might as well stick my finger in a bowl of ice cream for all the good it'll do.

I've tried using Google's public DNS and OpenDNS already. It does no good. It cannot do any good. Either my understanding of DNS is very wrong (unlikely--I worked as a sysadmin for several years) or people should stop suggesting this.

Maybe you could explain in more detail why (or what) you think "cannot do any good" - since configuring your Mac to use different DNS servers when the default ones (e.g. as supplied by your ISP) aren't working is definitely something that can do good.

Have your read any of the earlier postings? You talk of the DNS servers "supplied by your ISP". They're not the issue here. We're talking about public wifi services offered by the likes of Starbucks, or libraries.

You ask me to explain in more detail. Well, start from the top message and read down. It'll only take you a few minutes, and it'll be well worth the effort.

I really haven't the strength to explain it all again. I've explained twice how DNS works on public wifi systems, at least the ones I've encountered.

I have OpenDNS set on my MacBook running Lion, and I can access public Wifi just fine.

Yes, your page requests go through a server that checks you're logged in. But that shouldn't stop your browser from querying the DNS server of your choosing.

Please try it, at the very least to placate the people who are trying to help you with the problem that you have. This might not fix your problem, but it's always good to rule things out, rather than assume that they aren't related.

I for one never like to rule out the possibility that I might be mistaken. I also enjoy an opportunity to prove to others that I'm right! If it does nothing, you can rub our noses in it. If it does improve things, you will have solved your problem. There's no down side to trying it!

Some Debugging Steps:

1) Make sure that there isn't some software or some configuration of software on your Mac that is causing the problem. For example, disable any 3rd-party security-related or network-related software. Make sure that your browser allows cookies (some sites won't work unless cookies are enabled). Make sure your browser or your Mac isn't configured to use a proxy server. Try a different browser (e.g. Firefox instead of Safari)

2) Try a different user account - preferably a freshly created one with no customizations.

3) It might be useful to cut the visual parts of the browser out of the equation by using a text-only browser as a test to see what part of the HTTP transaction is causing a problem.
Try the 'debug_http' script that I outlined in this old thread:
http://forums.macosxhints.com/showpo...91&postcount=7
Show us the results and we can help interpret.

4) To check if the problem is "only" with DNS, try accessing web sites via IP address rather than name. E.g. try http://74.125.226.243/ instead of http://google.com

Note that the usual way that public WiFi access points control your access is to have the DNS server set up to redirect your first web page access to a login web page on their server. After you login, they configure their firewall to allow your computer to send requests to the Internet. If you don't login, their firewall prevents all access except DNS.

So for debugging, the following are quite different problems:
- to get to the login page and successfully log in
- to access web pages (and other Internet resources) after you are logged in
You need to figure out which problem you have in each case.

Making a new user account is an excellent idea. I'd need to log out of all other accounts though. In Lion there's a strange bug (maybe a "feature") whereby if you use the user account switcher, you have to reconnect to the wifi again. This is on my Macbook Pro, I don't know if other Macs work the same way.

As for trying a site's IP address, I'd still have to get to the sign-in page but that's also a good idea.

At the moment my thinking is that Little Snitch is causing some kind of issue (obviously I've tried disabling it but the problem persists). I like the program but in the five years I've been using it it's not yet saved my bacon from a hack attack. It's more for curiosity's sake to see what programs are trying to get online. Therefore I'm going to try living without it.

Hello everybody, an update for you.

I'm currently in a cafe using BT FON, a public wifi service here in the UK. So I got it working, but in a weird way.

Initially I couldn't get any sites. After connecting to the wifi, I saw the same thing, a blank browser screen forever in both Chrome and Safari. ping and dig at the command-line returned time-outs too. Checking Networking under System Prefs, I see that I have a proper IP address and router address, and DNS. See http://imgur.com/52MTv and http://imgur.com/5dV7Q. So everything is fine from that perspective.

I then tried the Google public DNS (8.8.8.8 and 8.8.4.4). This time I get a "DNS not responding" message in Chrome/Safari. So I deleted them, reverting to BT FON's defaults, and -- hey presto -- everything works. I get the BT FON sign-on screen, and can get online.

Any thoughts on what's happening?

Edit: Like I said earlier I've uninstalled Little Snitch, and any other software that might cause problems. But I've got a new theory. In the past I manually edited my /etc/hosts file, adding a few entries. I think OS X Lion might have a bug whereby this messes everything up. In future I'll try using the dscacheutil -flushcache command to flush the DNS to see if it helps me connect. That might be the best solution to the problem.

dscacheutil -flushcache is depleted on Lion and in fact Snow as well.

The system no longer uses Directory Services for DNS caching. It now uses mDNSResponder, so your dscacheutil commands aren't going to work. If you want to look at mDNSResponder's record cache in system.log
sudo killall -INFO mDNSResponder

....and many DNS issues can be resolved by using this Terminal command. This works well if you hop networks a lot.
sudo killall mDNSResponder

To use BTFON/Openworlf and all those services you have to use their DNS servers. It is the way it all works.

I know I have to use their DNS. It's other people here suggesting I don't, and suggesting it as a solution, which is something I've been complaining about.

What a weird thread this is.

But thanks for the advice about mDNSResponder. I'll do some research.

The following link is interesting re: what I said about edits I've made to /etc/hosts.

OS X Lion doesn't check the /etc/hosts file first. It checks it second. This is probably a bug but might be a "feature", but it's hard to work out what the reasoning is.

http://www.justincarmony.com/blog/20...ns-resolution/

And also this which mentions that it's not necessary to edit /etc/hosts on OS X any longer. http://tomafro.net/2009/07/dscl-the-...d-hosts-on-osx

My point is that OS X is caching the DNS from when you where connected to another network and not fully refreshing new DNS servers during the network transition.

I have ended up scripting this for clients as this issue effects loads of mobile users without them knowing it.....they just restart machine/tinker turning WIFI on and off and then all works fine....well i KNOW it is mDNSResponder as i have dealt with this very issue 100s of time.

Certain parts of OS X (the BSD bits) still can resolve /etc/hosts it is DNS resolution/search order that changed.

Unfortunately the Apple way is not always the best/right way and we have to lump it !

I think I've found my solution. Many thanks!

OK, the following seems to explain the issue and is pretty much what I've been experiencing:

http://apple.stackexchange.com/a/39076

I think the only reasonable solution is to add the domains they mention to the hosts file, so the look-up times out very quickly and you can get on with accessing the sign-on page.

This is a serious bug/oversight on behalf of Apple.

Edit: The (slightly insecure) solution to public hotspot/wifi connection issues, where you can connect but get a time-out when trying to sign-on via a browser, is to add the following lines to the bottom of your /etc/hosts file:

127.0.0.1 crl.usertrust.com
127.0.0.1 ocsp.usertrust.com
127.0.0.1 crl.incommon.org
127.0.0.1 ocsp.incommon.org

Be careful not to edit /etc/hosts with something like TextEdit, which will add the wrong type of line endings. I use nano at the command-line. If using something like TextWrangler, be sure to set the line encoding as "Unix (LF)".

Couple this with the way these Hotspots work....

You connect to their "special" network it provides a special DNS server which redirects any page request to a sign in page. You fill in details and it redirects you to the Public facing side which has different Public DNS servers...however the Mac still is using the old DNS server to try and resolve due to mDNSResponder being an awkward piece of crap (bet you are all feeling my love for it!)

DNS is so fundamental and Windows and Linux are generally very good as they have stuck with tried and tested methods of DNS resolution....Apple decided to do it a different way and have IMHO gone off course. It is certainly one of the key issues i deal with on a day to day basis and wish Apple would just nail it !

Didn't the Ubuntu people bugger around with DNS too? I agree that a simple solution is best, but engineers love to mess around with stuff.