From Blacklists To DNS Leaks: Fast Network Diagnostics When Users Can't Connect

When users report access problems, IT support needs fast answers. “I can’t reach the application,” “This site blocks me,” or “Everything works on my phone but not my laptop” are common tickets, but the actual cause can range from IP reputation issues to routing problems to browser configuration conflicts. Whoer What Is My IP tool provides a quick external view of what websites and services actually see when a user connects, making it easier to pinpoint the issue without diving into packet captures or complex network tools first.

This guide covers the most frequent connection problems IT teams face and how to diagnose them efficiently.

Taking a Network Snapshot

The first step in any access issue is understanding what the external world sees. Users might think they’re connecting from the office network with standard settings, but the reality can be different.

Open Whoer.net from the affected user’s machine or have them navigate to it during a screen share. You’ll immediately see:

Public IP address and ISP
ASN (Autonomous System Number)
Geographic location based on IP
DNS server information
Proxy or VPN indicators
Basic browser fingerprint data

This snapshot helps classify the incident fast. Is the user actually on the corporate network or accidentally on mobile data? Are they behind an unexpected proxy? Does the IP match what you expect for their location?

For remote workers, this matters even more. VPN connections can fail silently, DNS can resolve incorrectly, and users often don’t realize they’ve switched networks. Having them check Whoer.net while on the call confirms exactly what network they’re using right now, not what they think they’re using.

Blacklist and IP Reputation Problems

A user reports they can’t access a vendor portal or keep getting access denied errors. The application team says nothing changed on their end. Check the IP reputation first before escalating further.

Whoer.net shows if the current IP appears on common blacklists. This happens more often than you’d expect:

Shared IP blocks: Office buildings or data centers often use IP ranges where one tenant’s bad behavior affects everyone. If someone in your building ran a spam campaign, your whole block might be flagged.
Dynamic IPs from ISPs: Home workers on residential connections get recycled addresses. The previous user of that IP might have triggered abuse filters.
Cloud and VPS ranges: Corporate VPNs or cloud gateways sometimes use IP ranges that are widely shared and frequently flagged because of high abuse rates from other customers.

If you see blacklist indicators, document the specific IP and which lists it appears on. For static corporate IPs, this becomes a ticket for your network team to contact blacklist operators. For dynamic IPs, you can try having the user disconnect and reconnect to get a fresh address. For cloud providers, this might require escalation to your infrastructure team.

In your ticket notes, write something like: “User’s current IP (203.0.113.45) flagged on Spamhaus XBL and Barracuda blacklists. Not an application configuration issue. Recommended user switch to mobile hotspot as temporary workaround while network team addresses IP reputation.” This saves the next technician from redoing your work.

DNS Leaks and Misconfigurations

VPN is connected, user confirms they see the VPN icon, but they’re still blocked from internal resources or their location still shows as “home” instead of “office.” DNS leaks are the likely culprit.

A DNS leak means DNS queries bypass the VPN tunnel and go directly to the user’s ISP or public DNS servers. The VPN encrypts web traffic but DNS requests reveal which sites the user visits and can cause location/access inconsistencies.

Whoer.net displays which DNS servers are actually handling requests. Compare this to what should be configured:

Corporate VPN should show internal DNS servers (typically 10.x.x.x or your company ranges)
If you see 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare) when VPN is supposedly active, that’s a leak
If you see the user’s ISP DNS servers, VPN isn’t controlling DNS at all

Common causes and fixes:

VPN client doesn’t properly override system DNS: Reinstall VPN client or check for configuration updates from your team
DNS over HTTPS (DoH) in browsers: Firefox and Chrome can enable DoH by default, bypassing system DNS entirely. Disable it in browser settings or via group policy
IPv6 DNS queries leak while IPv4 goes through VPN: Either ensure your VPN tunnels IPv6 properly or disable IPv6 on the user’s adapter
Operating system DNS cache: Have user run ipconfig /flushdns on Windows or sudo dscacheutil -flushcache on Mac

When documenting DNS issues, note the actual DNS servers you saw versus what should be there. “User showing Google DNS (8.8.8.8) instead of corporate DNS (10.20.30.40) despite active VPN connection” gives your network team something concrete.

Cross-Device and Cross-Location Inconsistencies

“It works on my phone but not my laptop” is a classic support ticket. Before assuming it’s a device-specific problem, verify they’re using the same network connection.

Run Whoer.net on both devices during the same support session. You’ll often find:

Laptop is on office Wi-Fi (corporate IP, office location)
Phone is on cellular data (mobile carrier IP, cell tower location)
Completely different ISPs, ASNs, and geographic markers

These are essentially two different internet connections with different reputations and characteristics. A service that trusts your office IP might be suspicious of mobile carrier IPs due to higher fraud rates. Or the mobile network’s geographic location triggers regional restrictions.

The same applies to remote workers connecting from home versus office, or users switching between wired and Wi-Fi networks that route through different gateways.

Your ticket should specify: “Issue reproduced on corporate network (Comcast Business, IP 203.0.113.89, Chicago location). Cannot reproduce on user’s mobile connection (T-Mobile, IP 198.51.100.10, Milwaukee location). Application likely has IP-based restrictions. Escalating to application vendor with corporate IP for whitelisting.”

This level of detail prevents back-and-forth and helps the next team understand exactly what’s happening.

Browser Fingerprint and Anti-Fraud Blocks

Some access denials aren’t about IP or network at all. Modern security systems examine the entire browser fingerprint: headers, installed fonts, screen resolution, language settings, timezone, installed plugins, and more.

When these signals don’t align, anti-fraud systems get suspicious. Common scenarios:

User’s IP shows United States, but browser language is set to Chinese and timezone is GMT+8
Corporate laptop has unusual font lists that don’t match the claimed OS
Too many browser extensions or automation tools detected
WebRTC reveals a different IP than the connection IP

Whoer.net’s fingerprint section shows what browsers are broadcasting. Walk through this with the user during your call. Look for obvious mismatches between the IP location and browser/system settings.

Quick fixes you can do immediately:

Correct timezone in system settings to match actual location
Set browser language to match user’s region
Disable unnecessary browser extensions temporarily to test
Check that system time is accurate (off by hours triggers fraud detection)

For persistent issues, document what you found: “User browser showing Korean language (ko-KR) and Seoul timezone (GMT+9) but connecting from US IP. Corrected to en-US and Eastern timezone, issue resolved.” This helps identify patterns if multiple users have similar misconfigurations.

Routing and Geographic Mismatches

User complaints about high latency or unexpectedly being placed in the wrong regional server often trace back to routing issues.

Check the ASN and geographic location on Whoer.net. If a user in London shows an IP geolocated to Frankfurt, their ISP might be routing through a German exchange point. If the ASN doesn’t match the expected provider, traffic might be going through an upstream or peering arrangement that adds latency.

This matters because you can immediately tell the user: “Your connection is routing through Frankfurt instead of London. This isn’t something we can fix from the application side. You’ll need to contact your ISP about the routing, or we can look into getting you on a different connection.”

For multi-site organizations, this also helps verify that branch offices are actually exiting through the expected links and not accidentally routing through headquarters or other sites due to misconfigured routing tables.

Document this in tickets going to your network team with specifics: “Seattle office user showing exit through AS3356 in Los Angeles (should be AS7018 in Seattle). Adds 40ms latency to East Coast applications. Routing investigation needed.”

Corporate Proxy and Gateway Issues

Sometimes users are behind proxies they don’t know about. Transparent proxies, security gateways, or misconfigured routing can insert intermediary hops that change how external sites see the connection.

Whoer.net’s proxy detection indicators can flag unexpected intermediaries. If it shows proxy indicators when users should be on direct connections, that’s worth investigating.

Look at the HTTP headers section if available. X-Forwarded-For headers, Via headers, or other proxy-specific headers reveal if traffic is being processed by intermediaries. This matters for applications that do IP-based access control or logging, because they might see the proxy IP instead of the user’s actual IP.

If you spot this, escalate to your network team: “Whoer.net detecting proxy indicators for user on direct connection. User IP shows as 203.0.113.45 but X-Forwarded-For header reveals 10.20.30.40. Need network team to verify gateway configuration.”

Quick Diagnostic Workflow

Here’s a practical workflow for any “can’t connect” ticket:

Initial triage (2-3 minutes):

Have user open Whoer.net during screen share
Screenshot or note down: IP, ISP, location, DNS servers
Check blacklist indicators
Verify VPN/proxy status matches what user expects

If issue is access-related:

Blacklist flagged → Document IP and lists, provide workaround (different network/mobile hotspot)
Wrong location → Check VPN status and DNS servers
Works on different device → Compare IPs and networks between devices

If issue is performance-related:

Check ASN and geographic routing
Note latency indicators if shown
Document for network team escalation

If issue is intermittent:

Have user check Whoer.net when problem occurs and when it doesn’t
Compare the two snapshots to identify what’s changing

For your ticket notes:

Always include the actual IP address user was on when issue occurred
Note ISP/ASN if relevant
Include DNS servers if VPN-related
Screenshot Whoer.net results and attach to ticket

Building Your Knowledge Base

After resolving several tickets using this approach, you’ll start recognizing patterns:

“Users on AT&T residential get blocked from vendor portal” → IP reputation issue with that ISP’s range
“Remote workers in apartments can’t access internal tools” → Shared NAT causing conflicts
“Every new laptop has timezone mismatch” → Image deployment issue to fix

Document these patterns in your internal wiki or runbook. Create a section for known IP ranges and their quirks, common DNS leak scenarios for your VPN client version, or which vendor applications are particularly sensitive to browser fingerprints.

This turns Whoer.net from a one-off diagnostic tool into part of your standard troubleshooting process, making you faster and more effective at resolving user issues.