DNS queries to blocked countries?

Jeff Lightner jlightner at water.com
Thu Jun 21 16:33:49 UTC 2007


The countries themselves are being blocked by network security.   As I
said that is a political football others are trying to move.

My question is basically trying to see if there is a way I could set up
something similar to hints used for root servers so that something else
would do the lookup.   It doesn't seem likely to me but figured I might
not be the first person to run across this.

-----Original Message-----
From: Vinny Abello [mailto:vinny at tellurian.com] 
Sent: Thursday, June 21, 2007 12:29 PM
To: Jeff Lightner
Cc: bind-users at isc.org
Subject: Re: DNS queries to blocked countries?

How are you blocking them? Why not just allow DNS query responses from
anywhere? Would that fix it?

Jeff Lightner wrote:
> OK I know this sounds like a stupid question but figured I'd ask anyway.
> We currently have customers who have signed up to get email from us.
> However, the MX record won't resolve because the primary DNS for the
> customers is in a country we block inbound/outbound.    Essentially the
> dig +trace and whois both stop at the point the root servers hand off to
> servers in those remote countries.
> 
> An example would be "Samsung.com".   Although the user is actually in
> the U.S., Samsung is a South Korean company.  Due to this we can't get
> the MX record which may or may not point to a U.S. server.   I'm
> wondering if there is any way I can set up things so the resolution for
> countries we block is reported back by some other server that would be
> U.S. based that doesn't block these countries?
> 
> dig +trace -t MX samsung.com
> 
> ; <<>> DiG 9.2.1 <<>> +trace -t MX samsung.com
> ;; global options:  printcmd
> .                       169576  IN      NS      K.ROOT-SERVERS.NET.
> .                       169576  IN      NS      L.ROOT-SERVERS.NET.
> .                       169576  IN      NS      M.ROOT-SERVERS.NET.
> .                       169576  IN      NS      A.ROOT-SERVERS.NET.
> .                       169576  IN      NS      B.ROOT-SERVERS.NET.
> .                       169576  IN      NS      C.ROOT-SERVERS.NET.
> .                       169576  IN      NS      D.ROOT-SERVERS.NET.
> .                       169576  IN      NS      E.ROOT-SERVERS.NET.
> .                       169576  IN      NS      F.ROOT-SERVERS.NET.
> .                       169576  IN      NS      G.ROOT-SERVERS.NET.
> .                       169576  IN      NS      H.ROOT-SERVERS.NET.
> .                       169576  IN      NS      I.ROOT-SERVERS.NET.
> .                       169576  IN      NS      J.ROOT-SERVERS.NET.
> ;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 25 ms
> 
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> ;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 119 ms
> 
> samsung.com.            172800  IN      NS      dnssm.samsung.com.
> samsung.com.            172800  IN      NS      dnsss.samsung.com.
> ;; Received 101 bytes from 192.5.6.30#53(a.gtld-servers.net) in 22 ms
> 
> dig: Couldn't find server 'dnssm.samsung.com': Name or service not known
> 
> P.S.  Don't tell me to unblock the countries - that's a political
> football being tussled over at a different level.   
> 
> 
> 
> 

-- 

Vinny Abello
Network Engineer
vinny at tellurian.com
(973)940-6100
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of fear"
-- Mark Twain


